Remote Administration with PowerShell (Part 2)


Introduction

Remoting is really the secret sauce of Windows PowerShell. In a previous article, we had the chance to show how centralized management can be immensely more effective with script remoting.
This article reviews the challenges of remoting for network administrators, including managing non-domain computers in an acceptable security context, delegating credentials across multiple hops, and implicit remoting. There may be times when you urgently need to access your network or data center from a remote location and you don't even have a laptop or desktop computer available. Don't panic, we have you covered.

Managing Non-Domain Computers

When you make a connection, by default remoting authenticates you to the remote computer, which then impersonates you and executes the commands on your behalf. As you can imagine, there are security risks involved in presenting your credentials to a remote server. For instance, if a malicious user were able to impersonate a known remote computer, you could hand your credentials to that impostor, who could use them against you and other people in the network.
To minimize this risk, remoting by default requires mutual authentication. The two-way authentication process forces the client to prove its identity to the server and the server to prove its identity to the client. Mutual authentication is a native feature of the Active Directory Kerberos protocol, and it is what remoting uses between computers in trusted domains.
However, when managing non-domain computers, you cannot count on Active Directory to handle mutual authentication. For those cases, you either have to provide another form of mutual authentication using SSL certificates (the recommended approach) or add the remote computer to your local TrustedHosts list. In both cases, the -Credential parameter is needed with the remoting command when making the connection. We'll explain both options next.

Using Remoting with SSL Certificates

When authentication relies on digital certificates, internal or external certification authorities (CA) are a crucial element of the authentication process. The certificate installed on the remote computer must come from a CA that the client trusts and carry the same name that you will use when making the connection. Even though IIS is not needed for this configuration to work, ensure that you install a web server (server authentication) certificate in the remote computer's certificate store.
When you remote over HTTPS, the whole connection is encrypted using the keys of the target computer's SSL certificate; that way you could even use the Basic authentication protocol and the password would still be protected in transit. Using MakeCert.exe to generate a self-signed certificate is not recommended in a production environment.
For our demonstration, a certificate signed by an internal CA has been installed on a workgroup server named Server1. Let's see how it works.
  1. To verify that the computer is in a workgroup and that a certificate is installed in the computer store, enter:
Get-CimInstance -ClassName Win32_ComputerSystem
Get-ChildItem -Path Cert:\LocalMachine\My
Figure 1
  2. To set up the WinRM HTTPS listener, you need to write down or copy the certificate thumbprint from the previous output. Then run this code:
New-WSManInstance winrm/config/Listener `
-SelectorSet @{Address='*';Transport="HTTPS"} `
-ValueSet @{Hostname="Server1"; `
CertificateThumbprint="B78FAAAB0FFE4B91A566B2923330CCB0C0EBC09B"}
Figure 2
Let's review the parameters used with New-WSManInstance:
Address = '*': the service will listen on all available IP addresses.
Transport = HTTPS. The other option is HTTP.
Hostname = must match the name of the host on the certificate, and the name you will use to connect.
CertificateThumbprint = the thumbprint shown by the Get-ChildItem cmdlet.
  3. Configure the firewall to allow HTTPS traffic on port 5986. Enter:
Netsh AdvFirewall firewall add rule name="WinRM (HTTPS)" `
protocol=TCP dir=in localport=5986 action=allow
Figure 3
  4. Start a remoting session to test the HTTPS listener. Run:
Enter-PSSession -ComputerName Server1 -Credential Server1\Administrator -UseSSL
Figure 4
After entering the password, the remote session prompt is displayed, confirming a successful HTTPS connection.
Figure 5
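The script below is an added example, not the article's own code: it automates the four steps above on the server, picks the certificate instead of pasting a thumbprint, and adds the verification and the caveat a practitioner would want. It assumes a CA-issued server-authentication certificate for the host is already in Cert:\LocalMachine\My; the host name Server1 comes from the article, while the EKU filter, the firewall rule name and the Test-WSMan probe are my additions.

```powershell
# Added example: build and verify a WinRM HTTPS listener on a workgroup server.
# Run elevated on the server itself. Assumes a CA-issued certificate whose subject
# is the host name is already installed in the machine store.
$HostName = 'Server1'

# Select the newest certificate issued to this host that has a private key,
# is not expired, and carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
# EnhancedKeyUsageList is a property the Cert: provider adds on Windows.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -match "CN=$HostName(,|$)" -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable server certificate for $HostName in Cert:\LocalMachine\My" }
"Using certificate $($cert.Thumbprint) issued by $($cert.Issuer)"

# Same listener definition as the article, with the thumbprint taken from the
# selected certificate instead of copied by hand.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# Inbound TCP 5986; New-NetFirewallRule is the PowerShell equivalent of the netsh call.
New-NetFirewallRule -DisplayName 'WinRM (HTTPS)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# Verify: the listener is registered and the WinRM identity probe succeeds over TLS.
# Test-WSMan validates the certificate chain and name exactly as a session would.
Get-ChildItem -Path WSMan:\localhost\Listener
Test-WSMan -ComputerName $HostName -UseSSL

# Connect. -UseSSL together with a validated certificate is the mutual authentication.
# (Use Enter-PSSession interactively; Invoke-Command is used here so the script runs end to end.)
Invoke-Command -ComputerName $HostName -UseSSL -Credential "$HostName\Administrator" `
    -ScriptBlock { "Connected to $env:COMPUTERNAME over HTTPS" }

# Do NOT work around a certificate error with -SkipCACheck / -SkipCNCheck in
# New-PSSessionOption: that removes server authentication and reintroduces the
# impersonation risk the HTTPS listener exists to prevent. Fix the certificate instead.
```

If Test-WSMan fails with a certificate error, the usual causes are a subject name that does not match the name used to connect, or a CA that the client does not trust; both are fixed on the certificate side, not by skipping checks.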

Adding the Remote Computer to Your Local TrustedHosts List

A word of warning here: this option turns off the requirement for mutual authentication, which increases the chance of an attacker wreaking havoc on your network by spoofing or impersonating the target computer.
The TrustedHosts list can be configured locally or by using group policy. It lists the computers for which mutual authentication is not required (again, a security hazard). Computers may be listed by their name, DNS alias, or IP address; wildcards (*) are permitted. Once a computer is added to your local TrustedHosts list, you are allowed to send your credentials to that remote computer without any process in place to verify that the computer on the other end is the one you intended to connect to.
Let's configure a TrustedHosts list on a Windows client computer named Win81A.
  1. First, to verify that the TrustedHosts list is empty, run:
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Figure 6
  2. To add a computer named CoreG2 to the TrustedHosts list, enter:
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value CoreG2
The names or IP addresses you enter here must be the same ones that are used when remoting. For example, you cannot enter an IP address and then try to connect using the computer name. Note that Set-Item replaces the existing value; add the -Concatenate parameter to append to a list that already has entries.
Figure 7
  3. To validate the configuration, run this again:
Get-Item -Path WSMan:\localhost\Client\TrustedHosts
Figure 8
  4. Let's check that CoreG2 is in a workgroup. Enter:
Get-CimInstance -ClassName Win32_ComputerSystem | FL
Figure 9
  5. To test the connection, enter:
Enter-PSSession -ComputerName CoreG2 -Credential CoreG2\Administrator
Figure 10
The previous screen confirms that the TrustedHosts list is properly configured and we are able to remote into a non-domain computer.
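As an added example (not from the article), the script below appends to TrustedHosts instead of overwriting it, audits the list for wildcard entries, and removes the entry again when the task is done. CoreG2 is the article's host; the Get-TrustedHostEntry helper and the audit logic are mine.

```powershell
# Added example: safer handling of the local TrustedHosts list.
# Set-Item without -Concatenate REPLACES the whole list; -Concatenate appends.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'CoreG2' -Concatenate -Force

# Read the comma-separated value back as individual entries.
function Get-TrustedHostEntry {
    (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}
$entries = Get-TrustedHostEntry
$entries

# Audit: '*' or any wildcard entry means every host matching it is trusted blindly.
$wild = $entries | Where-Object { $_.Contains('*') }
if ($wild) { Write-Warning "Wildcard TrustedHosts entries present: $($wild -join ', ')" }

# Connecting still authenticates YOU to the server (NTLM), but nothing authenticates
# the server to you: use exactly the name you added and an explicit credential.
Invoke-Command -ComputerName CoreG2 -Credential CoreG2\Administrator `
    -ScriptBlock { Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain }

# Clean up: rewrite the list without the entry once the work is finished.
$kept = ($entries | Where-Object { $_ -ne 'CoreG2' }) -join ','
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $kept -Force
```

Keeping the entry only for the duration of the task limits the window in which a spoofed CoreG2 could collect the administrator's credentials.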

Multi-Hop Remoting

For remoting to work, you must authenticate to the target computer. With the default Kerberos authentication the target receives a token that lets it act as you locally, but it does not receive your credentials, so by default a command running in that session cannot initiate another connection from that computer to a second server as you. In other words, your identity cannot be chained to a second hop; this is commonly called the "double-hop" problem.
To overcome this default limitation, you must configure group policy or set up both ends of the connection for CredSSP as follows:
  1. On the computer from which you are connecting, run the following command, naming the computer that may receive your delegated credentials:
Enable-WSManCredSSP -Role Client -DelegateComputer *.lanztek.local
The -DelegateComputer value can be a * wildcard or a limited wildcard such as *.lanztek.local.
  2. On the computer that you are connecting to, run the same cmdlet but assign a different role. (This is the computer to which you are delegating your credentials.)
Enable-WSManCredSSP -Role Server
You then connect with -Authentication CredSSP and an explicit -Credential. Be aware that CredSSP sends your actual credentials to the first-hop server, where anyone with administrative rights on that server can read them from memory; limit -DelegateComputer to the servers that need it rather than a bare *, and disable it again when the task is finished.
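The following is an added example, not the article's code. It reproduces the second-hop failure, then shows two ways past it: passing an explicit credential into the remote script block (which I would reach for first), and the CredSSP configuration the article describes, with the delegation scoped and revoked. FS1 is the article's server; Server2 and lanztek.local are illustrative names.

```powershell
# Added example: the second-hop problem and two ways around it.
# FS1 is the article's server; Server2 and lanztek.local are illustrative.

# 1. Reproduce the problem. FS1 holds only a token for you, not credentials it can
#    forward, so reaching a third machine from inside the session is refused.
Invoke-Command -ComputerName FS1 -ScriptBlock {
    try   { Get-ChildItem -Path \\Server2\c$ -ErrorAction Stop | Select-Object -First 1 }
    catch { "Second hop failed on $($env:COMPUTERNAME): $($_.Exception.Message)" }
}

# 2a. Preferred: hand the second hop an explicit credential. $using: carries the
#     PSCredential into the remote script block; nothing is cached on FS1 afterwards,
#     and only the named account (which can be a low-privilege one) is exposed.
$hop2 = Get-Credential -Message 'Account for Server2'
Invoke-Command -ComputerName FS1 -ScriptBlock {
    Invoke-Command -ComputerName Server2 -Credential $using:hop2 -ScriptBlock { hostname }
}

# 2b. CredSSP, as the article describes. CredSSP forwards your clear-text credentials
#     to FS1, where anyone with admin rights there can extract them from LSASS.
#     Scope the delegation to the one server that needs it and disable it afterwards.
Enable-WSManCredSSP -Role Client -DelegateComputer 'FS1.lanztek.local' -Force   # on the client
# Enable-WSManCredSSP -Role Server -Force                                        # on FS1

$me = Get-Credential -Message 'Your own domain account (will be delegated to FS1)'
Invoke-Command -ComputerName FS1 -Authentication CredSSP -Credential $me -ScriptBlock {
    Get-ChildItem -Path \\Server2\c$ | Select-Object -First 1   # succeeds: FS1 now holds your credentials
}
Disable-WSManCredSSP -Role Client   # revoke when the task is done
```

Option 2a fails closed: if the credential is wrong, only the inner call fails and nothing about your own account has left your workstation. Option 2b should be treated like leaving a password on the server for as long as it is enabled.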

Implicit Remoting

Installing specialized client software on their desktop computers is one way many IT personnel perform remote management of network services and applications; using Remote Desktop is another option. Implicit remoting offers a different approach that is lighter than Remote Desktop sessions and saves you the aggravation of installing and maintaining client applications on your workstation. Implicit remoting allows you to create shortcuts (proxy functions) on your local computer for PowerShell commands on a remote server. The commands you enter locally are implicitly run on the server through remoting and the results are transmitted back to you.
Let's demonstrate implicit remoting by connecting from a Windows 8 client named Win81A to a domain controller named FS1.
  1. In the Win81A PowerShell console, create a persistent connection to FS1 and store it in a variable. Enter:
$rdc = New-PSSession -ComputerName FS1
Figure 11
  2. To display a list of modules on FS1, run:
Get-Module -ListAvailable -PSSession $rdc | FT ModuleType,Name -Auto
Figure 12
  3. To import the Active Directory module from FS1, enter:
Import-Module -PSSession $rdc -Name ActiveDirectory
Figure 13
  4. To find out how many AD commands are now available on the local computer, enter:
Get-Command -Module ActiveDirectory | Measure-Object
Figure 14
These commands will be available as long as you keep the PSSession open with the remote computer.
Let's test implicit remoting by searching for computer accounts in the directory. Enter:
Get-ADComputer -Filter * -SearchBase "OU=file servers,dc=lanztek,dc=local" |
Select Name,ObjectGUID | FT -Autosize
Figure 15
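An added example, not the article's code, that goes one step further than the procedure above: it imports the remote module under a command prefix so it cannot be confused with a local copy, then exports the proxy functions to a module on disk so the session does not have to be rebuilt by hand next time. FS1 and the search base are the article's; the prefix FS1 and the module name RemoteAD are mine.

```powershell
# Added example: implicit remoting with a command prefix, then a proxy module on
# disk that re-creates the session on demand. FS1 is the article's domain controller.
$rdc = New-PSSession -ComputerName FS1

# Import-PSSession is the cmdlet behind Import-Module -PSSession. -Prefix keeps the
# remote commands distinguishable from any local copy of the module.
Import-PSSession -Session $rdc -Module ActiveDirectory -Prefix FS1 | Out-Null
Get-Command -Name Get-FS1ADComputer | Format-Table Name, CommandType, ModuleName -AutoSize

# Runs on FS1; what comes back is a deserialized snapshot of each object.
Get-FS1ADComputer -Filter * -SearchBase 'OU=file servers,dc=lanztek,dc=local' |
    Select-Object Name, ObjectGUID

# Persist the proxy functions as a module so the session does not have to be rebuilt
# by hand next time. Importing that module reconnects to FS1 on first use.
Export-PSSession -Session $rdc -Module ActiveDirectory -OutputModule RemoteAD -Force | Out-Null
Remove-PSSession -Session $rdc

Import-Module -Name RemoteAD
Get-ADComputer -Filter * | Select-Object -First 3   # prompts to reconnect, then runs on FS1
```

The exported module contains no credentials, only proxy functions that call New-PSSession with the original computer name; the user still authenticates when the session is re-created.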

Remoting Output Serialization

When you run commands on a remote computer, as in the previous Active Directory demonstration, that computer serializes the results in XML format (CliXML) and transmits that XML text back to your computer. The serialization process deals only with the properties of the object, which means static data. The XML received by the local computer is deserialized back into objects that are put into the Windows PowerShell pipeline. However, the deserialized objects have no methods or events. Think of any data received through remoting as a static snapshot. You cannot invoke an action on those objects to modify or update anything on the remote computer. This is important to know, because you may want to do as much processing as possible on the remote computer, where you are working with live objects that have methods and events.
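To see exactly what deserialization does, you do not need a remote computer at all: the PSSerializer class that remoting uses is available locally. The following is an added example, not the article's code; it round-trips a live process object and compares what survives.

```powershell
# Added example: round-trip a live object through the same CliXML serializer that
# remoting uses, and compare what survives. Runs entirely on the local machine.
$live = Get-Process -Id $PID
$xml  = [System.Management.Automation.PSSerializer]::Serialize($live)
$copy = [System.Management.Automation.PSSerializer]::Deserialize($xml)

# The type name is prefixed with "Deserialized." and the object is property-only.
$live.PSObject.TypeNames[0]   # System.Diagnostics.Process
$copy.PSObject.TypeNames[0]   # Deserialized.System.Diagnostics.Process

# Properties are preserved as plain values...
$live.ProcessName -eq $copy.ProcessName
# ...but methods are gone: the live object has dozens, the snapshot only ToString and friends.
($live | Get-Member -MemberType Method).Count
($copy | Get-Member -MemberType Method).Count

# Acting on the snapshot does nothing to the real process; the method does not exist.
try   { $copy.Kill() }
catch { "Cannot act on a snapshot: $($_.Exception.Message)" }

# Consequence for remoting: filter and act on the remote side, where objects are live.
# Invoke-Command -ComputerName FS1 -ScriptBlock {
#     Get-Process -Name notepad | Stop-Process        # correct: Stop-Process runs on FS1
# }
# (Invoke-Command -ComputerName FS1 { Get-Process notepad }) | ForEach-Object { $_.Kill() }
#                                                        # fails: no Kill() on the snapshot
```

The same rule explains why piping implicit-remoting output into a local cmdlet that expects a live object (for example Stop-Process expecting a Process) often fails: the local cmdlet sees a Deserialized.* object, not the original type.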

Windows PowerShell Web Access

This feature allows you to run Windows PowerShell commands and scripts from a web browser without using any special plug-in or having PowerShell installed on the client computer. As long as you have a compliant browser, it is possible to make connections from a tablet or smartphone.
On the Windows server, as well as adding the Windows PowerShell Web Access feature, you must install Windows PowerShell 3.0 or a newer version, the Web Server (IIS) role, and .NET Framework 4.5. An SSL certificate is also required to secure the connections. It is possible to create a self-signed certificate during the configuration process, but that should be used for testing purposes only. In production, a valid SSL certificate signed by a trusted certification authority (CA) is highly recommended.
Let's review the steps to install and configure the PowerShell Web Access feature:
  1. Install the Windows PowerShell Web Access feature. At the PowerShell prompt, enter the following command:
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
Figure 16
  2. Set up the web access gateway. You can perform this task with either IIS Manager or PowerShell. The Install-PswaWebApplication cmdlet lets you set up the Windows PowerShell Web Access web application inside the IIS default web site. Running this cmdlet creates the web access gateway with the following URL: https://<server_name>/pswa.
You can change the name of the web application or install it on a different website. Also, using the -UseTestCertificate parameter creates a test certificate and configures the gateway to use it for HTTPS requests. For our demo, running Install-PswaWebApplication is enough, as a valid certificate has been installed on the server already.
Install-PswaWebApplication
Figure 17
  3. Configure authorization rules:
Access to the website is not permitted until authorization rules are configured to define the users and groups that will be allowed to use the Windows PowerShell gateway, and which computers these users and groups can connect to. To add an authorization rule, type the following:
Add-PswaAuthorizationRule -UserName Lanztek\Administrator `
-ComputerName * -ConfigurationName *
Figure 18
Once you run the previous command, the domain administrator can access any computer in the network and connect to any available PowerShell session configuration using an Internet browser. This is the broadest rule possible; in production, scope rules to groups, specific computers and constrained session configurations. The target computer must be configured to allow remoting, and only users authorized on that computer will be granted access. The Test-PswaAuthorizationRule cmdlet can validate whether a rule exists for a specified user, computer or endpoint.
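The script below is an added example, not the article's code. It performs the same three steps but writes the authorization rule the way a least-privilege deployment would: one group, one host, one constrained endpoint, followed by a positive and a negative check. The group lanztek\HelpDesk and the server FS1 appear elsewhere in the article; the rule name, the user jsmith, the host DC1 and the session configuration HelpDeskShares (assumed to be registered separately on FS1 with Register-PSSessionConfiguration) are illustrative.

```powershell
# Added example: a least-privilege PSWA deployment. Group, host and session
# configuration names are illustrative; 'HelpDeskShares' stands for a constrained
# session configuration registered separately on FS1.
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools | Out-Null

# Bind the gateway to the CA-issued certificate already on the server. Avoid
# -UseTestCertificate outside a lab: a browser cannot tell that self-signed gateway
# from an impostor collecting credentials.
Install-PswaWebApplication

# One rule per job, scoped on all three axes instead of Administrator / * / *.
Add-PswaAuthorizationRule -RuleName 'HelpDesk-FS1-Shares' `
    -UserGroupName     'lanztek\HelpDesk' `
    -ComputerName      'FS1.lanztek.local' `
    -ConfigurationName 'HelpDeskShares'

Get-PswaAuthorizationRule |
    Format-Table Id, RuleName, User, Destination, ConfigurationName -AutoSize

# Test-PswaAuthorizationRule returns the rules that match; no output means the
# sign-in would be refused at the gateway. The second check must return nothing.
Test-PswaAuthorizationRule -UserName 'lanztek\jsmith' `
    -ComputerName 'FS1.lanztek.local' -ConfigurationName 'HelpDeskShares'
Test-PswaAuthorizationRule -UserName 'lanztek\jsmith' `
    -ComputerName 'DC1.lanztek.local' -ConfigurationName 'Microsoft.PowerShell'

# Wildcards widen exposure: '*' for ComputerName lets any gateway user reach every
# host on which they already have rights. Remove an over-broad rule by Id after review.
# Remove-PswaAuthorizationRule -Id 0
```

Because the gateway rule and the target computer's own remoting permissions are evaluated independently, a user needs both to succeed; the rule only decides who may try.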

Verify Windows PowerShell Web Access configuration

The browser on the client side must allow cookies and support JavaScript. Once you open the sign-in page, in our case https://Server1/pswa, you can connect directly to the gateway, to another computer in the network, or to a custom URI. See the sign-in page below.
Figure 19
By default, the same credentials you enter to cross the gateway are also presented to the remote computer that you are connecting to. However, you can expand the Optional Connection Settings section and specify different credentials. This option comes in handy when the account authorized to connect to the gateway does not have permissions to access the target computer.
After completing the credentials and connection settings, click Sign In to connect to the remote computer. Now you have a Windows PowerShell console running in a web browser.
Figure 20
On Windows Server 2012 R2, the Windows PowerShell Web Access gateway allows users to open multiple connections to remote computers in different browser tabs.
Figure 21
Even though the web-based PowerShell console provides a level of functionality very similar to Windows PowerShell remoting, there are some limitations. For instance, some shortcut keys are not supported, such as Ctrl+C to interrupt command execution, or any of the function keys (F1, F2, F3, F7, etc.) related to command history.
To leave the web-based PowerShell console, click Save or Exit in the lower right corner. To sign out without saving your Windows PowerShell Web Access session, just click Exit. Clicking Save saves and closes your current session. When you sign in to the gateway again, Windows PowerShell Web Access displays all of your saved sessions; at that point, you can either select and reconnect to a saved session, or start a new session, as shown below.
Figure 22
Let's take advantage of the web-based PowerShell console to create a network share on a remote computer named FS1. Enter:
New-SmbShare -Name Updates -Path C:\Updates -FullAccess lanztek\admin -ReadAccess HelpDesk
Figure 23
To verify the permissions, run:
Get-SmbShareAccess -Name Updates
Figure 24

Closing Remarks

This article shows that it is possible to use PowerShell beyond the protective Active Directory boundaries and still provide a strong level of security. Using an Internet browser to remote into a server means that you do not need a Windows computer to perform remote management with PowerShell. Actually, you don't need a computer at all, as a tablet or smartphone with a compliant browser will suffice. Remoting takes the Windows PowerShell automation functionality to the next level. Having the capability to perform complex tasks on hundreds or thousands of computers in a very short period of time is a priceless blessing for any network administrator.