PowerShell Remoting in the Enterprise
What you need to know.
Speaker
• 9+ years experience in Microsoft-based IT
• Microsoft System Center 2012 R2
• Windows PowerShell since 2007
• Started writing VBScript in 2005
• Worked in many enterprise environments with 10-70k+ systems
Why use remoting?
• Fan-out management of Windows Server systems
• Desired State Configuration (DSC) in PowerShell v4
• PowerShell Workflow
• Interactive remote management (similar to SSH)
• Quicker than RDP
How does remoting work?
Diagram: Client (Windows, PowerShell) -> Windows Remote Management -> HTTP -> Windows Remote Management (Server) -> PowerShell Session. Ports: TCP 5985 (HTTP) and TCP 5986 (HTTPS).
Remoting Configuration
Enable-PSRemoting -Force; Set-WSManQuickConfig -UseSSL
Use Group Policy
Manual Configuration Process
• Configure certificate template
• Configure GPO for autoenrollment
• Enable-PSRemoting
• Set-WSManQuickConfig
• Enable-WSManCredSSP
SSL requires a "Server Authentication" certificate
WinRM Service GPO Configuration
Don't leave listeners blank!
Windows PowerShell GPO Settings
Use either:
• RemoteSigned
• Unrestricted
powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1
WinRM Client Configuration
Authentication:
• Basic
• Negotiate
• Kerberos
• Client certificate mapping
• Credential Security Support Provider (CredSSP)
Other client settings: TrustedHosts, DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias "<local>" for hostnames without dots ".".
WinRM Shell Configuration
Setting: Purpose
• MaxShellsPerUser: Limits the number of remote shells per authenticated user
• MaxConcurrentUsers: Limits the number of simultaneously connected users
• MaxShellRunTime: Limits the maximum time period that a session can exist
• MaxMemoryPerShellMB: The maximum memory that each remoting session can use
• MaxProcessesPerShell: The maximum number of child processes that a single remote shell can have
• IdleTimeout: The idle timeout for a shell (think RDP)
Set-Location -Path wsman:\localhost\shell; Get-ChildItem
Windows Remote Shell GPO Configuration
Quota Management for Remote Shells
http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
Windows Server 2012 Default Values
Setting: Value
• Idle Timeout: 7200000
• Max Concurrent Users: 10
• Max Shell Runtime: 2147483647
• Max Processes Per Shell: 25
• Max Memory Per Shell: 1024 (MB)
• Max Shells Per User: 30
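An added example (not from the slides) that reads the shell quotas through the WSMan: drive and compares them with the Windows Server 2012 defaults listed above, so drift from the baseline (by hand or by GPO) is visible; the function names and the tightened value at the end are assumptions:

```powershell
# Added example: audit WinRM shell quotas against the Server 2012 defaults.
# Requires an elevated PowerShell 3.0+ session; the WSMan: drive needs the
# WinRM service to be running. Read-only unless Set-WinRMShellQuota is called.
$Server2012Defaults = @{
    IdleTimeout          = 7200000      # milliseconds (2 hours)
    MaxConcurrentUsers   = 10
    MaxShellRunTime      = 2147483647   # milliseconds (effectively unlimited)
    MaxProcessesPerShell = 25
    MaxMemoryPerShellMB  = 1024
    MaxShellsPerUser     = 30
}

function Get-WinRMShellQuotaReport {
    param([hashtable]$Baseline = $Server2012Defaults)

    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        # Each quota is an item under WSMan:\localhost\Shell; .Value is a string
        $current = [int64](Get-Item -Path "WSMan:\localhost\Shell\$name").Value
        [pscustomobject]@{
            Setting  = $name
            Current  = $current
            Baseline = $Baseline[$name]
            Matches  = ($current -eq $Baseline[$name])
        }
    }
}

# Change one quota in place; applies to new shells, existing shells keep the old limit.
function Set-WinRMShellQuota {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][int64]$Value
    )
    Set-Item -Path "WSMan:\localhost\Shell\$Name" -Value $Value
}

Get-WinRMShellQuotaReport | Format-Table -AutoSize

# Constructed example of tightening a quota (commented out so the audit stays read-only):
# Set-WinRMShellQuota -Name MaxShellsPerUser -Value 5
```

Values pushed by the Windows Remote Shell GPO show up here too, so a "Matches = False" row is the place to check whether the change was intended.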
PowerShell Remoting Cmdlets
• Enter-PSSession
• New-PSSession
• Remove-PSSession
• Connect-PSSession
• Invoke-Command
• New-PSSessionConfigurationFile
• about_Session_Configuration_Files
• about_Session_Configurations
CIM Cmdlets
• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSession
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance
These replace the WMI cmdlets of PowerShell v2.
CIM Session Remoting Protocols
DCOM/RPC
• Uses a dynamic port range
• Not "firewall friendly"
• Is not standards-based
WinRM
• Uses a common, single, static port
• Is standards-based
Session Configurations
• Restrict the commands that can be executed in a remote session
• Restrict who can access the session configuration
• Default session configurations can be removed or modified
• Use Enable-PSRemoting to restore original configurations (after deleting)
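An added example (not from the slides) of both restrictions at once: a session configuration file that exposes only a few read-only cmdlets, registered as an endpoint whose security descriptor admits one group. The endpoint name, group name and file path are constructed placeholders:

```powershell
# Added example: a constrained remoting endpoint for read-only diagnostics.
# Requires PowerShell 3.0+ and an elevated session on the target server.
$configPath = Join-Path $env:TEMP 'HelpdeskReadOnly.pssc'   # placeholder path

# RestrictedRemoteServer exposes only the proxy functions remoting needs plus
# the cmdlets in -VisibleCmdlets; NoLanguage blocks script blocks and variables.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -VisibleCmdlets 'Get-Service', 'Get-Process', 'Get-EventLog' `
    -Description 'Read-only diagnostics for the helpdesk (constructed example)'

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file failed validation: $configPath"
}

# Build an SDDL that keeps full control for local Administrators (BA) and grants
# Execute+Read (GXGR) only to the helpdesk group; 'CONTOSO\Helpdesk' is a placeholder.
$account  = New-Object System.Security.Principal.NTAccount('CONTOSO\Helpdesk')
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;$groupSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

Register-PSSessionConfiguration -Name 'HelpdeskReadOnly' `
    -Path $configPath `
    -SecurityDescriptorSddl $sddl `
    -Force

# Review what was registered: who may connect and how locked down the session is.
Get-PSSessionConfiguration -Name 'HelpdeskReadOnly' |
    Format-List Name, Permission, SessionType, LanguageMode

# A helpdesk user targets this endpoint instead of the default Microsoft.PowerShell one:
#   Enter-PSSession -ComputerName server01 -ConfigurationName HelpdeskReadOnly
```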
Credential Security Support Provider (CredSSP)
• Allows double-hop scenario
• Three types of credentials; PowerShell uses one: Default credential, Saved credential, Fresh credential
• Can be configured via GPO
Diagram: Client01 -> Server01 -> Server02 (double hop)
CredSSP PowerShell Commands
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
CredSSP Group Policy Configuration
Troubleshooting
Enable-PSWSManCombinedTrace
(reproduce the problem, then stop the trace before reading the .etl file)
Disable-PSWSManCombinedTrace
Get-WinEvent -Path $PSHome\Traces\pstrace.etl -Oldest
Enable the Microsoft-Windows-WinRM/Operational event log
Read the error messages
Use Nmap to test ports (http://nmap.org): nmap.exe -p5985,5986 server.domain.com
Use netstat -aon to ensure the port is listening
Issues
• Missing Service Principal Name (SPN) causes CredSSP connections to fail
• Windows Firewall prevents communication (TCP 5985)
• Windows Remote Management (WinRM) listeners are empty in GPO configuration
• SSL certificate is expired or has a mismatched DNS name in the Subject Name field
• Mismatching certificate thumbprints for the WinRM "Service" and "Listener" configurations. Compare them with:
Get-ChildItem -Path wsman:\localhost\Listener\<HTTPSListener>
Get-ChildItem -Path wsman:\localhost\service
Remove-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WSMan\Listener\*+HTTPS' -Name certThumbprint
• Restart PowerShell after Enable-WSManCredSSP -Role Client
• Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service from reading the SSL certificate
• Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
• Use FQDN to connect to a remote system with CredSSP or SSL
• Certificate Revocation List (CRL) is outdated. Fix with: certutil.exe -CRL
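An added example (not from the slides) that checks an HTTPS listener for several of the certificate problems listed above in one pass: listener vs. service thumbprint mismatch, expired certificate, missing "Server Authentication" EKU, and a Subject/SAN name that does not match the host FQDN. The function name is an assumption; it only reads WSMan: and the machine certificate store:

```powershell
# Added example: one read-only health check for the HTTPS WinRM listener.
# Requires an elevated PowerShell 3.0+ session (DnsNameList/EnhancedKeyUsageList
# are provided by the certificate provider from 3.0 on).
function Test-WinRMHttpsListener {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    # Service thumbprint is normally blank; it only matters when it is set.
    $serviceThumb = "$((Get-Item WSMan:\localhost\Service\CertificateThumbprint).Value)" -replace '\s', ''
    $results = @()

    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        # Flatten the listener's child items (Transport, Port, CertificateThumbprint, ...)
        $p = @{}
        Get-ChildItem $listener.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        if ($p.Transport -ne 'HTTPS') { continue }

        $thumb = "$($p.CertificateThumbprint)" -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }

        $expired = $null; $hasServerAuthEku = $null; $dnsOk = $null; $names = @()
        if ($cert) {
            $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
            if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
            $expired = $cert.NotAfter -lt (Get-Date)
            # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU OID
            $hasServerAuthEku = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
            $dnsOk = $names -contains $fqdn
        }

        $results += [pscustomobject]@{
            Listener         = $listener.Name
            Port             = $p.Port
            ListenerThumb    = $thumb
            ServiceThumb     = $serviceThumb
            ThumbsMatch      = ($serviceThumb -eq '' -or $serviceThumb -eq $thumb)
            CertFound        = [bool]$cert
            CertExpired      = $expired
            ServerAuthEku    = $hasServerAuthEku
            DnsNameMatches   = $dnsOk
            CertNames        = ($names -join ', ')
            ExpectedFqdn     = $fqdn
        }
    }
    if (-not $results) { Write-Warning 'No HTTPS listener found; check that the WinRM listener GPO is not blank.' }
    $results
}

Test-WinRMHttpsListener | Format-List
```

If CertFound is True but the service still cannot use the certificate, the MachineKeys permission problem from the list above is the next thing to check.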
Limitations
• Starting a remote session from within a remote session
• Interactive command-line utilities don't work well under remoting sessions: diskpart, nslookup, psexec
• CredSSP is required to access network resources from a remote session
Built-in Variables
$PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)
$PSSessionOption – A preference variable that allows you to set the default remote session options