PowerShell Remoting in the Enterprise

What you need to know.

Speaker

9+ years experience in Microsoft-based IT Microsoft System Center 2012 R2 Windows PowerShell since 2007

Started writing VBscript in 2005 Worked in many enterprise environments with 10-70k+ systems

Why use remoting?

Fan-out management of Windows Server systems Desired State Configuration (DSC) in PowerShell v4 PowerShell Workflow Interactive remote management (similar to SSH) Quicker than RDP

How does remoting work?

Windows

Windows Remote

Management

HTTP

PowerShell

PowerShell Session

Client Server

Windows

Windows Remote

Management

HTTP

PowerShell

PowerShell Session

TCP 598

5

TCP 5986

Remoting Configuration

Enable-PSRemoting -Force; Set-WsmanQuickConfig -UseSSL; Use Group Policy

Enable-WSManCredSSP

Set-WSManQuickCon

figEnable-

PSRemotingConfigure GPO for

autoenrollmentConfigure certificate template

SSL requires a “Server Authentication” certificate

Manual Configuration Process

WinRM Service GPO ConfigurationDon’t leave listeners blank!

Windows PowerShell GPO Settings

Use either:

• Remote Signed• Unrestricted

powershell.exe –ExecutionPolicy Bypass –File c:\path\to\script.ps1

WinRM Client Configuration

Authentication Basic Negotiate Kerberos Client certificate mapping Credential Security Support Provider (CredSSP)

TrustedHosts DefaultPorts

TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments. Special alias “<local>” for hostnames without dots “.”

WinRM Client Configuration

WinRM Shell Configuration

Setting Purpose

MaxShellsPerUser Limits the number of remote shells per authenticated user

MaxConcurrentUsers

Limits the number of simultaneously connected users

MaxShellRunTime Limits the maximum time period that a session can exist

MaxMemoryPerShellMB

The maximum memory that each remoting session can use

MaxProcessesPerShell

The maximum number of child processes that a single remote shell can have

IdleTimeout The idle timeout for a shell (think RDP)Set-Location –Path wsman:\localhost\shell;Get-ChildItem;

Windows Remote Shell GPO Configuration

Quota Management for Remote Shells

http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx

Setting ValueIdle Timeout 7200000Max Concurrent Users

10

Max Shell Runtime 2147483647

Max Processes Per Shell

25

Max Memory Per Shell

1024 (MB)

Max Shells Per User 30

Windows Server 2012 Default Values

PowerShell Remoting Cmdlets

Enter-PSSession New-PSSession Remove-PSSession Connect-PSSession Invoke-Command New-PSSessionConfigurationFile about_Session_Configuration_Files about_Session_Configurations

CIM Cmdlets

Get-CimAssociatedInstance Get-CimClass Get-CimInstance Get-CimSession Invoke-CimMethod New-CimInstance New-CimSession New-CimSessionOption Register-CimIndicationEvent Remove-CimInstance Remove-CimSession Set-CimInstance

Replace the WMI cmdlets in PowerShell v2.

CIM Session Remoting Protocols

DCOM/RPCUses a dynamic port range

Not “firewall friendly”

Is not standards-based

WinRMUses a common, single, static port

Is standards-based

Session Configurations

Restrict the commands that can be executed in a remote session Restrict who can access the session configuration Default session configurations can be removed or modified Use Enable-PSRemoting to restore original configurations (after

deleting)

Credential Security Support Provider (CredSSP) Allows double-hop scenario Three types of credentials.

PowerShell uses one. Default credential Saved credential Fresh credential

Can be configured via GPO

Server02Server01

Client01

CredSSP PowerShell Commands

• Get-WSManCredSSP• Enable-WSManCredSSP• Disable-WSManCredSSP

CredSSP Group Policy Configuration

Troubleshooting

Enable-PSWsmanCombinedTrace; Get-WinEvent –Oldest $PSHome\Traces\pstrace.etl

Enable the Microsoft-Windows-WinRM/Operational event log Read the error messages Use Nmap to test ports (http://nmap.org)

nmap.exe –p5985,5986 server.domain.com Use netstat –aon to ensure port is listening

Issues

Missing Service Principal Name (SPN) causes CredSSP connections to fail Windows Firewall prevents communication (TCP 5985) Windows Remote Management (WinRM) Listeners are empty in GPO configuration SSL Certificate is expired or has mismatched DNS name in Subject Name field Mismatching certificate thumbprints for WinRM “Service” and “Listener” configurations

Get-ChildItem -Path wsman:\localhost\Listeners\<HTTPSListener>; Get-ChildItem –Path wsman:\localhost\service; Remove-Item –Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Wsman\Listener\*+HTTPS:certThumbprint

Restart PowerShell after Enable-WSManCredSSP -Role Client; Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevents the WinRM service from

reading the SSL certificate Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve) Use FQDN to connect to remote system with CredSSP or SSL Certificate Revocation List (CRL) is outdated

Fix with: certutil.exe –CRL

Limitations

Starting a remote session from within a remote session Interactive command-line utilities don’t work well under remoting

sessions diskpart nslookup psexec

CredSSP is required to access network resources from a remote session

Built-in Variables

$PSSenderInfo – Use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)

$PSSessionOption – A preference variable that allows you to set the default remote session options

TrevorSullivan@projectleadership.net