
Sunday, April 7, 2013

PowerShell Remote





Definitely the most powerful command-line tool, with an associated scripting language built on the .NET Framework. It allows an administrator to perform administrative operations locally and remotely, on any computer in the domain, the forest or a trusted domain, and directly in the cloud from the local computer.






What are the system requirements to enable Remote Powershell?

Powershell 3.0
Windows PowerShell 3.0
The Microsoft .NET Framework 4.0 >
Windows Remote Management 3.0


Powershell 2.0
Windows PowerShell 2.0 >
The Microsoft .NET Framework 2.0 >
Windows Remote Management 2.0 >

A remote session between PS 2.0 and 3.0 is supported, but features that are native to 3.0, such as reconnecting to an existing session, are not. You also need administrative privileges on the system that you connect to remotely via PowerShell.
PowerShell 3.0, as noted, allows remote sessions to servers and clients on private, domain and public networks.




On 'private' and 'domain' networks, the Enable-PSRemoting command creates firewall rules that allow unrestricted remote access. Enable-PSRemoting also creates a firewall rule for 'public' networks that allows access only from computers on the same local subnet.
On a client computer in the 'public' profile, run Enable-PSRemoting with the SkipNetworkProfileCheck parameter to enable access only between computers on the same local subnet.









If you want to lift the local-subnet restriction in the public profile, which exists purely for security, run Set-NetFirewallRule with the rule name and -RemoteAddress Any. This opens the WinRM port to every address that can reach the machine on a public network:



Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any








Administrative privileges are required to establish a remote session. To review the default permissions:


Get-PSSessionConfiguration | Format-List -Property Name, Permission


If you want to grant other users permission to establish a default or any other remote session:




  • Review the session configurations on the local computer:

dir wsman:\localhost\plugin\microsoft*


  • Review the session configurations on the remote computer:

connect-wsman server01.(domain name).com


  • Permissions for a PS session are granted with Set-PSSessionConfiguration, by adding the Execute permission for the desired users:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI


  • To disable a specific PowerShell session configuration:

disable-pssessionConfiguration -name Microsoft.PowerShell


  • To disable all PowerShell session configurations:

disable-psremoting



A new session configuration is created on the local computer with the Register-PSSessionConfiguration command.
A new configuration that is identical to the standard PS session but limits the data received per command (the default value is 50 MB) looks like this:

Register-PSSessionConfiguration -Name NewConfig -MaximumReceivedDataSizePerCommandMB 20



  • Delete a session from the local computer:


unregister-psSessionConfiguration -name (New Name)

Get-PSSession | Remove-PSSession



PS can establish sessions or perform operations on many computers simultaneously, which significantly reduces administrative effort. Invoke-Command makes this possible:



invoke-command -computername Server01, Server02 {get-UICulture}

invoke-command -computername Server01, Server02 -filepath c:\Scripts\DiskCollect.ps1





In Windows Server 2008 and Windows 8, PS is included with the installation, with one difference: the client WinRM is "locked". There, and on older systems, you will need to run the command Enable-PSRemoting, or interactively you can run Enable-PSRemoting -Force. In addition, you can use Test-WSMan to check whether WinRM has problems.


From experience I know that problems are often associated with the firewall, and with complications when it is necessary to change the starting configuration in order to avoid exposure to attacks.



PS Remote uses "modified" starting (default) ports to communicate through the firewall.



TCP/5985 = HTTP

TCP/5986 = HTTPS




These are the same ports used by WinRM. Although some will say that this is desirable, there are scenarios where you or your security team will want to change it; administrators often use port 80 for HTTP and port 443 for HTTPS. To change the default ports, run:




Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value true

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener -Value true









You can choose any other port with the command:


Set-Item wsman:\localhost\listener\listener*\port -Value <Port>



Additionally, all of this can be set via Group Policy.
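
To review what the firewall, listener and permission settings described above leave exposed on a host, here is a read-only audit, added as an example and not part of the original post. It assumes an elevated prompt on Windows 8 / Server 2012 or later with the WinRM service running and English built-in group names; the function name Get-WinRMExposure and the Review flag are illustrative.

```powershell
# Added example, not from the original post. Run elevated on Windows 8 /
# Server 2012 or later (needs the NetSecurity module). Read-only: changes nothing.
function Get-WinRMExposure {
    # 1. WinRM firewall rules. RemoteAddress 'Any' on the Public profile is the
    #    widened setting; 'LocalSubnet' is what Enable-PSRemoting creates there.
    Get-NetFirewallRule |
        Where-Object { $_.Name -like 'WINRM-HTTP-In-TCP*' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
            [pscustomobject]@{
                Check  = 'FirewallRule'
                Item   = $_.Name
                Value  = "Profile=$($_.Profile); RemoteAddress=$remote"
                Review = ("$($_.Profile)" -match 'Public|Any') -and ($remote -eq 'Any')
            }
        }

    # 2. Listeners and their ports; flag anything moved off 5985/5986.
    Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'Listener'
                Item   = "$($_.Transport) on $($_.Address)"
                Value  = "Port=$($_.Port)"
                Review = ($_.Port -notin '5985', '5986')
            }
        }

    # 3. Compatibility listeners on ports 80/443.
    foreach ($name in 'EnableCompatibilityHttpListener', 'EnableCompatibilityHttpsListener') {
        $value = (Get-Item "WSMan:\localhost\Service\$name").Value
        [pscustomobject]@{ Check = 'CompatListener'; Item = $name; Value = $value; Review = ($value -eq 'true') }
    }

    # 4. Session configurations: flag any allow entry beyond BUILTIN\Administrators.
    Get-PSSessionConfiguration | ForEach-Object {
        $cfg = $_
        $extra = $cfg.Permission -split ',\s*' |
            Where-Object { $_ -match 'AccessAllowed$' -and $_ -notmatch '^BUILTIN\\Administrators ' }
        [pscustomobject]@{
            Check  = 'SessionConfiguration'
            Item   = $cfg.Name
            Value  = $cfg.Permission
            Review = [bool]$extra
        }
    }
}

Get-WinRMExposure | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Rows with Review set to True are the ones that differ from the restrictive defaults discussed in this post and deserve a second look.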





The future = PS :)




































