PowerShell Remoting in
the Enterprise
What you need to know.
Speaker

9+ years experience in Microsoft-based IT

Microsoft System Center 2012 R2

Windows PowerShell since 2007


Started writing VBscript in 2005
Worked in many enterprise environments with 10-70k+ systems
Why use remoting?

Fan-out management of Windows Server systems

Desired State Configuration (DSC) in PowerShell v4

PowerShell Workflow

Interactive remote management (similar to SSH)

Quicker than RDP
How does remoting work?
Client
Server
PowerShell
Session
PowerShell
Session
PowerShell
PowerShell
Windows
Remote
Management
Windows
Remote
Management
HTTP
Windows
TCP
5986
TCP
5985
HTTP
Windows
Remoting Configuration

Enable-PSRemoting -Force;

Set-WsmanQuickConfig -UseSSL;

Use Group Policy
SSL requires a “Server
Authentication” certificate
Manual Configuration Process
Configure
certificate template
Configure GPO for
autoenrollment
Enable-PSRemoting
SetWSManQuickConfig
EnableWSManCredSSP
WinRM Service GPO Configuration
Don’t leave listeners blank!
Windows PowerShell GPO Settings
Use either:
• Remote Signed
• Unrestricted
powershell.exe –ExecutionPolicy Bypass –File c:\path\to\script.ps1
WinRM Client Configuration

Authentication

Basic

Negotiate

Kerberos

Client certificate mapping

Credential Security Support Provider (CredSSP)

TrustedHosts

DefaultPorts
TrustedHosts is useful in multi-forest,
multi-domain, or workgroup
environments. Special alias “<local>”
for hostnames without dots “.”
WinRM Client Configuration
WinRM Shell Configuration
Setting
Purpose
MaxShellsPerUser
Limits the number of remote shells per authenticated user
MaxConcurrentUsers
Limits the number of simultaneously connected users
MaxShellRunTime
Limits the maximum time period that a session can exist
MaxMemoryPerShellMB The maximum memory that each remoting session can use
MaxProcessesPerShell
The maximum number of child processes that a single
remote shell can have
IdleTimeout
The idle timeout for a shell (think RDP)
Set-Location –Path wsman:\localhost\shell;
Get-ChildItem;
Windows Remote Shell GPO
Configuration
Windows Server 2012 Default Values
Setting
Value
Idle Timeout
7200000
Max Concurrent Users
10
Max Shell Runtime
2147483647
Max Processes Per Shell 25
Max Memory Per Shell
1024 (MB)
Max Shells Per User
30
Quota Management for Remote Shells
http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx
PowerShell Remoting Cmdlets

Enter-PSSession

New-PSSession

Remove-PSSession

Connect-PSSession

Invoke-Command

New-PSSessionConfigurationFile

about_Session_Configuration_Files

about_Session_Configurations
CIM Cmdlets

Get-CimAssociatedInstance

Get-CimClass

Get-CimInstance

Get-CimSession

Invoke-CimMethod

New-CimInstance

New-CimSession

New-CimSessionOption

Register-CimIndicationEvent

Remove-CimInstance

Remove-CimSession

Set-CimInstance
Replace the
WMI cmdlets in
PowerShell v2.
CIM Session Remoting Protocols
DCOM/RPC
Uses a dynamic port range
Not “firewall friendly”
Is not standards-based
WinRM
Uses a common, single, static port
Is standards-based
Session Configurations

Restrict the commands that can be executed in a remote session

Restrict who can access the session configuration

Default session configurations can be removed or modified

Use Enable-PSRemoting to restore original configurations (after deleting)
Credential Security Support Provider
(CredSSP)

Allows double-hop scenario

Three types of credentials.
PowerShell uses one.


Default credential

Saved credential

Fresh credential
Server01
Server02
Client01
Can be configured via GPO
CredSSP PowerShell Commands
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP
CredSSP Group Policy Configuration
Troubleshooting

Enable-PSWsmanCombinedTrace;

Get-WinEvent –Oldest $PSHome\Traces\pstrace.etl

Enable the Microsoft-Windows-WinRM/Operational event log

Read the error messages

Use Nmap to test ports (http://nmap.org)


nmap.exe –p5985,5986 server.domain.com
Use netstat –aon to ensure port is listening
Issues

Missing Service Principal Name (SPN) causes CredSSP connections to fail

Windows Firewall prevents communication (TCP 5985)

Windows Remote Management (WinRM) Listeners are empty in GPO configuration

SSL Certificate is expired or has mismatched DNS name in Subject Name field

Mismatching certificate thumbprints for WinRM “Service” and “Listener” configurations

Get-ChildItem -Path wsman:\localhost\Listeners\<HTTPSListener>;

Get-ChildItem –Path wsman:\localhost\service;

Remove-Item –Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Wsman\Listener\*+HTTPS:certThumbprint

Restart PowerShell after Enable-WSManCredSSP -Role Client;

Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevents the WinRM service from reading the SSL certificate

Windows 2008: Missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)

Use FQDN to connect to remote system with CredSSP or SSL

Certificate Revocation List (CRL) is outdated

Fix with: certutil.exe –CRL
Limitations

Starting a remote session from within a remote session

Interactive command-line utilities don’t work well under remoting sessions


diskpart

nslookup

psexec
CredSSP is required to access network resources from a remote session
Built-in Variables

$PSSenderInfo – Use this automatic variable to explore the remote session
configuration (authentication type, SSL, etc.)

$PSSessionOption – A preference variable that allows you to set the default
remote session options
TrevorSullivan@projectleadership.net