PowerShell Remoting in the Enterprise
What you need to know.

Speaker
• 9+ years experience in Microsoft-based IT
• Microsoft System Center 2012 R2
• Windows PowerShell since 2007
• Started writing VBScript in 2005
• Worked in many enterprise environments with 10-70k+ systems

Why use remoting?
• Fan-out management of Windows Server systems
• Desired State Configuration (DSC) in PowerShell v4
• PowerShell Workflow
• Interactive remote management (similar to SSH)
• Quicker than RDP

How does remoting work?
[Diagram: on both the client and the server, PowerShell runs inside a PowerShell session on top of Windows Remote Management; the two WinRM services talk over HTTP on TCP 5985 or HTTPS on TCP 5986.]

Remoting Configuration
Enable-PSRemoting -Force; Set-WSManQuickConfig -UseSSL;
• Use Group Policy
• SSL requires a "Server Authentication" certificate

Manual Configuration Process
• Configure the certificate template
• Configure the GPO for autoenrollment
• Enable-PSRemoting
• Set-WSManQuickConfig
• Enable-WSManCredSSP

WinRM Service GPO Configuration
• Don't leave listeners blank!

Windows PowerShell GPO Settings
Use either:
• Remote Signed
• Unrestricted
powershell.exe -ExecutionPolicy Bypass -File c:\path\to\script.ps1
(the command-line switch overrides the configured policy for that one process)

WinRM Client Configuration
Authentication
• Basic
• Negotiate
• Kerberos
• Client certificate mapping
• Credential Security Support Provider (CredSSP)
TrustedHosts
DefaultPorts
TrustedHosts is useful in multi-forest, multi-domain, or workgroup environments.
Special alias "<local>" matches hostnames without dots (".").

WinRM Shell Configuration
Setting               Purpose
MaxShellsPerUser      Limits the number of remote shells per authenticated user
MaxConcurrentUsers    Limits the number of simultaneously connected users
MaxShellRunTime       Limits the maximum time period that a session can exist
MaxMemoryPerShellMB   The maximum memory that each remoting session can use
MaxProcessesPerShell  The maximum number of child processes that a single remote shell can have
IdleTimeout           The idle timeout for a shell (think RDP)
Set-Location -Path wsman:\localhost\shell; Get-ChildItem;

Windows Remote Shell GPO Configuration

Windows Server 2012 Default Values
Setting                  Value
Idle Timeout             7200000 (ms)
Max Concurrent Users     10
Max Shell Runtime        2147483647 (ms)
Max Processes Per Shell  25
Max Memory Per Shell     1024 (MB)
Max Shells Per User      30
Quota Management for Remote Shells: http://msdn.microsoft.com/en-us/library/windows/desktop/ee309367(v=vs.85).aspx

PowerShell Remoting Cmdlets
• Enter-PSSession
• New-PSSession
• Remove-PSSession
• Connect-PSSession
• Invoke-Command
• New-PSSessionConfigurationFile
• about_Session_Configuration_Files
• about_Session_Configurations

CIM Cmdlets
• Get-CimAssociatedInstance
• Get-CimClass
• Get-CimInstance
• Get-CimSession
• Invoke-CimMethod
• New-CimInstance
• New-CimSession
• New-CimSessionOption
• Register-CimIndicationEvent
• Remove-CimInstance
• Remove-CimSession
• Set-CimInstance
These replace the WMI cmdlets of PowerShell v2.

CIM Session Remoting Protocols
DCOM/RPC
• Uses a dynamic port range
• Not "firewall friendly"
• Is not standards-based
WinRM
• Uses a common, single, static port
• Is standards-based

Session Configurations
• Restrict the commands that can be executed in a remote session
• Restrict who can access the session configuration
• Default session configurations can be removed or modified
• Use Enable-PSRemoting to restore the original configurations (after deleting them)

Credential Security Support Provider (CredSSP)
• Allows the double-hop scenario
• Three types of credentials; PowerShell uses one:
  • Default credential
  • Saved credential
  • Fresh credential
[Diagram: Client01 connects to Server01, which in turn connects to Server02 (the second hop).]
• Can be configured via GPO

CredSSP PowerShell Commands
• Get-WSManCredSSP
• Enable-WSManCredSSP
• Disable-WSManCredSSP

CredSSP Group Policy Configuration

Troubleshooting
• Enable-PSWSManCombinedTrace; <reproduce the problem>; Disable-PSWSManCombinedTrace; Get-WinEvent -Path $PSHome\Traces\PSTrace.etl -Oldest
• Enable the Microsoft-Windows-WinRM/Operational event log
• Read the error messages
• Use Nmap to test the ports (http://nmap.org): nmap.exe -p5985,5986 server.domain.com
• Use netstat -aon to ensure the port is listening

Issues
• A missing Service Principal Name (SPN) causes CredSSP connections to fail
• Windows Firewall prevents communication (TCP 5985)
• Windows Remote Management (WinRM) listeners are empty in the GPO configuration
• The SSL certificate is expired or has a mismatched DNS name in the Subject Name field
• Mismatching certificate thumbprints for the WinRM "Service" and "Listener" configurations:
  Get-ChildItem -Path wsman:\localhost\Listener\<HTTPSListener>; Get-ChildItem -Path wsman:\localhost\Service;
  Remove-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\WSMAN\Listener\*+HTTPS' -Name certThumbprint
• Restart PowerShell after Enable-WSManCredSSP -Role Client
• Incorrect permissions on $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys prevent the WinRM service from reading the SSL certificate
• Windows 2008: missing Microsoft.PowerShell session configuration (use Enable-PSRemoting to resolve)
• Use the FQDN to connect to a remote system with CredSSP or SSL
• The Certificate Revocation List (CRL) is outdated; fix with: certutil.exe -CRL

Limitations
• Starting a remote session from within a remote session
• Interactive command-line utilities don't work well under remoting sessions: diskpart, nslookup, psexec
• CredSSP is required to access network resources from a remote session

Built-in Variables
• $PSSenderInfo: use this automatic variable to explore the remote session configuration (authentication type, SSL, etc.)
• $PSSessionOption: a preference variable that sets the default remote session options

TrevorSullivan@projectleadership.net
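The shell quota table above is only useful if the servers actually run those values. The following added example (not from the original slides) uses Invoke-Command fan-out to read WSMan:\localhost\Shell on each server and reports every setting that drifts from the Windows Server 2012 defaults listed on the slide; srv01 and srv02 in the usage line are placeholder names.

```powershell
# Added example: detect WinRM shell-quota drift across servers.
# Baseline values are the Windows Server 2012 defaults from the slide deck;
# pass a hardened hashtable (e.g. a shorter IdleTimeout) to audit against it.
function Test-WsmanShellQuota {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [hashtable]$Baseline = @{
            IdleTimeout          = 7200000      # milliseconds (2 hours)
            MaxConcurrentUsers   = 10
            MaxShellRunTime      = 2147483647   # milliseconds, i.e. effectively unlimited
            MaxProcessesPerShell = 25
            MaxMemoryPerShellMB  = 1024
            MaxShellsPerUser     = 30
        }
    )
    # Each remote session lists its own WSMan:\localhost\Shell container, the
    # same one the Set-Location / Get-ChildItem pair on the slide shows locally.
    $remote = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        Get-ChildItem -Path WSMan:\localhost\Shell | Select-Object Name, Value
    }
    foreach ($item in $remote) {
        # Skip settings with no baseline (AllowRemoteShellAccess is a boolean, not a quota).
        if (-not $Baseline.ContainsKey($item.Name)) { continue }
        $expected = [int64]$Baseline[$item.Name]
        $actual   = [int64]$item.Value
        [pscustomobject]@{
            ComputerName = $item.PSComputerName   # added by Invoke-Command to each result
            Setting      = $item.Name
            Expected     = $expected
            Actual       = $actual
            Drifted      = ($actual -ne $expected)
        }
    }
}

# Usage (placeholder server names): show only the settings that changed.
# Test-WsmanShellQuota -ComputerName srv01, srv02 | Where-Object Drifted | Format-Table
```

Servers that cannot be reached are reported by Invoke-Command as non-terminating errors and simply produce no rows, so an empty result set should be read together with the error stream.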
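The Session Configurations slide says a configuration can restrict both the commands and the callers; the Built-in Variables slide points at $PSSenderInfo. This added example (not from the original slides) registers a restricted endpoint that exposes only service-management cmdlets to one group and then shows what $PSSenderInfo reports about a caller. CONTOSO\ServerOps, ServiceOps and server01.contoso.com are placeholder names; run the registration part elevated on the target server.

```powershell
# Added example: a restricted session configuration plus a $PSSenderInfo probe.
$name = 'ServiceOps'
$path = Join-Path $env:TEMP "$name.pssc"

# RestrictedRemoteServer hides everything except the listed cmdlets and the
# handful the remoting protocol itself needs (Get-Command, Exit-PSSession, ...).
# NoLanguage blocks script, variables and expressions; only commands can be run.
New-PSSessionConfigurationFile -Path $path `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -ModulesToImport Microsoft.PowerShell.Management `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog' `
    -Description 'Service restart endpoint for the ServerOps group (placeholder)'
Test-PSSessionConfigurationFile -Path $path   # $true when the file parses cleanly

# SDDL: local Administrators (BA) and the delegated group get full access; no
# other allow ACE exists, so everyone else is refused at connection time.
$account = New-Object System.Security.Principal.NTAccount('CONTOSO\ServerOps')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl    = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# -Force suppresses the prompts; the cmdlet restarts the WinRM service.
Register-PSSessionConfiguration -Name $name -Path $path -SecurityDescriptorSddl $sddl -Force
Get-PSSessionConfiguration -Name $name | Select-Object Name, Permission, PSVersion

# From a client: -ConfigurationName selects the restricted endpoint. A plain
# command works; script blocks with variables or expressions are rejected there.
Invoke-Command -ComputerName server01.contoso.com -ConfigurationName $name -ScriptBlock {
    Get-Service -Name Spooler
}

# $PSSenderInfo is evaluated on the server (default endpoint used here, since
# NoLanguage would refuse the expression) and tells an endpoint who connected,
# which authentication mechanism was used and over which URL (https:// when SSL).
Invoke-Command -ComputerName server01.contoso.com -ScriptBlock {
    [pscustomobject]@{
        Caller   = $PSSenderInfo.UserInfo.Identity.Name
        AuthType = $PSSenderInfo.UserInfo.WindowsIdentity.AuthenticationType
        Endpoint = $PSSenderInfo.ConnectionString
    }
}
```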
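The CredSSP slides describe the double hop but not how to scope it. This added example (not from the original slides) enables client-side delegation to named first-hop servers only, checks the result with Get-WSManCredSSP, and runs the second hop over an FQDN as the Issues slide recommends; server01.contoso.com and \\files01.contoso.com\logs are placeholders.

```powershell
# Added example: scoped CredSSP delegation for a double-hop file access.

# --- on the first hop (server01.contoso.com), elevated: accept delegated credentials ---
# Enable-WSManCredSSP -Role Server -Force

# --- on the client: delegate only to explicit FQDNs, never to '*' or '*.contoso.com' ---
$firstHop = 'server01.contoso.com'
Enable-WSManCredSSP -Role Client -DelegateComputer $firstHop -Force | Out-Null

# Shows the client (AllowFreshCredentials targets) and server state as text;
# the first hop must appear as wsman/server01.contoso.com in the client list.
Get-WSManCredSSP

# Per the Issues slide, open a new PowerShell process after -Role Client before
# using it. With -Authentication Credssp the fresh credential is forwarded from
# server01 to the file server; a default Kerberos/Negotiate session cannot do
# that and the second hop fails with an access-denied error.
$cred = Get-Credential -Message 'Account that may read the share (placeholder)'
Invoke-Command -ComputerName $firstHop -Authentication Credssp -Credential $cred -ScriptBlock {
    Get-ChildItem -Path '\\files01.contoso.com\logs' | Select-Object Name, Length
}

# CredSSP hands the first hop a reusable copy of the user's credential, so turn
# the delegation off again once the task no longer needs it.
Disable-WSManCredSSP -Role Client
```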
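Most entries on the Issues slide concern the HTTPS listener and its certificate. The following added example (not from the original slides) checks a server for those causes in one pass: a blank or disabled listener, a Service/Listener thumbprint mismatch, an expired certificate, a DNS name that does not match the host, a missing Server Authentication EKU, and chain or CRL failures. Run it elevated on the server; it reads configuration only and returns a list of findings.

```powershell
# Added example: audit the local WinRM HTTPS listener and its certificate.
function Test-WinRMHttpsListener {
    $findings = New-Object System.Collections.Generic.List[string]
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Listener containers expose their keys as 'Transport=HTTPS', 'Address=*' ...
    $https = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    if (-not $https) { $findings.Add('No HTTPS listener defined (GPO listener left blank?)'); return $findings }

    $l = @{}
    Get-ChildItem -Path "WSMan:\localhost\Listener\$($https.Name)" | ForEach-Object { $l[$_.Name] = $_.Value }
    if ($l.Enabled -ne 'true') { $findings.Add('HTTPS listener is disabled') }
    if ($l.Port -ne '5986')    { $findings.Add("HTTPS listener bound to port $($l.Port), not 5986") }

    # The thumbprint under Service\ must agree with the one on the listener.
    $svcThumb = ((Get-Item -Path WSMan:\localhost\Service\CertificateThumbprint).Value -replace '\s', '')
    $lstThumb = ($l.CertificateThumbprint -replace '\s', '')
    if (-not $lstThumb) { $findings.Add('HTTPS listener has no certificate thumbprint'); return $findings }
    if ($svcThumb -and $svcThumb -ne $lstThumb) {
        $findings.Add("Service thumbprint $svcThumb differs from listener thumbprint $lstThumb")
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $lstThumb }
    if (-not $cert) { $findings.Add("Certificate $lstThumb is not in Cert:\LocalMachine\My"); return $findings }
    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Certificate expired on $($cert.NotAfter)") }
    # DnsNameList (a Cert: provider property) covers the Subject CN and SAN entries.
    if (@($cert.DnsNameList.Unicode) -notcontains $fqdn) {
        $findings.Add("Certificate names [$($cert.DnsNameList.Unicode -join ', ')] do not include $fqdn")
    }
    if (@($cert.EnhancedKeyUsageList.ObjectId) -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings.Add('Certificate lacks the Server Authentication EKU')
    }
    # Build the chain with online revocation checking: an unreachable or stale CRL
    # shows up here as RevocationStatusUnknown or OfflineRevocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Certificate chain validation failed: $status")
    }
    return $findings
}

# Usage: an empty result means every check passed.
# Test-WinRMHttpsListener | ForEach-Object { Write-Warning $_ }
```

The MachineKeys permission problem from the slide is not covered here because it only surfaces for the WinRM service account, not for the administrator running this script.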