PowerShell is a powerful, yet simple scripting language and command-line interface for system administration. PowerShell Remoting allows you to run remote commands on your local computer from anywhere in the world. This article gives an overview of how it works, what its benefits are and some common use cases.,
PowerShell Remoting is a technology that allows administrators to remotely control their servers and workstations from the command line. This article will teach you how to use PowerShell Remoting in your daily life. Read more in detail here: what is powershell remoting.
PSRemoting (PowerShell Remoting) is one of the most often utilized functionalities in PowerShell. Why? It’s because it’s so beneficial! You may connect to one or hundreds of distant machines and execute tasks with a single command.
In this Ultimate Guide, you’ll learn all there is to know about PSRemoting. You’ll discover what PSRemoting is, how it works, and all of the technologies that make it possible. PSRemoting will not be covered in this tutorial. Throughout the book, there are several references to many of our how-to guides.
PSRemoting, in a nutshell, enables you to perform commands on distant computers as if you were in front of them. PSRemoting is a collection of capabilities that connects and authenticates a user, executes remote commands, and returns any output to the local computer.
Consider PSRemoting to be similar to telnet, SSH, or even psexec. It’s merely a means for PowerShell to perform commands on computers.
PSExec: The Ultimate Guide is a related article.
PSRemoting depends largely on a notion known as a session. A remote shell that performs commands inside is referred to as a session. In the background, multiple stages are involved in creating one of these sessions.
When you start a PSRemoting session, the following procedures are followed roughly:
- On a WinRM listener, the client tries to connect to the target server (more on Listeners of WinRm below). On the destination server, a WinRM listener is a small web service. WinRM is Microsoft’s implementation of the WSMan standard. WSMan is an open standard that was developed in collaboration with a number of other significant tech firms at the time, including Dell, Intel, and Sun Microsystems.
- The authentication procedure starts when the client connects to the listener using the HTTP or HTTPS protocol. All of the intricacies of each authentication technique will be discussed later, but for now, just remember that the client must transmit credentials to the server in some way.
- PSRemoting generates a session once the client connects and authenticates to the server.
- After PSRemoting has created the session, it is ready to use. The client may now start delivering data to the server, with the server returning any appropriate output, which is known as serialization. Typically, this communication is encrypted.
Using PSRemoting to create a PSSession
Listeners for WinRM are now available for connection.
When a client connects across the network, it requires a place to connect to. The client must “speak” to something on the other side that is “listening”; this “listening” is performed by the WinRM listener.
Using the winrm command, you may see all of the Listeners of WinRm operating on any Windows PC.
winrm e winrm/config/listener/winrm/config/listener/winrm/config/listener/win
Listeners of WinRm
Listeners of WinRm have a few important components. They have:
- The IP address to which they bind is referred to as the listening address. The IP address to which a client connects.
- The kind of transport — Every WinRM listener requires a mechanism to interact with the client; this is accomplished through an HTTP or HTTPS transport.
- When a WinRM listener utilizes HTTPS as the transport protocol, it needs know the private key to use to authenticate the client; this key is retrieved via a Certificate thumbprint.
When possible, use an HTTPS listener. By assuring server validity and encrypting both authentication and transport traffic, HTTPS transport improves security. Use a trustworthy Certificate from a certifying authority rather than a self-signed Certificate when issuing a Certificate.
Validating a Server with Trusted Hosts
How Does PSRemoting Authentication Work With WinRM?
Authentication is one of the initial stages that PSRemoting does, as indicated above. One of the most difficult yet crucial aspects of PSRemoting is authentication.
When PSRemoting was initially released, it only had one authentication method: Windows Remote Management (WinRM), but you can now now use SSH, as you’ll discover later.
A username and password or a Certificate with multiple sorts of authentication for a username/password combination are the two types of authentication supported by WinRM.
Authentication from the Ground Up
Starting at the easiest, yet most insecure type of authentication is Authentication from the Ground Up. This type of authentication is a standard built into the HTTP protocol. Authentication from the Ground Up sends a base64 encoded copy of the username and password in the HTTP header from the client to the listener.
Because Authentication from the Ground Up only encodes the username and password and does not encrypt it, it’s trivial to intercept the credentials over the network.
Do not use Authentication from the Ground Up unless you absolutely have to. There are many other more secure methods WinRM can authenticate!
Kerberos Authentication is a kind of authentication that uses the Kerberos protocol
Are both your client and server in an Active Directory environment? If so, you’re using already using Kerberos Authentication is a kind of authentication that uses the Kerberos protocol across many of your network services.
When the WinRM client tries to connect to a WinRM listener through Kerberos, it encounters the following error:
- The server tries to get the client’s session key or ticket-granting-ticket from a domain controller first.
- If both the client and the server are legitimate and trusted, the domain controller provides the token.
- The server then uses the trusted token rather than the username and password to verify the client’s connection.
During Kerberos Authentication is a kind of authentication that uses the Kerberos protocol, the domain controller validates both the client and server during the ticket retrieval steps stopping someone malicious from impersonating the server.
Kerberos is a well-established and secure authentication technique that is used by default when a client and server are both members of an Active Directory domain. However, both the client and the server must be members of the same Active Directory forest or have a forest trust established.
Repairing Active Directory Trust Relationships for the Long Run
Authentication should be discussed.
WinRm may also try to utilize Kerberos, and if that fails, it can fall back to using the NT Lan Manager authentication protocol (NTLM).
When using NTLM, keep the following in mind:
- The server transmits a string to the client.
- The string is then encrypted with a hash of the user’s password by the client.
- The username, original string, and encrypted string are then transmitted back to the server, which transmits the username, original string, and encrypted string to a domain controller.
- The domain controller then searches for that user’s password hash and verifies that it matches by repeating the encryption procedure on the string.
NTLM is useful for certifying the client, but it does not validate the server, unlike Kerberos. This opens the door to a variety of attacks in which an attacker impersonates the server.
By verifying the server with a server authentication Certificate and attaching it to an HTTPS WinRM listener, you may increase NTLM security. In this configuration, the client uses NTLM to authenticate against the domain controller, while the server uses a trusted Certificate. The NLTM protocol employs an older encryption cipher with an obsolete key size, despite the fact that it enables client and server authentication.
As a result, NLTM can only be used if the server is added to the trusted host list or if an HTTPS listener is used.
One of the most uncommon authentication methods to use in WinRM is Authentication Digest. NTLM and Digest are similar authentication methods. Like NTLM, Digest generates a unique string that is encrypted with the hash of the user’s password. The password then doesn’t need to be sent to the server.
The MD5 hashing method is used to encrypt the password in Digest. Digest is widely considered outdated and should not be utilized as a result of this algorithm decision. MD5 has a number of documented flaws that make it unsuitable for use in cryptography.
Provider of Credential Security Support (CredSSP)
We could go through CredSSP’s ins and outs, but it’s not essential. Why? Because when it comes to PSRemoting with WinRM, CredSSP is often used to solve one issue: the “second hop problem,” which we’ll go over in more detail below.
When configured for CredSSP authentication, the WinRM client and server both use Authentication should be discussed. to authenticate both the user and client. But once completed, the user’s password is sent to the server.
The password is now encrypted since it is sent after the authentication procedure is complete. CredSSP encrypts the password using the TLS session keys, ensuring that the encrypted string is unique across sessions.
CredSSP is useful since it allows the server to connect to anything on your behalf after authentication. When this occurs, however, you are placing your whole confidence in the server to which you have connected with your user password.
Authentication Using Certificates
Arguably the most secure method of authentication to use with PSRemoting is Authentication Using Certificates. In this method of authentication, a typical key exchange happens with a private and public key on the client and a server validating the Certificate.
By mapping a user on the server into WinRM, WinRM authenticates the user. The public key is the only item passed throughout the authentication process, making it an extremely secure kind of authentication.
Although the most secure, Authentication Using Certificates is not too common. Why? Simply because of the leg work necessary to set it up. You must:
- Create a certification authority.
- Make a Certificate for user authentication.
- Distribute the public key.
- Make use of a local user account with the necessary rights (Administrators group probably)
- Create an HTTPS listener.
- …as well as other stages.
Even though the client and server are both members of Active Directory, you can’t utilize a domain user to authenticate with Certificates.
How to Configure WinRM over HTTPS is a related topic.
Default Authentication in the Windows Operating System
How do you know which authentication alternatives are accessible out-of-the-box now that you’ve seen how many there are? A table with two columns shows if the WinRM client is enabled by default and whether that particular authentication type is enabled by default.
Although all of the aforementioned authentication methods may be customized, the table below will give you a decent indication of what you’ll need to do so.
Default Authentication in the Windows Operating System
The Problem of the Second Hop, often known as the Double-Hop Problem
The “second hop problem,” often known as a “double-hop,” is one of the most serious problems with PSRemoting. This happens when you use PSRemoting to connect to a remote system and then need to connect to another distant machine.
This is an issue since the server only confirms the identity of the originating client when the WinRm client authenticates to the first distant machine. The password is not sent to the server. When you try to connect to the second computer from the first connection’s server, the final server has no method of verifying the user’s identity.
CredSSP is a service provided by CredSSP. or Kerberos Delegation, you can overcome the double-hop issue in a number different methods.
CredSSP is a service provided by CredSSP.
The most common way to get around the double-hop problem is by CredSSP is a service provided by CredSSP.. CredSSP authentication gets around this situation by storing a user credential on the first remote server which the server turned client can then pass to the second remote server.
There’s one catch to CredSSP is a service provided by CredSSP. though. The user credential stored on the first remote server can be stored in plain-text thus introducing an obvious security concern. In newer operating systems a hash of the password and the Kerberos Ticket Granting Ticket (TGT). These can be used together to authenticate as the user anywhere on the network just like a plain-text password, but it does lower the risk a little.
Negotiate sends information back and forth between the client and server to verify that they are who they say they are, but the user’s password is never revealed. Because of this security feature, the first server will not be able to authenticate you when you connect to the second server.
Kerberos Delegation in Action
As previously stated, Kerberos is a popular method of configuring PSRemoting. It’s incredibly prevalent since it’s part of the ubiquitous Active Directory and is already set up by default. Kerberos is a good solution to authenticate WinRM on its own, but it doesn’t solve the double-hop issue.
You may avoid the double-hop issue by using Kerberos Delegation, a second method of authentication. Although there are several types of Kerberos Delegation, only Kerberos Constrained Delegation, especially resource-based Kerberos Constrained Delegation, is capable of (and safe enough) serving as an alternative to CredSSP.
Resource-based Kerberos Constrained Delegation is a form of delegating Kerberos Authentication is a kind of authentication that uses the Kerberos protocol tokens based on domain resources, like computers, in this case, that is constrained to a specific list of Kerberos (Active Directory) objects.
You must update the ADComputer object of the third machine in the chain to setup this Kerberos delegation. If you want to remote from ClientA to ServerB to ServerC, for example, you’ll need to change the ADComputer object for ServerC, but you’ll also need to know what ServerB is. Run the following command in PowerShell for this example:
Making use of resource-based Kerberos Delegation is compatible with remote connections such as…. or…, but not with PSRemoting. When utilizing PSRemoting to connect to a computer using WinRM, you will not be able to connect to a third machine.
Creating a resource-based organization Using the Set-ADComputer cmdlet, Kerberos Constrained Delegation is a one-line PowerShell command. For example, if you’re connected to ServerB through PSRemoting from ClientA and wish to connect to ServerC via…., perform the PowerShell command below.
Set-ADComputer -Identity ServerC -PrincipalsAllowedToDelegateToAccount ServerB Set-ADComputer -Identity ServerC -PrincipalsAllowedToDelegateToAccount ServerB Set-ADComputer
How to Install the Active Directory Module is a related topic.
For 15 minutes, WinRm caches unsuccessful connections. Even after setting up resource-based Kerberos Constrained Delegation, you may be unable to connect to the third machine due to this feature. To fix it, use the command klist purge -LI 0x3e7 on the third machine to delete the failed Kerberos tokens.
How Does PSRemoting SSH Authentication Work?
Although WinRm authentication is the most frequent means of PSRemoting authentication, you now have another option with PowerShell v6: SSH. PSRemoting may be used with Linux if you use SSH as the authentication mechanism.
PSRemoting with Windows and Linux: How to Set It Up
SSH, unlike WinRm, needs some extra client and server settings, such as installing an SSH client on the Windows client and…
Using PowerShell with Chocolatey to Install OpenSSL
When you use SSH to handle authentication, you’re restricted to the authentication methods that SSH provides. This reduces the number of options to just two: password-based and public-key-based.
Other kinds of authentication are offered by SSH, but they are often regarded as less secure than the password and public-key based alternatives, so we’ll stick to these two.
Authentication using a password
Password-based authentication is the simplest approach to set up SSH authentication using PSRemoting. Password-based authentication enables you to verify your identity by providing a password.
The password is exchanged when the SSH connection is established, and the password is encrypted during transmission in the SSH authentication procedure. Unlike some other WinRM authentication methods, such as Kerberos, this authentication technique sends the whole password to the server.
You can sorta compare SSH Authentication using a password to the WinRM authentication method Basic using an HTTPS listener. The password itself is not protected in any meaningful way, but the entire connection, including the password, is encrypted based and the server is validated based on a Certificate.
Authentication using Certificates
While password-based authentication is simple to set up and use, it has two drawbacks.
- The first is that there is no secure method to authenticate in an unattended manner.
- Authentication using a password still sends a password across the network. While the password is encrypted within the SSH connection, the server receives the whole password. If the server is in some way compromised, it could become a security issue.
Authentication Using Certificates, on the other hand, does not send any sensitive data across the network like the password. Instead, the server has a copy of a public key, the client has a copy of the private key and the negotiations happens on the server.
The following is a preliminary workflow:
- When a client tries to authenticate, it transmits the public key’s ID or fingerprint to the server.
- If the public key is permitted on the server, it answers with a string encrypted with the public key.
- The client then uses the private key to decode the string.
- After that, the private key is hashed with a session ID.
- The server receives the session ID and compares it to the hash that was constructed using the original text and session ID.
- If the client’s session ID hash matches the server’s session ID, the client is authenticated and authorized to connect.
Anything encrypted with the public key can only be decoded with the private key that corresponds to it. Only the public key can decode anything encrypted with the private key. The session ID is also included in order to achieve Perfect Forward Secrecy (PFS).
PFS ensures safety. If the attacker gets his hands on the private key, he won’t be able to decode all of the communications that were sent back and forth. The shared secret used to encrypt communication is distinct for each session with a unique session ID.
Authentication Using Certificates with SSH, like WinRm, does require additional effort to set up such as generating the private/public key paid and authorizing the public key on the remote server.
To connect, you’ll need to have certain permissions.
Administrators and Remote Management Users are the two local categories of users who may connect to a server remotely using PSRemoting by default.
On a remote server, you may simply add user accounts to the local Administrators group, but you should always grant the least degree of access. If a user just needs to access to a distant machine using PSRemoting, the user account should be added to the Remote Management Users group rather than the Administrators group.
You may also utilize a feature called Just Enough Administration to further manage PSRemoting access (JEA). In PowerShell’s limited language mode, JEA enables non-administrator users to only perform particular commands as administrators.
Remoting: Implicit vs. “Explicit”
You’re undoubtedly acquainted with commands like Invoke-Command, New-PSSession, Enter-PSSession, and so on if you’ve used PSRemoting previously. When you perform these instructions, it’s evident that you’re attempting to connect to a distant computer. PSRemoting is being used explicitly.
Invoke-Command: The Most Effective Way to Run Remote Code
You’re directly performing PSRemoting-specific commands when you execute them, but did you realize there’s another way? Instead of explicitly executing Invoke-Command and other cmdlets, you may use implicit PSRemoting to take use of PSRemoting.
Implicit PSRemoting makes it seem as though the commands are being executed locally inside your PowerShell session, while they are really being executed on a remote system. Using a module that isn’t installed on your system is a nice illustration of this. Rather of installing it locally, you may export commands from a PSSession and execute them as if they were locally installed.
You can see in the screenshot below that I don’t have the Test-PendingReboot command. After that, I connected to a distant computer and exported the command.
Example of Export-PSSession
After that, if the module has been imported, I may run the Test-PendingReboot command. This is seen below, however you’ll note that the machine name in the output is the device from which the command was imported, not the device from which PowerShell is executing.
Instances of implicit remoting in action
The “check if powershell remoting is enabled” is a PowerShell command that can be used to check whether or not Powershell Remoting has been enabled. It will return true or false depending on the result.
Frequently Asked Questions
How do I use remoting in PowerShell?
A: You can use remoting to install a script that is run on another machine. To do this, open PowerShell and type the following command line:
PowerShell -Command C:\path\to\script.ps1
Should I enable PowerShell remoting?
A: No, PowerShell remoting is not required for this particular solution.
What is PS remoting in PowerShell?
A: Powershell remoting is a way to execute PowerShell commands on multiple computers from one instance of the Windows Explorer.
- powershell remoting winrm
- powershell remoting port
- enable-psremoting gpo