KB ID 0001036
Problem
One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.
What is PowerShell Web Access?
It’s a web service that runs on a Server 2012 IIS web server. It lets you connect to that host over https and then open a secure PowerShell session to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell without needing PowerShell on your remote machine; as demonstrated below, that machine does not even have to be Windows. It just needs a browser that can run JavaScript and accept cookies.
You Expect Me to Open All My Servers To Remote Management?
In a word, yes. In fact if you have Server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management service on your legacy machines, DO SO! If not, the modern domain management tools will gradually stop working. As far as Microsoft is concerned, PowerShell is the tool that all the management tools will be built on.
In fact, if you are a security conscious type, you probably already have domain services in your DMZ; think of this as a secure ‘reverse-proxy’, whose traffic is secured by SSL and Kerberos.
Solution
Setting Up PowerShell Remote Access
1. PowerShell Web Access is a ‘Windows feature’; add it with the following command;
[box]
Add-WindowsFeature WindowsPowerShellWebAccess
[/box]
2. Now it’s available, you can install it like so;
[box]
Install-PswaWebApplication
[/box]
Note: My target server is already running IIS and has a certificate binding for https; yours probably does not. If so, generate a self-signed certificate and assign it like so;
[box]
Install-PswaWebApplication -UseTestCertificate
[/box]
Obviously in production replace this certificate with either a publicly signed one, or one from your own PKI environment.
3. Now you need to allow access. The following rule allows all users to connect to all machines using any session configuration (Note: I would not recommend this for a production environment, see the next step).
[box]Add-PswaAuthorizationRule * * *[/box]
4. As I said above, let’s be a little more secure. I’ve created a computer group for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do (the configuration name is still a wildcard); you could give granular remote access to different levels of administrative groups using this, if that’s a requirement see this article.
[box]
Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigurationName *
[/box]
5. Now connect to the server over https. The installation creates a virtual directory called pswa, so browse to https://{ip address or hostname}/pswa.
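Building on steps 3 and 4, the following is an added example (not part of the original article) showing how to drop the wildcard rule, publish a constrained session configuration on the managed servers, scope a PSWA rule to that endpoint and then test who is admitted. The endpoint name PswaOps, the host SRV01.petenetlive.local and the accounts PETENETLIVE\psadmin and PETENETLIVE\helpdesk1 are placeholders; the two group names are the article’s own.

```powershell
# Added example, not from the original article. Group names are the
# article's; 'PswaOps', 'SRV01.petenetlive.local' and the PETENETLIVE
# accounts are placeholders you would replace with your own.

# --- Run on each managed server (elevated): publish a constrained endpoint
# A RestrictedRemoteServer session exposes only the listed cmdlets and runs
# in NoLanguage mode, so a PSWA user authorised for this endpoint cannot
# run arbitrary commands or scripts on the host.
$cfg = Join-Path $env:TEMP 'PswaOps.pssc'
New-PSSessionConfigurationFile -Path $cfg `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog'
# Registering restarts the WinRM service briefly.
Register-PSSessionConfiguration -Name PswaOps -Path $cfg -Force

# --- Run on the PSWA gateway: replace the wildcard rule with a scoped one
# Step 3's '* * *' rule lets every user reach every endpoint on every host;
# remove it so the group-scoped rule below is the only way in.
Get-PswaAuthorizationRule |
    Where-Object { $_.User -eq '*' -and $_.Destination -eq '*' } |
    Remove-PswaAuthorizationRule -Force

# Admin group -> computer group, but only via the constrained endpoint.
Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers `
    -UserGroupName petenetlivePSAdmins -ConfigurationName PswaOps

# --- Verify the rule set behaves as intended before handing out the URL.
# Returns the matching rule(s) when access is allowed, nothing when denied.
$checks = @(
    @{ User = 'PETENETLIVE\psadmin';   Config = 'PswaOps';                      Expect = 'allowed' }
    @{ User = 'PETENETLIVE\psadmin';   Config = 'Microsoft.PowerShell';         Expect = 'denied'  }
    @{ User = 'PETENETLIVE\helpdesk1'; Config = 'PswaOps';                      Expect = 'denied'  }
)
foreach ($c in $checks) {
    $match = Test-PswaAuthorizationRule -ComputerName 'SRV01.petenetlive.local' `
        -UserName $c.User -ConfigurationName $c.Config
    $result = if ($match) { 'allowed' } else { 'denied' }
    "{0,-24} {1,-24} {2,-8} (expected {3})" -f $c.User, $c.Config, $result, $c.Expect
}
```

Test-PswaAuthorizationRule evaluates group membership against the directory, so run it as an account that can resolve the groups; a row whose result differs from the expectation means a rule is broader or narrower than you think.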
PowerShell Web Access – It Doesn’t Work!
If at this point there’s a problem, ensure the gateway server and the machine you are trying to connect to have comms (can they ping each other by name and IP?). Most importantly, the machine you need to connect to needs to have WinRM running and its firewall configured properly.
Configure Windows Remote Management for a Single Host
From an elevated command prompt execute the following command and follow the on-screen prompts;
[box]WinRM QuickConfig[/box]
Configure Windows Remote Management via Group Policy
A better approach would be to configure your hosts via GPO. You can find the correct GPO at;
[box]
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'
[/box]
Enable the policy and select which networks you want to allow remote connections from; above I’ve simply used asterisks to denote ‘all addresses’.
Providing all is well, you should have PowerShell access.
PowerShell from an Apple IOS Device (iPad shown)
PowerShell from an Android Device (Samsung Note shown)
Related Articles, References, Credits, or External Links
NA