Remote Powershell in domain environment
Sometimes you need to run some command on remote computer. If you don’t want to bother user using Remote Assistance or user is not at the computer you can try Remote Powershell. Powershell was new feature when Windows Vista and Windows Server 2008 came. So we can divide operating systems into three categories. Each category requires some things and some requirements.
Windows 7 / Windows Server 2008 R2 and higher
-
Needs to open ports in firewall (is your firewall is not open all the way)
- Needs to enable and configure WinRM
- Needs to configure WinRM service to run
Windows Vista / Windows Server 2008
- Needs everything from first group
- Needs to install PowerShell 2.0
Windows XP / Windows Server 2003
- Needs everything from second group
- Needs to install .NET Framework
Probably your environment will be mixed of all three types of operating systems. So let’s look how to configure it. I will use GPOs everywhere it can be used.
Enable Remote PowerShell for Windows Vista and Windows Server 2008
Create GPO and set following:
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow automatic configuration of listeners (Allow Remote Server management through WinRM):
Firewall exceptions
Firewall exceptions for Windows 7 / Windows Server 2008 and higher
If you have Microsoft firewall closed and you need to make exception using GPO in Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions:
Firewall exceptions for Windows XP / Windows Server 2003
You have to define New Firewall rule under Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules and create new Inbound rule with predefined type “Windows Remote Management”:
Configure Service
To enable Remote Powershell I need to configure service. WinRM service has to start automatically. Create new setting in GPO in Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Setup service Windows Remote Management (WS-Management) following way:
Let’s change startup for this service using GPO settings under Computer Configuration > Preferences > Control Panel Settings > Services. Create new Service setting with following settings:
Windows XP / Windows 2003 specialities
To make Powershell work remotely on older operating systems you need to make sure your operating systems have installed two hotfixes: KB968930 and KB951847. These hotfixes are distibuted via Windows Updates so if you use WSUS, there updates are already on your older operating systems.
To enable PowerShell for remote connection you need to enable it using startup script. So you need to create new GPO which will run only on older OS. You can use following WMI filter to make this GPO apply only on older OS:
You can use following script as a startup script to enable Powershell Remote for Windows XP.
To test it you can run following command:
Enter-PSSession -ComputerName COMPUTER_NAME
Active Directory Users and Computes Implementation
To make it look better you can implement connection to computer using Active Directory Users and Computers.
On location \\domain.local\NETLOGON create new Powershell.vbs file:
' ' Script to run Remote Powershell on domain computer ' Set wshArguments = WScript.Arguments Set objComputer = GetObject(wshArguments(0)) ' ' Check if Remote Assistance is installed ' Set fso = CreateObject("Scripting.FileSystemObject") If (fso.FileExists("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe")) Then ' Is istalled Set objShell = WScript.CreateObject("WScript.Shell") Return = objShell.Run("C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit \\domain.local\NETLOGON\Remote_Session.ps1" & objComputer.dNsHostName, 1, false) Else ' Is not installed, error. Wscript.Echo "Microsoft Remote PowerShell is not enabled on this machine." End If
On location \\domain.local\NETLOGON create new Remote_Session.ps1 file:
[CmdletBinding()] Param( [Parameter(Mandatory=$True,Position=1)] [string]$computerName ) Enter-PSSession -ComputerName $computername
When files are ready, you need to create new record in Active Directory using adsiedit.msc. Connecto to configuration partition of your domain:
Go to Configuration > CN=Configuration,DC… > CN=DisplaySpecifiers > CN=409 > CN=computer-Display and edit property called adminContextMenu.
Add another record into existing list of records. I used following record:
3, &PowerShell Remote,\\domain.local\NETLOGON\Powershell.vbs
which means:
3 – order of record in the list of records (if you have only one existing record, your number will be 2)
&PowerShell Remote – name of the item in context menu
\\domain.local\NETLOGON\Powershell.vbs – path to vbs script you created
Here is how it looks in one of the environments:
When all is done, your Active Directory Users and Computers console has to be reopened and you will find new record under computer account:
When you click on this new item in context menu new powershell window opens. This powershell window is remote powershell windows from remote computer.
I hope people start using powershell more often,
Zdravicko, mne ososbne sa to riesnie nepaci z bezpecnostneho hladiska. V pripade povolenia WinRM by bol urcite idelane povolit iba urcity rozsah IP adries (managment server). Roznych moznosti ako zneuzit remote powershell je strasne vela a dvere su takto otvorene. Takto nastavenie prostredie je idealne pre amatersky hacking. Ale mozno som paranoik. Ja viem ze od verzie WS2012 R2 je WinRM na serveroch defaul povolene a MS sa toho neboji, ale mne napadlo hned par sposobou ako to na desktope zneuzit. Power shell je strasne silny nastroj a treba sa k nemu aj tak spravat.
In english (short version): I think your solution is weak in security. Powershell is very powerful tool at least you should configure WinRM listeners to limit IP adress range.
@Michal_F
Naviem o ziadnej ceste ako zneuzit otvorene WinRM, ale budem rad ak sa s nami podelis s nejakym 🙂
Taktiez je na tebe ako si ten firewall na danych masinach nastavis. Samozrejme je lepsie specifikovat len niektore IP z ktorych je mozne robit WinRM.
No treba iba trochu fantazie, ale v podstae ide o zneuzitie urcitej skupiny lokalnych administratorov. Ja mam v zivej pamati ako sa u nas rozsiril Configer, a podobne to bude mozno pride nieco aj po ukonceni podpory Windows XP. Ak sa na niektorom pc podari spustit skodlivy kod s dostatocnymi pravami v podstate sa jeho sirenie nebude dat zabranit, pretoze WinRM je oficialna diera do systemu. Ak niekdo ma prava administratora na PC moze ti kludne z pamate ukradnut credentials a pouzit. Pekny clanok na tuto temu mal aj Ondrej sevecek, aj ked tam popisoval Terminal Server, ale preco by skodlivy kod beziaci ako systemovy proces nemohol fungovat podobne. Druha vec je bezpecnost z pohladu umyselneho hackingu … ale ako som pisal niesom bezpecak …Tam uz su zaujmave prve technologie ako secure boot, bitlocker, …. Priklad z praxe, skoncila podpora, a dodavatel nedodal heslo lokalaneho admina, kedze chalani mali fyzicky pristup k masine tak pomocou bruteforce utoku a rainbow tabulky zisitlili heslo za cca 11minut (islo o WinXP), rovnake heslo bolo potom nastavene aj na ostatnych PC … ja viem ze su to viac teoreticke ale nie nerealne pripady co sa moze stat.