- Remoting uses WinRM/WS-Man (HTTP/HTTPS) and supports 1-to-1, 1-to-many, and persistent sessions with security controls.
- Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate and a CN/SAN match.
- Results are returned deserialized; methods are invoked inside the remote script block, and custom endpoints are used for fine-grained delegation.
You may already automate many tasks with PowerShell locally, but where PowerShell Remoting really makes a difference is when you run commands on remote machines, whether a few or hundreds, interactively or in parallel. This technology, available since Windows PowerShell 2.0 and improved since 3.0, is based on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote management channel.
First, it is important to understand two key ideas: cmdlets with the -ComputerName parameter (for example, Get-Process or Get-Service) are not the long-term path Microsoft recommends, and PowerShell Remoting does not work as a "hack." In fact, it enforces mutual authentication, writes audit logs, and respects your usual permissions, without storing credentials or magically running anything with elevated privileges.
What is PowerShell Remoting and why use it?
With PowerShell Remoting you can run remotely almost any command you could launch in a local session, from querying services to deploying configurations, and do so on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (many of which use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which is more firewall-friendly, allows parallelism, and offloads the work to the remote host rather than the client.
This translates into three practical advantages: better performance in mass executions, less friction on networks with restrictive rules, and a security model consistent with Kerberos/HTTPS. In addition, because it does not depend on each cmdlet implementing its own remoting, Remoting works for any script or role that is available on the destination.
By default, recent Windows Server versions come with Remoting enabled; on Windows 10/11 you enable it with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.
Note: Remoting is not synonymous with opening everything up. By default, only administrators can connect, and actions run under their own identity. If you need fine-grained delegation, custom endpoints let you expose only the essential commands.

How it works inside: WinRM, WS-Man, and ports
PowerShell Remoting works on a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (the wsmprovhost.exe process), returning the serialized results to the client as XML over SOAP.
The first time you enable Remoting, the listeners are configured, the appropriate firewall exception is opened, and the session configurations are created. From PowerShell 6+ onward, several editions coexist, and Enable-PSRemoting registers endpoints with names that reflect the version (for example, PowerShell.7 and PowerShell.7.xy).
If you only allow HTTPS in your environment, you can create a secure listener with a certificate issued by a trusted CA (recommended). Alternatively, you can use TrustedHosts in a limited way, aware of the risk, for workgroup scenarios or non-domain computers.
Note that PowerShell Remoting can coexist with cmdlets that take -ComputerName, but Microsoft is pushing WS-Man as the standard and future-proof path for remote administration.
Enabling PowerShell Remoting and useful parameters
On Windows, simply open PowerShell as administrator and run Enable-PSRemoting. The cmdlet starts WinRM, sets it to start automatically, enables the listener, and creates the firewall rules. On clients with a public network profile, you can deliberately allow this with -SkipNetworkProfileCheck (and then harden it with specific rules):
Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force
The syntax also allows -Confirm and -WhatIf for change control. Remember: it is only available on Windows, and you must run it from an elevated console. The rules created differ between Server and Client editions, especially on public networks, where by default they are limited to the local subnet unless you widen the scope (for example, with Set-NetFirewallRule).
To list the session configurations already registered and confirm that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and Workflow endpoints appear, the Remoting framework is working.

Usage modes: 1-to-1, 1-to-many, and persistent sessions
When you need an interactive console on a single computer, turn to Enter-PSSession. The prompt will appear, and everything you run goes to the remote host. You can reuse credentials with Get-Credential to avoid re-entering them repeatedly:
$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession
If what you want is to send commands to several computers at once, the tool is Invoke-Command with a script block. By default, it launches up to 32 concurrent connections (configurable with -ThrottleLimit). Results are returned as deserialized objects (without "live" methods):
Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred
Need to call a method such as .Stop() or .Start()? Do it inside the script block, in the remote context, not on the local deserialized object, and that's it. If an equivalent cmdlet exists (Stop-Service/Start-Service), it is usually preferable to use it for clarity.
To avoid the cost of starting and ending a session on every call, create a persistent PSSession and reuse it across multiple invocations. Use New-PSSession to create the connection, and use Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you are done.
Serialization, limits, and good practices
An important detail: when they travel, objects are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot use members that execute logic (such as .Kill()) on the local copy. The solution is clear: call those methods remotely, and if you only need certain fields, filter with Select-Object to send less data.
In scripts, avoid Enter-PSSession (which is intended for interactive use) and use Invoke-Command with script blocks. If you expect many calls or need to preserve state (variables, imported modules), use persistent sessions and, where appropriate, disconnect/reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.
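The serialization boundary and persistent-session reuse described above, as an added example that is not part of the original article. It assumes the article's sample hosts dc01, sql02 and web01 are reachable and that the supplied account is an administrator on them.

```powershell
$cred = Get-Credential
# One persistent session per host, reused for every call below.
$s = New-PSSession -ComputerName dc01, sql02, web01 -Credential $cred

try {
    # What comes back is a snapshot: the type name gains a "Deserialized." prefix
    # and methods such as Stop() are no longer present on the local copy.
    $local = Invoke-Command -Session $s -ScriptBlock { Get-Service -Name W32Time }
    $local[0].PSObject.TypeNames[0]
    $local[0] | Get-Member -MemberType Method | Select-Object -ExpandProperty Name

    # State survives between calls because the remote runspace stays alive.
    Invoke-Command -Session $s -ScriptBlock { $started = Get-Date }

    # Methods are called where the live object exists: inside the remote script block.
    # Only the fields of interest are serialized back to the client.
    Invoke-Command -Session $s -ScriptBlock {
        $svc = Get-Service -Name W32Time
        if ($svc.Status -eq 'Running') {
            $svc.Stop()
            $svc.WaitForStatus('Stopped', '00:00:30')
        }
        Start-Service -Name W32Time
        Get-Service -Name W32Time |
            Select-Object Name, Status, @{ n = 'SessionAge'; e = { (Get-Date) - $started } }
    } | Select-Object PSComputerName, Name, Status, SessionAge
}
finally {
    # Always release the remote runspaces, even if a call above failed.
    Remove-PSSession -Session $s
}
```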
Authentication, HTTPS, and off-domain scenarios
In a domain, the native authentication is Kerberos, and everything flows. When the device cannot verify the server name, or you connect to an IP address or a CNAME alias, you need one of these two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) add the destination (name or IP) to TrustedHosts and use credentials. The second option disables mutual authentication for that host, so keep its scope to the minimum necessary.
Creating an HTTPS listener requires a certificate (ideally from your PKI or a public CA), installed in the machine store and bound to WinRM. Port 5986/TCP is opened in the firewall and, from the client, -UseSSL is used with the remoting cmdlets. For client certificate authentication, you can map a certificate to a local account and connect with -CertificateThumbprint (Enter-PSSession does not accept this directly; create the session first with New-PSSession).
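One way to build the HTTPS listener described above, as an added example that is not from the original article. It assumes a CA-issued server certificate is already installed in the machine store; the client-side host name web01.corp.example is a constructed placeholder.

```powershell
# --- On the server, from an elevated console ---
# The name clients will pass to -ComputerName; it must appear in the certificate.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Select an unexpired Server Authentication certificate whose DNS names cover $fqdn.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $fqdn
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server certificate matching $fqdn in Cert:\LocalMachine\My"
}

# Bind the certificate to a WinRM HTTPS listener.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -HostName $fqdn -Force

# Open 5986/TCP on domain and private profiles only.
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain, Private

# --- On the client ---
# Use the same name that is in the certificate, otherwise validation fails.
$server = 'web01.corp.example'   # constructed placeholder
Test-WSMan -ComputerName $server -UseSSL
$s = New-PSSession -ComputerName $server -UseSSL -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession -Session $s
```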
The second hop and credential delegation
The famous "double hop" appears when, after connecting to a server, you need that server to access a third resource on your behalf (for example, an SMB share). There are two approaches to allowing this: CredSSP and resource-based Kerberos constrained delegation.
With CredSSP you enable the client and the intermediary to delegate credentials explicitly, and you set a policy (GPO) to allow delegation to specific computers. It is quick to configure, but less secure because the credentials travel in clear text inside the encrypted tunnel. Always limit the sources and the destinations.
The preferred alternative in a domain is Kerberos constrained delegation (resource-based constrained delegation) in modern AD. This lets the endpoint trust delegation received from the middle tier for specific services, avoiding exposure of your identity on the initial connection. It requires recent domain controllers and an up-to-date RSAT.
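Resource-based constrained delegation for the double hop, as an added example that is not from the original article. It assumes the ActiveDirectory module (RSAT) is installed, that web01 is the middle tier, and that fs01 and its share are hypothetical names for the third resource.

```powershell
Import-Module ActiveDirectory

$middle   = Get-ADComputer -Identity 'web01'   # first hop (the host you remote into)
$resource = Get-ADComputer -Identity 'fs01' `
    -Properties PrincipalsAllowedToDelegateToAccount   # hypothetical file server

# Set-ADComputer overwrites the list, so merge with whatever is already allowed.
$allowed = @($resource.PrincipalsAllowedToDelegateToAccount) + $middle.DistinguishedName |
    Where-Object { $_ } | Select-Object -Unique

# The resource, not the middle tier, declares whom it accepts delegation from.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $allowed

# Review the result; this list should stay as short as possible.
Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# The middle tier may hold cached Kerberos results for the machine account;
# purging the SYSTEM logon session's tickets makes the change effective sooner.
Invoke-Command -ComputerName $middle.DNSHostName -ScriptBlock { klist purge -li 0x3e7 }

# Check that the second hop now works without CredSSP.
Invoke-Command -ComputerName $middle.DNSHostName -ScriptBlock {
    Test-Path '\\fs01\share'   # hypothetical share
}
```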
Custom endpoints (session configurations)
One of the gems of Remoting is being able to register connection endpoints with tailored capabilities and limits. First you create a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, ExecutionPolicy, LanguageMode, and so on), and then you register it with Register-PSSessionConfiguration, where you can set RunAsCredential and the permissions (SDDL, or the GUI with -ShowSecurityDescriptorUI).
For safe delegation, expose only what is necessary with -VisibleCmdlets/-VisibleFunctions and disable free scripting where appropriate with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone could use a script block to invoke commands that were not exposed, which, combined with RunAs, would be a hole. Design these endpoints with a fine-tooth comb and document their scope.
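A constrained endpoint of the kind described above, as an added example that is not from the original article. The endpoint name W32TimeOps, the file path and the choice of exposed commands are hypothetical; web01 is one of the article's sample hosts.

```powershell
# --- On the server, from an elevated console ---
$pssc = "$env:ProgramData\Endpoints\W32TimeOps.pssc"   # hypothetical path
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null

# RestrictedRemoteServer starts from a minimal command set. NoLanguage rejects
# arbitrary script, so callers cannot reach commands that are not listed here.
# (FullLanguage together with RunAs would let a caller run anything as that account.)
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'W32Time' }
    }

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is not valid"
}

# Register it; the dialog opened by -ShowSecurityDescriptorUI decides who may connect.
Register-PSSessionConfiguration -Name 'W32TimeOps' -Path $pssc `
    -RunAsCredential (Get-Credential) -ShowSecurityDescriptorUI -Force

# --- On the client ---
$s = New-PSSession -ComputerName web01 -ConfigurationName W32TimeOps

# Lists only the exposed commands plus the restricted defaults.
Invoke-Command -Session $s -ScriptBlock { Get-Command }

# Allowed: the one service the endpoint permits.
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name W32Time }

# Rejected: the ValidateSet on -Name blocks every other service.
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name Spooler }

Remove-PSSession -Session $s
```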
Domains, GPOs, da Groupware
A cikin AD zaku iya tura Powershell Remoting a sikelin tare da GPO: ba da izinin daidaitawa ta atomatik na masu sauraron WinRM, saita sabis ɗin zuwa atomatik, da ƙirƙirar ban da Tacewar zaɓi. Ka tuna cewa GPOs suna canza saituna, amma ba koyaushe suna kunna sabis ɗin nan take ba; wani lokacin kuna buƙatar sake farawa ko tilasta gpupdate.
A cikin ƙungiyoyin aiki (wanda ba na yanki ba), saita Remoting tare da Kunna-PSRemoting, saita TrustedHosts akan abokin ciniki (winrm saita winrm/config/abokin ciniki @{TrustedHosts=»host1,host2″}) da amfani da takaddun shaida na gida. Don HTTPS, zaku iya hawa takaddun takaddun hannu, kodayake ana ba da shawarar amfani da amintaccen CA da tabbatar da sunan wanda za ku yi amfani da shi a cikin -ComputerName a cikin takardar shaidar (CN/SAN match).
Maɓallin cmdlets da syntax
Kadan na kwamandojin sun rufe 90% na al'amuran yau da kullun. Don kunna / kashe:
Enable-PSRemoting
Disable-PSRemoting
Interactive 1-to-1 session and exit:
Enter-PSSession -ComputerName SEC504STUDENT
Exit-PSSession
1-to-many, with parallelism and credentials:
Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred
Persistent sessions and reuse:
$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s
Testing and WinRM utilities:
Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https
Practical notes on firewall, network, and ports
Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for the public profile, it is limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should assess according to your risk).
If you use SOAR/SIEM integrations that run remote commands (for example, from XSOAR), make sure the server has DNS resolution to the hosts, connectivity to 5985/5986, and credentials with sufficient local permissions. In some cases, NTLM/Basic authentication may need adjusting (for example, using a local user in Basic with SSL).
Enable-PSRemoting parameters (operational summary)
-Confirm asks for confirmation before executing; -Force ignores the warnings and makes the necessary changes; -SkipNetworkProfileCheck enables Remoting on public client networks (limited by default to the local subnet); -WhatIf shows you what would happen without applying changes. In addition, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, etc.).
Remember that "Enable" does not create HTTPS listeners or certificates for you; if you need end-to-end encryption from the start and certificate-based authentication, configure the HTTPS listener and validate the CN/SAN against the name you will use in -ComputerName.
Useful WinRM and PowerShell Remoting commands
Some everyday essentials to keep at hand:
winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host
Enter-PSSession -ComputerName host
Enable-PSRemoting -SkipNetworkProfileCheck -Force
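A read-only review of the settings discussed in this article (listeners, TrustedHosts, Basic authentication, firewall scope, and endpoint language mode), as an added example that is not from the original article. It changes nothing and assumes an elevated console on the host under review.

```powershell
$review = [System.Collections.Generic.List[string]]::new()

# 1. Listeners: note plain-HTTP listeners and HTTPS listeners without a certificate.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | ForEach-Object {
    if ($_.Transport -eq 'HTTP') {
        $review.Add("HTTP listener on port $($_.Port), address $($_.Address)")
    } elseif (-not $_.CertificateThumbprint) {
        $review.Add("HTTPS listener on port $($_.Port) has no certificate bound")
    }
}

# 2. TrustedHosts: every entry gives up mutual authentication for that host.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') {
    $review.Add('TrustedHosts is a wildcard: no server identity is verified')
} elseif ($trusted) {
    $review.Add("TrustedHosts entries to justify: $trusted")
}

# 3. Basic authentication and unencrypted traffic on the service side.
if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
    $review.Add('Basic authentication is enabled on the WinRM service')
}
if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
    $review.Add('The WinRM service accepts unencrypted traffic')
}

# 4. Firewall: WinRM rules whose scope was widened to any remote address.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $review.Add("Firewall rule $($_.Name) ($($_.Profile)) accepts any remote address")
        }
    }

# 5. Endpoints that run as another account without a restricted language mode.
Get-PSSessionConfiguration |
    Where-Object { $_.RunAsUser -and $_.LanguageMode -notin 'NoLanguage', 'RestrictedLanguage' } |
    ForEach-Object { $review.Add("Endpoint $($_.Name) runs as $($_.RunAsUser) with unrestricted language") }

$review
```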
When you manage Windows at scale, Remoting lets you move from "computer-by-computer" work to a systematic and secure approach. By combining persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints, and clear audit trails, you gain speed and control without sacrificing security or auditing. If you also standardize enablement through GPO and master the special cases (TrustedHosts, double hop, certificates), you will have a solid remote platform for day-to-day operations and incident response.
Editor specializing in technology and internet topics with more than ten years of experience in various digital media. I have worked as an editor and content creator for e-commerce, communications, online marketing, and advertising companies. I have also written for economics, finance, and other sector websites. My work is also my passion. Now, through my articles at Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.