How to control your PC from your mobile phone with PowerShell Remoting

Last updated: 15/10/2025

  • Remoting uses WinRM/WS-Man (HTTP/HTTPS) and allows 1-to-1, 1-to-many, and persistent sessions with security controls.
  • Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate and a CN/SAN match.
  • Results are returned deserialized; methods are invoked inside the remote scriptblock, and custom endpoints are used for fine-grained delegation.

PowerShell Remoting

You may already automate many tasks with local PowerShell, but where PowerShell Remoting really makes the difference is when you run commands on remote machines, whether a few or hundreds, interactively or in parallel. This technology, available since Windows PowerShell 2.0 and enhanced since 3.0, is based on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote management channel.

First, it is important to understand two key ideas: cmdlets with the -ComputerName parameter (e.g., Get-Process or Get-Service) are not the long-term path recommended by Microsoft, and PowerShell Remoting does not work as a "hack." In fact, it enforces mutual authentication, produces audit logs, and respects your usual permissions, without storing credentials or running anything with elevated privileges.

What is PowerShell Remoting and why use it?

With PowerShell Remoting you can run remotely almost any command that you could launch in a local session, from querying services to deploying configurations, and do so on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (many of which use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which is more firewall-friendly, allows parallelism, and offloads the work to the remote host rather than the client.

This translates into three practical advantages: better performance in large-scale executions, less friction on networks with restrictive rules, and a security model consistent with Kerberos/HTTPS. In addition, because it does not depend on each cmdlet implementing its own remoting, Remoting works for any script or role that is available at the destination.

By default, recent Windows Servers come with Remoting enabled; on Windows 10/11 you enable it with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.

Note: enabling Remoting is not the same as opening everything up. By default, only administrators can connect, and actions run under their identity. If you need fine-grained delegation, custom endpoints let you expose only the essential commands.

PowerShell Remoting Architecture

How it works inside: WinRM, WS-Man and ports

PowerShell Remoting works on a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (wsmprovhost.exe process), returning serialized results to the client in XML via SOAP.

The first time you enable Remoting, the listeners are configured, the appropriate firewall exception is opened, and the session configurations are created. From PowerShell 6+, multiple editions coexist, and Enable-PSRemoting registers endpoints with names that reflect the version (for example, PowerShell.7 and PowerShell.7.xy).

If you only allow HTTPS in your environment, you can create a secure listener with a certificate issued by a trusted CA (recommended). The alternative is to use TrustedHosts in a limited, risk-aware way, for workgroup scenarios or non-domain computers.

Note that PowerShell Remoting can coexist with cmdlets that take -ComputerName, but Microsoft is pushing WS-Man as the standard, forward-looking path for remote administration.

Enabling PowerShell Remoting and useful parameters

On Windows, just open PowerShell as an administrator and run Enable-PSRemoting. The system starts WinRM, sets it to start automatically, enables the listener, and creates the appropriate firewall rules. On clients with a public network profile, you can deliberately allow this with -SkipNetworkProfileCheck (and then harden with specific rules):

# Default: prompts before each change
Enable-PSRemoting
# Suppress the confirmation prompts
Enable-PSRemoting -Force
# Also enable on clients whose network profile is Public
Enable-PSRemoting -SkipNetworkProfileCheck -Force

The syntax also accepts -Confirm and -WhatIf for change control. Remember: it is only available on Windows, and you must run it from an elevated console. The rules created differ between Server and client editions, especially on public networks, where they are limited to the local subnet unless you widen the scope (for example, with Set-NetFirewallRule).

To list the registered session configurations and confirm that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and Workflow endpoints appear, the Remoting framework is operational.

Remote session with PowerShell

Usage modes: 1 to 1, 1 to many, and persistent sessions

When you need an interactive console on a single computer, turn to Enter-PSSession. The prompt appears, and everything you run goes to the remote host. You can reuse credentials with Get-Credential to avoid re-entering them:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

If what you are looking for is to send commands to several computers at once, the tool is Invoke-Command with a scriptblock. By default, it launches up to 32 concurrent connections (adjustable with -ThrottleLimit). Results are returned as deserialized objects (without "live" methods):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Need to call a method such as .Stop() or .Start()? Do it inside the scriptblock, in the remote context, not on the local deserialized object, and that's it. If an equivalent cmdlet exists (Stop-Service/Start-Service), it is usually preferable to use it for clarity.

To avoid the cost of starting and ending sessions on every call, create a persistent PSSession and reuse it across multiple invocations. Use New-PSSession to create the connection, and Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you're done.

Serialization, limits and good practices

An important detail: in transit, objects are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot use members that execute logic (such as .Kill()) on the local copy. The solution is obvious: call those methods remotely, and if you only need certain fields, filter with Select-Object to send less data.
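The behaviour described here, and in the earlier note on .Stop()/.Start(), can be seen with the following added example (not part of the original article). The host names web01 and sql02 and the Spooler service are assumptions chosen for illustration.

```powershell
# Added example. 'web01' and 'sql02' are hypothetical remoting-enabled hosts;
# Spooler is only a sample service.
$targets = 'web01', 'sql02'

# 1) The result is a property-only snapshot of the remote object.
$svc = Invoke-Command -ComputerName $targets -ScriptBlock { Get-Service -Name Spooler }

# The type name carries a "Deserialized." prefix, and Get-Member lists no
# ServiceController methods such as Stop() or Start().
$svc[0].PSObject.TypeNames[0]
$svc[0] | Get-Member -MemberType Method

# Calling the method on the local copy fails, because the method is not there.
try {
    $svc[0].Stop()
} catch {
    Write-Warning "Local copy cannot be acted on: $($_.Exception.Message)"
}

# 2) Do the work where the live object exists: inside the remote scriptblock.
$result = Invoke-Command -ComputerName $targets -ArgumentList 'Spooler' -ScriptBlock {
    param([string]$Name)

    $live = Get-Service -Name $Name            # live ServiceController, remote side only
    if ($live.Status -eq 'Running') {
        $live | Stop-Service -WhatIf           # remove -WhatIf to actually stop the service
    }
    $live.Refresh()                            # method calls work here

    # 3) Return only the fields the caller needs, to keep the payload small.
    $live | Select-Object Name, Status, StartType
}

# Each returned object is tagged with the computer it came from.
$result | Sort-Object PSComputerName |
    Format-Table PSComputerName, Name, Status, StartType
```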

In scripts, avoid Enter-PSSession (intended for interactive use) and use Invoke-Command with script blocks. If you anticipate multiple calls or need to preserve state (variables, imported modules), use persistent sessions and, where applicable, disconnect and reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.

Authentication, HTTPS, and Off-Domain Scenarios

In a domain, native authentication is Kerberos and everything flows. When the device cannot verify the server name, or you connect to an IP address or a CNAME alias, you need one of these two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) add the destination (name or IP) to TrustedHosts and use credentials. The second option disables mutual authentication for that host, so reduce the scope to the minimum necessary.

Setting up an HTTPS listener requires a certificate (from your PKI or a public CA), installed in the computer store and bound to WinRM. Port 5986/TCP is opened in the firewall and, from the client, -UseSSL is used with the remote cmdlets. For client certificate authentication, you can map a certificate to a local account and connect with -CertificateThumbprint (Enter-PSSession does not accept this directly; create the session first with New-PSSession.)
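One way to carry out the listener setup described above, as an added example that is not part of the original article. It assumes a server-authentication certificate for the host's FQDN is already installed in the computer store; the firewall rule name and the client-side host name srv01.corp.example are hypothetical.

```powershell
# --- On the target, in an elevated console ---------------------------------
# Assumption: a certificate issued by your PKI is already in Cert:\LocalMachine\My.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a certificate that is usable for WinRM over HTTPS:
# private key present, not expired, Server Authentication EKU, CN/SAN matches the FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $fqdn
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server-auth certificate whose CN/SAN matches $fqdn was found."
}

# Bind the certificate to a new HTTPS listener.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Open 5986/TCP only on the Domain and Private profiles (hypothetical rule name).
New-NetFirewallRule -DisplayName 'WinRM HTTPS 5986 (example)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain, Private | Out-Null

# Confirm that the listener exists.
Get-ChildItem -Path WSMan:\localhost\Listener

# --- On the client ----------------------------------------------------------
# The name passed to -ComputerName must be one of the names in the certificate.
$server = 'srv01.corp.example'   # hypothetical FQDN of the target
Test-WSMan -ComputerName $server -UseSSL
$s = New-PSSession -ComputerName $server -UseSSL -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
Remove-PSSession -Session $s
```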

The second hop and credential delegation

The famous "double hop" appears when, after connecting to a server, you need that server to access a third resource on your behalf (e.g., an SMB share). There are two approaches to allowing this: CredSSP and resource-based constrained Kerberos delegation.

With CredSSP you enable the client and the intermediary to delegate credentials, and you set a policy (GPO) to allow delegation to specific computers. It is quick to configure, but less secure because the credentials travel in clear text inside the encrypted tunnel. Always limit the sources and destinations.

The preferred alternative in a domain is constrained Kerberos delegation (resource-based constrained delegation) in modern AD. This lets the endpoint rely on receiving delegation from the middle tier for specific services, avoiding exposure of your identity on the initial connection. It requires recent domain controllers and an up-to-date RSAT.
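The resource-based constrained delegation described above can be configured and reviewed as follows. This is an added example, not part of the original article; it assumes the ActiveDirectory module from RSAT, and the computer names jump01 (middle tier) and files01 (resource) and the share path are hypothetical.

```powershell
# Assumptions: run by an account allowed to modify the resource's computer object;
# 'jump01' is the server you remote into, 'files01' hosts the third resource.
Import-Module ActiveDirectory

$middle   = Get-ADComputer -Identity 'jump01'
$resource = Get-ADComputer -Identity 'files01'

# The resource itself declares which principal may delegate to it.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $middle

# Verify what is now allowed on the resource.
Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# Purge the middle tier's machine tickets so the new setting is picked up.
Invoke-Command -ComputerName $middle.DNSHostName -ScriptBlock {
    klist purge -li 0x3e7
}

# Test the second hop: the middle tier reaches the resource on your behalf.
Invoke-Command -ComputerName $middle.DNSHostName -ScriptBlock {
    Test-Path -Path '\\files01\share'     # hypothetical share
}

# Review: list every computer object that accepts delegation, so that
# entries nobody can justify are found and removed.
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# Roll back when the delegation is no longer needed.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $null
```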

Custom Endpoints

One of the gems of Remoting is the ability to register connection points with tailored capabilities and limits. First you generate a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, ExecutionPolicy, LanguageMode, etc.), and then you register it with Register-PSSessionConfiguration, where you can set RunAsCredential and permissions (SDDL or the GUI interface with -ShowSecurityDescriptorUI).

For secure delegation, expose only what is necessary with -VisibleCmdlets/-VisibleFunctions and disable free scripting where appropriate with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone could use a script block to invoke commands that are not exposed, which, combined with RunAs, would be a hole. Design these endpoints with a fine-tooth comb and document their scope.
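A constrained endpoint built along these lines, as an added example that is not part of the original article. The endpoint name HelpdeskServices, the file path, the host srv01 and the choice of services are assumptions; the RunAs account is whatever dedicated account you supply at the prompt.

```powershell
# --- On the server, in an elevated console ----------------------------------
$pssc = Join-Path -Path $env:ProgramData -ChildPath 'HelpdeskServices.pssc'  # hypothetical path

# Only Get-Service and a restricted Restart-Service are visible; NoLanguage blocks
# free scripting, so a caller cannot reach commands that are not exposed.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy RemoteSigned `
    -VisibleCmdlets 'Get-Service',
        @{
            Name       = 'Restart-Service'
            Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' }
        }

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is not valid."
}

# Register the endpoint. Commands run as the dedicated account entered here, and the
# security descriptor dialog decides which group may connect.
Register-PSSessionConfiguration -Name 'HelpdeskServices' -Path $pssc `
    -RunAsCredential (Get-Credential -Message 'Dedicated RunAs account') `
    -ShowSecurityDescriptorUI -Force

# --- From the delegated user's client ---------------------------------------
$s = New-PSSession -ComputerName 'srv01' -ConfigurationName 'HelpdeskServices'

# Lists only the exposed commands plus the small default set of the session type.
Invoke-Command -Session $s -ScriptBlock { Get-Command }

# Allowed: the service name is in the ValidateSet.
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name Spooler }

# Rejected: WinRM is not in the ValidateSet, so the call fails on the server.
Invoke-Command -Session $s -ScriptBlock { Restart-Service -Name WinRM }

Remove-PSSession -Session $s
```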

Domains, GPO, and Workgroups

In AD you can deploy PowerShell Remoting at scale with GPO: allow automatic configuration of WinRM listeners, set the service to Automatic, and create the firewall exception. Remember that GPOs change settings, but they do not always start the service immediately; sometimes you need to restart or force a gpupdate.

In workgroups (non-domain), configure Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client @{TrustedHosts="host1,host2"}) and use local credentials. For HTTPS, you can install self-signed certificates, although it is recommended to use a trusted CA and to verify that the name you will use in -ComputerName appears in the certificate (CN/SAN match).

Key cmdlets and syntax

A handful of commands cover 90% of everyday scenarios. To enable and disable:

Enable-PSRemoting    
Disable-PSRemoting

Interactive 1-to-1 session and exit:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1 to many, with parallelism and credentials:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Persistent sessions and reuse:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Testing and WinRM utilities:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Practical notes on the firewall, network and ports

Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for public profiles, it is limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you can assess according to your risk).

If you use SOAR/SIEM integrations that run remote commands (for example from XSOAR), make sure the server can resolve the hosts via DNS, has connectivity to 5985/5986, and uses credentials with sufficient local permissions. In some cases, NTLM/Basic authentication may need adjusting (e.g., using a local user with Basic over SSL).
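The settings discussed in this article (TrustedHosts, Basic authentication, HTTP versus HTTPS listeners, firewall scope) can be reviewed on a host with a short check like the one below. It is an added example, not part of the original article, and the function name Get-WinRMExposure is hypothetical.

```powershell
# Run in an elevated console on the host under review (WinRM service running).
function Get-WinRMExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # TrustedHosts disables mutual authentication for every host it matches.
    $trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    if ($trusted -eq '*') {
        $findings.Add('Client TrustedHosts is "*": any host is trusted without mutual authentication.')
    } elseif ($trusted) {
        $findings.Add("Client TrustedHosts entries to justify: $trusted")
    }

    # Basic authentication and unencrypted traffic on the service side.
    if ((Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
        $findings.Add('Service accepts Basic authentication: make sure it is only reachable over HTTPS.')
    }
    if ((Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
        $findings.Add('Service allows unencrypted traffic.')
    }

    # Which transports have a listener?
    $transports = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        ($_.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
    }
    if ($transports -notcontains 'HTTPS') {
        $findings.Add('No HTTPS listener: off-domain clients would have to rely on TrustedHosts.')
    }

    # Enabled WinRM HTTP firewall rules whose scope was widened to any remote address.
    Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings.Add("Firewall rule $($_.Name) (profile: $($_.Profile)) accepts any remote address.")
            }
        }

    if ($findings.Count -eq 0) { $findings.Add('No findings for the settings checked.') }
    $findings
}

Get-WinRMExposure
```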

Enable-PSRemoting Parameters (Summary)

-Confirm asks for confirmation before executing; -Force ignores warnings and makes the necessary changes; -SkipNetworkProfileCheck enables Remoting on public client networks (limited by default to the local subnet); -WhatIf shows you what would happen without applying any changes. In addition, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, etc.).

Remember that "Enable" does not create HTTPS listeners or certificates for you; if you need end-to-end encryption from the start and certificate-based authentication, configure the HTTPS listener and verify the CN/SAN against the name you will use in -ComputerName.

Useful WinRM and PowerShell Remoting Commands

Some essentials to keep at hand for day-to-day work:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

When managing Windows at scale, Remoting lets you move from "computer-to-computer" work to a declarative and secure approach. By combining persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints, and clear traces for diagnostics, you gain speed and control without sacrificing security or auditing. If you also standardize GPO activation and master the special cases (TrustedHosts, double hop, certificates), you will have a solid remote platform for daily operations and incident response.
