Yuav ua li cas tswj koj lub PC los ntawm koj lub xov tooj ntawm tes siv PowerShell Remoting

Koj tuaj yeem ua haujlwm ntau yam haujlwm nrog PowerShell hauv zos, tab sis koj ua qhov twg tiag PowerShell Remoting ua qhov txawv Nws yog thaum koj khiav cov lus txib ntawm cov chaw taws teeb, txawm tias ob peb lossis ntau pua, sib tham sib lossis sib luag. Cov thev naus laus zis no, muaj txij li Windows PowerShell 2.0 thiab txhim kho txij li 3.0, yog raws li WS-Management (WinRM) thiab hloov pauv. PowerShell nyob rau hauv ib tug robust, scalable thiab ruaj ntseg tej thaj chaw deb tswj channel.

Ua ntej tshaj plaws, nws yog ib qho tseem ceeb kom nkag siab txog ob lub tswv yim tseem ceeb: cmdlets nrog -ComputerName parameter (piv txwv li, Tau-Process lossis Get-Service) tsis yog txoj hauv kev mus sij hawm ntev tau pom zoo los ntawm Microsoft, thiab PowerShell Remoting tsis ua haujlwm li "hack." Qhov tseeb, tswj kev sib nrig sib pab, tshawb xyuas cov cav thiab saib xyuas koj li kev tso cai ib txwm, tsis tas yuav khaws cov ntaub ntawv pov thawj lossis ua haujlwm zoo nrog txhua yam tshwj xeeb.

PowerShell Remoting yog dab tsi thiab vim li cas siv nws?

con PowerShell Tshem Tawm koj tuaj yeem ua tau yuav luag txhua yam hais kom ua remotely uas koj tuaj yeem tso tawm hauv ib qho kev sib tham hauv zos, los ntawm kev nug cov kev pabcuam mus rau kev teeb tsa, thiab ua li ntawd rau ntau pua lub khoos phis tawj ib zaug. Tsis zoo li cmdlets uas lees txais -ComputerName (ntau siv DCOM / RPC), Tshem Tawm taug kev ntawm WS-Man (HTTP/HTTPS), uas yog firewall-phooj ywg ntau dua, tso cai rau parallelism thiab offloads ua haujlwm rau cov chaw taws teeb tswj, tsis yog tus neeg siv khoom.

Qhov no txhais ua peb qhov txiaj ntsig zoo: kev ua tau zoo dua hauv kev tua loj, tsawg kev sib txhuam hauv tes hauj lwm nrog cov kev cai txwv thiab tus qauv kev nyab xeeb raws li Kerberos/HTTPS. Tsis tas li ntawd, tsis yog nyob ntawm txhua cmdlet los siv nws tus kheej tej thaj chaw deb, Remoting Nws ua haujlwm rau txhua tsab ntawv lossis lub luag haujlwm uas muaj nyob rau ntawm qhov chaw.

Los ntawm lub neej ntawd, Windows Servers tsis ntev los no tuaj nrog Remoting enabled; hauv Windows 10/11 koj qhib nws nrog ib tug cmdlet. Thiab yog, koj tuaj yeem siv lwm cov ntawv pov thawj, kev sib tham tsis tu ncua, cov ntsiab lus kawg, thiab lwm yam.

Lus Cim: Kev tshem tawm tsis yog ib qho kev qhib txhua yam. Los ntawm lub neej ntawd, tsuas yog cov thawj coj xwb Lawv tuaj yeem txuas tau, thiab kev ua haujlwm raug ua raws li lawv tus kheej. Yog tias koj xav tau cov neeg sawv cev zoo, cov ntsiab lus kev cai tso cai rau koj nthuav tawm tsuas yog cov lus txib tseem ceeb.

Nws ua haujlwm li cas hauv: WinRM, WS-Man, thiab cov chaw nres nkoj

PowerShell Remoting ua haujlwm hauv tus neeg siv khoom-tus qauv. Tus neeg thov xa WS-Management thov ntawm HTTP (5985/TCP) lossis HTTPS (5986/TCP). Ntawm lub hom phiaj, Windows Chaw Tswj Xyuas Chaw Taws Teeb (WinRM) kev pabcuam mloog, daws qhov kawg (session configuration), thiab tuav lub rooj sib tham PowerShell hauv keeb kwm yav dhau (wsmprovhost.exe txheej txheem), xa rov qab cov txiaj ntsig serialized rau tus neeg siv khoom hauv XML ntawm SOAP.

Thawj zaug koj qhib Remoting, cov neeg mloog tau teeb tsa, qhov kev zam ntawm firewall tsim nyog tau qhib, thiab cov kev sib kho tau tsim. Los ntawm PowerShell 6+, ntau yam kev sib koom ua ke, thiab Pab kom tau-PSRemoting Sau npe cov ntsiab lus kawg nrog cov npe uas cuam tshuam txog cov version (piv txwv li, PowerShell.7 thiab PowerShell.7.xy).

Yog tias koj tsuas tso cai HTTPS hauv koj ib puag ncig, koj tuaj yeem tsim ib qho nyab xeeb mloog nrog rau daim ntawv pov thawj uas tau muab los ntawm CA ntseeg siab (pom zoo). Xwb, lwm txoj hauv kev yog siv TrustedHosts hauv kev txwv, kev paub txog kev pheej hmoo, rau cov xwm txheej ua haujlwm lossis cov khoos phis tawj tsis yog sau npe.

Nco ntsoov tias Powershell Remoting tuaj yeem ua ke nrog cmdlets nrog -ComputerName, tab sis Microsoft thawb WS-Man raws li tus qauv thiab yav tom ntej-pov thawj txoj hauv kev rau kev tswj xyuas tej thaj chaw deb.

Enabling PowerShell Remoting thiab Siv Tsis Tau

Hauv Windows, tsuas yog qhib PowerShell ua tus thawj coj thiab khiav Pab kom tau-PSRemoting. Lub kaw lus pib WinRM, teeb tsa autostart, ua rau cov neeg mloog, thiab tsim cov cai tsim nyog firewall. Ntawm cov neeg siv nrog rau pej xeem network profile, koj tuaj yeem txhob txwm tso cai rau qhov no nrog -SkipNetworkProfileCheck (thiab tom qab ntawd ntxiv cov cai tshwj xeeb):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force

Lub syntax kuj tso cai, - Paub meej y -Yog dab tsi rau kev hloov pauv. Nco ntsoov: Nws tsuas yog muaj nyob rau ntawm Windows, thiab koj yuav tsum khiav lub console siab. Cov kev cai tsim txawv ntawm Server thiab Client editions, tshwj xeeb tshaj yog nyob rau hauv pej xeem tes hauj lwm, qhov twg los ntawm lub neej ntawd lawv raug txwv rau lub zos subnet tshwj tsis yog tias koj nthuav dav (piv txwv li, nrog Set-NetFirewallRule).

Txhawm rau sau cov kev sib tham uas twb tau sau tseg lawm thiab paub meej tias txhua yam yog npaj txhij, siv Get-PSSessionConfigurationYog tias PowerShell.x thiab Workflow endpoints tshwm sim, Cov Txheej Txheem Tshem Tawm yog ua haujlwm.

Kev siv hom: 1 txog 1, 1 rau ntau, thiab ntu ntu ntu

Thaum koj xav tau kev sib tham sib console ntawm ib lub computer, tig mus rau Sau-PSSessionCov lus ceeb toom yuav tshwm sim, thiab txhua yam koj ua tiav yuav mus rau tus tswv tsev nyob deb. Koj tuaj yeem rov siv cov ntawv pov thawj nrog Get-Credential kom tsis txhob rov nkag mus tas li:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

Yog tias koj tab tom nrhiav dab tsi yog xa cov lus txib mus rau ntau lub khoos phis tawj ib zaug, lub cuab yeej yog Invoke-Command nrog scriptblock. Los ntawm lub neej ntawd, nws pib mus txog 32 qhov sib txuas sib txuas (kho tau nrog -ThrottleLimit). Cov txiaj ntsig tau rov qab los li deserialized khoom (tsis muaj "nyob" txoj kev):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Yuav tsum tau hu ib txoj kev zoo li .Stop() lossis .Start()? Ua nws. nyob rau hauv lub scriptblock nyob rau hauv tej thaj chaw deb cov ntsiab lus, tsis yog lub zos deserialized khoom, thiab hais tias yog nws. Yog tias muaj qhov sib npaug cmdlet (Stop-Service/Start-Service), nws yog qhov zoo dua los siv nws kom meej.

Txhawm rau zam kom tsis txhob muaj nqi pib thiab xaus kev sib tham ntawm txhua qhov hu, tsim ib qho Persistent PSSession thiab rov siv nws hla ntau cov lus thov. Siv New-PSSession los tsim kev sib txuas, thiab siv Invoke-Command-Session los rov siv lub qhov. Tsis txhob hnov ​​​​qab kaw nws nrog Remove-PSSession thaum koj ua tiav.

Serialization, txwv thiab kev coj ua zoo

Cov ntsiab lus tseem ceeb: thaum mus ncig, cov khoom "+ flatten" thiab tuaj txog li deserialized snapshots, nrog cov khoom tab sis tsis muaj txoj hauv kev. Qhov no yog txhob txwm tshaj tawm thiab txuag bandwidth, tab sis nws txhais tau tias koj tsis tuaj yeem siv cov tswv cuab uas ua cov logic (xws li .Kill()) ntawm cov ntawv luam hauv zos. Cov kev daws teeb meem yog pom tseeb: thov cov txheej txheem. kev deb thiab yog tias koj tsuas yog xav tau qee qhov chaw, lim nrog Xaiv-Tswj xa tawm cov ntaub ntawv tsawg dua.

Hauv cov ntawv sau, zam Enter-PSSession (xav kom muaj kev sib tham sib) thiab siv Invoke-Command nrog cov ntawv thaiv. Yog tias koj cia siab tias yuav tau txais ntau qhov kev hu lossis xav tau khaws cia hauv xeev (kuj hloov pauv, cov khoom siv txawv teb chaws), siv cov ntu tsis tu ncua thiab, yog tias tsim nyog, txiav tawm / rov txuas lawv nrog Disconnect-PSSession/Connect-PSSession hauv PowerShell 3.0+.

Authentication, HTTPS, thiab Off-Domain Scenarios

Nyob rau hauv ib tug sau, haiv neeg authentication yog Kerberos Thiab txhua yam ntws. Thaum lub cuab yeej tsis tuaj yeem txheeb xyuas lub npe neeg rau zaub mov, lossis koj txuas rau CNAME IP lossis alias, koj xav tau ib qho ntawm ob txoj kev xaiv no: 1) Mloog HTTPS nrog daim ntawv pov thawj tso tawm los ntawm CA koj ntseeg, lossis 2) ntxiv qhov chaw (lub npe lossis IP) rau TrustedHosts thiab siv cov ntawv pov thawjQhov kev xaiv thib ob cuam tshuam kev sib koom ua pov thawj rau tus tswv tsev ntawd, yog li nws txo qhov peev xwm mus rau qhov tsawg kawg nkaus tsim nyog.

Kev teeb tsa HTTPS tus mloog yuav tsum muaj daim ntawv pov thawj (qhov zoo tshaj plaws los ntawm koj lub PKI lossis pej xeem CA), ntsia hauv pab pawg khw thiab khi rau WinRM. Chaw nres nkoj 5986 / TCP yog tom qab qhib rau hauv firewall thiab, los ntawm tus neeg siv khoom, siv. -UseSSL hauv tej thaj chaw deb cmdlets. Rau cov neeg siv daim ntawv pov thawj authentication, koj tuaj yeem qhia daim ntawv pov thawj rau ib tus account hauv zos thiab txuas nrog -Certificate Thumbprint (Enter-PSSession tsis lees txais qhov no ncaj qha; tsim qhov kev sib tham ua ntej nrog New-PSSession.)

Qhov thib ob hop thiab delegation ntawm daim ntawv pov thawj

Lub npe nrov "ob chav hop" tshwm thaum, tom qab txuas mus rau lub server, koj xav tau tus neeg rau zaub mov nkag mus rau a peb cov peev txheej ntawm koj tus kheej (piv txwv li, ib qho SMB share). Muaj ob txoj hauv kev tso cai rau qhov no: CredSSP thiab cov peev txheej raws li kev txwv Kerberos tus sawv cev.

con CredSSP Koj tso cai rau tus neeg siv khoom thiab tus neeg nruab nrab kom nthuav tawm cov ntaub ntawv pov thawj, thiab koj tau teeb tsa txoj cai (GPO) kom tso cai rau kev tso cai rau cov khoos phis tawj tshwj xeeb. Nws yooj yim rau kev teeb tsa, tab sis tsis muaj kev nyab xeeb dua vim tias cov ntawv pov thawj taug kev hauv cov ntawv ntshiab hauv qhov encrypted. Ib txwm txwv qhov chaw thiab qhov chaw.

Qhov kev xaiv zoo tshaj hauv kev sau npe yog qhov txwv Kerberos delegation (resource-based constrained delegation) nyob rau niaj hnub AD. Qhov no tso cai rau qhov kawg ntawm kev cia siab rau kev txais cov neeg sawv cev los ntawm qhov chaw nruab nrab rau cov kev pabcuam tshwj xeeb, tsis txhob nthuav tawm koj tus kheej ntawm qhov kev sib txuas pib. Yuav tsum muaj cov tswj hwm sau npe tsis ntev los no thiab hloov kho RSAT.

Kev Cai Endpoints (Session Configurations)

Ib qho ntawm lub pov haum ntawm Remoting yog muaj peev xwm sau npe cov ntsiab lus txuas nrog tailored muaj peev xwm thiab txwv. Ua ntej koj tsim cov ntaub ntawv nrog New-PSSessionConfigurationFile (modules rau preload, pom kev ua haujlwm, npe npe, ExecutionPolicy, LanguageMode, thiab lwm yam), thiab tom qab ntawd koj sau npe nrog Register-PSSessionConfiguration, qhov twg koj tuaj yeem teeb tsa. RunAsCredential thiab tso cai (SDDL lossis GUI interface nrog -ShowSecurityDescriptorUI).

Rau kev nyab xeeb delegation, nthuav tawm tsuas yog qhov tsim nyog nrog -VisibleCmdlets/-VisibleFunctions thiab lov tes taw pub dawb yog tias tsim nyog nrog LanguageMode RestrictedLanguage los yog NoLanguage. Yog tias koj tawm hauv FullLanguage, ib tus neeg tuaj yeem siv tsab ntawv thaiv kom hu cov lus txib uas tsis tau nthuav tawm, uas, ua ke nrog RunAs, nws yuav yog lub qhov. Tsim cov ntsiab lus kawg no nrog cov hniav zoo nkauj thiab sau lawv cov peev txheej.

Domains, GPOs, thiab Groupware

Hauv AD koj tuaj yeem siv Powershell Remoting ntawm nplai nrog GPO: tso cai rau kev teeb tsa tsis siv neeg ntawm WinRM mloog, teeb qhov kev pabcuam rau Automatic, thiab tsim qhov kev zam ntawm firewall. Nco ntsoov tias GPOs hloov chaw, tab sis lawv tsis tas yuav qhib qhov kev pabcuam tam sim; Qee zaum koj yuav tsum rov pib dua lossis yuam kom gpupdate.

Hauv pab pawg neeg ua haujlwm (tsis yog sau npe), teeb tsa Remoting nrog Pab kom tau-PSRemoting, teeb TrustedHosts ntawm tus neeg siv khoom (winrm teeb winrm/config/client @{TrustedHosts=»host1,host2″}) thiab siv cov ntawv pov thawj hauv zos. Rau HTTPS, koj tuaj yeem mount daim ntawv pov thawj tus kheej, txawm hais tias nws raug pom zoo kom siv CA uas ntseeg siab thiab validate lub npe uas koj yuav siv hauv -ComputerName hauv daim ntawv pov thawj (CN/SAN match).

Ntsiab cmdlets thiab syntax

Ib tug puv tes ntawm commandos npog lub 90% ntawm cov xwm txheej niaj hnub. Txhawm rau qhib / deactivate:

Enable-PSRemoting    
Disable-PSRemoting

Kev sib tham sib tham 1 mus rau 1 thiab tawm:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1 rau ntau, nrog parallelism thiab daim ntawv pov thawj:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Cov kev sib tham tsis tu ncua thiab rov siv dua:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Kev xeem thiab WinRM Muaj txiaj ntsig:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Cov ntawv sau qhia txog firewall, network thiab ports

Qhib 5985 / TCP rau HTTP thiab 5986 / TCP rau HTTPS ntawm lub hom phiaj lub khoos phis tawj thiab ntawm txhua qhov nruab nrab firewallNtawm cov neeg siv Windows, Enable-PSRemoting tsim cov cai rau sau npe thiab ntiag tug profiles; rau pej xeem cov ntaub ntawv, nws tsuas yog txwv rau cov subnet hauv zos tshwj tsis yog tias koj hloov kho qhov tshwj xeeb nrog Set-NetFirewallRule -RemoteAddress Any (tus nqi koj tuaj yeem ntsuas raws li koj qhov kev pheej hmoo).

Yog tias koj siv SOAR/SIEM kev koom ua ke uas khiav cov lus txib tej thaj chaw deb (xws li los ntawm XSOAR), xyuas kom tseeb tias cov neeg rau zaub mov muaj DNS daws teeb meem rau cov tswv, txuas rau 5985/5986, thiab cov ntaub ntawv pov thawj nrog kev tso cai hauv zos txaus. Qee zaum, NTLM/Basic authentication yuav xav tau kev hloov kho (xws li, siv tus neeg siv hauv zos hauv Basic nrog SSL).

Pab-PSRemoting Parameters (Cov Lus Qhia Ua Haujlwm)

-Confirm nug kom paub meej ua ntej ua tiav; -Txoj cai tsis quav ntsej cov lus ceeb toom thiab hloov qhov tsim nyog; -SkipNetworkProfileCheck enables Remoting ntawm pej xeem cov neeg siv network (tso txwv los ntawm lub neej ntawd mus rau lub zos subnet); -WhatIf qhia koj tias yuav muaj dab tsi tshwm sim yam tsis muaj kev hloov pauv. Tsis tas li ntawd, zoo li txhua tus qauv cmdlet, nws txhawb nqa cov tsis muaj (-Verbose, -ErrorAction, thiab lwm yam).

Nco ntsoov tias "Enable" tsis tsim HTTPS cov neeg mloog lossis daim ntawv pov thawj rau koj; yog tias koj xav tau qhov kawg-rau-kawg encryption los ntawm qhov pib thiab authentication raws li daim ntawv pov thawj, teeb tsa HTTPS mloog thiab siv tau CN/SAN tiv thaiv lub npe koj yuav siv hauv -ComputerName.

Pab tau WinRM thiab PowerShell Remoting Commands

Ib txhia cov khoom tseem ceeb hauv txaj rau lub neej txhua hnub:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

Thaum tswj hwm Windows ntawm qhov ntsuas, Remoting tso cai rau koj txav los ntawm "computer-to-computer" mus rau qhov kev tshaj tawm thiab kev nyab xeeb. Los ntawm kev sib txuas cov kev sib tham tsis tu ncua, kev lees paub muaj zog (Kerberos/HTTPS), txwv cov ntsiab lus kawg, thiab cov cim meej meej rau kev kuaj mob, koj nce ceev thiab tswj yam tsis muaj kev cuam tshuam kev ruaj ntseg lossis kev tshuaj xyuas. Yog tias koj tseem ua tus qauv GPO ua kom muaj zog thiab ua haujlwm tshwj xeeb (TrustedHosts, ob lub plhaw, daim ntawv pov thawj), koj yuav muaj lub chaw taws teeb muaj zog rau kev ua haujlwm txhua hnub thiab qhov xwm txheej teb.

Tshooj lej:

Yuav ua li cas tiv thaiv koj lub PC los ntawm pom tsis pom malware zoo li XWorm thiab NotDoor

Daniel Taus

Tus kws kho tshwj xeeb hauv kev siv thev naus laus zis thiab teeb meem hauv internet nrog ntau tshaj kaum xyoo ntawm kev paub hauv cov xov xwm sib txawv. Kuv tau ua haujlwm ua tus editor thiab tus tsim cov ntsiab lus rau e-lag luam, kev sib txuas lus, kev lag luam online thiab cov tuam txhab tshaj tawm. Kuv kuj tau sau rau ntawm kev lag luam, nyiaj txiag thiab lwm cov vev xaib. Kuv txoj hauj lwm kuj yog kuv lub siab nyiam. Tam sim no, dhau ntawm kuv cov ntawv hauv Tecnobits, Kuv sim tshawb nrhiav txhua yam xov xwm thiab lub cib fim tshiab uas lub ntiaj teb kev siv tshuab muab rau peb txhua hnub los txhim kho peb lub neej.