How to manage your PC from your mobile phone using PowerShell Remoting

Last updated: 15/10/2025

  • Remoting uses WinRM/WS-Man (HTTP/HTTPS) and supports 1-to-1, 1-to-many, and persistent sessions with security controls.
  • Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate with a matching CN/SAN.
  • Results come back deserialized; methods are invoked inside the remote scriptblock, and custom endpoints are used for fine-grained delegation.

You can already automate many tasks with PowerShell locally, but where PowerShell Remoting really makes the difference is when you run commands on remote machines, whether a few or hundreds, interactively or in parallel. This technology, available since Windows PowerShell 2.0 and improved since 3.0, is based on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote administration channel.

First, it is important to understand two key points: cmdlets with the -ComputerName parameter (for example, Get-Process or Get-Service) are not the long-term path Microsoft recommends, and PowerShell Remoting does not work as a "hack." In fact, it enforces mutual authentication, writes audit logs, and respects your usual permissions, without storing credentials or magically running anything with elevated privileges.

What is PowerShell Remoting and why use it?

With PowerShell Remoting you can run remotely almost any command you could launch in a local session, from queries to configuration deployments, and do so on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (many of which use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which is much more firewall-friendly, allows parallelism, and offloads the work to the remote host rather than the client.

This translates into three practical advantages: better performance for mass execution, less friction on networks with restrictive rules, and a security model aligned with Kerberos/HTTPS. Also, because it does not depend on each cmdlet implementing its own remoting, Remoting works for any script or role available at the destination.

By default, recent Windows Server versions come with Remoting enabled; on Windows 10/11 you enable it with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.

Note: Remoting is not the same as opening everything up. By default, only administrators can connect, and actions run under their identity. If you need fine-grained delegation, custom endpoints let you expose only the necessary commands.


How it works inside: WinRM, WS-Man and ports

PowerShell Remoting works on a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (wsmprovhost.exe process), returning serialized results to the client as XML over SOAP.

The first time you enable Remoting, the listeners are configured, the appropriate firewall exception is opened, and the session configurations are created. From PowerShell 6+, multiple versions coexist, and Enable-PSRemoting registers endpoints with names that reflect the version (for example, PowerShell.7 and PowerShell.7.xy).


If you only allow HTTPS in your environment, you can create a secure listener with a certificate issued by a trusted CA (recommended). Alternatively, you can use TrustedHosts in a limited, risk-aware way for workgroup scenarios or computers that are not domain-joined.

Note that PowerShell Remoting can coexist with cmdlets that take -ComputerName, but Microsoft is pushing WS-Man as the standard, future-proof way to do remote administration.

Enabling PowerShell Remoting and useful parameters

On Windows, just open PowerShell as an administrator and run Enable-PSRemoting. The system starts WinRM, configures autostart, enables the listener, and creates the appropriate firewall rules. On clients with a public network profile, you can deliberately allow this with -SkipNetworkProfileCheck (and then tighten it with specific rules):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force

 

The syntax also allows -Confirm and -WhatIf for change control. Remember: it is available on Windows only, and you must run it from an elevated console. The rules created differ between Server and Client editions, especially on public networks, where by default they are limited to the local subnet unless you widen the scope (for example, with Set-NetFirewallRule).

To list the session configurations already registered and confirm that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and Workflow endpoints appear, the Remoting framework is working.


Usage modes: 1-to-1, 1-to-many, and persistent sessions

When you need an interactive console on a single computer, use Enter-PSSession. The prompt will change, and everything you run will go to the remote host. You can reuse credentials with Get-Credential to avoid re-entering them each time:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

If what you want is to send commands to several computers at once, the tool is Invoke-Command with a scriptblock. By default, it opens up to 32 concurrent connections (adjustable with -ThrottleLimit). The results come back as deserialized objects (without "live" methods):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Want to call methods such as .Stop() or .Start()? Do it inside the scriptblock, in the remote context, not on the local deserialized object, and that's it. If there is an equivalent cmdlet (Stop-Service/Start-Service), it is usually better to use it for clarity.

To avoid the cost of starting and tearing down sessions on every call, create a persistent PSSession and reuse it across several invocations. Use New-PSSession to create the connection, and Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you are done.

Serialization, limits and best practices

An important detail: in transit, objects are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot use members that execute logic (such as .Kill()) on the local copies. The solution is straightforward: invoke those methods remotely, and if you only need certain fields, filter with Select-Object so that less data is sent.


In scripts, avoid Enter-PSSession (intended for interactive use) and use Invoke-Command with scriptblocks. If you expect multiple calls or need to preserve state (variables, imported modules), use persistent sessions and, where applicable, disconnect/reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.
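
The behaviour described in this section, shown end to end as an added example (not code from the original article). The host name web01 is a placeholder, and restarting W32Time stands in for whatever remote action you actually need.

```powershell
# Added example. 'web01' is a placeholder host; W32Time is the service used elsewhere on this page.
$cred = Get-Credential
$s    = New-PSSession -ComputerName web01 -Credential $cred   # one connection, reused below

try {
    # 1) Objects that cross the wire are snapshots: the type name gains a "Deserialized." prefix.
    $svc = Invoke-Command -Session $s -ScriptBlock { Get-Service -Name W32Time }
    "Local type : $($svc.PSObject.TypeNames[0])"

    # 2) The snapshot keeps its properties but has lost Stop()/Start().
    $hasStop = $svc.PSObject.Methods.Name -contains 'Stop'
    "Stop() available on the local copy: $hasStop"

    # 3) So run the action on the remote side. $using: carries a local variable across,
    #    and Select-Object trims the result to the fields that need to travel back.
    $name = 'W32Time'
    Invoke-Command -Session $s -ScriptBlock {
        Restart-Service -Name $using:name
        Get-Service -Name $using:name | Select-Object Name, Status, StartType
    }

    # 4) A persistent session keeps state between calls: $stamp is set in one call
    #    and still exists in the next one.
    Invoke-Command -Session $s -ScriptBlock { $stamp = Get-Date }
    Invoke-Command -Session $s -ScriptBlock { "Set earlier in this session: $stamp" }
}
finally {
    # Always release the remote wsmprovhost.exe process, even if a call above failed.
    Remove-PSSession -Session $s
}
```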

Authentication, HTTPS, and off-domain scenarios

In a domain, the native authentication is Kerberos, and everything just works. When the device cannot verify the server name, or you connect by IP address or CNAME alias, you need one of these two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) add the destination (name or IP) to TrustedHosts and use credentials. The second option disables mutual authentication for that host, so keep its scope to the minimum necessary.

Setting up an HTTPS listener requires a certificate (ideally from your PKI or a public CA), installed in the computer's certificate store and bound to WinRM. Port 5986/TCP is then opened in the firewall, and on the client side you use -UseSSL in the remoting cmdlets. For client certificate authentication, you can map a certificate to a local account and connect with -CertificateThumbprint (Enter-PSSession does not accept this directly; create the session first with New-PSSession).
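
One way to carry out the listener setup described above, as an added example (not code from the original article). It assumes a CA-issued certificate is already installed in Cert:\LocalMachine\My; the name srv01.corp.example and the firewall rule display name are placeholders.

```powershell
# Added example. Run elevated on the target. $fqdn is a placeholder and must be the
# exact name clients will pass to -ComputerName.
$fqdn       = 'srv01.corp.example'
$serverAuth = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU

# Pick a machine certificate that is in date, has a private key, allows server
# authentication, and carries $fqdn in its SAN list or subject CN.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuth) -and
    (($_.DnsNameList.Unicode -contains $fqdn) -or
     ($_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)"))
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable certificate for $fqdn in Cert:\LocalMachine\My" }

# Bind the certificate to a WinRM HTTPS listener on all addresses.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Open 5986/TCP for the domain and private profiles only.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain, Private | Out-Null

# Confirm the listener exists and which certificate it presents.
winrm enumerate winrm/config/listener

# From a client: the name must match the certificate, otherwise the TLS check fails.
Test-WSMan -ComputerName $fqdn -UseSSL
Invoke-Command -ComputerName $fqdn -UseSSL -Credential (Get-Credential) `
    -ScriptBlock { $env:COMPUTERNAME }
```

If the client call fails with a certificate name error, compare the name passed to -ComputerName with the certificate's CN/SAN rather than falling back to TrustedHosts.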

The second hop and credential delegation

The well-known "double hop" appears when, after connecting to a server, you need that server to access a third resource on your behalf (such as an SMB share). There are two ways to allow this: CredSSP and constrained Kerberos delegation.

With CredSSP, you enable the client and the intermediary to delegate credentials, and you set a policy (GPO) that allows delegation to specific computers. It is quick to set up, but less secure because the credentials travel in clear text inside the encrypted channel. Always restrict the sources and destinations.

The preferred option in a domain is constrained Kerberos delegation (resource-based delegation) in modern AD. This lets the endpoint trust delegation from the intermediary for specific services, avoiding exposing your identity on the initial connection. It requires recent domain controllers and an up-to-date RSAT.

Custom endpoints (session configurations)

One of the gems of Remoting is the ability to register connection endpoints with tailored capabilities and limits. First you create a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, ExecutionPolicy, LanguageMode, and so on), and then you register it with Register-PSSessionConfiguration, where you can set RunAsCredential and the permissions (SDDL, or the GUI with -ShowSecurityDescriptorUI).

For secure delegation, expose only what is needed with -VisibleCmdlets/-VisibleFunctions and disable free scripting where appropriate with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone could use a scriptblock to invoke unexposed commands, which, combined with RunAs, would be a hole. Design these endpoints with a fine-tooth comb and document their scope.
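
A constrained endpoint built along those lines, as an added example (not code from the original article). The endpoint name ServiceOps, the file path and the two service names are placeholders chosen for illustration.

```powershell
# Added example. Run elevated on the target. 'ServiceOps', the .pssc path and the
# service names are placeholders.
$pssc = Join-Path $env:ProgramData 'PSEndpoints\ServiceOps.pssc'
New-Item -ItemType Directory -Path (Split-Path $pssc) -Force | Out-Null

# RestrictedRemoteServer starts from a near-empty command set; NoLanguage blocks
# variables, operators and script syntax, so callers can only run what is visible.
# Restart-Service is exposed for two named services only.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'W32Time', 'Spooler' }
    }

# Catch mistakes in the file before touching WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid file: $pssc" }

# Registering restarts WinRM. The dialog sets who may connect (stored as SDDL).
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc `
    -ShowSecurityDescriptorUI -Force

# Check the boundary from a caller's point of view.
$s = New-PSSession -ComputerName localhost -ConfigurationName 'ServiceOps'
try {
    # Exposed cmdlet: allowed.
    Invoke-Command -Session $s -ScriptBlock { Get-Service -Name W32Time }

    # Not exposed: this call must fail. If it succeeds, the endpoint is too open.
    try {
        Invoke-Command -Session $s -ScriptBlock { Get-Process } -ErrorAction Stop
        Write-Warning 'Get-Process ran: the endpoint exposes more than intended.'
    }
    catch {
        "Blocked as intended: $($_.Exception.Message)"
    }
}
finally {
    Remove-PSSession -Session $s
}
```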

Domains, GPOs, and workgroups

In AD you can deploy PowerShell Remoting at scale with GPO: allow automatic configuration of WinRM listeners, set the service to Automatic, and create the firewall exception. Remember that GPOs change settings, but they don't always start the service immediately; sometimes you need to restart or force a gpupdate.


In workgroups (non-domain), configure Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client @{TrustedHosts="host1,host2"}) and use local credentials. For HTTPS, you can install self-signed certificates, although using a trusted CA is recommended, as is verifying that the name you will use in -ComputerName appears in the certificate (CN/SAN match).

Key cmdlets and syntax

A handful of commands covers 90% of day-to-day scenarios. To enable/disable:

Enable-PSRemoting    
Disable-PSRemoting

Interactive 1-to-1 session and exit:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1-to-many, in parallel and with credentials:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Persistent sessions and reuse:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Testing and useful WinRM commands:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Practical notes on firewall, network and ports

Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for the public profile, it is limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should weigh against your risk).

If you use SOAR/SIEM integrations that run remote commands (for example from XSOAR), make sure the server has DNS resolution for the hosts, connectivity to 5985/5986, and credentials with sufficient local permissions. In some cases, NTLM/Basic authentication may need adjusting (for example, using a local user in Basic with SSL).

Enable-PSRemoting parameters (operational summary)

-Confirm asks for confirmation before executing; -Force ignores warnings and makes the necessary changes; -SkipNetworkProfileCheck enables Remoting on public client networks (limited by default to the local subnet); -WhatIf shows what would happen without making changes. In addition, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, etc.).

Remember that "Enable" does not create HTTPS listeners or certificates for you; if you need end-to-end encryption from the start and certificate-based authentication, configure the HTTPS listener and validate the CN/SAN against the name you will use in -ComputerName.

Useful WinRM and PowerShell Remoting commands

A few essentials to keep at hand for day-to-day work:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force
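
To review what those commands have left behind on a machine, the following read-only audit is an added example (not code from the original article). It only reads settings discussed on this page; the rule-name prefix comes from the Set-NetFirewallRule line above.

```powershell
# Added example (read-only). Run elevated on the machine you want to review.

# 1) TrustedHosts: every entry is a destination reached without mutual authentication.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') {
    $trustedFinding = 'wildcard: every destination is trusted'
} elseif ($trusted) {
    $trustedFinding = "explicit list: $trusted"
} else {
    $trustedFinding = 'empty'
}

# 2) Listeners: which transports (HTTP/HTTPS) and addresses WinRM is bound to.
$listeners = Get-ChildItem WSMan:\localhost\Listener |
    ForEach-Object { $_.Keys -join ', ' }

# 3) Service-side authentication and whether unencrypted traffic is accepted.
$auth             = Get-ChildItem WSMan:\localhost\Service\Auth
$basicEnabled     = ($auth | Where-Object Name -eq 'Basic').Value
$credSspEnabled   = ($auth | Where-Object Name -eq 'CredSSP').Value
$allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value

# 4) Firewall scope of the enabled WinRM HTTP rules ('Any' means not limited to a subnet).
$fwRules = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.Name
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }

# 5) Who is allowed to connect to each registered endpoint.
$endpoints = Get-PSSessionConfiguration | Select-Object Name, Permission

[pscustomobject]@{
    TrustedHosts     = $trustedFinding
    Listeners        = $listeners -join ' | '
    BasicAuth        = $basicEnabled
    CredSSP          = $credSspEnabled
    AllowUnencrypted = $allowUnencrypted
} | Format-List

$fwRules   | Format-Table -AutoSize
$endpoints | Format-Table -AutoSize -Wrap
```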

When you manage Windows at scale, Remoting lets you move from "computer by computer" to a declarative and secure approach. By combining persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints, and clear audit trails, you gain speed and control without sacrificing security or auditing. If you also standardize activation through GPO and handle the special cases (TrustedHosts, double hop, certificates), you will have a solid remote platform for daily operations and incident response.
