Maitiro ekudzora PC yako kubva pafoni yako uchishandisa PowerShell Remoting

Unogona kutoita otomatiki mabasa mazhinji nePowerShell munharaunda, asi unoendepi chaizvo PowerShell Remoting inoita mutsauko Ndopaunomhanyisa mirairo pamakina ari kure, angave mashoma kana mazana, achipindirana kana akafanana. Iyi tekinoroji, inowanikwa kubvira Windows PowerShell 2.0 uye yakagadziridzwa kubva 3.0, yakavakirwa paWS-Management (WinRM) uye inoshandura. PowerShell mune yakasimba, scalable uye yakachengeteka kure manejimendi chiteshi.

Chekutanga pane zvese, zvakakosha kuti unzwisise maviri akakosha mazano: cmdlets ne -ComputerName parameter (semuenzaniso, Tora-Process kana Tora-Sevhisi) haisi iyo nzira yenguva refu yakakurudzirwa neMicrosoft, uye PowerShell Remoting haishande se "hack." Saizvozvo, inosimbisa mutual authentication, odhita matanda uye kuremekedza zvibvumirano zvako zvakajairika, pasina kuchengetedza zvitupa kana kuita zvemashiripiti chero chinhu chine rombo rakanaka.

Chii chinonzi PowerShell Remoting uye nei uchiishandisa?

Con PowerShell Kudzokorora unogona ita chero murairo uri kure iyo iwe yaunokwanisa kuvhura mumusangano wepanzvimbo, kubva pakubvunza masevhisi kusvika pakuisa zvigadziriso, uye wozviita pamazana emakomputa kamwechete. Kusiyana necmdlets inobvuma -ComputerName (vazhinji vanoshandisa DCOM/RPC), Remoting inofamba neWS-Man (HTTP/HTTPS), iyo inonyanya kushandisa firewall-inoshamwaridzika, inobvumira parallelism uye offloads kushanda kune ari kure anogamuchira, kwete mutengi.

Izvi zvinoshandura kuita zvitatu zvinobatsira: kuita zvirinani mukuuraya kukuru, kushomeka kwema network ine mitemo inorambidza uye modhi yekuchengetedza inoenderana neKerberos/HTTPS. Uyezve, nekusatsamira pane imwe neimwe cmdlet kuti iite yayo kure, Remoting Inoshanda kune chero chinyorwa kana basa iyo inowanikwa kunzvimbo yekuenda.

Nekusagadzikana, ichangoburwa Windows Servers inouya neRemoting inogoneswa; mukati Windows 10/11 unoimutsa ine cmdlet imwe chete. Uye hongu, iwe unogona kushandisa zvimwe zvitupa, zvinoramba zvichiitika, tsika yekupedzisira, uye nezvimwe.

Ongorora: Kubvisa hakuna kufanana nekuvhura zvese. By default, vatungamiri chete Vanogona kubatana, uye zviito zvinoitwa pasi pekuzivikanwa kwavo. Kana iwe uchida kutumwa-kwakapfava, tsika dzekupedzisira dzinokutendera iwe kufumura chete mirairo yakakosha.

Iyo inoshanda sei mukati: WinRM, WS-Man uye ports

PowerShell Remoting inoshanda mutengi-server modhi. Mutengi anotumira zvikumbiro zveWS-Management kuburikidza HTTP (5985/TCP) kana HTTPS (5986/TCP). Pane chinangwa, iyo Windows Remote Management (WinRM) sevhisi inoteerera, inogadzirisa iyo yekupedzisira (session kumisikidzwa), uye inoitisa iyo PowerShell musangano kumashure (wsmprovhost.exe process), kudzosera serialized mhinduro kumutengi muXML kuburikidza neSOAP.

Kekutanga paunogonesa Remoting, vateereri vanogadziriswa, iyo yakakodzera firewall yekusarudzika inovhurwa, uye magadzirirwo echikamu anogadzirwa. Kubva kuPowerShell 6+, akawanda editions anogara, uye Gonesa-PSRemoting Inonyoresa magumo nemazita anoratidza shanduro (somuenzaniso, PowerShell.7 uye PowerShell.7.xy).

Kana iwe ukangobvumira HTTPS munharaunda yako, unogona kugadzira a muteereri akachengeteka nechitupa chakapihwa neCA yakavimbika (inokurudzirwa). Neimwe nzira, imwe nzira ndeye kushandisa TrustedHosts mune shoma, ine ngozi-inoziva nzira, yeboka rebasa rezviitiko kana asiri-domain makomputa.

Ziva kuti Powershell Remoting inogona kugarisana ne cmdlets ne -ComputerName, asi Microsoft inosundira WS-Man seyakajairwa uye yeramangwana-humbowo nzira yekutonga kure.

Kugonesa PowerShell Remoting uye Inobatsira Paramita

PaWindows, ingovhura PowerShell semutungamiri uye mhanya Gonesa-PSRemoting. Iyo sisitimu inotanga WinRM, inogadzirisa autostart, inogonesa muteereri, uye inogadzira iyo yakakodzera firewall mitemo. Pane vatengi vane yeruzhinji network profiles, unogona nemaune kubvumira izvi ne -SkipNetworkProfileCheck (uye wozosimbisa nemirairo chaiyo):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force

 

Syntax inobvumirawo, -Simbisa y -WhatIf yekuchinja kutonga. Rangarira: Inowanikwa chete paWindows, uye iwe unofanirwa kumhanya yakasimudzwa console. Mitemo yakagadzirwa inosiyana pakati peServer neClient editions, kunyanya paruzhinji network, uko nekusarudzika inogumira kune subnet yemuno kunze kwekunge iwe ukawedzera chiyero (semuenzaniso, neSet-NetFirewallRule).

Kunyora zvakatorekodhwa zvesesheni zvigadziriso uye kusimbisa kuti zvese zvagadzirira, shandisa Tora-PSSessionConfigurationKana PowerShell.x uye Workflow endpoints ikaonekwa, Remoting framework inoshanda.

Mashandisiro modes: 1 kusvika 1, 1 kune akawanda, uye inopfuurira zvikamu

Paunenge uchida inopindirana console pane imwe komputa, tendeukira ku Pinda-PSSessionIko kukurumidza kuchaonekwa, uye zvese zvaunoita zvichaenda kune iri kure. Unogona kushandisazve zvitupa neGet-Credential kudzivirira kugara uchiapinda zvakare:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

Kana zvauri kutsvaga ndezvekutumira mirairo kumakomputa akati wandei kamwechete, chishandiso chiri Invoke-Command ine scriptblock. Nekumisikidza, inotangisa anosvika makumi matatu nemaviri ekubatanidza (inogadziriswa ne -ThrottleLimit). Mibairo inodzoswa se deserialized zvinhu (pasina "mararamiro" nzira):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Unoda kudaidza nzira yakaita se.Stop() kana .Start()? Zviite. mukati meiyo scriptblock muchimiro chiri kure, kwete chemuno chakaraswa chinhu, uye ndizvozvo. Kana paine yakaenzana cmdlet (Misa-Sevhisi/Tanga-Sevhisi), kazhinji zviri nani kuishandisa kujekesa.

Kuti udzivise mutengo wekutanga nekupedzisa masesisheni pakufona kwega kwega, gadzira a Inopfuurira PSSession uye zvishandise zvakare pamakumbiro akawanda. Shandisa New-PSSession kugadzira chinongedzo, uye shandisa Invoke-Command-Session kushandisa zvakare mugero. Usakanganwa kuivhara neBvisa-PSSession kana wapedza.

Serialization, miganhu uye maitiro akanaka

Chinhu chakakosha: kana uchifamba, zvinhu "+ flatten" uye zvinosvika se deserialized snapshots, ine zvivakwa asi pasina nzira. Izvi zvinoitwa nemaune uye zvinochengetedza bandwidth, asi zvinoreva kuti haugone kushandisa nhengo dzinoita zvine musoro (se..Kill()) pakopi yeko. Mhinduro iri pachena: kumbira nzira idzodzo. ari kure uye kana uchingoda mamwe minda, sefa neSelect-Object kutumira data shoma.

Mune zvinyorwa, dzivisa Enter-PSSession (yakanangana nekushandiswa kwekudyidzana) uye shandisa Invoke-Command ine zvinyorwa zvinyorwa. Kana iwe uchitarisira kufona kwakawanda kana kuda kuchengetedza nyika (mabhii, mamodule anotorwa kunze kwenyika), shandisa zvirongwa zvinopfuurira uye, kana zvichiita, bvisa/zvibatanidza zvakare neDisconnect-PSSession/Connect-PSSession muPowerShell 3.0+.

Authentication, HTTPS, uye Off-Domain Scenarios

Munzvimbo, kutendeseka kwekuzvarwa ndiko Kerberos Uye zvose zvinoyerera. Kana mudziyo ukatadza kuona zita reseva, kana kuti ukabatanidza neCNAME IP kana zita, unoda imwe yezviviri izvi zvingasarudzwa: 1) Muteereri. HTTPS nechitupa yakapihwa neCA yaunovimba nayo, kana 2) wedzera kwainoenda (zita kana IP) kune TrustedHosts uye shandisa zvitupaYechipiri sarudzo inodzima mutual authentication kune iyo host, saka inoderedza scope kusvika pashoma inodiwa.

Kumisikidza muteereri weHTTPS kunoda chitupa (chaizvo kubva kuPKI yako kana yeruzhinji CA), chakaiswa muchitoro chechikwata uye chakasungirirwa kuWinRM. Port 5986/TCP inozovhurwa mufirewall uye, kubva kumutengi, inoshandiswa. -Shandisa SSL mune kure cmdlets. Nekuda kwechokwadi chetifiketi chemutengi, unogona mepu cert kuaccount yemuno uye ubatane nayo -ChitupaChigunwe (Pinda-PSSession haigamuchire izvi zvakananga; gadzira chikamu chekutanga neNew-PSSession.)

Yechipiri hop uye kutumwa kwezvitupa

Iyo yakakurumbira "double hop" inoonekwa kana, mushure mekubatanidza kune sevha, iwe unoda iyo sevha kuti iwane a rechitatu resource pachinzvimbo chako (semuenzaniso, chikamu cheSMB). Pane nzira mbiri dzekubvumidza izvi: CredSSP uye zviwanikwa-zvakavakirwa zvakamanikidza Kerberos kutumwa.

Con CredSSP Iwe unogonesa mutengi uye murevereri kugovera zvakajeka zvitupa, uye unoisa mutemo (GPO) kubvumira nhume kune chaiwo makomputa. Inokurumidza kugadzirisa, asi yakachengeteka zvishoma nekuti zvitupa zvinofamba mumavara akajeka mukati meiyo encrypted tunnel. Gara uchiganhurira kwaunobva uye kwekuenda.

Iyo inosarudzirwa imwe nzira mudomasi ndeye yakamanikidza vamiriri veKerberos (resource-based contrained delegation) mune yazvino AD. Izvi zvinobvumira iyo yekupedzisira kuvimba nekugamuchira nhume kubva pakati pemasevhisi chaiwo, kudzivirira kufumura chitupa chako pane yekutanga kubatana. Inoda ichangoburwa domain controller uye yakagadziridzwa RSAT.

Custom Endpoints (Session Configurations)

Imwe yematombo eKubvisa ndeye kukwanisa kunyoresa mapoinzi ekubatanidza ne zvakagadzirirwa kugona uye miganhu. Kutanga iwe unogadzira faira neNew-PSSessionConfigurationFile (mamodule ekutanga kurodha, anooneka mabasa, ariases, ExecutionPolicy, MutauroMode, nezvimwewo), wobva wainyoresa neRegister-PSSessionConfiguration, kwaunogona kuseta. RunAsCredential uye mvumo (SDDL kana GUI interface ine -ShowSecurityDescriptorUI).

Pakutumwa kwakachengeteka, buritsa chete zvinodikanwa ne -VisibleCmdlets/-VisibleFunctions uye dzima scripting yemahara kana zvakakodzera MutauroMode RestrictedLanguage kana NoLanguage. Kana iwe ukasiya FullLanguage, mumwe munhu anogona kushandisa script block kudaidza isina kuburitswa mirairo, iyo, yakasanganiswa neRunAs, ringava gomba. Gadzira magumo aya nemuzinga wemazino akatsetseka uye nyora hukuru hwawo.

Domains, GPOs, uye Groupware

MuAD unogona kuendesa Powershell Remoting pachiyero neGPO: bvumidza otomatiki kumisikidzwa kweWinRM vateereri, isa sevhisi kuOtomatiki, uye gadzira kunze kwe firewall. Rangarira kuti maGPO anoshandura marongero, asi haagare akabatidza sevhisi ipapo ipapo; dzimwe nguva unofanirwa kutangazve kana kumanikidza gpupdate.

Mumaworkgroups (asiri-domain), gadzira Remoting ne Gonesa-PSRemoting, isa TrustedHosts pamutengi (winrm set winrm/config/client @{TrustedHosts=»host1,host2″}) uye shandisa zvitupa zvemuno. Kune HTTPS, unogona kukwira wega-zvitupa zvitupa, kunyangwe zvichikurudzirwa kushandisa yakavimbika CA uye simbisa zita racho yauchashandisa mu -ComputerName muchitupa (CN/SAN match).

Key cmdlets uye syntax

Vashoma ve commandos vanovhara iyo 90% yezviitiko zvezuva nezuva. Kuti activate/deactivate:

Enable-PSRemoting    
Disable-PSRemoting

Interactive session 1 kusvika 1 uye kubuda:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1 kune vakawanda, pamwe nekuenzanisa uye magwaro:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Zvidzidzo zvinoramba zviripo uye shandisa zvakare:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Kuedza uye WinRM Inobatsira:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Zvinyorwa zvinoshanda pane firewall, network uye ports

Vhura 5985/TCP yeHTTP uye 5986/TCP yeHTTPS pakombiyuta yakanangwa uye pa. chero yepakati firewallPaWindows vatengi, Gonesa-PSRemoting inogadzira mitemo yesizinda uye yakavanzika profiles; kune veruzhinji profiles, inogumira kune subnet yemuno kunze kwekunge iwe uchinge wagadzirisa chiyero neSet-NetFirewallRule -RemoteAddress Chero (mutengo waunogona kuongorora unoenderana nenjodzi yako).

Kana iwe ukashandisa SOAR/SIEM kusanganisa kunomhanyisa mirairo iri kure (semuenzaniso kubva kuXSOAR), ita shuwa kuti sevha ine DNS resolution kune vanotambira, kubatana ku5985/5986, uye zvitupa zvine mvumo yemuno yakakwana. Mune zvimwe zviitiko, NTLM/Basic authentication ingada kugadziriswa (semuenzaniso, kushandisa mushandisi wemuno muBasic neSSL).

Gonesa-PSRemoting Parameters (Kushanda Summary)

-Simbisa inokumbira kusimbiswa usati waita; -Kumanikidza anofuratira yambiro uye ita shanduko dzinodiwa; -SkipNetworkProfileCheck inogonesa Remoting pane yeruzhinji mutengi network (yakaganhurirwa nekusarudzika kune yemuno subnet); -WhatIf inokuratidza zvingaitika pasina kushandisa shanduko. Uyezve, senge chero yakajairwa cmdlet, inotsigira common parameters (-Verbose, -ErrorAction, nezvimwewo).

Rangarira kuti "Gonesa" haigadziri vateereri veHTTPS kana zvitupa zvako; kana iwe uchida kupedzisa-kusvika-kumagumo encryption kubva pakutanga uye kuvimbiswa kwakavakirwa pa zvitifiketi, gadzirisa muteereri weHTTPS uye simbisa CN/SAN maererano nezita rauchashandisa mu -ComputerName.

Inobatsira WinRM uye PowerShell Remoting Commands

Vamwe zvinhu zvakakosha zvepamubhedha zuva nezuva:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

Paunenge uchibata Windows pachiyero, Remoting inokutendera kuti ufambe kubva "kombuta-kuenda-kombuta" uchienda kune yekuzivisa uye yakachengeteka nzira. Nekubatanidza zvikamu zvinoramba zvichienderera, huchokwadi hwakasimba (Kerberos/HTTPS), magumo ekupedzisira, uye nzira dzakajeka dzekuongorora, unowana kukurumidza uye kutonga pasina kupa kuchengetedzwa kana kuongorora. Kana iwewo ukamisa GPO activation uye tenzi akakosha kesi (TrustedHosts, kaviri hop, zvitupa), iwe unenge uine yakasimba kure kure chikuva chemazuva ese mashandiro uye chiitiko mhinduro.