How to control your PC from your mobile phone with PowerShell Remoting

Last updated: 15/10/2025

  • Remoting runs over WinRM/WS-Man (HTTP/HTTPS) and supports 1-to-1, 1-to-many, and persistent sessions with security controls.
  • Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate whose CN/SAN matches the name you connect to.
  • Results come back deserialized; methods are invoked inside the remote script block, and custom endpoints are used for granular delegation.
PowerShell Remoting

You may already automate plenty of tasks with local PowerShell, but where PowerShell Remoting makes the difference is when you run commands on remote machines, whether a handful or hundreds, interactively or in parallel. The technology, available since Windows PowerShell 2.0 and strengthened in 3.0, is built on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote management channel.

First, two key ideas: cmdlets that take a -ComputerName parameter (for example Get-Process or Get-Service) are not the long-term path Microsoft recommends, and PowerShell Remoting is not a "hack". It enforces mutual authentication (Kerberos in a domain), is logged, and respects your normal permissions; it does not cache credentials or magically run everything with elevated privileges.

What is PowerShell Remoting and why use it?

With PowerShell Remoting you can run on a remote machine almost any command you could start in a local session, from querying services to deploying configuration, and do it on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (most of which use DCOM/RPC), remoting travels over WS-Man (HTTP/HTTPS), which is far more firewall-friendly, and it lets the work run in parallel on the remote hosts rather than on the client.

That translates into three tangible benefits: better performance for large-scale execution, fewer conflicts with networks that have restrictive rules, and a security model aligned with Kerberos/HTTPS. Moreover, because it does not depend on each cmdlet implementing its own remoting, Remoting works with any script or function available at the destination.

Recent Windows Server releases ship with remoting enabled by default; on Windows 10/11 you turn it on with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.

Note: remoting is not the same as opening everything up. By default only administrators can connect, and actions run under their identity. If you need granular delegation, custom endpoints let you expose only the essential commands.

PowerShell Remoting architecture

How it works internally: WinRM, WS-Man and ports

PowerShell Remoting follows a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (the wsmprovhost.exe process), returning serialized results to the client as XML over SOAP.

The first time you enable Remoting, the listeners are configured, the appropriate firewall exceptions are opened, and the session configurations are created. From PowerShell 6 onward several editions coexist, and Enable-PSRemoting registers endpoints whose names reflect the version (for example PowerShell.7 and PowerShell.7.x.y).


If your environment allows HTTPS, you can create a secure listener with a certificate issued by a trusted CA (recommended). The fallback is TrustedHosts, used in a narrow and consciously risky way, for workgroup scenarios or computers that are not domain-joined.

Note that PowerShell Remoting coexists with cmdlets that carry -ComputerName, but Microsoft is pushing WS-Man as the standard, future-proof method for remote management.

Enabling PowerShell Remoting and useful parameters

On Windows, open PowerShell as administrator and run Enable-PSRemoting. It starts WinRM, sets it to start automatically, enables the listener, and creates the appropriate firewall rules. On clients whose active network profile is Public, you can deliberately allow it with -SkipNetworkProfileCheck (and then tighten with specific rules):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force


The syntax also accepts -Confirm and -WhatIf to control the change. Remember: it is only available on Windows, and you must run it from an elevated console. The rules created differ between Server and client editions, especially on public networks, where by default they are limited to the local subnet until you widen the scope (for example with Set-NetFirewallRule).

To list the registered session configurations and verify that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and Workflow endpoints appear, the remoting framework is working.
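The steps above, as an added example that is not part of the original article: enable remoting, verify the listener and the endpoints, and then narrow the firewall rules that Enable-PSRemoting created to a management subnet instead of widening them to Any. The subnet 10.20.30.0/24 is an assumption; replace it with the network your admin jump hosts use.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumption: 10.20.30.0/24 is a
# hypothetical management subnet from which admin jump hosts connect.

$ManagementSubnet = '10.20.30.0/24'

# 1. Start WinRM, set it to Automatic, register the HTTP listener and the
#    default firewall rules. -SkipNetworkProfileCheck only matters on clients
#    whose active profile is Public; -Force skips the confirmation prompts.
Enable-PSRemoting -SkipNetworkProfileCheck -Force

# 2. Verify the listener (Keys shows Address=* and Transport=HTTP) and that
#    WinRM answers locally.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Test-WSMan -ComputerName localhost | Select-Object ProductVendor, ProductVersion

# 3. List the endpoints clients can target. Names depend on the edition:
#    microsoft.powershell(.workflow) for Windows PowerShell 5.1,
#    PowerShell.7 / PowerShell.7.x.y for PowerShell 7.
Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission

# 4. Enable-PSRemoting scopes the Public-profile rule to LocalSubnet. Rather than
#    widening it to Any, pin every inbound WinRM HTTP rule to the management subnet
#    so that only the jump hosts can reach 5985/TCP.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $ManagementSubnet

# 5. Review the resulting scope (InstanceID is the rule name).
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Run it once per host (or push the same logic through GPO, see below); step 4 is the part most people skip, and it is what keeps an enabled WinRM listener from being reachable from every workstation on the network.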

Remote sessions with PowerShell

Usage patterns: 1-to-1, 1-to-many, and persistent sessions

When you need an interactive console on a single computer, use Enter-PSSession. The prompt changes, and everything you run goes to the remote host. You can reuse credentials obtained with Get-Credential so you are not asked for them repeatedly:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

If what you want is to send commands to several computers at once, the tool is Invoke-Command with a script block. By default it opens up to 32 concurrent connections (adjustable with -ThrottleLimit). Results come back as deserialized objects (without "live" methods):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Need to call a method such as .Stop() or .Start()? Do it inside the script block, in the remote context, not on the object that came back. If an equivalent cmdlet exists (Stop-Service/Start-Service), it is usually preferable for clarity.

To avoid the cost of opening and tearing down a session on every call, create a persistent PSSession and reuse it across many requests. Use New-PSSession to create the connection and Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you are done.

Serialization, limits and good practice

An important detail: in transit, objects are serialized and arrive as a snapshot, with properties but no methods. This is intentional and saves bandwidth, but it means you cannot call members that execute logic (such as .Kill()) on the local copy. The fix is simple: call those methods remotely, and if you only need a few fields, filter with Select-Object so less data is sent.


In scripts, avoid Enter-PSSession (it is meant for interactive use) and use Invoke-Command with script blocks. If you anticipate many calls or need to preserve state (variables, imported modules), use persistent sessions and, where applicable, disconnect and reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.
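Persistent sessions and the serialization boundary described in the last two sections, as an added example that is not part of the original article. The hosts dc01, sql02 and web01 are hypothetical domain-joined machines on which the caller is a local administrator (Kerberos, so no explicit credentials).

```powershell
# Added example (not from the original article). Assumed hosts: dc01, sql02, web01.

$targets = 'dc01', 'sql02', 'web01'

# Open one session per host once, instead of paying the connect cost on every call.
$sessions = New-PSSession -ComputerName $targets -ErrorAction Stop

try {
    # What arrives locally is a deserialized snapshot: properties, no live methods.
    $svc = Invoke-Command -Session $sessions -ScriptBlock { Get-Service -Name W32Time }
    $svc[0].PSObject.TypeNames[0]              # Deserialized.System.ServiceProcess.ServiceController
    $null -eq $svc[0].PSObject.Methods['Stop'] # True: the local copy has no Stop() method

    # Call the method (or better, the cmdlet) in the remote context instead.
    Invoke-Command -Session $sessions -ScriptBlock {
        $s = Get-Service -Name W32Time
        if ($s.Status -ne 'Running') { Start-Service -Name W32Time }
        Get-Service -Name W32Time | Select-Object Status
    }

    # Ship only the fields you need: every property is serialized and sent back.
    Invoke-Command -Session $sessions -ScriptBlock {
        Get-Process |
            Sort-Object WorkingSet64 -Descending |
            Select-Object -Property Name, Id, WorkingSet64 -First 3
    } | Select-Object PSComputerName, Name, Id, WorkingSet64 | Format-Table -AutoSize

    # State survives between calls in a persistent session.
    Invoke-Command -Session $sessions -ScriptBlock { $Checked = Get-Date }
    Invoke-Command -Session $sessions -ScriptBlock { "$env:COMPUTERNAME last checked $Checked" }
}
finally {
    # Always tear the sessions down, even if a step above threw.
    $sessions | Remove-PSSession
}
```

The PSComputerName property is added automatically to every object that comes back from Invoke-Command, which is what lets you tell the three hosts' results apart after they are merged into one stream.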

Authentication, HTTPS, and non-domain scenarios

Inside a domain the default authentication is Kerberos and everything just flows. When the client cannot validate the server name, or you connect by IP or through a CNAME alias, you need one of two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) adding the destination (name or IP) to TrustedHosts and using explicit credentials. The second option disables mutual authentication of the host, so narrow its scope to the bare minimum.

Setting up the HTTPS listener requires a certificate (ideally from your own PKI or a public CA), installed in the machine store and bound to WinRM. Port 5986/TCP is then opened on the firewall and, on the client, -UseSSL is added to the remoting cmdlets. For client certificate authentication you can map a certificate to a local account and connect with -CertificateThumbprint (typically via New-PSSession, reusing the session afterwards).
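An HTTPS listener configured the way the paragraph above describes, as an added example that is not part of the original article (it also covers the reminder later on the page that Enable-PSRemoting never creates an HTTPS listener). Assumptions: it runs elevated on the target, a CA-issued server certificate whose CN/SAN contains the FQDN is already in Cert:\LocalMachine\My, web01.corp.example is a hypothetical name, and 10.20.30.0/24 is the management subnet.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumed FQDN and subnet below.

$Fqdn             = 'web01.corp.example'   # the exact name clients will pass to -ComputerName
$ManagementSubnet = '10.20.30.0/24'

# Pick a current server-auth certificate with a private key whose SAN lists the FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $Fqdn) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $Fqdn in LocalMachine\My" }

# Refuse certificates that do not chain to a trusted CA: a self-signed cert would
# bind fine, but clients would then need -SkipCACheck, which removes the server
# authentication that is the whole point of using HTTPS instead of TrustedHosts.
if (-not $cert.Verify()) { throw "Certificate $($cert.Thumbprint) does not chain to a trusted CA" }

# Replace any existing HTTPS listener and bind the new one to the certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -Hostname $Fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# Enable-PSRemoting only opened 5985; open 5986 yourself, scoped to the admin network.
New-NetFirewallRule -Name 'WINRM-HTTPS-In-TCP-Mgmt' `
    -DisplayName 'WinRM over HTTPS (management subnet)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $ManagementSubnet -Action Allow | Out-Null

# Show what was bound.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem $_.PSPath | Where-Object Name -in 'Hostname','CertificateThumbprint','Port' }

# Client side, from a jump host:
#   $s = New-PSSession -ComputerName $Fqdn -UseSSL -Credential (Get-Credential)
#   Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME }
# The connection fails if the certificate's CN/SAN does not match $Fqdn; there is no
# silent downgrade to HTTP.
```

Because the certificate now authenticates the server, a host reached this way does not need to appear in the client's TrustedHosts at all, even outside a domain.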

The second hop and credential delegation

The famous "double hop" appears when, after connecting to a server, you need that server to reach a third resource on your behalf (for example an SMB share). There are two ways to allow it: CredSSP and resource-based Kerberos constrained delegation.

With CredSSP you explicitly allow the client and the intermediate server to delegate credentials, and you set policy (GPO) to permit delegation only to specific computers. It is quick to configure but less secure, because the credentials travel in clear text inside the encrypted tunnel and the intermediate server ends up holding a reusable copy of them. Always restrict the sources and destinations.

The preferred alternative in a domain is resource-based constrained delegation (RBCD) in modern AD. It lets the destination resource decide which intermediate servers may act on behalf of users for specific services, without your credentials ever leaving the first connection. It requires recent domain controllers and up-to-date RSAT.
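Both ways out of the double hop, as an added example that is not part of the original article. The names are hypothetical: jump01 (where you run this), app01 (the first hop) and files01 (the SMB server the hop must reach). It assumes the ActiveDirectory RSAT module and Windows Server 2012 or later domain controllers, and that you have rights to modify the files01 computer object.

```powershell
# Added example (not from the original article). Assumed hosts: jump01, app01, files01.
Import-Module ActiveDirectory

# --- Option 1 (preferred): resource-based constrained delegation -----------------
# Configured on the *resource* (files01): its computer object lists which principals
# may obtain service tickets to it on behalf of users. Your password never leaves jump01.
$firstHop = Get-ADComputer -Identity 'app01'
Set-ADComputer -Identity 'files01' -PrincipalsAllowedToDelegateToAccount $firstHop

# Verify, then purge app01's cached tickets (LSA logon id 0x3e7 = SYSTEM) so the
# new delegation policy is used on the next request instead of a stale ticket.
Get-ADComputer -Identity 'files01' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
Invoke-Command -ComputerName app01 -ScriptBlock { klist purge -li 0x3e7 }

# The second hop now works with plain Kerberos; no credentials in the script block.
Invoke-Command -ComputerName app01 -ScriptBlock { Get-ChildItem \\files01\share }

# --- Option 2 (only where RBCD is not possible): CredSSP --------------------------
# Your credentials are handed to app01 (encrypted in transit, but reusable by anyone
# who controls app01). Scope it to one client/server pair and turn it off afterwards.
Enable-WSManCredSSP -Role Client -DelegateComputer 'app01.corp.example' -Force | Out-Null
Invoke-Command -ComputerName app01 -ScriptBlock { Enable-WSManCredSSP -Role Server -Force } | Out-Null

$cred = Get-Credential
Invoke-Command -ComputerName app01 -Authentication Credssp -Credential $cred -ScriptBlock {
    Get-ChildItem \\files01\share
}

# Remove the CredSSP exposure as soon as the task is done.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName app01 -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

With RBCD the decision sits with the owner of files01, not with whoever runs app01, which is why it is the option to reach for first; CredSSP should be treated as a temporary exception with an explicit allow list.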

Custom endpoints (session configurations)

One of the gems of Remoting is the ability to register endpoints with tailored capabilities and limits. First you generate a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, execution policy, language mode, etc.), then you register it with Register-PSSessionConfiguration, where you can set a RunAsCredential and the permissions (as SDDL, or through a GUI with -ShowSecurityDescriptorUI).

For safe delegation, expose only what is necessary with -VisibleCmdlets/-VisibleFunctions and disable free-form scripting, where appropriate, with the RestrictedLanguage or NoLanguage language mode. If you leave FullLanguage, someone can use a script block to call commands that were not exposed, which, combined with RunAs, would be a gaping hole. Design these endpoints with a fine-toothed comb and document their scope.
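A constrained endpoint built the way the two paragraphs above describe, as an added example that is not part of the original article. It goes slightly beyond the text in two ways: it runs the endpoint under a virtual account (-RunAsVirtualAccount, rather than a stored RunAsCredential) and it pins the allowed Restart-Service names with a ValidateSet. Assumptions: it runs elevated on the target, CORP\Helpdesk-Ops is a hypothetical group, and only W32Time and Spooler may be restarted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumed group: CORP\Helpdesk-Ops.

$EndpointName = 'Ops.ServiceRestart'
$ConfigPath   = Join-Path $env:ProgramData "$EndpointName.pssc"

# RestrictedRemoteServer implies NoLanguage mode and exposes only a few proxy cmdlets
# (Get-Command, Get-Help, Select-Object, Exit-PSSession, ...). Everything else must be
# listed explicitly. The hashtable form limits Restart-Service to two service names.
New-PSSessionConfigurationFile -Path $ConfigPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\Transcripts\Ops.ServiceRestart' `
    -VisibleCmdlets 'Get-Service', @{
        Name       = 'Restart-Service'
        Parameters = @{ Name = 'Name'; ValidateSet = 'W32Time', 'Spooler' }
    }

# Validate the file before registering it.
if (-not (Test-PSSessionConfigurationFile -Path $ConfigPath)) {
    throw "Invalid session configuration file: $ConfigPath"
}

# Default descriptors admit only administrators. Grant Invoke (GX) to the helpdesk
# group and keep full control (GA) for local administrators.
$groupSid = (New-Object System.Security.Principal.NTAccount('CORP\Helpdesk-Ops')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GX;;;$groupSid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"

# Registering restarts WinRM; -Force suppresses the prompts.
Register-PSSessionConfiguration -Name $EndpointName -Path $ConfigPath `
    -SecurityDescriptorSddl $sddl -Force | Out-Null

Get-PSSessionConfiguration -Name $EndpointName |
    Select-Object Name, RunAsVirtualAccount, Permission

# What a helpdesk user sees from their workstation:
#   $s = New-PSSession -ComputerName web01 -ConfigurationName Ops.ServiceRestart
#   Invoke-Command -Session $s { Restart-Service -Name Spooler }   # allowed
#   Invoke-Command -Session $s { Restart-Service -Name WinRM }     # rejected by ValidateSet
#   Invoke-Command -Session $s { Get-Process }                     # CommandNotFound: not visible
#   Invoke-Command -Session $s { $x = 1 }                          # NoLanguage: rejected
```

The transcript directory gives you a per-session record of every command the delegated users ran, which is what turns "they have admin on the service" into something you can actually audit.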

Domains, GPOs, and workgroups

In AD you can deploy PowerShell Remoting at scale through GPO: allow automatic configuration of WinRM listeners, set the service to start automatically, and create the firewall exception. Remember that GPOs change the settings but do not always start the service immediately; sometimes a restart or a forced gpupdate is needed.


In workgroups (no domain), enable Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client '@{TrustedHosts="host1,host2"}') and use local credentials. For HTTPS you can bind self-signed certificates, although a trusted CA is recommended, and validate that the name you will use in -ComputerName matches the certificate (CN/SAN match).
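Handling TrustedHosts on a workgroup client without opening it up to every host, as an added example that is not part of the original article. The names lab01, lab02 and 192.168.50.10 are hypothetical. TrustedHosts switches off the client's verification of the server's identity for the listed targets, so the list is kept explicit, never '*', and removed again when the job is done.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumed targets: lab01, lab02, 192.168.50.10.

# Inspect the current value; a wildcard means every server is trusted for NTLM/Basic.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -eq '*') {
    Write-Warning 'TrustedHosts is "*": any host can impersonate a management target.'
}

# Add exactly the hosts you manage, preserving existing entries (-Concatenate).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'lab01,lab02,192.168.50.10' -Concatenate -Force

# Without Kerberos the client falls back to NTLM, so pass an explicit local account.
$cred = Get-Credential -UserName 'lab01\Administrator' -Message 'Local admin on lab01'
Test-WSMan -ComputerName lab01 -Authentication Negotiate -Credential $cred
Invoke-Command -ComputerName lab01 -Credential $cred -ScriptBlock { $env:COMPUTERNAME }

# If lab02 exposes an HTTPS listener, it does not need to be in TrustedHosts at all:
# the certificate's CN/SAN proves the server's identity instead.
#   Invoke-Command -ComputerName lab02 -UseSSL -Credential $cred -ScriptBlock { hostname }

# Restore the previous list (minus any wildcard) when finished.
$kept = ($current -split ',' | Where-Object { $_ -and $_ -ne '*' }) -join ','
if ($kept) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $kept -Force
} else {
    Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
}
```

The IP entry is the weakest of the three: an attacker who can answer for that address on the network is trusted as the server, which is exactly what the HTTPS alternative above prevents.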

Key cmdlets and syntax

A handful of commands cover 90% of day-to-day scenarios. To enable/disable:

Enable-PSRemoting    
Disable-PSRemoting

Interactive 1-to-1 session and exit:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1-to-many, with parallelism and credentials:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Persistent sessions and reuse:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Testing and useful WinRM commands:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Practical notes on firewall, network and ports

Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for the public profile it is limited to the local subnet until you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should weigh against your risk; a management subnet is usually the better choice).

If you use SOAR/SIEM integrations that run remote commands (for example from XSOAR), make sure the server can resolve the hosts in DNS, has connectivity to 5985/5986, and uses credentials with sufficient local permissions. In some scenarios NTLM/basic authentication may need adjustments.

Enable-PSRemoting parameters (quick summary)

-Confirm asks for confirmation before executing; -Force skips the prompts and makes the necessary changes; -SkipNetworkProfileCheck enables remoting on clients connected to public networks (limited to the local subnet); -WhatIf shows what would happen without applying changes. As with any standard cmdlet, it also supports the common parameters (-Verbose, -ErrorAction, etc.).

Remember that Enable-PSRemoting does not create HTTPS listeners or certificates for you; if you need encryption from the first byte and certificate-based authentication, configure the HTTPS listener and validate the CN/SAN against the name you will use in -ComputerName.

Useful WinRM and PowerShell Remoting commands

A few one-liners you will reach for day after day:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any   # widens the rule to every source; prefer a management subnet
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

When you manage Windows at scale, Remoting lets you move from "computer by computer" to a secure, declarative approach. Combined with persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints, and clear audit trails, you gain speed and control without sacrificing security or accountability. If you also standardize enablement through GPO and handle the special cases (TrustedHosts, the double hop, certificates), you end up with a robust remoting setup for both daily operations and incident response.
