How to manage your computers remotely with PowerShell Remoting

Last updated: 15/10/2025

  • Remoting runs over WinRM/WS-Man (HTTP/HTTPS) and supports 1-to-1, 1-to-many and persistent sessions, with security controls along the way.
  • Enable-PSRemoting configures the service, the listeners and the firewall; HTTPS needs a valid certificate whose CN/SAN matches the name you connect to.
  • Results come back deserialized; methods are called inside the remote scriptblock, and custom endpoints (session configurations) are how you delegate a narrow set of commands.
PowerShell Remoting

You may already automate plenty of tasks with PowerShell on your own machine, but where PowerShell Remoting really makes a difference is running commands on remote machines, whether a handful or hundreds of them, interactively or in parallel. The technology, available since Windows PowerShell 2.0 and much improved since 3.0, is built on WS-Management (WinRM) and turns PowerShell into a powerful, scalable and secure remote-administration channel.

First, two key ideas. Cmdlets that take a -ComputerName parameter (for example Get-Process or Get-Service) are not the long-term path Microsoft recommends, and PowerShell Remoting is not a "hack". On the contrary: it enforces mutual authentication (Kerberos in a domain), leaves an auditable trail, and runs under your normal permissions, without storing credentials or magically executing anything with elevated rights.

What is PowerShell Remoting and why use it?

With PowerShell Remoting you can run on a remote host almost any command you could start in a local session, from querying services to changing settings, and do so on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (many of which use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which passes through firewalls cleanly, supports parallel execution and moves the work to the remote host instead of the client.

That translates into three practical benefits: better performance on large runs, less friction with restrictive network rules, and a security model that fits Kerberos/HTTPS. And because it does not depend on each cmdlet implementing its own remote execution, Remoting works for any script or module available on the target.

Recent Windows Server versions ship with Remoting enabled by default; on Windows 10/11 you turn it on with a single cmdlet. From there you can use explicit credentials, persistent sessions, custom endpoints and more.

Note: enabling Remoting does not mean opening everything up. By default only administrators can connect, and actions run under their own identity. If you need well-scoped delegation, custom endpoints let you expose only the commands that are strictly necessary.

PowerShell Remoting Architecture

How it works inside: WinRM, WS-Man and ports

PowerShell Remoting follows a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (the session configuration) and hosts a PowerShell runspace behind it (the wsmprovhost.exe process), returning serialized results to the client as XML over SOAP.

The first time you enable Remoting, the listeners are configured, the appropriate firewall exception is opened and the session configurations are registered. From PowerShell 6+ several versions can coexist, and Enable-PSRemoting registers endpoints whose names carry the version (for example PowerShell.7 and PowerShell.7.x.y).


If your environment only allows HTTPS, create a secure listener with a certificate issued by a trusted CA (recommended). Otherwise the alternative is TrustedHosts, used sparingly and with its risk understood, for workgroup scenarios or machines outside the domain.

Note that PowerShell Remoting coexists with the -ComputerName cmdlets, but Microsoft pushes WS-Man as the standard and future path for remote administration.

Enabling PowerShell Remoting and useful parameters

On Windows, open PowerShell as administrator and run Enable-PSRemoting. It starts WinRM, sets the service to autostart, enables a listener and creates the matching firewall rules. On clients with a network interface on the Public profile you can deliberately allow it with -SkipNetworkProfileCheck (and then tighten the scope with specific rules):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force

 

The syntax also accepts -Confirm and -WhatIf for change control. Remember: it is only available on Windows, and you must run it from an elevated console. The rules it creates differ between Server and Client editions, especially on public networks, where by default they are limited to the local subnet unless you widen the scope (for example with Set-NetFirewallRule).

To list the registered session configurations and verify that everything is in place, use Get-PSSessionConfiguration. If the PowerShell.x (or microsoft.powershell) and workflow endpoints appear, the Remoting setup is working.
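The enable-and-verify steps above, as an added example that is not code from the original article. It runs in an elevated console on Windows; the management subnet 10.0.10.0/24 and the firewall rule name WINRM-HTTP-In-TCP-PUBLIC (the client-edition public-profile rule) are assumptions, and the function returns one object so each piece (service, listeners, endpoints, firewall scope) can be checked rather than just "it connects".

```powershell
# Added example, not from the original article. Run elevated on Windows.
# 10.0.10.0/24 is a placeholder management subnet.

# Preview first, then apply. -SkipNetworkProfileCheck is only needed when a NIC is on the Public profile.
Enable-PSRemoting -Force -WhatIf
Enable-PSRemoting -Force -SkipNetworkProfileCheck

function Test-RemotingSetup {
    # Summarises everything Enable-PSRemoting is supposed to have configured.
    $svc = Get-Service -Name WinRM

    # Each listener is a container whose child items are its properties (Transport, Address, Port, ...).
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
        }
    }

    $endpoints = Get-PSSessionConfiguration | Select-Object Name, Permission

    # The address filter tells you whether a rule is scoped to LocalSubnet, a range, or Any.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress
        }
    }

    [pscustomobject]@{
        ServiceStatus    = $svc.Status
        ServiceStartType = $svc.StartType
        Listeners        = $listeners
        Endpoints        = $endpoints
        FirewallRules    = $rules
        LoopbackOk       = [bool](Test-WSMan -ComputerName localhost -ErrorAction SilentlyContinue)
    }
}

$state = Test-RemotingSetup
$state | Format-List ServiceStatus, ServiceStartType, LoopbackOk
$state.Listeners     | Format-Table
$state.Endpoints     | Format-Table
$state.FirewallRules | Format-Table

# Public-profile rule defaults to LocalSubnet. If you must widen it, name the management
# subnet instead of 'Any' (placeholder rule name: the client-edition public rule).
if ($state.FirewallRules.Name -contains 'WINRM-HTTP-In-TCP-PUBLIC') {
    Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress 10.0.10.0/24
}
```

Run it once after Enable-PSRemoting and again after any GPO or firewall change; a listener that exists but a rule scoped to LocalSubnet is the usual reason "it works from the next desk but not from the jump host".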

Remote sessions with PowerShell

Usage modes: 1-to-1, 1-to-many and persistent sessions

When you need to work interactively with a single computer, open a session with Enter-PSSession. The prompt changes and everything you type runs on the remote host. You can capture credentials once with Get-Credential so you do not have to re-enter them:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

If what you want is to send commands to several computers at once, the tool is Invoke-Command with a scriptblock. By default it opens up to 32 concurrent connections (adjustable with -ThrottleLimit). Results come back as deserialized objects (no "live" methods):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Need to call a method such as .Stop() or .Start()? Do it inside the scriptblock, on the remote side, not on the local deserialized object, and return the result. Where an equivalent cmdlet exists (Stop-Service/Start-Service), it is usually clearer to use it.

To avoid the cost of starting and tearing down a runspace on every call, create a persistent PSSession and reuse it across many calls. Use New-PSSession to establish the connection and Invoke-Command -Session to reuse it. Do not forget to close it with Remove-PSSession when you are done.

Serialization, limits and best practices

Key point: when objects cross the wire they are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot call members that execute logic (such as .Kill()) on the local copy. The obvious solution: call those methods remotely, and if you only need certain properties, filter with Select-Object so less data is sent.


In scripts, avoid Enter-PSSession (it is meant for interactive use) and use Invoke-Command with scriptblocks. If you expect many calls or need to keep state (variables, imported modules), use persistent sessions and, when necessary, disconnect and reconnect them with Disconnect-PSSession/Connect-PSSession, available since PowerShell 3.0.
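The points in the last three sections (persistent sessions, deserialized results, calling methods remotely, keeping state, disconnected sessions) worked through as one added example that is not code from the original article. The hosts dc01, sql02 and web01 come from the article's own examples; the assumption is that they accept WinRM from this client and that the account in $cred is a local administrator on them.

```powershell
# Added example, not from the original article. Assumes dc01/sql02/web01 accept WinRM
# and that $cred is a local administrator on each of them.
$targets = 'dc01', 'sql02', 'web01'
$cred    = Get-Credential

# Open the sessions once. Unreachable hosts land in $connErr instead of aborting the run.
$sessions = New-PSSession -ComputerName $targets -Credential $cred `
                          -ErrorAction SilentlyContinue -ErrorVariable connErr
foreach ($e in $connErr) {
    Write-Warning ("No session to {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}

# 1) What comes back is a deserialized snapshot: properties yes, live methods no.
$svc = Invoke-Command -Session $sessions -ScriptBlock { Get-Service -Name W32Time }
$svc | Select-Object PSComputerName, Name, Status
$svc[0].PSObject.TypeNames[0]                   # Deserialized.System.ServiceProcess.ServiceController
$svc[0].PSObject.Methods.Name -contains 'Stop'  # False: .Stop() exists only on the remote object

# 2) Run the logic remotely. $using: carries a local value in; Select-Object trims what comes out.
$name = 'W32Time'
$result = Invoke-Command -Session $sessions -ScriptBlock {
    $s = Get-Service -Name $using:name
    if ($s.Status -ne 'Running') {
        $s.Start()                                # method call on the live object, remote side
        $s.WaitForStatus('Running', '00:00:30')
    }
    $s | Select-Object Name, Status, StartType    # only these three properties cross the wire
}
$result | Format-Table PSComputerName, Name, Status, StartType

# 3) A persistent session keeps state between calls: variables and imported modules survive.
Invoke-Command -Session $sessions -ScriptBlock { $snapshot = Get-Date; Import-Module NetTCPIP }
Invoke-Command -Session $sessions -ScriptBlock { "$env:COMPUTERNAME snapshot taken at $snapshot" }

$sessions | Remove-PSSession

# 4) Work that must outlive this console (PowerShell 3.0+): start it in a disconnected
#    session and collect the output later from the same client account.
Invoke-Command -ComputerName $targets -Credential $cred -InDisconnectedSession -SessionName Maint `
               -ScriptBlock { Start-Sleep -Seconds 600; "maintenance finished on $env:COMPUTERNAME" } | Out-Null
# ... later ...
foreach ($t in $targets) {
    Receive-PSSession -ComputerName $t -Name Maint -Credential $cred
    Get-PSSession -ComputerName $t -Name Maint -Credential $cred | Remove-PSSession
}
```

The -ErrorVariable pattern matters in 1-to-many runs: with the default -ErrorAction, one host that is down produces a non-terminating error but the other sessions still open, and you want a record of which ones did not.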

Authentication, HTTPS and off-domain scenarios

In a domain the native authentication is Kerberos and everything just flows. When the client cannot verify the server's name, or you connect to an IP address or a CNAME alias, you need one of two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) adding the target (name or IP) to TrustedHosts and using explicit credentials. The second option disables mutual authentication for that host, so restrict it to the strict minimum.

Setting up an HTTPS listener requires a certificate (from your PKI or a public CA) installed in the machine store and bound to WinRM. Port 5986/TCP is opened in the firewall and, from the client, -UseSSL is added to the remoting cmdlets. For client-certificate authentication, map a certificate to a local account on the target and connect with -CertificateThumbprint; a convenient pattern is to create the session with New-PSSession and then enter it with Enter-PSSession -Session.
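The HTTPS listener setup described above, as an added example that is not code from the original article. It assumes an internal CA has already issued a server-authentication certificate whose Subject/SAN matches the target's FQDN and that it sits in Cert:\LocalMachine\My; the subnet 10.0.10.0/24, the account name and the issuer thumbprint variable are placeholders.

```powershell
# Added example, not from the original article.
# --- On the target, elevated. Assumes a CA-issued server-auth cert is already in LocalMachine\My ---
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # the name clients will type

# Pick the newest usable certificate whose SAN contains the FQDN and has the Server Authentication EKU.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.DnsNameList.Unicode -contains $fqdn -and
                       $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $fqdn in LocalMachine\My" }

# Bind it to a WinRM HTTPS listener on all addresses.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Open 5986/TCP, scoped to the management subnet (placeholder), not to Any.
New-NetFirewallRule -DisplayName 'WinRM HTTPS-In (5986)' -Direction Inbound -Protocol TCP `
                    -LocalPort 5986 -RemoteAddress 10.0.10.0/24 -Action Allow | Out-Null

# Once HTTPS is confirmed working: remove the HTTP listener and refuse unencrypted traffic.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# Optional: client-certificate authentication. Map certs from a given issuer (placeholder
# thumbprint in $issuerThumb) with a given subject to a local account, then enable the method.
New-Item -Path WSMan:\localhost\ClientCertificate -Subject 'ops@corp.example' -URI * `
         -Issuer $issuerThumb -Credential (Get-Credential 'localadmin') -Force | Out-Null
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true

# --- On the client ---
# Default session options keep the CA, CN and revocation checks on; do not add
# -SkipCACheck/-SkipCNCheck here, they would defeat the reason for using HTTPS.
Test-WSMan -ComputerName $fqdn -UseSSL -Authentication Default -Credential (Get-Credential)
$s = New-PSSession -ComputerName $fqdn -UseSSL -Credential (Get-Credential)
Invoke-Command -Session $s -ScriptBlock { $env:COMPUTERNAME; $PSSenderInfo.UserInfo.Identity.Name }
Remove-PSSession $s

# Client-certificate variant: the thumbprint is the client's own certificate in its store.
$s = New-PSSession -ComputerName $fqdn -UseSSL -CertificateThumbprint $clientCertThumb
```

The order is deliberate: verify the HTTPS listener from a client before removing the HTTP one, or you can lock yourself out of a remote box.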

Second hop and credential delegation

"Double hop" e tummeng e hlaha ha, ka mor'a ho hokela ho seva, o hloka seva eo ho fihlella mohlodi wa boraro molemong oa hau (mohlala, kabelo ea SMB). Ho na le mekhoa e 'meli ea ho lumella sena: CredSSP le moifo oa Kerberos o thehiloeng ke lisebelisoa.

With CredSSP you explicitly allow the client and the intermediary to delegate credentials, and you set policy (GPO) permitting delegation only to specific computers. It is quick to set up but less secure: your reusable credentials travel in clear text inside the encrypted channel and are handed to the intermediary, so a compromised intermediary can harvest them. Always restrict both the sources and the destinations.

The preferred option in a domain is resource-based Kerberos constrained delegation (RBKCD), available in modern AD. The final resource declares which intermediaries it accepts delegation from, for specific services, so your credentials never leave the first hop. It requires up-to-date domain controllers and current RSAT tools.
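Both approaches to the second hop, as an added example that is not code from the original article. The host names admin01 (client), app01 (intermediary) and fs01 (file server), the share \\fs01\deploy and the domain suffix are placeholders; the RBKCD half needs the ActiveDirectory RSAT module and an account allowed to modify the computer objects.

```powershell
# Added example, not from the original article. Scenario: from admin01 you Invoke-Command on
# app01, and app01 must read \\fs01\deploy on your behalf. All names are placeholders.
$cred = Get-Credential

# --- Option A: CredSSP. Quick, but app01 receives your reusable credential. ---
# Client side (admin01): delegate only to the named intermediary, never to '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer 'app01.corp.example' -Force
# Intermediary side (app01): accept delegated credentials.
Invoke-Command -ComputerName app01 -Credential $cred -ScriptBlock { Enable-WSManCredSSP -Role Server -Force }
# Second hop now works because app01 holds your password and uses it against fs01.
Invoke-Command -ComputerName app01 -Credential $cred -Authentication Credssp `
               -ScriptBlock { Get-ChildItem \\fs01\deploy }
# Turn it off when the task is done; every minute it stays on, a compromised app01 can
# harvest the credentials of anyone who connects with -Authentication Credssp.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName app01 -Credential $cred -ScriptBlock { Disable-WSManCredSSP -Role Server }

# --- Option B: resource-based Kerberos constrained delegation. No password leaves admin01. ---
Import-Module ActiveDirectory
$intermediary = Get-ADComputer -Identity app01
$resource     = Get-ADComputer -Identity fs01

# The RESOURCE decides who may delegate to it; app01's own object is not modified.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $intermediary

# Verify the grant landed where you expect.
(Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount

# app01 caches Kerberos tickets for its machine account (logon id 0x3e7 = SYSTEM); purge
# them so the new delegation state is picked up without waiting for ticket expiry.
Invoke-Command -ComputerName app01 -Credential $cred -ScriptBlock { klist purge -li 0x3e7 }

# Second hop with plain Kerberos: connect by name (not IP) so Kerberos is negotiated.
Invoke-Command -ComputerName app01.corp.example -Credential $cred -ScriptBlock { Get-ChildItem \\fs01\deploy }

# Revoke the grant when the job is over.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $null
```

The practical difference is visible in the code: with CredSSP the intermediary can authenticate as you to anything, whereas with RBKCD only fs01 accepts app01 acting on your behalf, and only because fs01's own object says so.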

Custom endpoints (session configurations)

One of Remoting's gems is the ability to register connection points with predefined capabilities and limits. First generate a file with New-PSSessionConfigurationFile (modules to import, visible functions, aliases, ExecutionPolicy, LanguageMode, and so on), then register it with Register-PSSessionConfiguration, where you can also set a RunAsCredential and the permissions (as SDDL, or through the GUI with -ShowSecurityDescriptorUI).

For safe delegation, expose only what is needed with -VisibleCmdlets/-VisibleFunctions and, where appropriate, disable free-form scripting with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone can use a script block to reach commands you did not expose, which, combined with RunAs, becomes a hole. Design these endpoints with a fine-tooth comb and document every one of them.
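A constrained endpoint built the way the two paragraphs above describe, as an added example that is not code from the original article. The endpoint name ServiceOps, the file path, the operator group's SID and the target host app01 are placeholders; the example assumes PowerShell 5.1 or later on the target, where New-PSSessionConfigurationFile supports -RunAsVirtualAccount and -TranscriptDirectory.

```powershell
# Added example, not from the original article. Run elevated on the target.
$path = 'C:\ProgramData\RemotingEndpoints\ServiceOps.pssc'
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null

# NoLanguage: callers may run the visible commands with literal arguments, but no
# expressions, variables, method calls or script blocks of their own.
# RestrictedRemoteServer adds only the proxies a remote session needs (Get-Command, Select-Object, ...).
New-PSSessionConfigurationFile -Path $path `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\RemotingEndpoints\Transcripts' `
    -VisibleCmdlets 'Get-Service',
                    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'W32Time', 'Spooler' } },
                    @{ Name = 'Get-WinEvent';    Parameters = @{ Name = 'LogName' }, @{ Name = 'MaxEvents' } } `
    -VisibleFunctions 'Get-ServiceHealth' `
    -FunctionDefinitions @{
        Name        = 'Get-ServiceHealth'
        # Fully qualified names: RestrictedRemoteServer installs a limited Select-Object proxy.
        ScriptBlock = {
            Get-Service |
                Microsoft.PowerShell.Core\Where-Object { $_.Status -ne 'Running' } |
                Microsoft.PowerShell.Utility\Select-Object Name, Status, StartType
        }
    }

# Fail fast on a malformed file before touching WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $path)) { throw "Invalid session configuration file: $path" }

# Register with an SDDL that grants only the operators group (placeholder SID) execute/read.
# Note: registration restarts the WinRM service, so existing sessions to this host drop.
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $path -Force `
    -SecurityDescriptorSddl 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GXGR;;;S-1-5-21-0000000000-0000000000-0000000000-1234)' | Out-Null

Get-PSSessionConfiguration -Name ServiceOps | Select-Object Name, Permission, RunAsVirtualAccount, LanguageMode

# --- From an operator's workstation ---
# Allowed: a visible cmdlet with a value inside the ValidateSet.
Invoke-Command -ComputerName app01 -ConfigurationName ServiceOps -ScriptBlock { Restart-Service -Name W32Time }
Invoke-Command -ComputerName app01 -ConfigurationName ServiceOps -ScriptBlock { Get-ServiceHealth }
# Rejected: value outside the ValidateSet.
Invoke-Command -ComputerName app01 -ConfigurationName ServiceOps -ScriptBlock { Restart-Service -Name wuauserv }
# Rejected: NoLanguage does not allow expressions or method calls, so this cannot be smuggled in.
Invoke-Command -ComputerName app01 -ConfigurationName ServiceOps -ScriptBlock { (Get-Service W32Time).Stop() }
```

Two things to check on every such endpoint: that Get-Command inside the session lists only what you meant to expose, and that the transcript directory is actually being written to, because RunAsVirtualAccount means the actions are no longer attributable through the usual user-identity logs.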

Domains, GPOs and workgroups

In AD you can roll out PowerShell Remoting at scale with GPO: allow automatic configuration of WinRM listeners, set the service startup to Automatic, and create the firewall exception. Remember that GPOs change settings but do not always start the service immediately; sometimes you need a restart or a forced gpupdate.


In workgroups (no domain), enable Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client @{TrustedHosts="host1,host2"}) and use local credentials. For HTTPS you can use self-signed certificates, although a trusted CA is recommended, and in any case verify that the name you will pass to -ComputerName matches the certificate (CN/SAN match).
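How to keep TrustedHosts narrow on a workgroup client, as an added example that is not code from the original article. host1/host2 and the account name are placeholders. The function is an added helper that flags the entries that undo server authentication the most; TrustedHosts is a client-side list of targets WinRM may authenticate to with NTLM/Basic without being able to verify who they are.

```powershell
# Added example, not from the original article. host1/host2 and the account are placeholders.

function Get-TrustedHostsRisk {
    # Reads the client's TrustedHosts and flags the risky patterns:
    #  '*'           trusts every target, i.e. server authentication is off everywhere
    #  '*.suffix'    trusts anything that answers to that name, including a spoofed host
    #  IP addresses  trust whoever currently holds the address
    $value   = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        Value            = $value
        TrustsEverything = $entries -contains '*'
        Wildcards        = @($entries | Where-Object { $_ -ne '*' -and $_.Contains('*') })
        IpEntries        = @($entries | Where-Object { $_ -as [ipaddress] })
    }
}

Get-TrustedHostsRisk

# Weak (do not do this): equivalent to switching server authentication off for every target.
#   Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# Narrow: exact names only, appended to whatever is already there.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'host1,host2' -Concatenate -Force

# Workgroup targets still need explicit local credentials; there is no Kerberos to fall back on.
Enter-PSSession -ComputerName host1 -Credential (Get-Credential 'host1\Administrator')

# Preferable: an HTTPS listener on host1 whose certificate CN/SAN equals 'host1' makes the
# TrustedHosts entry unnecessary, because the certificate authenticates the server instead.
# Import the issuing CA (or the self-signed certificate itself) into Cert:\LocalMachine\Root
# rather than connecting with -SkipCACheck/-SkipCNCheck, which would bring the spoofing risk back.
Enter-PSSession -ComputerName host1 -UseSSL -Credential (Get-Credential 'host1\Administrator')
```

Run Get-TrustedHostsRisk on jump hosts periodically; a '*' added during troubleshooting and never removed is one of the most common ways NTLM credentials end up offered to an attacker-controlled box.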

Essential cmdlets and syntax

A handful of commands cover 90% of day-to-day scenarios. Enable/disable:

Enable-PSRemoting    
Disable-PSRemoting

Interactive 1-to-1 session, then exit:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1-to-many, in parallel, with explicit credentials:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Persistent sessions and reuse:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

For testing, the WinRM tooling helps:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Practical notes on firewall, network and ports

Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target and on any firewall in between. On Windows clients, Enable-PSRemoting creates rules for the Domain and Private profiles; for the Public profile they are limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should weigh against your own risk).

If you use SOAR/SIEM integrations that run remote commands (for example from XSOAR), make sure the server has DNS resolution for the hosts, connectivity on 5985/5986, and credentials with sufficient local permissions. In some cases NTLM/Basic authentication needs adjusting (for example a local user with Basic over SSL).

Enable-PSRemoting parameters (practical summary)

-Confirm prompts before executing; -Force suppresses the prompts and makes the required changes; -SkipNetworkProfileCheck allows Remoting on clients whose network is on the Public profile (limited by default to the local subnet); -WhatIf shows what would happen without applying the changes. And, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, and so on).

Remember that Enable-PSRemoting does not create an HTTPS listener or certificates for you; if you want transport-level encryption from the first packet and certificate-based server verification, set up an HTTPS listener and make sure the certificate's CN/SAN matches the name you will use in -ComputerName.

WinRM and PowerShell Remoting commands

Some of the most useful ones for everyday work:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

When you manage Windows at scale, Remoting lets you move from "one computer at a time" to a scalable, secure approach. Combining persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints and clear audit trails gives you speed and control without giving up security or traceability. If you also standardise the rollout with GPO and know the special cases (TrustedHosts, the double hop, certificates), you end up with a solid remote platform for daily operations and incident response alike.
