How to control your PC from your phone using PowerShell Remoting

Last updated: 15/10/2025

  • Remoting uses WinRM/WS-Man (HTTP/HTTPS) and allows 1-to-1, 1-to-many, and persistent sessions, with security controls.
  • Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate and a CN/SAN match.
  • Results are returned deserialized; methods are invoked inside the remote script block, and custom endpoints are used for fine-grained delegation.

You may already automate many tasks with PowerShell locally, but where PowerShell Remoting really makes the difference is when you run commands on remote machines, whether a few or hundreds, interactively or in parallel. This technology, available since Windows PowerShell 2.0 and improved since 3.0, is based on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote management channel.

First, it is important to understand two key ideas: cmdlets with a -ComputerName parameter (for example, Get-Process or Get-Service) are not the long-term path recommended by Microsoft, and PowerShell Remoting does not work as a "hack." In fact, it enforces mutual authentication, is audited, and respects your usual permissions, without storing credentials or magically running anything with elevated privileges.

What is PowerShell Remoting and why use it?

With PowerShell Remoting you can run remotely almost any command that you could launch in a local session, from querying services to deploying configurations, and do so on hundreds of computers at once. Unlike the cmdlets that accept -ComputerName (many of which use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which is more firewall-friendly, allows parallelism, and offloads the work to the remote host, not the client.

This translates into three practical advantages: better performance in large-scale executions, less friction on networks with restrictive rules, and a security model consistent with Kerberos/HTTPS. In addition, because it does not depend on each cmdlet implementing its own remoting, Remoting works for any script or role available at the destination.

By default, recent Windows Servers come with Remoting enabled; on Windows 10/11 you enable it with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.

Note: Remoting is not synonymous with opening everything up. By default, only administrators can connect, and actions are executed under their identity. If you need fine-grained delegation, custom endpoints let you expose only the essential commands.


How it works inside: WinRM, WS-Man and ports

PowerShell Remoting works on a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (wsmprovhost.exe process), returning the serialized results to the client in XML via SOAP.

The first time you enable Remoting, the listeners are configured, the appropriate firewall exceptions are opened, and the session configurations are created. From PowerShell 6+, multiple editions coexist, and Enable-PSRemoting registers endpoints with names that reflect the version (for example, PowerShell.7 and PowerShell.7.x.y).


If you allow only HTTPS in your environment, you can create a secure listener with a certificate issued by a trusted CA (recommended). Alternatively, another option is to use TrustedHosts in a limited, risk-aware way, for workgroup scenarios or non-domain computers.

Note that PowerShell Remoting can coexist with cmdlets that take -ComputerName, but Microsoft is pushing WS-Man as the standard, future-proof path for remote administration.

Enabling PowerShell Remoting and useful parameters

On Windows, just open PowerShell as administrator and run Enable-PSRemoting. The system starts WinRM, configures autostart, creates the listener, and creates the appropriate firewall rules. On clients with a public network profile, you can deliberately allow this with -SkipNetworkProfileCheck (and then harden it with specific rules):

Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force

 

The syntax also accepts -Confirm and -WhatIf for change control. Remember: it is only available on Windows, and you must run an elevated console. The rules created differ between Server and Client editions, especially on public networks, where by default they are limited to the local subnet unless you widen the scope (for example, with Set-NetFirewallRule).

To list the session configurations already registered and confirm that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and Workflow endpoints appear, the Remoting framework is operational.


Usage modes: 1 to 1, 1 to many, and persistent sessions

When you need an interactive console on a single computer, turn to Enter-PSSession. The prompt will change, and everything you run will go to the remote host. You can reuse credentials with Get-Credential to avoid re-entering them:

$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession

If what you need is to send commands to several computers at once, the tool is Invoke-Command with a script block. By default, it launches up to 32 concurrent connections (adjustable with -ThrottleLimit). Results are returned as deserialized objects (without "live" methods):

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred

Need to call a method such as .Stop() or .Start()? Do it inside the script block, in the remote context, not on the local deserialized object, and that's it. If there is an equivalent cmdlet (Stop-Service/Start-Service), it is usually preferable to use it for clarity.

To avoid the cost of starting and ending a session on every call, create a persistent PSSession and reuse it across multiple invocations. Use New-PSSession to create the connection, and use Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you are done.

Serialization, limits, and good practices

An important detail: in transit, objects are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot use members that execute logic (such as .Kill()) on the local copy. The solution is clear: invoke those methods remotely, and if you only need certain fields, filter with Select-Object to send less data.
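The snapshot behaviour described above, as an added example that is not part of the original article. The host name web01 and the W32Time service are taken from the article's own samples and are only assumptions about your environment.

```powershell
# Assumptions: 'web01' has remoting enabled; W32Time is only a sample service.
$target  = 'web01'
$service = 'W32Time'

# 1) What comes back is a deserialized snapshot: data only.
$svc = Invoke-Command -ComputerName $target -ScriptBlock {
    Get-Service -Name $using:service      # $using: passes the local variable to the remote side
}
$svc.PSObject.TypeNames[0]                # the type name carries the "Deserialized." prefix
$svc | Get-Member -MemberType Method      # service-control methods such as Stop/Start are not listed

# 2) Call the methods where the live object exists: inside the remote script block.
Invoke-Command -ComputerName $target -ScriptBlock {
    $live = Get-Service -Name $using:service
    if ($live.Status -eq 'Running') {
        $live.Stop()
        $live.WaitForStatus('Stopped', [timespan]::FromSeconds(30))
    }
    $live.Start()
    $live.WaitForStatus('Running', [timespan]::FromSeconds(30))

    # 3) Return only the fields you need, so less data is serialized.
    $live | Select-Object -Property Name, DisplayName, Status
}
```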


In scripts, avoid Enter-PSSession (it is intended for interactive use) and use Invoke-Command with script blocks. If you expect multiple calls or need to preserve state (variables, imported modules), use persistent sessions and, where appropriate, disconnect/reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.

Authentication, HTTPS, and Off-Domain Scenarios

In a domain, native authentication is Kerberos, and everything flows. When the device cannot verify the server name, or you connect to an IP address or a CNAME alias, you need one of these two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) add the destination (name or IP) to TrustedHosts and use credentials. The second option disables mutual authentication for that host, so reduce the scope to the minimum necessary.

Setting up an HTTPS listener requires a certificate (ideally from your PKI or a public CA), installed in the machine store and bound to WinRM. Port 5986/TCP is opened on the firewall and, from the client, -UseSSL is used on the remoting cmdlets. For client certificate authentication, you can map a certificate to a local account and connect with -CertificateThumbprint (Enter-PSSession does not accept this directly; create the session first with New-PSSession.)

The second hop and credential delegation

The well-known "double hop" appears when, after connecting to a server, you need that server to access a third resource on your behalf (for example, an SMB share). There are two approaches to allow this: CredSSP and resource-based constrained Kerberos delegation.

With CredSSP, you enable the client and the intermediary to delegate credentials explicitly, and you set a policy (GPO) to allow delegation to specific computers. It is quick to configure, but less secure because credentials travel in clear text inside the encrypted tunnel. Always limit the sources and destinations.

The preferred alternative in a domain is constrained Kerberos delegation (resource-based constrained delegation) in modern AD. This lets the endpoint rely on receiving delegation from the middle point for specific services, avoiding exposing your identity on the initial connection. It requires recent domain controllers and an updated RSAT.
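Resource-based constrained delegation as described above, in an added example that is not from the original article. It assumes the ActiveDirectory module from RSAT and uses hypothetical computer names: ServerB is the middle hop you remote into, ServerC is the resource it must reach for you.

```powershell
# Assumptions: ActiveDirectory module (RSAT) is installed; ServerB and ServerC are hypothetical names.
Import-Module ActiveDirectory

$middle = Get-ADComputer -Identity 'ServerB'

# The setting lives on the RESOURCE: ServerC declares which principals may delegate to it.
Set-ADComputer -Identity 'ServerC' -PrincipalsAllowedToDelegateToAccount $middle

# Verify what was written.
Get-ADComputer -Identity 'ServerC' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -Property Name, PrincipalsAllowedToDelegateToAccount

# Audit: list every computer object that currently accepts resource-based delegation,
# so unexpected entries can be reviewed.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -Property Name, PrincipalsAllowedToDelegateToAccount

# Roll back when the delegation is no longer needed.
Set-ADComputer -Identity 'ServerC' -PrincipalsAllowedToDelegateToAccount $null
```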

Custom endpoints (Session Configurations)

One of the gems of Remoting is being able to register connection points with tailored capabilities and limits. First you generate a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, ExecutionPolicy, LanguageMode, etc.), and then you register it with Register-PSSessionConfiguration, where you can set RunAsCredential and permissions (SDDL or the GUI interface with -ShowSecurityDescriptorUI).

For secure delegation, expose only what is necessary with -VisibleCmdlets/-VisibleFunctions and, where appropriate, disable free scripting with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone could use a script block to invoke commands that were not exposed, which, combined with RunAs, would be a hole. Design these endpoints with a fine-tooth comb and document their scope.
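A restricted endpoint built the way the two paragraphs above describe, added as an example and not taken from the original article. It assumes Windows PowerShell 5.0 or later (for per-parameter restrictions in -VisibleCmdlets); the endpoint name ServiceOps, the file path, the host srv01 and the allowed service names are hypothetical.

```powershell
# Run elevated on the target. Endpoint name, path and service list are hypothetical.
$pssc = 'C:\ProgramData\Endpoints\ServiceOps.pssc'
New-Item -ItemType Directory -Path (Split-Path -Path $pssc) -Force | Out-Null

# NoLanguage + RestrictedRemoteServer: no free scripting, only the listed commands are visible.
# Restart-Service is further limited to two named services through ValidateSet.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'W32Time', 'Spooler' } }

# Validate the file before registering it.
Test-PSSessionConfigurationFile -Path $pssc -Verbose

# Register the endpoint; the dialog is where you grant Execute(Invoke) to the delegated group.
# Registration restarts WinRM, which drops existing remote sessions on this host.
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc -ShowSecurityDescriptorUI -Force

# --- From a client, as a member of the delegated group ---
# An exposed command runs:
Invoke-Command -ComputerName srv01 -ConfigurationName ServiceOps -ScriptBlock { Get-Service -Name W32Time }
# A command that was not exposed is rejected by the endpoint:
Invoke-Command -ComputerName srv01 -ConfigurationName ServiceOps -ScriptBlock { Get-Process }
```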

Domains, GPOs, and Workgroups

In AD you can deploy PowerShell Remoting at scale with GPO: allow automatic configuration of the WinRM listeners, set the service to Automatic, and create the firewall exception. Remember that GPOs change settings, but they do not always start the service immediately; sometimes you need to restart or force a gpupdate.


In workgroups (non-domain), configure Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client @{TrustedHosts="host1,host2"}) and use local credentials. For HTTPS, you can deploy self-signed certificates, although it is recommended that you use a trusted CA and verify that the name you will use in -ComputerName is in the certificate (CN/SAN match).

Key cmdlets and syntax

A handful of commands covers 90% of everyday scenarios. To enable/disable:

Enable-PSRemoting    
Disable-PSRemoting

Interactive 1-to-1 session and exit:

Enter-PSSession -ComputerName SEC504STUDENT 
Exit-PSSession

1 to many, in parallel and with credentials:

Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred

Persistent sessions and reuse:

$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s

Testing and useful WinRM commands:

Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https

Practical notes on firewall, network and ports

Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for the public profile, it is limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should assess based on your risk).

If you use SOAR/SIEM integrations that run remote commands (for example from XSOAR), make sure the server has DNS resolution for the hosts, connectivity to 5985/5986, and credentials with sufficient local permissions. In some cases, NTLM/Basic authentication may need adjustment (for example, using a local user with Basic over SSL).

Enable-PSRemoting Parameters (Operational Summary)

-Confirm asks for confirmation before executing; -Force ignores warnings and makes the necessary changes; -SkipNetworkProfileCheck enables Remoting on public client networks (limited by default to the local subnet); -WhatIf shows what would happen without applying the changes. In addition, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, etc.).

Remember that "Enable" does not create HTTPS listeners or certificates for you; if you need end-to-end encryption from the start and certificate-based authentication, configure an HTTPS listener and validate the CN/SAN against the name you will use in -ComputerName.

Useful WinRM and PowerShell Remoting Commands

Some go-to essentials for everyday work:

winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host 
Enter-PSSession -ComputerName host 
Enable-PSRemoting -SkipNetworkProfileCheck -Force

When you manage Windows at scale, Remoting lets you move from "computer by computer" to a declarative and secure approach. By combining persistent sessions, strong authentication (Kerberos/HTTPS), restricted endpoints, and clear diagnostic traces, you gain speed and control without sacrificing security or auditing. If you also standardize enablement through GPO and master the special cases (TrustedHosts, double hop, certificates), you will have a solid remote platform for daily operations and incident response.
