- Remoting uses WinRM/WS-Man (HTTP/HTTPS) and allows 1-to-1, 1-to-many, and persistent sessions with security controls.
- Enable-PSRemoting configures the service, the listeners, and the firewall; HTTPS requires a valid certificate and a CN/SAN match.
- Results are returned deserialized; methods are invoked inside the remote scriptblock, and custom endpoints are used for fine-grained delegation.
You may already automate many tasks with PowerShell locally, but where PowerShell Remoting really makes a difference is when you run commands on remote machines, whether a few or hundreds, interactively or in parallel. This technology, available since Windows PowerShell 2.0 and improved since 3.0, is based on WS-Management (WinRM) and turns PowerShell into a robust, scalable, and secure remote management channel.
First, it is important to understand two key ideas: cmdlets with the -ComputerName parameter (e.g., Get-Process or Get-Service) are not the long-term path Microsoft recommends, and PowerShell Remoting does not work "like a hack." In fact, it enforces mutual authentication, audits logs, and respects your usual permissions, without storing credentials or magically running anything with elevated privileges.
What is PowerShell Remoting and why use it?
With PowerShell Remoting you can run remotely almost any command that you could launch in a local session, from querying services to deploying configurations, and do so on hundreds of computers at once. Unlike cmdlets that accept -ComputerName (many use DCOM/RPC), Remoting travels over WS-Man (HTTP/HTTPS), which is more firewall-friendly, allows parallelism, and puts the workload on the remote host, not the client.
This translates into three practical advantages: better performance in mass execution, less friction on networks with restrictive rules, and a security model consistent with Kerberos/HTTPS. In addition, because it does not depend on each cmdlet implementing its own remoting, Remoting works for any script or role available on the destination.
By default, recent Windows Servers come with Remoting enabled; on Windows 10/11 you enable it with a single cmdlet. And yes, you can use alternate credentials, persistent sessions, custom endpoints, and more.
Note: Remoting is not synonymous with opening everything up. By default, only administrators can connect, and actions run under their identity. If you need fine-grained delegation, custom endpoints let you expose only the essential commands.

How it works inside: WinRM, WS-Man and ports
PowerShell Remoting works on a client-server model. The client sends WS-Management requests over HTTP (5985/TCP) or HTTPS (5986/TCP). On the target, the Windows Remote Management (WinRM) service listens, resolves the endpoint (session configuration), and hosts the PowerShell session in the background (the wsmprovhost.exe process), returning serialized results to the client in XML via SOAP.
The first time you enable Remoting, the listeners are configured, the appropriate firewall exception is opened, and the session configurations are created. From PowerShell 6+, multiple editions coexist, and Enable-PSRemoting registers endpoints with names that reflect the version (for example, PowerShell.7 and PowerShell.7.xy).
If you only allow HTTPS in your environment, you can create a secure listener with a certificate issued by a trusted CA (recommended). Otherwise, the alternative is to use TrustedHosts in a limited, risk-aware way, for workgroup scenarios or non-domain computers.
Note that PowerShell Remoting can coexist with cmdlets that take -ComputerName, but Microsoft is pushing WS-Man as the standard, future-proof way to manage remotely.
Enabling PowerShell Remoting and Useful Parameters
On Windows, simply open PowerShell as administrator and run Enable-PSRemoting. The system starts WinRM, configures autostart, enables the listener, and creates the appropriate firewall rules. On clients with a public network profile, you can deliberately allow this with -SkipNetworkProfileCheck (and then tighten it with specific rules):
Enable-PSRemoting
Enable-PSRemoting -Force
Enable-PSRemoting -SkipNetworkProfileCheck -Force
The syntax also allows -Confirm and -WhatIf for change control. Remember: it is only available on Windows, and you must run it from an elevated console. The rules created differ between Server and Client editions, especially on public networks, where by default they are limited to the local subnet unless you widen the scope (for example, with Set-NetFirewallRule).
To list the session configurations already registered and confirm that everything is ready, use Get-PSSessionConfiguration. If the PowerShell.x and workflow endpoints appear, the Remoting framework is working.

Usage modes: 1-to-1, 1-to-many, and persistent sessions
When you need an interactive console on a single computer, turn to Enter-PSSession. The prompt will appear, and everything you run will go to the remote host. You can reuse credentials with Get-Credential to avoid re-entering them:
$cred = Get-Credential
Enter-PSSession -ComputerName dc01 -Credential $cred
Exit-PSSession
If what you want is to send commands to several computers at once, the tool is Invoke-Command with a scriptblock. By default, it launches up to 32 concurrent connections (adjustable with -ThrottleLimit). Results are returned as deserialized objects (without "live" methods):
Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service -Name W32Time } -Credential $cred
Need to invoke a method such as .Stop() or .Start()? Do it inside the scriptblock in the remote context, not on the local deserialized object, and that's it. If an equivalent cmdlet exists (Stop-Service/Start-Service), it is usually better to use it for clarity.
To avoid the cost of starting and tearing down sessions on every call, create a persistent PSSession and reuse it across multiple invocations. Use New-PSSession to create the connection, and use Invoke-Command -Session to reuse the tunnel. Don't forget to close it with Remove-PSSession when you are done.
Serialization, limits, and good practices
An important detail: when they travel, objects are "flattened" and arrive as deserialized snapshots, with properties but no methods. This is deliberate and saves bandwidth, but it means you cannot use members that execute logic (like .Kill()) on the local copy. The solution is obvious: invoke those methods remotely, and if you only need certain fields, filter with Select-Object to send less data.
In scripts, avoid Enter-PSSession (intended for interactive use) and use Invoke-Command with script blocks. If you expect multiple calls or need to preserve state (variables, imported modules), use persistent sessions and, where applicable, disconnect/reconnect them with Disconnect-PSSession/Connect-PSSession in PowerShell 3.0+.
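The persistent-session and serialization behaviour described above, put together as an added example (not code from the original article). The host names are the ones used on this page; the Spooler service and the 30-second timeout are assumptions.

```powershell
# Added example. dc01, sql02 and web01 are the host names used on this page;
# the Spooler service and the 30-second timeout are assumptions.
$cred     = Get-Credential
$sessions = New-PSSession -ComputerName dc01, sql02, web01 -Credential $cred

try {
    # Fan out over the open sessions. Select-Object runs remotely, so only
    # three properties per service are serialized back to the client.
    $svc = Invoke-Command -Session $sessions -ThrottleLimit 16 -ScriptBlock {
        Get-Service -Name Spooler | Select-Object Name, Status, StartType
    }

    # Returned objects are snapshots: their type names carry a "Deserialized."
    # prefix and PSComputerName records which host produced each one.
    $svc | Select-Object PSComputerName, Name, Status
    $svc | ForEach-Object { $_.PSObject.TypeNames[0] } | Sort-Object -Unique
    $svc | Get-Member -MemberType Method   # only generic object methods remain

    # A snapshot has no Stop() method, so work on the live object remotely.
    Invoke-Command -Session $sessions -ScriptBlock {
        $live = Get-Service -Name Spooler
        if ($live.Status -eq 'Running') {
            $live.Stop()
            $live.WaitForStatus('Stopped', [timespan]::FromSeconds(30))
        }
        $checkedAt = Get-Date              # state kept inside this session
    }

    # Same sessions, second call: the variable set above is still there.
    Invoke-Command -Session $sessions -ScriptBlock {
        [pscustomobject]@{
            Status    = (Get-Service -Name Spooler).Status.ToString()
            CheckedAt = $checkedAt
        }
    }
}
finally {
    # Close every session even if a step above failed.
    $sessions | Remove-PSSession
}
```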
Authentication, HTTPS, and Out-of-Domain Scenarios
In a domain, native authentication is Kerberos, and everything flows. When the device cannot verify the server name, or you connect to an IP address or a CNAME alias, you need one of these two options: 1) an HTTPS listener with a certificate issued by a CA you trust, or 2) add the destination (name or IP) to TrustedHosts and use credentials. The second option disables mutual authentication for that host, so reduce the scope to the minimum necessary.
Setting up an HTTPS listener requires a certificate (ideally from your PKI or a public CA), installed in the computer store and bound to WinRM. Port 5986/TCP is then opened in the firewall and, from the client, -UseSSL is used on the remote cmdlets. For client certificate authentication, you can map a certificate to a local account and connect with -CertificateThumbprint (Enter-PSSession does not accept this directly; create the session first with New-PSSession).
The second hop and credential delegation
The famous "double hop" appears when, after connecting to a server, you need that server to access a third resource on your behalf (e.g., an SMB share). There are two approaches to allow this: CredSSP and resource-based constrained Kerberos delegation.
With CredSSP you enable the client and the intermediary to delegate credentials explicitly, and you set a policy (GPO) to allow delegation to specific computers. It is quick to configure, but less secure because the credentials travel in clear text inside the encrypted tunnel. Always restrict the sources and destinations.
The preferred alternative in a domain is constrained Kerberos delegation (resource-based constrained delegation) in modern AD. This lets the endpoint rely on accepting delegation from the intermediate point for specific services, avoiding exposure of your identity on the initial connection. It requires recent domain controllers and an up-to-date RSAT.
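A sketch of configuring and auditing resource-based constrained delegation with the ActiveDirectory module from RSAT, as an added example that is not part of the original article. ServerB (the server you remote into), ServerC (the server holding the resource) and the share path are hypothetical names.

```powershell
# Added example. Run from an admin workstation with RSAT installed.
Import-Module ActiveDirectory

$middle   = Get-ADComputer -Identity 'ServerB'   # hypothetical: first hop
$resource = 'ServerC'                            # hypothetical: holds the SMB share

# The resource decides who may delegate to it: allow only the middle server.
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $middle

# Verify the setting on the resource.
Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# The middle server may still hold cached Kerberos results from before the
# change; purge the computer account's tickets so the test reflects it.
Invoke-Command -ComputerName $middle.Name -ScriptBlock { klist purge -li 0x3e7 }

# Second-hop test: the middle server reaches the share on your behalf.
Invoke-Command -ComputerName $middle.Name -ScriptBlock {
    Test-Path -Path '\\ServerC\share'            # hypothetical share
}

# Audit: list every computer that accepts delegation and from whom, so
# unexpected entries can be reviewed.
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
    Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# To remove the delegation again:
# Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $null
```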
Custom Endpoints (Session Configurations)
One of the gems of Remoting is being able to register connection points with tailored capabilities and limits. First you generate a file with New-PSSessionConfigurationFile (modules to preload, visible functions, aliases, ExecutionPolicy, LanguageMode, etc.), and then you register it with Register-PSSessionConfiguration, where you can set RunAsCredential and permissions (SDDL or the GUI interface with -ShowSecurityDescriptorUI).
For secure delegation, expose only what is necessary with -VisibleCmdlets/-VisibleFunctions and disable free scripting where appropriate with LanguageMode RestrictedLanguage or NoLanguage. If you leave FullLanguage, someone could use a script block to invoke commands that were not exposed, which, combined with RunAs, would be a hole. Design these endpoints with a fine-tooth comb and document their scope.
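A constrained endpoint built the way the two paragraphs above describe, as an added example that is not part of the original article. The endpoint name ServiceOps, the file path and the two service names are hypothetical.

```powershell
# Added example. Run elevated on the server that will host the endpoint.
$pssc = Join-Path $env:ProgramData 'ServiceOps.pssc'   # hypothetical path

$config = @{
    Path           = $pssc
    SessionType    = 'RestrictedRemoteServer'   # start from a near-empty session
    LanguageMode   = 'NoLanguage'               # no free scripting in the session
    VisibleCmdlets = @(
        'Get-Service'
        # Restart-Service is exposed, but only -Name and only for two services.
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
}
New-PSSessionConfigurationFile @config

# Fail early on a malformed file instead of registering a broken endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# -ShowSecurityDescriptorUI opens the permission dialog: grant access to the
# operator group only. Add -RunAsCredential only when the exposed cmdlets
# need rights the callers lack.
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $pssc `
    -ShowSecurityDescriptorUI -Force

# Review what was registered and who may connect.
Get-PSSessionConfiguration -Name 'ServiceOps' | Select-Object Name, Permission

# Connect to the constrained endpoint and list what a caller can actually run.
Invoke-Command -ComputerName localhost -ConfigurationName 'ServiceOps' `
    -ScriptBlock { Get-Command }

# To retire the endpoint:
# Unregister-PSSessionConfiguration -Name 'ServiceOps' -Force
```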
Domains, GPOs, and Workgroups
In AD you can deploy PowerShell Remoting at scale with GPO: allow automatic configuration of the WinRM listeners, set the service to Automatic, and create the firewall exception. Remember that GPOs change settings, but they do not always start the service immediately; sometimes you need to restart or force a gpupdate.
In workgroups (non-domain), configure Remoting with Enable-PSRemoting, set TrustedHosts on the client (winrm set winrm/config/client @{TrustedHosts="host1,host2"}) and use local credentials. For HTTPS, you can install self-signed certificates, although using a trusted CA is recommended, and verify that the name you will use in -ComputerName appears in the certificate (CN/SAN match).
Key cmdlets and syntax
A handful of commands cover 90% of everyday scenarios. To enable/disable:
Enable-PSRemoting
Disable-PSRemoting
Interactive 1-to-1 session and exit:
Enter-PSSession -ComputerName SEC504STUDENT
Exit-PSSession
1-to-many, in parallel and with credentials:
Invoke-Command -ComputerName dc01,sql02,web01 -ScriptBlock { Get-Service W32Time } -Credential $cred
Persistent sessions and reuse:
$s = New-PSSession -ComputerName localhost -ConfigurationName PowerShell.7
Invoke-Command -Session $s -ScriptBlock { $PSVersionTable }
Remove-PSSession $s
WinRM testing and utilities:
Test-WSMan -ComputerName host
winrm get winrm/config
winrm enumerate winrm/config/listener
winrm quickconfig -transport:https
Practical notes on firewalls, network, and ports
Open 5985/TCP for HTTP and 5986/TCP for HTTPS on the target computer and on any intermediate firewall. On Windows clients, Enable-PSRemoting creates rules for the domain and private profiles; for public profiles, it is limited to the local subnet unless you change the scope with Set-NetFirewallRule -RemoteAddress Any (a value you should evaluate based on your risk).
If you use SOAR/SIEM integrations that run remote commands (e.g. from XSOAR), make sure the server has DNS resolution for the hosts, connectivity to 5985/5986, and credentials with sufficient local permissions. In some cases, NTLM/Basic authentication may need adjustment (e.g., using a local user with Basic over SSL).
Enable-PSRemoting Parameters (Operational Summary)
- -Confirm asks for confirmation before executing.
- -Force ignores warnings and makes the necessary changes.
- -SkipNetworkProfileCheck enables Remoting on public client networks (limited by default to the local subnet).
- -WhatIf shows what would happen without applying the changes.
In addition, like any standard cmdlet, it supports the common parameters (-Verbose, -ErrorAction, etc.).
Remember that "Enable" does not create HTTPS listeners or certificates for you; if you need end-to-end encryption from the start and certificate-based authentication, configure an HTTPS listener and validate the CN/SAN against the name you will use in -ComputerName.
Useful WinRM and PowerShell Remoting Commands
Some essentials to keep close at hand day to day:
winrm get winrm/config
winrm enumerate winrm/config/listener
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
Test-WSMan -ComputerName host -Authentication Default -Credential (Get-Credential)
New-PSSession -ComputerName host
Enter-PSSession -ComputerName host
Enable-PSRemoting -SkipNetworkProfileCheck -Force
When you manage Windows at scale, Remoting lets you move from "computer to computer" to a declarative and secure approach. By combining persistent sessions, strong authentication (Kerberos/HTTPS), constrained endpoints, and clear traces for diagnostics, you gain speed and control without sacrificing security or auditing. If you also standardize GPO activation and handle the special cases well (TrustedHosts, double hop, certificates), you will have a solid remote platform for daily operations and incident response.
An editor specializing in technology and internet topics with more than ten years of experience in different digital media. I have worked as an editor and content creator for e-commerce, communications, online marketing, and advertising companies. I have also written for websites on economics, finance, and other sectors. My work is also my passion. Now, through my articles on Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.