Manage PSSessionConfigurations

This topic contains 5 replies, has 3 voices, and was last updated by Profile photo of Boe Prox Boe Prox 3 years, 1 month ago.

  • Author
    Posts
  • #13495
    Profile photo of B D
    B D
    Participant

    Dear Powershell community,

    I'm planning to use a set of powershell endpoints (helpdesk, development, admins, audit,...) to manage a bunch of highly secure workstations. With the New-PSSessionConfigurationFile command I created the endpoints which are restricted to use only specific modules (ModulesToImport) and it's functions within. This all is working well so far.
    However I do not see any way how I can get a list of which modules (and cmdlets, functions, providers,...) are allowed on a specific endpoint after the setup. The Get-PSSessionConfiguration does not show this information. For me it is important that I can run a command regularly which evaluates the allowed modules on the endpoints.
    On a broader perspective I would like to now if there is any tool which can manage these endpoints. I can imagine that in a big environment, where one would want to use endpoints as role based access, this should be manageable.

    Best regards,

    B.

  • #13514
    Profile photo of Richard Siddaway
    Richard Siddaway
    Moderator

    I'm not aware of any tool for managing endpoints – its still a manual proposition. Though in theory you might be able to get DSC to do some of the work for you.

    The only way I can think of to get the list of modules etc through the endpoint is to connect to the endpoint and run get-command. You could put the results into a file and then use compare-object to test current list of commands vs those in the file

  • #13515
    Profile photo of B D
    B D
    Participant

    Ok thanks for the answer.

    Am I missing something with the design idea of using different powershell endpoints (helpdesk, development, admins, audit,…) which are restricted by module(s) they can use?

    Anyone has an idea of tools that are coming to manage these different endpoints in large environments?

  • #13541
    Profile photo of Boe Prox
    Boe Prox
    Participant

    In order to see what modules have been allowed to exist on a remote constrained endpoint is to look at the configuration file. You can do something like this to bring it up in the ISE for review:

    ise (Get-PSSessionConfiguration -Name 'NameOfSession').Configfilepath

    From there, you can review each configuration setting (note that some which are not in use will be commented out) and see any what all has been set.

    Depending on how restricted your endpoint is, you may or may not be able to dig around much if you actually connect to the endpoint. For instance if using NoLanguage then you have no access to the PowerShell language which includes variables, type accelerators, etc...

    As far as a tool to manage these, I have not heard of any tool either that is out or currently being built. As Richard said, this is a manual process currently to build out constrained endpoints.

    Hope this helps...

  • #13549
    Profile photo of B D
    B D
    Participant

    So it seems that non-default sessions are saves in the path "C:\Windows\System32\WindowsPowerShell\v1.0\SessionConfig" with _.pssc.
    I can alter the .pssc files there and this gives direct result when i reconnect the session.

    Is it possible in some way to sing these .pssc files to be sure the specific endpoints can be changed easily?

  • #13597
    Profile photo of Boe Prox
    Boe Prox
    Participant

    Just for clarification, are talking about signing a .pssc file? As far as I know, that cannot be done. This is not really a script but a configuration file that uses a hash table to specify the level of constraint for your remote endpoint.

You must be logged in to reply to this topic.