PowerShell Remoting - Restricting to one server/IP address

This topic contains 8 replies, has 3 voices, and was last updated by  Don Jones 4 months, 2 weeks ago.

  • Author
    Posts
  • #90802

    Jeff
    Participant

    I am trying to enable PowerShell remoting on all domain devices and then restricting them to only listen for one "script server" (with the potential to add more hosts later). When I run the command below, I am able to run a remote command successfully on the remote machine via my script server:

    enable-psremoting -confirm:$false

    However, when I try to restrict the client to listen to the server I'm running the commands from, I receive an error. Here is the command I'm running to restrict the listening to the server:

    Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
    New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.62.23.3";Transport="http"}
    Restart-Service winrm -Force

    After running same remote command:

    Error:
    [COMPUTERNAME] Connecting to remote server COMPUTERNAME failed with the following error message : The WinRM client sent a request to an HTTP server and got a response
    saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the
    about_Remote_Troubleshooting Help topic.

    I'm basically trying to keep the environment as locked down as possible and only allow remoting from one server, without passing credentials (only using kerberos). Any ideas?

  • #90880

    Don Jones
    Keymaster

    Sssssooooo.... a listener is something you set up on a machine to tell it which local IP addresses to listen on – not which IP addresses they should expect communications to come from. So if you set up a listener "on" 192.168.11.4, and the machine doesn't actually have that IP address bound to a NIC, then it won't work.

    I'm not entirely following your client/server layout – it might make sense to refer to them as ComputerA and ComputerB, or something, so I'm more clear on who is trying to talk to whom.

  • #90895

    Jon
    Participant

    Wouldn't it be easier to tell the firewall to only accept connections on the port to that IP address?

    • #90896

      Jeff
      Participant

      I'm not sure what would be easier at this point – Trying to figure out the best way to accomplish this. I want to enable remoting from:
      ComputerA to ComputerB
      ComputerA to ComputerC
      ComputerA to ComputerD
      etc.

      I don't want Computer B, C, D to be able to remote anywhere.

      However, I believe I have found a way to use certificates to enforce SSL on port 5986. However, with the ability to use "SkipCACheck" and "SKipCNCheck" switches with New-PSSessionOption, I don't see a way to enforce authentication with certificate/CA. If I'm unable to find a way to force certificate authentication, I will have to enable remoting only FROM ComputerA to any device. Any thoughts/suggestions on either approach?

    • #90899

      Jon
      Participant

      I'd change the firewall on computer A to allow outgoing PS remoting and the firewall on the others to allow only incoming PS remoting from computer A and block outbound. You could do this through group policy or get your network guys to write an rule in the firewalls to do the same. I tend to prefer rules on the network side (or both!) to prevent stolen windows creds from changing the windows firewall.

    • #90901

      Jeff
      Participant

      Based on your response, I have another question. I have been doing some testing and currently able to remote from ComputerA to ComputerB. However, when I check the firewall rules on ComputerA, I don't see any outgoing rule for Windows Remote Management (only inbound). Are you just saying I would leave ComputerA as is, allow inbound traffic on ALL hosts, but create a new rule to disable all outbound traffic on those hosts (except for ComputerB?

      Do you know of a way to enforce the use of certificates or can "SkipCACheck" and "SKipCNCheck" always be used? If I can enforce the use of certificates and only allow an HTTPS listener, I think that would be the most secure method.

    • #90902

      Jon
      Participant

      Computer A would have a firewall rule that allows outgoing

      Computers, B – X would have a rule that allows incoming, blocks outgoing.

      I cannot answer the questions about "SkipCACheck" and "SKipCNCheck", I bet Don will be able to though. But remember, if you leave the non secure ports open, people will always be able to get to it on those ports! You could always close off the non secure ports, and only have the SSL port, which is all firewall rules as well. Whether it be windows or network firewall.

  • #90898

    Don Jones
    Keymaster

    "I don't want Computer B, C, D to be able to remote anywhere."

    That's not a feature Remoting supports. Outbound traffic isn't controlled at the WS-MAN level. You'd need to enforce this with firewall policy.

  • #90905

    Don Jones
    Keymaster

    SSL has two purposes: Authenticating the server that you're connecting to, and encrypting the transmission.

    -SkipCACheck and -SkipCNCheck basically let you skip the authentication. The originating machine will accept any certificate if you specify those. So you still get encryption – but you don't really know who you're talking to. I should point out that if you have people likely to use these internally, then that's an HR problem. There's no technical way to prevent someone from using them, but if you have people dumb enough to do so, fire those people rather than entrusting them with these abilities.

    You SHOULD only use HTTPS listeners. If you do so, then you're enforcing encryption no matter what gets specified on the parameters.

You must be logged in to reply to this topic.