PowerShell Remoting Security - Second Hop without CredSSP

This topic contains 6 replies, has 5 voices, and was last updated by Profile photo of Josh Wright Josh Wright 1 week, 6 days ago.

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #48351
    Profile photo of Josh Wright
    Josh Wright
    Participant

    Hi All,

    I am looking to enable PowerShell Remoting in my new company and have always previously just enabled CredSSP to resolve the Second Hop issue.
    However, on this occasion, I have had to investigate further and came across some interesting information regarding the security concerns with CredSSP, especially when using it to connect to Workstations, which as domain joined but are not always as trusted as servers.

    I then came across a Presentation from Lee Holmes where he addresses this with the two potential options:

    –Update the permissions on the remote resource (i.e.: file server) to grant access to the machine account of the remoting host rather than the users.

    OR

    –Provide explicit credentials to remote resources. For example, New-PSDrive \\FileServer\Share –Credential (…), or net use \\FileServer\Share

    I thought that this was an interesting solution and would be a quick fix.
    I was expecting to create a DFS Share and add permissions for domain computers to have access to it.
    Then host scripts, logs and software on this share to allow access to PS Remoting sessions.

    This does not seem to work, even when adding the ANONYMOUS USER to the permissions.

    I then came across a method that creates a Custom PSSessionConfiguration and sets a RunAsUser and stores the password.
    This can then be using when initiating the PS Remoting session and does seem to eliminate the Second Hop issue.

    Does anyone have any suggestions to this topic as the CredSSP appears to create a significant security vulnerability.
    I understand that I can add security to only allow delegation by computers that are *.domain.local etc. But I still see this being an issue when accessing work stations.

    I have scoured Google, but am flooded with the basics.

    Would love to hear some creative ideas!

    Josh

    #48356
    Profile photo of Don Jones
    Don Jones
    Keymaster

    When you're crossing domain boundaries, there aren't any great options – custom PSSessionConfigurations probably being the best of the lot. You can also look into configuring Kerberos delegation in AD – but obviously, only within a domain, and it's a domain-wide thing, so it's not super-granular.

    #48408
    Profile photo of Mark Prior
    Mark Prior
    Participant

    i struggled with this for a long time a couple of years ago also, and as you say most of what is around is basics & points you back in the direction. So far i have just continued to use CredSSP, can you post a link to the custom PSSession stuf you found, would mind a read

    thanks

    #48412
    Profile photo of Josh Wright
    Josh Wright
    Participant

    Hi Don,

    Appreciate your input on this!

    We are not actually crossing domain boundaries – this is purely PS remoting to domain joined PCs and Servers all in one domain.

    Regarding the Kerberos Delegation, am I correct in thinking that this would have to be done domain wide to allow all PCs and Servers to delegate my credentials?

    @Mark, see below for the link to the article I used.
    To summarize, I ran the following:

    Register-PSSessionConfiguration -Name Remoting -RunAsCredential domain\remotinguser

    This then prompts for a password, which is then stored as a secure string.
    I was also not entirely sure if this was safe/secure...

    I just feel like this might be better than passing the Hash of my own account that has local admin permissions to servers and workstation, plus other permissions.

    Then to use it, run the following:

    Enter-PSSession -ComputerName DC -ConfigurationName Remoting

    https://blogs.msdn.microsoft.com/sergey_babkins_blog/2015/03/18/another-solution-to-multi-hop-powershell-remoting/

    Or am I just over complicating this and should trust CredSSP with the Trusted hosts setting of *.domain.local ?

    Thanks

    Josh

    #48418
    Profile photo of Edmond Yee
    Edmond Yee
    Participant

    Josh,

    I also ran into the double hop problem when setting up PowerShell Web Access. I ended up using the same solution as you did, with making a separate config for our admins to use RunAsCredential with. The only annoying thing with this is that they need to update the PSSessionConfiguration every time they change their password.

    Do you have the Windows Remote Management Framework on your servers? I am able to do an enter-pssession to other servers without entering a config name or credential while logged in with domain account. You may just need to setup your main admin server as a TrustedHost

    #52878
    Profile photo of Ashley McGlone
    Ashley McGlone
    Participant

    Try this for solving the double hop issue securely:

    Ashley McGlone
    GoateePFE

    #54082
    Profile photo of Josh Wright
    Josh Wright
    Participant

    Thank you very much for the notice Ashley!
    I don't think we are quite ready with the 2012 domain controllers, but nice to know there are some good workarounds out there! 🙂

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.