May 25, 2015 at 5:39 pm #25618
I'm looking for a secure way to remotely execute commands and scripts. I've been testing the Windows Update PowerShell Module from (url)https://gallery.technet.microsoft.com/scriptcenter/2d191bcd-3308-4edd-9de2-88dff796b0bc/view/Discussions#content(/url). When I remotely run many of the commandlets from this module, I get an Access Denied error. From what I've read, this is because even though the user I'm using to remote into the computer with has administrative privileges, certain things like downloading things from the internet or running executables are not allowed for security reasons. I'm looking for a secure way to get around this. I'm reluctant to hack around in the registry to accomplish this goal. Our ultimate goal is to find a management solution to replace our existing one, and this small test is a part of that end-goal.
Thanks in advance!
May 25, 2015 at 5:44 pm #25619
I haven't used this module, but you may be running into the "second hop" remoting problem here. You can try enabling CredSSP, as a test, and see if that gets things working. If so, that'll confirm that this is the problem.
A better solution would probably be for the author of this module to include a -ComputerName and -Credential parameter directly in the module's functions. Since it appears to be based on WMI anyway, the underlying commands all support those parameters, and then you wouldn't have to worry about enabling CredSSP (which can be a bit of a security risk.)
May 25, 2015 at 6:00 pm #25620
Take a look at "Secrets of PowerShell Remoting" (free ebook); as Dave surmises, you're likely running into the fact that your delegated credential can't, by default, be used to access non-local resource on the machine you're remoting into. This can be securely extended; it simply isn't done so by default. It has nothing to do with running executables or downloading per se.
Another problem – one that often arises with older COM-based APIs, even when they're "wrapped" by a .NET API or a PowerShell module – can be that when you remote into a computer, you don't get a full user profile. Components that expect one will often fail. That's poor component design, not a security problem, and isn't usually easy to address.
You must be logged in to reply to this topic.