Secure Solutions for PowerShell Remote Script Execution

This topic contains 2 replies, has 3 voices, and was last updated by Don Jones 1 year, 5 months ago.

  • Author
  • #25618
    Joseph Odell

    I'm looking for a secure way to remotely execute commands and scripts. I've been testing the Windows Update PowerShell Module from (url). When I remotely run many of the commandlets from this module, I get an Access Denied error. From what I've read, this is because even though the user I'm using to remote into the computer with has administrative privileges, certain things like downloading things from the internet or running executables are not allowed for security reasons. I'm looking for a secure way to get around this. I'm reluctant to hack around in the registry to accomplish this goal. Our ultimate goal is to find a management solution to replace our existing one, and this small test is a part of that end-goal.

    Thanks in advance!

  • #25619
    Dave Wyatt

    I haven't used this module, but you may be running into the "second hop" remoting problem here. You can try enabling CredSSP, as a test, and see if that gets things working. If so, that'll confirm that this is the problem.

    A better solution would probably be for the author of this module to include a -ComputerName and -Credential parameter directly in the module's functions. Since it appears to be based on WMI anyway, the underlying commands all support those parameters, and then you wouldn't have to worry about enabling CredSSP (which can be a bit of a security risk.)

  • #25620
    Don Jones

    Take a look at "Secrets of PowerShell Remoting" (free ebook); as Dave surmises, you're likely running into the fact that your delegated credential can't, by default, be used to access non-local resources on the machine you're remoting into. This can be securely extended; it simply isn't done so by default. It has nothing to do with running executables or downloading per se.

    Another problem – one that often arises with older COM-based APIs, even when they're "wrapped" by a .NET API or a PowerShell module – can be that when you remote into a computer, you don't get a full user profile. Components that expect one will often fail. That's poor component design, not a security problem, and isn't usually easy to address.
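
The CredSSP test Dave suggests, checked against the non-local-resource behaviour Don describes, as an added example that is not part of the original thread. The host name, the UNC path and the `$probe` script block are constructed placeholders, and a domain environment with WinRM already enabled is assumed.

```powershell
# Added example. All names below are constructed placeholders.
$target   = 'SERVER01.example.test'          # machine you remote into (first hop)
$resource = '\\FILESRV.example.test\share'   # non-local resource reached from it (second hop)
$cred     = Get-Credential

# Runs on the target and reports whether it can reach the non-local resource.
$probe = {
    param($path)
    try {
        Get-ChildItem -Path $path -ErrorAction Stop | Out-Null
        "second hop OK as $(whoami)"
    } catch {
        "second hop FAILED as $(whoami): $($_.Exception.Message)"
    }
}

# 1. Baseline with default authentication. If the second hop is the problem,
#    the probe reports an access-denied failure here.
Invoke-Command -ComputerName $target -Credential $cred `
    -ScriptBlock $probe -ArgumentList $resource

# 2. Enable CredSSP for the test only, from an elevated session. Delegate to
#    this single target rather than a wildcard such as *.example.test.
Enable-WSManCredSSP -Role Client -DelegateComputer $target -Force | Out-Null
Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
} | Out-Null

try {
    # 3. Same probe with the credential delegated to the target. Success here
    #    after a failure in step 1 confirms the second-hop diagnosis.
    Invoke-Command -ComputerName $target -Credential $cred -Authentication Credssp `
        -ScriptBlock $probe -ArgumentList $resource
}
finally {
    # 4. Revert both sides so the test leaves no standing delegation behind.
    Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
        Disable-WSManCredSSP -Role Server
    }
    Disable-WSManCredSSP -Role Client
    Get-WSManCredSSP   # shows the current client and server CredSSP state
}
```

If both probes fail the same way, the cause lies elsewhere, for instance the missing user profile described in the last reply.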
