Why is RSAT/PSRemoting better than RDP?


This topic contains 4 replies, has 4 voices, and was last updated by  Del 4 months, 1 week ago.

  • #68622

    Del
    Participant

    I am having a meeting next week with our security group.
    I asked them to create a GPO to enable PowerShell remoting on our AD computers.

    All of our computers are Windows 7 and above. Thank god we don't have XP.

    GPO Creation
    1. Create your GPO, Name "PSR"
    2. Edit the policy.

    Enabling WinRM
    1. Browse to Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
    2. Depending on the operating system:
    Server 2008 R2 and later: Open the Allow Remote Server management through WinRM policy setting.
    Server 2008 and earlier: Open the Allow automatic configuration of listeners policy setting.
    3. Set the Policy to Enabled.
    4. Set the IPv4 and IPv6 filters to * unless they need something specific there.

    Setting the Firewall Rules
    1. Browse to Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
    2. Open the Windows Firewall: Define inbound port exceptions policy setting.
    3. Set it to Enabled if it isn't already.
    4. Click the Show… button and add the port exception. We're going to be opening TCP port 5985, so the exception string will look something like this:
    5. 5985:TCP:*:enabled:WSMan

    But they want to know: why not use only RDP?

    I'd really appreciate it if someone can direct me to, or attach a link on, why PSRemoting and using RSAT is better than RDP.
    I need a technical/security article.

    Thanks Guys

  • #68625

    John Bruett
    Participant

    Here's a start.

    https://devopscollective.gitbooks.io/secrets-of-powershell-remoting/content/manuscript/powershell-remoting-and-security.html

    Directly from the same group that brings you this website, more or less.

    Good luck with that discussion, you're doing the right thing.

  • #68656

    Dan Potter
    Participant

    Sounds like a job I'd leave immediately :) The answer is because this is how we manage servers now.

  • #68706

    Zuldan
    Participant

    @Del, we actually use PSRemoting to increase security. When an administrator RDPs into a server, you have very limited options in terms of knowing exactly what they are doing (every mouse click) unless you have a screen recorder on everyone's computer. When you have an administrator log into a server via PowerShell, EVERY single action they perform can be recorded/logged.

    See https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

    You should include the GPO items described in the blog above in your GPO request and target the request as "to increase security" rather than making managing servers easier. As you know, security people only care about security.

    Some things to note: the GPO items in the blog are only available in the Windows 10 ADMX files, which you can install on Windows 2008 R2 DCs. It's standard practice to keep your ADMX files up to date. If your DC admins don't want to update ADMX files, then the settings can be enabled via the registry. The servers you are connecting to will also need to be running PowerShell 5.0 or 5.1 (highly recommend 5.1 as 5.0 is pretty buggy and slow).

    https://www.microsoft.com/en-us/download/details.aspx?id=53430

    Here are great blogs from Microsoft about PowerShell security.

    PowerShell is the most secure scripting language.

    Good luck and may the force be with you!
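
A way to verify on a target server that the WinRM policy from the first post and the PowerShell logging policies mentioned in the reply above actually landed, as an added example that is not part of the original thread. It assumes the logging settings meant are module logging, script block logging and transcription, and reads them from the standard policy registry locations under `HKLM:\SOFTWARE\Policies\Microsoft\Windows`.

```powershell
# Added example: audit the policy registry values behind the GPO settings discussed above.
# Run in an elevated session on the server, or wrap in Invoke-Command for remote hosts.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# Key under $base, value name, and the value expected when the policy is enabled.
$checks = @(
    @{ Key = 'WinRM\Service';                 Name = 'AllowAutoConfig';          Want = 1 }
    @{ Key = 'PowerShell\ModuleLogging';      Name = 'EnableModuleLogging';      Want = 1 }
    @{ Key = 'PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Want = 1 }
    @{ Key = 'PowerShell\Transcription';      Name = 'EnableTranscripting';      Want = 1 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path (Join-Path $base $c.Key) -Name $c.Name
    [pscustomobject]@{
        Setting = "$($c.Key)\$($c.Name)"
        Actual  = if ($null -eq $actual) { '<not configured>' } else { $actual }
        OK      = ($actual -eq $c.Want)
    }
})

# Listener filters from the WinRM policy: '*' listens on every address, so the
# value is reported for review rather than judged pass/fail beyond "is it set".
foreach ($f in 'IPv4Filter', 'IPv6Filter') {
    $v = Get-PolicyValue -Path (Join-Path $base 'WinRM\Service') -Name $f
    $report += [pscustomobject]@{
        Setting = "WinRM\Service\$f"
        Actual  = if ($null -eq $v) { '<not configured>' } else { $v }
        OK      = ($null -ne $v)
    }
}

# The logging policies only take effect on PowerShell 5.x, as noted in the reply.
$report += [pscustomobject]@{
    Setting = 'PowerShell engine version'
    Actual  = $PSVersionTable.PSVersion.ToString()
    OK      = ($PSVersionTable.PSVersion.Major -ge 5)
}

$report | Format-Table -AutoSize
```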

    • #68763

      Del
      Participant

      Thank you guys.
