Workgroup PowerShell Remoting
Introduction
If you haven't yet read my blog post on enabling PowerShell Remoting I would give that a read over first, this will give you some further background information into PowerShell Remoting. I won't be covering how to enable PowerShell Remoting in this post again, this will demonstrate how to configure a workgroup computer to work with PowerShell Remoting.
It also guides you through a set of instructions on how to secure PowerShell Remoting, which ensures settings such as unencrypted communication are enforced to be off.
In this post I will guide you through the various options available to you for enabling PowerShell Remoting on a workgroup/standalone computer.
Is using SSL required?
Some guides I have seen simply add your remote machine to your trusted hosts, the problem with this is that it disables the mutual authentication. This can be dangerous if you are Remoting over the internet as you are unable to verify the endpoint you are connecting to is indeed the one you intended.
For local LAN Remoting, it's a moot point in my view. Ensuring you have mutual authentication in place is a good thing to ensure you have no man in the middle (MITM) attacks, however this presents a low risk.
Setting up an entire group of workgroup servers to use HTTPS would be cumbersome and the effort out weighs the risks. Don't forget that all traffic over the HTTP protocol is still encrypted, you have just lost the ability of mutual authentication.
My personal view is that I would always look to enable HTTPS Remoting as it adds that further layer of protection.
Configuring TrustedHosts for Remoting
Ok so lets first look at how we setup Remoting using trusted hosts, again I can't state enough to follow my previous guide on how to harden PowerShell Remoting first.
Firstly on our admin machine, the machine you wish to remote from you will need to launch an administrative PowerShell window.
Now if you issue the command;
Get-Item WSMan:\localhost\Client\TrustedHosts
You should hopefully be given a table of results with the Value column being empty.
To add a trusted host you can either place a * or IP address/hostname, placing a * will trust all hosts you connect to. I would recommend adding in the host you are looking to trust.
To trust a host you now issue the following command;
Set-Item WSMan:\localhost\Client\TrustedHosts RemoteMachine
This will now trust PowerShell Remoting connections to RemoteMachine.
You have now configured using TrustedHosts for workgroup Remoting.
Configuring HTTPS for Remoting
This is slightly more complicated but my preferred option, as it presents the best security for workgroup Remoting.
Firstly you will need a valid certificate for this to be made possible, luckily starting from Windows 2012/8 you can complete this by creating a self signed certificate.
This script below will configure PowerShell Remoting using HTTPS, remove listeners for HTTP and export the certificate in use ready for you to import to an administering computer.
# Generate a new self signed certificate
$RCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My\ -DnsName RemoteMachine, RemoteMachine.example.com, '192.168.1.1'
# Export the generated certificate to the desktop
Export-Certificate -Cert $RCert -FilePath (Join-Path $env:USERPROFILE 'Desktop\RemotingCert')
# Enable PowerShell Remoting
Enable-PSRemoting -SkipNetworkProfileCheck -Force
# Get all the listeners for WSMAN that are using HTTP and remove them to stop HTTP connections
Get-ChildItem WSMan:\Localhost\listener | Where -Property Keys -eq 'Transport=HTTP' | Remove-Item -Recurse
# Add in the newly created certificates thumbprint to enable a listener on HTTPS
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $RCert.Thumbprint –Force
# Allow remote incoming connections on 5986
New-NetFirewallRule -DisplayName 'WinRM (HTTPS-In)' -Name 'WinRM (HTTPS-In)' -Profile Any -LocalPort 5986 -Protocol TCP
The DnsName parameter is important as it should have a comma separated list of your hostnames/IPs that will be used for connection.
All that is left to do is import the exported certificate to your administrative computer;
Import-Certificate -Filepath 'C:\RemotingCert' -CertStoreLocation 'Cert:\LocalMachine\Root'
Once imported your machine now can trust the remote certificate presented and mutual authentication can take place.
Entering a Remote Session
Depending on the configuration you chose to use you can enter a remote PowerShell session by either using HTTPS (SSL) or not.
Using HTTP
Enter-PSSession -ComputerName RemoteMachine -Credential (Get-Credential)
Using HTTPS
Enter-PSSession -ComputerName RemoteMachine -UseSSL -Credential (Get-Credential)
You will be prompted to enter your username and password for the remote machine, if all is working you should be presented with a remote shell.