
WinRM service does not listen to WS Management requests. How to activate Windows Remote Management using Group Policy

WinRM and WinRS are new in Windows Vista, Windows Server 2003 R2 and Windows Server 2008 (including Server 2008 Core). They are powerful command-line tools that give system administrators better remote management and remote program execution on Windows machines. However, they must first be enabled, and you will need some time to learn how they work. This article has everything you need to start using them today.

What is Windows Remote Management (WinRM)?

Windows Remote Management (WinRM for short) is a new remote management service for Windows Server 2003 R2, Windows Vista and Windows Server 2008. WinRM is the "server" component, and WinRS (Windows Remote Shell) is the "client" that runs on the administrator's machine and talks to the WinRM service on the managed computer. Note that the WinRM components must be installed on both computers for WinRS to work and receive information from the remote system. WinRM is based on the Web Services for Management (WS-Management) standard, which means it carries SOAP requests over HTTP (port 80 in this first release; WinRM 2.0, which ships with PowerShell 2.0, moved the defaults to TCP 5985 for HTTP and 5986 for HTTPS). HTTP is easy to pass through firewalls, and that cuts both ways: it is easier to manage a remote computer over the Internet, but it is also easier for an attacker to reach the same service. A small extra advantage of port 80 is that no additional port has to be opened on a server that already accepts inbound HTTP.

According to Microsoft, WinRM is the company's new standards-based API for system management. If you were hesitant to invest time in such tools before, the fact that this is Microsoft's new standard makes it worth studying.

You may already be familiar with Windows Management Instrumentation (WMI). In case you are not: the WMI repository holds all sorts of information about the hardware and software of a computer, and almost every Windows management application drops down to the WMI level to perform administrative tasks on a PC.

WinRM uses the WMI repository to perform tasks you may previously have done with other tools such as VBScript. The advantage of WinRM is that it uses HTTP, as noted above; it even contains special code that lets it share port 80 with IIS if a web server is already bound to that port.

WinRM supports several authentication types to stop unauthorized users from running administrative tasks against your clients and servers. Remember that by enabling WinRM you open another way to attack your systems. But, as with any open port, if authentication and encryption are configured correctly you have taken all reasonable precautions. In a domain the client and server negotiate Kerberos by default; leave Basic authentication disabled unless the listener is HTTPS, because Basic sends the password merely base64-encoded.

The vendor of your management software may already have scheduled WinRM support for an upcoming release, so you may end up using WinRM indirectly through other applications. You can also use the component directly with the winrm.cmd command-line tool, which makes it very easy to pull information out of WMI for whatever task you are solving.

As you will see below, WinRM has a command-line interface with many parameters. The WinRM help is displayed even when the service is not enabled on your system.

Figure 1: WinRM command line parameters

How to enable and use WinRM?

If you are using Windows Server 2008, WinRM is already installed but not enabled by default, which is a sensible precaution. The easiest way to check whether WinRM is enabled and running on your machine is to open a command prompt and type:

winrm enumerate winrm/config/listener

If no listener comes back, WinRM is not configured. To set the WinRM service to start automatically and allow remote access, use winrm quickconfig, for example:

C:\Users\Administrator>winrm quickconfig
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Make these changes [y/n]? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

C:\Users\Administrator>

After running quickconfig, I repeated the enumerate command with the following result:

C:\Users\Administrator>winrm e winrm/config/listener
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.253.15.98, 127.0.0.1, ::1, fe80::5efe:10.253.15.98%11, fe80::9583:2148:e1ef:6444%10

C:\Users\Administrator>

Now I know WinRM is enabled.

By the way, if you want to remove the listener again (and with it remote access), use this command:

winrm delete winrm/config/listener?Address=*+Transport=HTTP

To use WinRM with its default (Kerberos) authentication, all nodes that talk to it must be members of the same domain as the WinRM host, or of a domain it trusts. Workgroup machines can be made to work, but that requires adding them to the client's TrustedHosts list and falling back to NTLM or Basic authentication, which is weaker; prefer domain membership, or at least an HTTPS listener.
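The article above leaves you with the plaintext HTTP listener that winrm quickconfig creates. As an added example (this is not code from the original article), the PowerShell script below replaces it with an HTTPS listener bound to a certificate already in the machine store and limits the firewall rule to a management subnet. It assumes WinRM 2.0 or later, the NetSecurity cmdlets (Windows 8 / Server 2012 or newer), a server-authentication certificate whose subject is CN=<this host's FQDN>, and a management network of 10.0.0.0/24; all of those are assumptions, not facts from the page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Switches WinRM from the plaintext
# HTTP listener created by "winrm quickconfig" to an HTTPS listener and scopes the
# firewall rule to a management subnet.
# Assumptions: a server-auth certificate with subject CN=<this host's FQDN> and a
# private key exists in Cert:\LocalMachine\My; management network is 10.0.0.0/24.

$managementSubnet = '10.0.0.0/24'                     # assumption: adjust to your network
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Pick the newest matching certificate that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$fqdn in Cert:\LocalMachine\My" }

# Helper: turn a listener's Keys ("Address=*", "Transport=HTTP") into a hashtable.
function Get-ListenerSelector($listener) {
    $sel = @{}
    foreach ($k in $listener.Keys) { $name, $value = $k -split '=', 2; $sel[$name] = $value }
    return $sel
}
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { Get-ListenerSelector $_ }

# 2. Create the HTTPS listener (TCP 5986 by default) if there is none yet.
if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
}

# 3. Remove every plaintext HTTP listener, whatever address it was bound to.
foreach ($sel in ($listeners | Where-Object { $_.Transport -eq 'HTTP' })) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = $sel.Address; Transport = 'HTTP' }
}

# 4. Firewall: disable the built-in WinRM rules (they open 5985 and 80 to any
#    source) and allow 5986 only from the management subnet.
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
$ruleName = 'WinRM HTTPS (management subnet only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 5986 -RemoteAddress $managementSubnet | Out-Null
}

# 5. Show the listeners (the same check the article uses) and prove the TLS
#    listener answers a WS-Man identify request.
winrm enumerate winrm/config/listener
Test-WSMan -ComputerName $fqdn -UseSSL
```

Test-WSMan at the end validates the certificate chain, so a self-signed certificate must already be trusted by the client, or the call fails even though the listener is up.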

What is WinRS and how to use it?

WinRS is short for Windows Remote Shell. With WinRS you can send commands to Windows machines on which WinRM is running. Remember that your own machine also needs the WinRM components in order to use WinRS.

As the figure below shows, winrs is a full-featured command-line tool with extensive built-in help on how it works.

Figure 2: WinRS command line parameters

One of the most common uses of WinRS is running commands on a remote machine. This interaction, of course, goes over HTTP (port 80 by default in this release).

Below is an example of using WinRS: I ran two commands against the localhost node, 'ver' and 'dir C:', and in each case received the expected output.

Figure 3: Demonstration of WinRS commands

Conclusion

WinRM and WinRS are very powerful new tools that Windows system administrators simply must know about. Think of the remote management possibilities with WinRM/WinRS: you can install programs, change settings and troubleshoot problems (provided, of course, that the problem is not the network itself). You can go further and drive WinRS from a script to perform these tasks on many computers. And remember that whether or not you use these tools yourself, your systems-management software will soon be using them anyway.


10/17/2011 Don Jones

I realized that the creators of PowerShell were somewhat lazy, and that is a good thing. Rather than code a -ComputerName parameter into every cmdlet, they created a general system called remoting. Essentially, remoting lets any command run on a remote computer. You can even run commands that exist on the remote computer but are missing on yours, so you do not have to install every cmdlet on your workstation. Remoting is very effective and opens up a number of interesting administrative capabilities.

When I started using PowerShell I got carried away with Get-Service and noticed that it has a -ComputerName parameter. Did that mean I could query services on other computers? After some experiments I found that it meant exactly that. Intrigued, I looked for -ComputerName parameters on other cmdlets, and was disappointed to find only a few.

PowerShell provides two kinds of remoting: one-to-one (1:1) and one-to-many (1:n). Before discussing them, I want to clarify some basics.

Basics of PowerShell remoting

PowerShell remoting works much like Telnet and other older remote management technologies: when you run a command, it actually executes on the remote computer, and all that comes back to your computer is the command's output. Unlike Telnet or Secure Shell (SSH), PowerShell uses a newer communication protocol called Web Services for Management (WS-Management). It runs on top of HTTP or HTTP Secure (HTTPS), which makes it easier to route through firewalls if necessary, because it needs only one port. Microsoft's implementation of WS-Management is a background service called Windows Remote Management (WinRM). WinRM is installed together with PowerShell 2.0 and starts by default on servers such as Windows Server 2008 R2; on Windows 7 it is installed but not enabled. You need to enable WinRM on the computers you want to send commands to. The computer you are physically sitting at does not need to have the WinRM service listening.

All PowerShell commands produce objects as output. When you run a command remotely, its output has to be wrapped in a form that can be sent over the network via HTTP or HTTPS, so PowerShell automatically serializes the output objects to XML for transmission. When they arrive at your computer they are deserialized back into objects that PowerShell can work with. These deserialized objects, however, are snapshots: they do not refresh themselves. If you retrieve objects representing processes running on a remote computer, the result is accurate only for the moment at which the objects were generated; values such as memory and CPU usage will not change. Nor can you make a deserialized object do anything: you cannot, for example, tell a process object to stop itself, because its methods did not survive the trip. This is the main limitation of remoting, but it will not stop you from doing interesting work.

There are only a few basic requirements for using remoting.

  • Both your computer (the local computer) and the one you want to send commands to (the remote computer) must run Windows PowerShell 2.0. Windows XP is the oldest version of Windows on which PowerShell 2.0 can be installed, so even that old version can take part in a remoting session.
  • Ideally, the local and remote computers should be members of the same domain or of trusting/trusted domains. Remoting can be made to work outside a domain, but it is harder and I will not cover it here. To learn more about that scenario, see the PowerShell help topic about_Remote_Troubleshooting.

WinRM overview

Now let's turn to WinRM, because you need to configure this service before remoting will work. To repeat: you only need to configure WinRM and PowerShell remoting on the remote computer. In most environments I have worked in, administrators enabled remoting on every computer running XP or newer. That lets you reach desktops and laptops without the user noticing, which can be very useful (it means the users of those computers will not know what you are doing).

It would be wrong to say that WinRM is something specific to PowerShell. WinRM can route traffic for multiple management applications; essentially it acts as a dispatcher. When traffic arrives, WinRM decides which application should handle it, based on the endpoint name the request is addressed to. The receiving application must register with WinRM so that WinRM can listen for incoming traffic on its behalf. In other words, you not only have to enable WinRM, you also have to register PowerShell as a WinRM endpoint.

The simplest way to do both is to start PowerShell as an administrator and run Enable-PSRemoting. You will also see help for another command, Set-WSManQuickConfig; you do not need to run it yourself, because Enable-PSRemoting calls it for you and then performs a few more steps needed to get remoting working. In short, Enable-PSRemoting starts the WinRM service, sets it to start automatically, registers PowerShell as an endpoint, and even adds Windows Firewall exceptions to allow inbound WinRM traffic.

If you do not want to visit every computer to enable remoting, you can use a Group Policy Object (GPO). The required GPO settings are built into Windows Server 2008 R2 domain controllers. Just open the GPO and go to Computer Configuration \ Administrative Templates \ Windows Components. Near the bottom of the list you will find both Remote Shell and Windows Remote Management (WinRM), whose settings you need to configure. The help topic about_Remote_Troubleshooting gives detailed instructions: see the sections "How to enable remoting in an enterprise" and "How to enable listeners by using a Group Policy".

WinRM 2.0 (the version PowerShell uses) defaults to TCP port 5985 for HTTP and 5986 for HTTPS. This ensures that WinRM does not conflict with locally installed web servers listening on ports 80 and 443. You can configure WinRM to use alternative ports, but I do not recommend it. If you leave the defaults, all PowerShell remoting commands will just work; if you change them, you will have to specify the alternative port every time you run a remoting command, which means more typing. If you really need to change the port, you can enter:

winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="1234"}

The digits 1234 stand for the port you want. If the command is printed on several lines here, it must still be entered as a single line; the same applies to all the other commands in this article. If you need HTTPS instead of HTTP, modify the command to configure the HTTPS listener's port. Admittedly there is also a way to configure the local computer's WinRM client to use alternative ports by default, so that you do not have to specify the port on every remoting command, but let's stick with Microsoft's defaults.

If you look at the Remote Shell GPO settings, you will notice you can set, for example, how long a remote session may stay idle before the server terminates it; how many users may be connected to the remote server at once; how much memory and how many processes each remote shell may use; and the maximum number of remote shells a user may open at a time. These settings help ensure your servers are not overwhelmed by forgetful administrators. By default, however, you must be an administrator to use remoting, so you need not worry about ordinary users clogging your servers.

One-to-one (1:1) remoting

With 1:1 remoting you essentially get a command line on one remote computer. Any command you type runs on the remote computer, and you see the results in your command-line window. It is somewhat like a Remote Desktop connection, except that you are limited to the PowerShell command line. PowerShell remoting uses a fraction of the resources Remote Desktop needs, so it has a much smaller impact on your servers.

To establish a 1:1 connection to a remote computer named Server-R2, run

Enter-PSSession -ComputerName Server-R2

Assuming you have enabled remoting on the remote machine, that it is in the same domain as your computer, and that the network is working, you will get the connection. PowerShell lets you know you have reached the target by changing the prompt to

[Server-R2]: PS C:\>

The [Server-R2] part tells you that everything you do is happening on Server-R2. After that you can run whatever commands you like. You can even import any modules and add any PowerShell snap-ins (PSSnapins) that are present on the remote computer.

Even your permissions stay the same. Your copy of PowerShell runs with the same security token it was started with. PowerShell does this using Kerberos, so it does not send your username and password over the network. Any command you run on the remote computer runs under your credentials, so you can do anything you have permission to do. It looks like logging on at the computer's console and using that computer's copy of PowerShell. It is almost like that; here are a few differences.

  • If you have a PowerShell profile script on the remote computer, it will not run when you connect through remoting. Put simply, profiles are a batch of commands that run automatically every time you open the command-line window; they are used to load extensions, modules and the like automatically.
  • You are bound by the remote computer's execution policy. For example, your own computer's policy may be RemoteSigned so that you can run local unsigned scripts. If the remote computer's policy is Restricted (the default), it will not let you run any scripts while you are connected remotely.

Many PowerShell cmdlets come in pairs: one does something, the other undoes it. In our case Enter-PSSession connects you to a remote computer and Exit-PSSession closes that connection. Exit-PSSession needs no parameters; once it runs, the remote connection is closed and your command prompt returns to normal. What if you forget to run Exit-PSSession? Don't worry: PowerShell and WinRM can work out what you did and close the remote connection when needed.

One piece of advice. When you are connected to a remote computer, do not run Enter-PSSession from there unless you fully understand what you are doing. For example, you are working on your computer and you connect to Server-R2. At the PowerShell prompt you run

[Server-R2]: PS C:\> Enter-PSSession Server-DC4

Now Server-R2 has an open connection to Server-DC4. This creates a "remoting chain" that is hard to keep track of, and it puts unnecessary load on your servers. (It also usually fails: by default your Kerberos ticket cannot be delegated onward from Server-R2, the well-known "second hop" problem, unless you explicitly configure delegation or CredSSP.) There may be times when you need to do this, for example when Server-DC4 is behind a firewall and you cannot reach it directly, so you must use Server-R2 as an intermediary. The general rule, however, is: try to avoid remoting chains.

One-to-many (1:n) remoting

One of the most interesting things in PowerShell is 1:n remoting. It lets you send commands to several remote computers at once, full-scale distributed computing. Each computer executes the command independently and sends you the results. It is all done with Invoke-Command, in this form:

Invoke-Command -ComputerName Server-R2, Server-DC4, Server12 -Command { Get-EventLog Security -Newest 200 | Where { $_.EventID -eq 1212 } }

The command inside the outer braces is sent to all three remote computers. By default PowerShell talks to 32 computers at once; if you specify more than 32, the rest are queued, and as each computer finishes the next one starts. If you really have a fast network and powerful computers, you can raise that number with the -ThrottleLimit parameter. How to use it is described on the Invoke-Command help page.

The one parameter you will not see on that help page is -Command, which, as I have just shown, works fine. -Command is an alias, or short name, for the -ScriptBlock parameter that is listed. I find -Command easier to type, so I tend to use it instead of -ScriptBlock, but they work identically.

If you read the Invoke-Command help page carefully, you will also have noticed a parameter that lets you specify a script file instead of a command. The -FilePath parameter sends a script to the remote computers, which means you can automate quite complex tasks, with each computer doing its own share of the work.

Now let's focus on the -ComputerName parameter. In the Invoke-Command example I typed a list of computer names separated by commas. If you have many computers you will not want to type their names every time. Instead, create a text file with one computer name per line, without commas, quotes or anything else. For example, if the file is called WebServers.txt, you would use:

Invoke-Command -Command { dir } -ComputerName (Get-Content WebServers.txt)

The parentheses make PowerShell execute Get-Content first, just as parentheses work in mathematics; the Get-Content results are then fed to the -ComputerName parameter.

You can also query computer names from Active Directory, but that is a bit harder. You can use Get-ADComputer to find computers, but you cannot simply drop that command into the parentheses as we did with Get-Content. Why not? Get-Content emits plain strings, while Get-ADComputer emits computer objects. The -ComputerName parameter expects strings; if it received computer objects it would not know what to do with them. So if you want to use Get-ADComputer, you have to extract the values of the computer objects' Name property, like this:

Invoke-Command -Command { dir } -ComputerName (Get-ADComputer -Filter * -SearchBase "OU=Sales,DC=Company,DC=PRI" | Select-Object -Expand Name)

Inside the parentheses the computer objects are piped to Select-Object, and the -Expand parameter pulls out the Name property of each one. The result of the parenthesized expression is a set of computer names rather than computer objects, which is exactly what -ComputerName needs.

If you are not familiar with Get-ADComputer, here is what it does. The -Filter parameter says that all computers should be included in the results, and -SearchBase tells PowerShell to start looking in the Sales organizational unit (OU) of the company.pri domain. Get-ADComputer is available only on Windows Server 2008 R2 and on Windows 7 with the Remote Server Administration Tools installed. On those systems you run

Import-Module ActiveDirectory

to load the directory-service cmdlets into the shell so you can use them.
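The 1:n examples above send a single command and print whatever comes back. As an added example (this is not Don Jones's code), the script below does what a practitioner usually wants from 1:n remoting: it reads targets from the WebServers.txt file described above, limits concurrency with -ThrottleLimit, pulls recent failed-logon events (Security event 4625, chosen for illustration; the article's own example used 1212), parses the event XML on the remote side so only small objects cross the wire, summarizes per computer using the PSComputerName stamp that Invoke-Command adds to every deserialized object, and lists the hosts it could not reach. The file name, the event ID and the one-hour window are assumptions.

```powershell
# Added example, not from the original article. Fleet query for failed logons
# with throttling, per-host error capture and a per-computer summary.
# Assumptions: .\WebServers.txt holds one host name per line; the caller is an
# administrator on every target; event 4625 and the one-hour window are illustrative.

$targets = Get-Content .\WebServers.txt | Where-Object { $_.Trim() }

$failed = @()    # -ErrorVariable fills this with one record per unreachable host
$events = Invoke-Command -ComputerName $targets -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        # Everything in this block runs on the remote host. Filtering and parsing
        # happen there, so only small custom objects are serialized back.
        Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceIP  = $data.IpAddress
                LogonType = $data.LogonType
            }
        }
    }

# The objects that came back are deserialized snapshots; PSComputerName was added
# by Invoke-Command and tells us which host each one came from.
$events | Group-Object PSComputerName | ForEach-Object {
    $top = $_.Group | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer     = $_.Name
        FailedLogons = $_.Count
        TopSource    = $top.Name
        FromTop      = $top.Count
    }
} | Sort-Object FailedLogons -Descending | Format-Table -AutoSize

# Hosts that never answered (WinRM off, firewall, Kerberos/SPN trouble, ...).
# For remoting connection errors TargetObject carries the computer name.
foreach ($e in $failed) {
    Write-Warning ("UNREACHABLE {0}: {1}" -f $e.TargetObject, $e.Exception.Message)
}
```

Because -ErrorAction SilentlyContinue is applied to the whole Invoke-Command, one dead host does not abort the run; the unreachable list at the end is usually the first thing worth acting on, since a server that has silently stopped answering WinRM is itself a finding.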

There is something else!

All these examples used ad-hoc remoting sessions. If you are going to reconnect to the same computer (or computers) several times in a short period, you can instead create reusable, persistent sessions. That is very handy when the connection requires alternative credentials, a non-default port number, or anything else that needs extra parameters.

To create persistent sessions, use the New-PSSession cmdlet and save the sessions in a variable for easy access. For example, the following code creates remoting sessions to three computers and saves them in the $sessions variable:

$sessions = New-PSSession -ComputerName One, Two, Three -Port 5555 -Credential DOMAIN\Administrator

Remoting sessions are closed automatically when you close the shell, but until then they consume memory and a little CPU on both the local and the remote systems. To close them explicitly, use Remove-PSSession:

$sessions | Remove-PSSession

When you need to use the sessions again, you can pass them to Invoke-Command:

Invoke-Command -Command { dir } -Session $sessions

Or you can use Enter-PSSession:

Enter-PSSession -Session $sessions[1]

Note that the Enter-PSSession line reopens only one session. The index 1 tells PowerShell to reconnect to the session with the computer called Two (indexes start at zero).
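The snippets above show each session cmdlet in isolation. As an added example (not Don Jones's code), here is the whole lifecycle in one script: sessions opened with explicit credentials, state left in the session and reused by a later call (which an ad-hoc -ComputerName call could not do), and a finally block that guarantees Remove-PSSession runs even if a step throws. The host names One, Two and Three, the port and the credential prompt are assumptions carried over from the article's example; Get-CimInstance requires PowerShell 3.0 or later on the targets.

```powershell
# Added example, not from the original article. Persistent-session lifecycle:
# create once, reuse state across calls, always clean up.
# Assumptions: hosts One, Two, Three listen on 5555; the prompted account is an
# administrator on all three; targets run PowerShell 3.0+ (Get-CimInstance).

$cred = Get-Credential -Message 'Administrator account for One, Two, Three'
$sessions = @()
try {
    # -ErrorAction Stop: if any host is unreachable we want to know now, not later.
    $sessions = New-PSSession -ComputerName One, Two, Three -Port 5555 -Credential $cred -ErrorAction Stop

    # Step 1: leave state in each session. Variables set here survive between calls
    # because -Session reuses the same remote runspace.
    Invoke-Command -Session $sessions -ScriptBlock { $collectedAt = Get-Date }

    # Step 2: a later call in the same sessions sees $collectedAt. With
    # -ComputerName instead of -Session this would print an empty value.
    Invoke-Command -Session $sessions -ScriptBlock {
        $os = Get-CimInstance Win32_OperatingSystem
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            CollectedAt = $collectedAt
            Uptime      = (Get-Date) - $os.LastBootUpTime
        }
    } | Sort-Object Uptime -Descending | Format-Table -AutoSize

    # Step 3: check which sessions are still healthy before doing anything else.
    $sessions | Where-Object { $_.State -ne 'Opened' } |
        ForEach-Object { Write-Warning "Session to $($_.ComputerName) is $($_.State)" }

    # Interactive work on the second host only (index 1 = Two), exactly as in the
    # article. Commented out so the script runs unattended:
    # Enter-PSSession -Session $sessions[1]
}
finally {
    # Without this, the sessions (and their remote wsmprovhost.exe processes)
    # linger until the shell exits.
    if ($sessions) { $sessions | Remove-PSSession }
}
```

The try/finally shape matters more than any single step: an unhandled error between New-PSSession and Remove-PSSession is the usual way administrators end up hitting the per-user shell limit mentioned in the GPO discussion above.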

As you can see, PowerShell remoting has a great deal to offer. Once you start using it, you will see how far it expands your horizons.

Don Jones is a PowerShell technical instructor (www.windowsitpro.com/go/donjoneespower) and the author of more than 35 books. He is a Microsoft MVP.



I once had problems with WinRM on two servers.

1. SetSpn
One problem was that the SPN entries HTTP/<server name> were registered to some stray user account.

I found these entries with the command
setspn -f -q */<server name>

Then I deleted them with the commands
setspn -d http/<server name>.<domain name> <domain name>\<stray account>
setspn -d http/<server name> <domain name>\<stray account>

After that, enable-psremoting -force succeeded.

2. Language Pack
On the second server there was a tricky problem, supposedly with the firewall ("Unable to check the status of the firewall"). I rummaged through a bunch of sites and found the solution intuitively, based on an answer about an installed Language Pack.

WinRM QuickConfig
WinRM service is already running on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message = Unable to check the status of the firewall.

Error number: -2147024894 0x80070002
The system cannot find the file specified.

The answer said this error is cured by removing the additional Language Pack.
But I went another way. I have an English OS with an additional Russian Language Pack. I simply changed the interface language to Russian.
Control Panel, Region and Language, Keyboards and Languages: changed the display language from English to Russian.
Logged off and on again, opened PowerShell and repeated WinRM QuickConfig

PS C:\Windows\System32> WinRM qc

WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:

Create a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

Make these changes? y

WinRM has been updated for remote management.

Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.

That succeeded, but it was still not enough.

An Access Denied error appeared when trying to execute commands remotely on this server from another computer.

New-PSSession : [<server name>] Connecting to remote server <server name> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

Then I ran enable-psremoting again

PS C:\Windows\System32> Enable-PSRemoting

WinRM Quick Configuration
Running command "Set-WSManQuickConfig" to enable remote management of this computer by using the WinRM service.
Necessary actions:
    1. Start or restart (if already started) the WinRM service.
    2. Change the WinRM service startup type to "Automatic".
    3. Create a listener to accept requests on any IP address.
    4. Configure firewall exceptions for WS-Management traffic (HTTP protocol only).

Do you want to continue?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.

Confirm
Are you sure you want to perform this action?
Performing operation "Register session configuration" on target "Session configuration
"Microsoft.PowerShell32" is not found. Running command "Register-PSSessionConfiguration Microsoft.PowerShell32
-ProcessorArchitecture x86 -Force" to create the "Microsoft.PowerShell32" session configuration. The WinRM service will be
restarted.".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): a

After that, WinRM on this server worked as it should.
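The first problem in the post above (HTTP/<server> SPNs held by a stray account) silently breaks Kerberos for WinRM, and the poster found it with setspn by hand. As an added example (this is not the poster's code), the function below does that check from PowerShell with plain ADSI, so it needs no RSAT module: it looks up who owns HTTP/<short name> and HTTP/<FQDN>, reports duplicates, and flags any owner that is not the target's own computer account. The host name Server-R2 in the usage line is an assumption; the function assumes a domain-joined machine that can reach a domain controller over LDAP.

```powershell
# Added example, not from the forum post. Finds the AD object(s) holding the
# HTTP/<host> SPNs that WinRM's Kerberos authentication relies on and flags any
# that are not the computer account itself (the condition described in the post).
# Assumptions: domain-joined machine with LDAP access to a DC; the usage host
# name Server-R2 is illustrative.

function Test-WinRMSpn {
    param([Parameter(Mandatory)][string]$ComputerName)

    $fqdn  = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $short = $fqdn.Split('.')[0]
    $root  = [adsi]'LDAP://RootDSE'
    $base  = [adsi]"LDAP://$($root.defaultNamingContext)"

    foreach ($spn in "HTTP/$short", "HTTP/$fqdn") {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $base, "(servicePrincipalName=$spn)", @('sAMAccountName', 'objectClass'))
        $owners = $searcher.FindAll()

        if ($owners.Count -eq 0) {
            # No explicit HTTP SPN: Kerberos uses HOST/<name>, which the computer
            # account holds by default. That is the normal, healthy state.
            [pscustomobject]@{ SPN = $spn; Owner = '(none; HOST/ covers it)'; Class = '-'; Status = 'OK' }
            continue
        }
        if ($owners.Count -gt 1) {
            Write-Warning "Duplicate SPN $spn is registered on $($owners.Count) objects; Kerberos will fail"
        }
        foreach ($o in $owners) {
            $sam     = [string]$o.Properties['samaccountname'][0]
            $classes = @($o.Properties['objectclass'])
            $class   = [string]$classes[-1]          # most specific class, e.g. 'computer' or 'user'
            $status  = if ($class -eq 'computer' -and $sam -eq "$short`$") { 'OK' }
                       else { 'STRAY: SPN not held by the computer account' }
            [pscustomobject]@{ SPN = $spn; Owner = $sam; Class = $class; Status = $status }
        }
    }
}

# Usage (host name is an assumption):
Test-WinRMSpn -ComputerName Server-R2 | Format-Table -AutoSize
```

A STRAY result means the KDC will issue tickets for HTTP/<server> encrypted to that account's key, so the WinRM service on the real server cannot decrypt them and the client falls back or fails. The remedy is the setspn -d the poster used; a stray HTTP SPN on a user account is also worth examining as a possible relay or impersonation setup, not just a misconfiguration.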

In this article I will try to explain how to centrally enable and configure the Windows Remote Management (WinRM) service on all target computers using Group Policy. As a reminder, Windows Remote Management is a service that lets administrators remotely access and manage client and server Windows operating systems (and if you have used the Microsoft Sysinternals utilities before, I think you will like WinRM).
Take an ordinary PC on which the Windows Remote Management feature is not enabled. At the command prompt, enter the following command:


The following error message should appear, indicating that WinRM is not configured:
WSManFault: The client cannot connect to the destination specified in the request. Error number: -2144108526 0x80338012

If you need to configure WinRM manually on a single system, it is enough to type:

winrm quickconfig

If you need to configure WinRM on a group of computers, you can use the dedicated Group Policy settings. The policy of interest is located under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service. Enable the following settings:
Allow automatic configuration of listeners
Allow Basic authentication
Note that Basic authentication is not needed for domain-joined clients, which negotiate Kerberos, and it sends the password merely base64-encoded; only enable it if you actually need it and the listener is HTTPS.


In the IPv4 filter field enter *, which means the computer can accept connections (and therefore management commands) from anywhere, i.e. the listener will accept requests on all IP interfaces. In production it is safer to enter the management subnet here instead of *.
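The Group Policy settings just described end up as values under the WSMan: drive on every target. As an added example (this is not code from the original article), the function below reads those values back on a host after the policy has applied and flags the weak combinations discussed here and in the authentication paragraph of the first article: Basic authentication without HTTPS, AllowUnencrypted, Kerberos switched off, and an IPv4Filter of *. It changes nothing, only reports. It assumes WinRM 2.0 or later and a PowerShell console run as administrator.

```powershell
# Added example, not from the original article. Read-only audit of the WinRM
# service settings that the GPO above controls. Assumes WinRM 2.0+ and an
# elevated console (the WSMan: drive needs it).

function Get-WinRMSecurityPosture {
    $svc = 'WSMan:\localhost\Service'
    function Get-Setting($relPath) { (Get-Item "$svc\$relPath").Value }

    # Listener Keys look like "Transport=HTTP", "Address=*"; split them apart.
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $sel = @{}
        foreach ($k in $_.Keys) { $name, $value = $k -split '=', 2; $sel[$name] = $value }
        [pscustomobject]$sel
    }

    $basic       = [bool]::Parse((Get-Setting 'Auth\Basic'))
    $kerberos    = [bool]::Parse((Get-Setting 'Auth\Kerberos'))
    $unencrypted = [bool]::Parse((Get-Setting 'AllowUnencrypted'))
    $ipv4Filter  = Get-Setting 'IPv4Filter'
    $hasHttps    = [bool]($listeners | Where-Object { $_.Transport -eq 'HTTPS' })

    $findings = @()
    if ($basic -and -not $hasHttps) {
        $findings += 'Basic auth enabled but only an HTTP listener exists; disable Basic, Kerberos/Negotiate is enough in a domain'
    }
    if ($basic -and $unencrypted) {
        $findings += 'Basic + AllowUnencrypted: passwords can cross the wire base64-encoded in clear HTTP'
    }
    if ($unencrypted) {
        $findings += 'AllowUnencrypted=true: clients may turn off WS-Man message encryption'
    }
    if (-not $kerberos) {
        $findings += 'Kerberos disabled: domain clients will fall back to NTLM'
    }
    if ($ipv4Filter -eq '*') {
        $findings += 'IPv4Filter=*: the listener binds every address; consider the management subnet instead'
    }

    [pscustomobject]@{
        Listeners        = ($listeners | ForEach-Object { "$($_.Transport)@$($_.Address)" }) -join ', '
        BasicAuth        = $basic
        Kerberos         = $kerberos
        AllowUnencrypted = $unencrypted
        IPv4Filter       = $ipv4Filter
        Findings         = $findings
    }
}

Get-WinRMSecurityPosture | Format-List
```

Run it after gpupdate /force on a pilot machine before the policy is linked to production OUs; a clean result (Kerberos true, Basic false, AllowUnencrypted false, non-wildcard filter) is what a domain-only deployment should look like.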


Then, under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Shell, enable:
Allow Remote Shell Access


Finally, set the startup type of the Windows Remote Management service to Automatic. As a reminder, service startup types are managed from this Group Policy section: Computer Configuration -> Windows Settings -> Security Settings -> System Services.


After WinRM has been enabled through Group Policy, check the service state with the familiar command:


Make sure the WinRM startup type is Automatic. In fact it will be "Automatic (Delayed Start)", because a start-up delay is configured for the WinRM service by default (the DelayedAutostart = 1 value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM).

Now that WinRM has been enabled via Group Policy, this system can be managed remotely with WinRS commands. The following command opens a command prompt running on the remote system:

winrs -r:Computer01 cmd

Once the prompt appears, you can run commands and see their output on the remote computer as if you were sitting at it. Note that WinRM must also be enabled on the computer you are managing from.

Configuring PowerShell remoting (part 1)

To make remote management with PowerShell possible, some configuration is needed. How much depends on the operating system, the network environment, security requirements (and who knows what else). Since there are quite a lot of settings, I will try to cover the most important ones. Let's go...

Enabling remoting

To manage a remote computer, remoting must be allowed on that computer. The exception is Windows Server 2012, where all remote management features are enabled by default. On all other operating systems you need to:

1. Start the WinRM service and set it to start automatically;
2. Create a listener that will listen for management requests;
3. Enable a firewall rule allowing WS-Management traffic.

To configure a single computer, the easiest way is the Enable-PSRemoting cmdlet. It performs all the necessary actions and also registers the default session configuration. To suppress confirmation prompts, add the -Force parameter. The console must be run with administrator rights, otherwise an error will be returned.
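As an added example (not part of the original article), the following function checks the three prerequisites listed above after Enable-PSRemoting has run: service startup type, listener presence and the inbound firewall rule. The function name is my own; run it in an elevated console.

```powershell
# Added example: verify the three PS Remoting prerequisites on the local machine.
function Test-PSRemotingPrereqs {
    $result = [ordered]@{}

    # 1. WinRM service must be running and set to start automatically
    #    (StartMode is 'Auto' even when the service uses a delayed start).
    $svc       = Get-Service -Name WinRM
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='WinRM'").StartMode
    $result.ServiceRunning   = ($svc.Status -eq 'Running')
    $result.ServiceAutoStart = ($startMode -eq 'Auto')

    # 2. At least one listener must exist; Enable-PSRemoting creates HTTP on 5985.
    $listeners = @(Get-ChildItem WSMan:\localhost\Listener)
    $result.ListenerCount = $listeners.Count
    $result.HttpListener  = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })

    # 3. An enabled inbound firewall rule for WS-Management traffic must exist.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
                 -Direction Inbound -ErrorAction SilentlyContinue
    $result.FirewallRuleEnabled = [bool]($rules | Where-Object Enabled -eq 'True')

    # Overall verdict: everything a remote client needs is in place.
    $result.Ready = $result.ServiceRunning -and $result.ServiceAutoStart -and
                    $result.HttpListener -and $result.FirewallRuleEnabled
    [pscustomobject]$result
}

Test-PSRemotingPrereqs
```

If Ready comes back $false, run Enable-PSRemoting -Force and check again; Test-WSMan -ComputerName localhost then confirms the listener answers WS-Management requests.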

In a domain environment, you can use Group Policy to configure PS Remoting.

In the Computer Configuration\Policies\Windows Settings\System Services section, enable the "Windows Remote Management (WS-Management)" policy. It sets the startup mode for the WinRM service.

In Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service, enable the "Allow Automatic Configuration of Listeners" policy, which creates a listener on port 5985 (the default HTTP port). You can additionally specify which IP addresses may connect. If IP filtering is not needed, simply enter *, which means accepting connections from any address.

Then go to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security and create a new rule under Inbound Rules. Choose the Predefined item and select Windows Remote Management from the list.

Note that there are two rule variants to choose from: standard and compatibility. The first opens WinRM's default port 5985, the second opens port 80 (for compatibility with old WinRM versions). Both are selected by default.

Configuring authentication between computers

For remote connections PowerShell uses mutual authentication between computers. This means that before the connection is established, the remote machine must prove its identity. Simply put, if you connect to a computer named SRV1, then before the connection is set up it (SRV1) must prove to you that it really is SRV1, otherwise the connection will not be established.

If the computers are members of the same domain, or of different domains that trust each other, mutual authentication is performed by the domain services. The main thing is that the computer name resolves to the IP address and matches the computer name in Active Directory.

Attention: when connecting, you must specify valid computer names, i.e. as they are registered in Active Directory. If the computer is in the local domain, you can simply specify the computer name, for example SRV1. To specify a computer from another domain you must use its fully qualified domain name (FQDN), e.g. srv1.contoso.com. If you specify an IP address or some other DNS name (for example a CNAME alias), mutual authentication will not work.

If one or both computers are not domain members, there are two options for mutual authentication: add the remote machine to the Trusted Hosts list, or use SSL.

Trusted Hosts

Adding a computer to Trusted Hosts is the simple but less secure path. For computers in Trusted Hosts, mutual authentication is effectively disabled. This method should therefore be used with great care.

You can add a computer to the trusted hosts using PowerShell. To create the list of trusted hosts and add the computer SRV1 to it, use the command:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value SRV1.contoso.com

When adding multiple computers, their names can be listed separated by commas. You can specify not only the name but also the IP address of a computer. Wildcards are supported as well. For example, you can add all computers from the contoso.com domain to the trusted hosts by specifying the value *.contoso.com, or all computers without exception:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value *

To add a computer name to an existing list of trusted hosts, first save the current value in a variable, and then assign a comma-separated list that includes both the current and the new values. For example, to add the computer SRV2 to the list of trusted hosts, use the following commands:

$curr = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$curr,srv2.contoso.com"

And to view the list of trusted hosts, use the command:

Get-Item WSMan:\localhost\Client\TrustedHosts
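The append pattern above produces a leading comma when the list is still empty and happily adds a host twice. As an added example (not code from the original article), this function handles the empty list, skips duplicates and reports clearly when the value is locked by Group Policy; the function name is my own.

```powershell
# Added example: append entries to TrustedHosts without a stray leading comma or duplicates.
function Add-TrustedHost {
    param([Parameter(Mandatory)][string[]]$HostName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value

    # The value is one comma-separated string; an empty string means no trusted hosts yet.
    $entries = if ([string]::IsNullOrWhiteSpace($current)) { @() }
               else { @($current -split ',' | ForEach-Object { $_.Trim() }) }

    # '*' already trusts every host, so there is nothing meaningful to add.
    if ($entries -contains '*') {
        Write-Warning "TrustedHosts is already '*'; mutual authentication is off for all hosts."
        return $entries
    }

    foreach ($h in $HostName) {
        if ($entries -notcontains $h) { $entries += $h }
    }

    try {
        Set-Item $path -Value ($entries -join ',') -Force -ErrorAction Stop
    } catch {
        # Typical cause: the setting is delivered by GPO and cannot be changed locally.
        throw "Could not update TrustedHosts (managed by Group Policy?): $($_.Exception.Message)"
    }

    @((Get-Item $path).Value -split ',')
}

Add-TrustedHost -HostName 'srv2.contoso.com', '192.168.1.10'
```

The WSMan provider also offers Set-Item ... -Value srv2.contoso.com -Concatenate for a single append, but it does not guard against duplicates.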

You can also add entries to TrustedHosts with Group Policy. In Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client, enable the "Trusted Hosts" policy and add the names or IP addresses of the computers separated by commas. Wildcards are supported.

Note: if TrustedHosts is configured via GPO, it cannot be changed from PowerShell. The same applies to all other PS Remoting settings.

Connecting over SSL is the most secure variant of remoting. Compared to the other methods, however, it is rather complicated to set up, so you will have to tinker a little.

First, to use this method we need an SSL certificate for the machine we are going to connect to. Obtaining a certificate is a separate topic which we will not dwell on here. In the test environment I will use the makecert utility included in the Windows SDK to create a self-signed certificate:

makecert -a sha1 -r -pe -n "CN=WKS8" -eku 1.3.6.1.5.5.7.3.1 -ss My -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -m 12 "C:\myssl.cer"

This command creates an SSL certificate valid for one year and places it in the local computer's certificate store. Note that the certificate must be issued to the same name you will specify in the connection command.

After that, the certificate must be added to the Trusted Root Certification Authorities store. To do this, open the certificate and click the "Install Certificate" button.

The Certificate Import Wizard starts. Specify "Local Machine" as the store location.

As the store, choose "Trusted Root Certification Authorities".

Now our certificate is trusted. Open it again and, on the "Details" tab, find the certificate thumbprint. Copy it to the clipboard.

You can now create the HTTPS listener. Open a PowerShell console and enter the command:

New-WSManInstance winrm/config/Listener -SelectorSet @{Address='*'; Transport='HTTPS'} -ValueSet @{Hostname='wks8'; CertificateThumbprint='xxx'}

In the CertificateThumbprint field, insert the certificate thumbprint copied in the previous step.

Windows Firewall exceptions (if the firewall is enabled) for the new listener must be configured manually; they are not created automatically. So let's create a new rule for inbound traffic on TCP ports 5986 and 443:

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS)" -Direction Inbound -Protocol TCP -LocalPort 5986,443 -Action Allow -Enabled True

You can also create the rule using the graphical snap-in or the netsh command-line utility, whichever you prefer.

Next, go to the SRV1 computer from which we will connect. Because I am using a self-signed certificate, it also has to be added to the trusted root certificates on the client. Copy the myssl.cer certificate file to SRV1 and install it with the command:

certutil -addstore Root C:\myssl.cer

That's it, setup is complete. Now you can connect. Open an interactive session to WKS8 with the command:

Enter-PSSession -ComputerName WKS8 -Credential WKS8\kirill -UseSSL

Note that when connecting over SSL you must enter credentials and also specify the connection type. After that everything is as usual.
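As an added example (not code from the original article), the following function performs the server-side part of the procedure above in one go: it looks up the certificate issued to the host name in the local machine store, creates the HTTPS listener with that certificate's thumbprint instead of a pasted value, and adds the firewall rule. The function name is my own; it assumes the certificate subject is CN=WKS8, as produced by the makecert command above.

```powershell
# Added example: create the WinRM HTTPS listener from the certificate already in Cert:\LocalMachine\My.
function New-WinRMHttpsListener {
    param([Parameter(Mandatory)][string]$HostName)

    # Pick the newest unexpired certificate issued to the host name that has a private key;
    # the listener cannot use a certificate without one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No valid certificate for CN=$HostName found in Cert:\LocalMachine\My" }

    # Same cmdlet as in the article, but the thumbprint comes from the store, not the clipboard.
    New-WSManInstance winrm/config/Listener -SelectorSet @{Address='*'; Transport='HTTPS'} `
        -ValueSet @{Hostname=$HostName; CertificateThumbprint=$cert.Thumbprint} | Out-Null

    # Firewall rule for the HTTPS listener (5986 plus 443 for the compatibility listener), created once.
    if (-not (Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS)' -Direction Inbound `
            -Protocol TCP -LocalPort 5986,443 -Action Allow -Enabled True | Out-Null
    }

    # Return the HTTPS listener settings so the bound thumbprint can be compared with the certificate.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        ForEach-Object { Get-ChildItem $_.PSPath | Where-Object Name -in 'Hostname', 'Port', 'CertificateThumbprint' }
}

New-WinRMHttpsListener -HostName 'WKS8'
```

From the client, Test-WSMan -ComputerName WKS8 -UseSSL performs the TLS handshake and returns the service identity without sending credentials, which is a cheap way to confirm the listener and certificate chain before opening a session.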

Disabling checks

When connecting over SSL, it is checked that the certificate was issued by a trusted certification authority and was issued for this machine. Simply put, the name in the certificate must match the name specified in the connection command, and the certificate issuer must be in the list of trusted root certification authorities. If these conditions are not met, the connection will not be established.

In principle this is correct, but if necessary the checks can be disabled. For this, the session options have two parameters:

-SkipCACheck - disables verification of the certificate issuer;
-SkipCNCheck - disables the check that the computer name matches the certificate.

A new session using these parameters can be created, for example, like this:

$option = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName WKS8 -SessionOption $option -Credential WKS8\kirill -UseSSL

True, in this case the point of SSL certificates is lost, and it is then easier to use Trusted Hosts. But the possibility exists, and you should know about it.

Additional settings

Starting with version 2, WinRM listens by default on port 5985 for HTTP and 5986 for HTTPS. For compatibility with older versions (or to avoid opening additional ports on the firewall), you can additionally enable listeners on the traditional ports 80 and 443. For HTTP:

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value $true

And for HTTPS:

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpsListener -Value $true

The same can be done using Group Policy. To do this, in Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service, enable the "Turn On Compatibility HTTP Listener" and "Turn On Compatibility HTTPS Listener" policies.

The default ports can also be changed, making the listener accept connections on any non-standard port, for example port 8080:

Set-Item WSMan:\localhost\Listener\Listener*\Port -Value 8080

Note: putting listeners on non-standard ports increases security only slightly. Keep in mind that if the default port is changed, you will have to specify it manually every time you connect.

That's all for now. In the following articles we will look at configuring remote sessions, creating endpoints, and a few other small things 🙂