You're reading from PowerShell Automation and Scripting for Cybersecurity

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781800566378
Edition: 1st Edition
Author: Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

Exploring PowerShell Remote Management Technologies and PowerShell Remoting

As one of the main purposes of PowerShell is automating administration tasks, PowerShell remoting (PSRemoting) plays a big part in administering multiple computers at the same time: with a single command, you can run the same command line on hundreds of computers.

But similar to when you work with individual computers, PSRemoting is only as secure as your configuration: if you don’t lock the door of your house, burglars can break into it.

The same holds for computers, and for PSRemoting in particular: if you don’t harden your configuration and leave insecure settings in place, attackers can leverage them and use your computers against you.

In this chapter, you will not only learn the basics of PSRemoting and how to enable and configure it – you will also discover the best practices for maintaining a secure PSRemoting configuration. While PSRemoting is inherently secure, there...

Technical requirements

The following are the technical requirements for this chapter:

Working remotely with PowerShell

PowerShell was designed to automate administration tasks and simplify the lives of system administrators. Remote management was a part of this plan from the very beginning, as outlined by Jeffrey Snover in the Monad Manifesto from 2002: https://www.jsnover.com/blog/2011/10/01/monad-manifesto/. However, to ship version 1.0 promptly, some features, including PSRemoting, were not included until later versions. PSRemoting was officially introduced in version 2.0 and further improved in version 3.0.

It quickly became one of the most important core functionalities and nowadays supports many other functions within PowerShell, such as workflows.

While PSRemoting can work with a variety of authentication methods, the default protocol for domain authentication is Kerberos. This is the most secure and commonly used method of authentication in Active Directory environments, which is where most people using PSRemoting are likely to be operating. So, when Kerberos...

Enabling PowerShell remoting

There are different ways to enable PSRemoting for your system(s). If you only work with a few machines in your lab, you might want to enable it manually. But as soon as you want to enable PSRemoting in a big environment, you might want to enable and configure PSRemoting centrally. In this section, we will have a look at both methods. The following table provides an overview of which method takes which configuration actions:

Table 3.2 – Enabling PSRemoting – different methods

Please note that the Enable-PSRemoting method is a subpart of the manual configuration; to configure HTTP and HTTPS listeners, additional steps must be taken. Let’s explore what is needed to manually configure PSRemoting, which could be useful in a test scenario, for example.

Enabling PowerShell remoting manually

If you want to enable PSRemoting on a single machine, this can be done manually by using the Enable-PSRemoting command...

PowerShell endpoints (session configurations)

In this chapter, you might have read the term endpoint several times.

If we are talking about endpoints, we are not talking about one computer: PSRemoting is designed to work with multiple endpoints on a computer.

But what exactly is an endpoint?

When we are talking about PowerShell endpoints, each endpoint is a session configuration, which you can configure to offer certain services or which you can also restrict.

So, every time we run Invoke-Command or enter a PowerShell session, we are connecting to an endpoint (also known as a remote session configuration).

Sessions that offer fewer cmdlets, functions, and features than those that are usually available when no restrictions are in place are called constrained endpoints.

Before we enable PSRemoting, no endpoint will have been configured on the computer.

You can see all the available session configurations by running the Get-PSSessionConfiguration command:

...
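As an added example (not the book's own code) of the endpoint concept described above, the following registers a constrained endpoint that exposes only two service-management cmdlets and then verifies what a remote caller can and cannot reach through it. It assumes an elevated session on the host that should offer the endpoint; the endpoint name 'ServiceOps' is an assumption.

```powershell
# Added example (not the book's code): register a constrained endpoint that only
# exposes two service-management cmdlets, then verify what a remote caller can see.
# Run in an elevated PowerShell session on the host that should offer the endpoint.
# The endpoint name 'ServiceOps' is an assumed value.

$psscPath = Join-Path $env:TEMP 'ServiceOps.pssc'

# RestrictedRemoteServer starts from an almost empty session (only proxy cmdlets
# such as Get-Command, Select-Object, Measure-Object and Exit-PSSession), and
# NoLanguage mode rejects script syntax, so the caller gets exactly the
# cmdlets listed in -VisibleCmdlets and nothing else.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service'

# Catch mistakes in the .pssc before it becomes a live endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file '$psscPath' is invalid"
}

# Registering creates the WS-Man plugin entry and restarts the WinRM service;
# -Force suppresses the confirmation prompts.
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $psscPath -Force | Out-Null

# The new endpoint now appears next to the default Microsoft.PowerShell endpoints,
# together with the permission string that controls who may connect to it.
Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission

# Connect to the constrained endpoint and list what is reachable from inside it.
$visible = Invoke-Command -ComputerName localhost -ConfigurationName 'ServiceOps' `
    -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name
$visible

# Anything not on the allowlist fails with a CommandNotFound error from the
# remote side, which is exactly what a constrained endpoint is for.
try {
    Invoke-Command -ComputerName localhost -ConfigurationName 'ServiceOps' `
        -ScriptBlock { Get-Process } -ErrorAction Stop
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}

# Clean up the test endpoint when done:
# Unregister-PSSessionConfiguration -Name 'ServiceOps' -Force
```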

PowerShell remoting authentication and security considerations

PSRemoting traffic is encrypted by default – regardless of whether a connection was initiated via HTTP or HTTPS. The underlying protocol that’s used is WS-Man, which is decoupled to allow it to be used more broadly. PSRemoting uses an authentication protocol, such as Kerberos or NTLM, to authenticate the session traffic, and SSL/TLS is used to encrypt the session traffic, regardless of whether the connection was initiated via HTTP or HTTPS.

But as with any other service, PSRemoting is only as secure as the computer it has been configured on. If you don’t secure your administrators’ credentials, an attacker can extract them and use them against you.

Therefore, you should also put effort into hardening your infrastructure and securing your most valuable identities. You will learn more about Active Directory security and credential hygiene in Chapter 6, Active Directory – Attacks...

Executing commands using PowerShell remoting

Sometimes, you may want to run a command remotely but have not configured PSRemoting. Some cmdlets provide built-in remoting technologies that can be leveraged.

All commands that offer a built-in remoting technology have one thing in common: typically, they all have a parameter called -ComputerName to specify the remote endpoint.

To get a list of locally available commands that have the option to run tasks remotely, use the Get-Command -CommandType Cmdlet -ParameterName ComputerName command:

> Get-Command -ParameterName ComputerName
CommandType  Name               Version    Source
-----------  ----               -------    ------
Cmdlet       Connect-PSSession  3.0...

Best practices

To ensure optimal security and performance when using PSRemoting, it’s important to follow the best practices enforced by the product. These practices are designed to minimize the risk of security breaches and ensure that your remote management tasks run smoothly.

Authentication:

  • If possible, use only Kerberos or NTLM authentication.
  • Avoid CredSSP and basic authentication whenever possible.
  • In the best case, restrict the usage of all other authentication mechanisms besides Kerberos/NTLM.
  • SSH remoting – configure public key authentication and keep the private key protected.

Limit connections:

  • Limit connections via firewall from a management subnet (hardware and software if possible/available).

PSRemoting’s default firewall policies differ based on the network profile. In a Domain, Workgroup, or Private network profile, PSRemoting is available to all by default (assuming they have valid credentials). In...
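As an added example (not the book's code) that applies the authentication and connection-limiting practices listed above, the following audits the WinRM service's authentication settings, switches off the weak mechanisms, refuses unencrypted traffic, and scopes the built-in inbound WinRM firewall rules to a management subnet. It assumes an elevated session on the managed host; the subnet 10.10.200.0/24 is an assumed value.

```powershell
# Added example (not the book's code): audit the WinRM service's authentication
# settings against the best practices above, remediate the weak ones, and limit
# inbound WinRM to a management subnet. Run elevated on the managed host.
# The management subnet below is an assumed value; replace it with your own.

$mgmtSubnet = '10.10.200.0/24'

function Get-WinRmAuthReport {
    # Desired state for each WSMan service authentication mechanism.
    $desired = @{
        Kerberos    = $true
        Negotiate   = $true    # carries Kerberos/NTLM via SPNEGO; must stay on
        Basic       = $false   # sends credentials in clear over HTTP
        CredSSP     = $false   # delegates reusable credentials to the remote host
        Certificate = $false   # keep off unless certificate auth is deliberately used
    }
    foreach ($name in $desired.Keys) {
        $current = [bool]::Parse((Get-Item "WSMan:\localhost\Service\Auth\$name").Value)
        [pscustomobject]@{
            Mechanism = $name
            Enabled   = $current
            Desired   = $desired[$name]
            Compliant = ($current -eq $desired[$name])
        }
    }
}

# 1. Report the current state, then change only the non-compliant mechanisms.
$report = Get-WinRmAuthReport
$report | Format-Table -AutoSize
foreach ($row in $report | Where-Object { -not $_.Compliant }) {
    Set-Item "WSMan:\localhost\Service\Auth\$($row.Mechanism)" -Value $row.Desired
}

# 2. Refuse traffic that is neither authenticated-encrypted nor on HTTPS.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. Scope the built-in inbound WinRM rules to the management subnet instead of 'Any'.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet

# 4. Record the resulting listeners and rule scope for the change log.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Re-run Get-WinRmAuthReport afterwards; every row should now show Compliant = True.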

Summary

After reading this chapter, you should be familiar with how to use PowerShell remotely, using PSRemoting. You learned what options exist in PowerShell to establish remote connections, which enables you to not only manage Windows machines but also other operating systems, such as macOS and Linux.

You also learned what endpoints are and can create basic custom endpoints. You will strengthen this ability later in Chapter 10, Language Modes and Just Enough Administration (JEA), but you already know the basics.

Then, you learned a lot about authentication protocols that can be used and even more about security considerations when working with those protocols. You should also be aware of how easily an adversary can obtain decrypted credentials if a weak authentication protocol is used.

You should now be able to configure PSRemoting manually and centrally, which helps you set up your initial PSRemoting configuration in your production environment.

Last but not least, you...

Further reading

If you want to explore some of the topics that were mentioned in this chapter, take a look at these resources.

Authentication:

CIM:

DCOM:

OMI:
