Mark Minasi's Reader Forum
 PSRemoting
Nobody
Here To Stay

USA
184 Posts
Posted - 04/11/2012 :  11:29:17 PM
Are there any good reasons not to enable PSRemoting? Specifically in a large enterprise. Servers and workstations?

aka - Matt
www.SnowTrek.org

JeffWouters
Here To Stay

Netherlands
147 Posts
Posted - 04/12/2012 :  12:49:52 AM
Hi Matt,
It's pretty secure (haven't encountered a security breach due to that) though I find that the documentation about this is a bit lacking in my opinion...
A few tips though:
1) Enable script execution for signed scripts and please don't set it to "Unrestricted" ;-)
2) By using "set-item wsman:localhost\client\trustedhosts -value mgmtserver01" you can set up that only mgmtserver01 is allowed to remote to this machine.
3) On older (XP) systems, set the following local policy to "Classic": Security Settings > Local Policies > Security Options > Network Access: Sharing and Security Model for local accounts

In my opinion the benefits for an admin/consultant of PowerShell Remoting are just plain amazing :-D

Greetsz,
Jeff.

jhicks
Here To Stay

USA
283 Posts
Posted - 04/12/2012 :  10:46:20 AM
I think in an enterprise environment PowerShell remoting is almost required. It is much more secure and network friendly. I think many network admins fear it because they don't fully understand it. The best approach is to use Group Policy to configure remoting, the listener and the necessary firewall ports. If you are never going to run a script in a remote session, you can leave the execution policy for remote machines as Restricted. You can run all the scripts you want from your desktop and securely manage remote machines.

Jeffery Hicks
Windows PowerShell MVP

http://jdhitsolutions.com.blog
http://twitter.com/JeffHicks
http://www.ScriptingGeek.com
Now Available: Managing Active Directory with Windows PowerShell: TFM 2nd ed.
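An added example (not code from any poster in this thread): a PowerShell review of the settings mentioned in the two replies above, namely the execution policy, the WSMan TrustedHosts value and the listener. The function and parameter names are hypothetical, and treating Bypass like Unrestricted is an assumption of this example.

```powershell
# Added example, not from the thread. Function and parameter names are
# hypothetical; the cmdlets and WSMan: drive paths are the standard ones.
function Get-RemotingFinding {
    param(
        [string]$TrustedHosts,              # WSMan:\localhost\Client\TrustedHosts value
        [hashtable]$ExecutionPolicy = @{},  # scope name -> policy name
        [string[]]$ListenerTransport = @()  # 'HTTP' or 'HTTPS', one per listener
    )
    # TrustedHosts is a client-side, comma-separated list of remote computers
    # this machine will connect to when it cannot verify their identity.
    $entries = @($TrustedHosts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry.Contains('*')) { "TrustedHosts: wildcard entry '$entry'" }
    }
    # Restricted, AllSigned and RemoteSigned pass. Unrestricted is flagged, and
    # (an assumption of this example) Bypass is flagged the same way.
    foreach ($scope in @($ExecutionPolicy.Keys | Sort-Object)) {
        $value = $ExecutionPolicy[$scope]
        if (@('Unrestricted', 'Bypass') -contains $value) {
            "ExecutionPolicy: scope $scope is $value"
        }
    }
    if ($ListenerTransport.Count -eq 0) { 'Listener: none, remoting is not enabled here' }
}

# Reads the live values. Call it from an elevated session with WinRM running.
function Get-LocalRemotingFinding {
    $policy = @{}
    Get-ExecutionPolicy -List | ForEach-Object { $policy["$($_.Scope)"] = "$($_.ExecutionPolicy)" }
    $transports = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            $_.Keys | Where-Object { $_ -like 'Transport=*' } |
                ForEach-Object { $_ -replace '^Transport=', '' }
        })
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    Get-RemotingFinding -TrustedHosts $trusted -ExecutionPolicy $policy -ListenerTransport $transports
}

# Constructed sample input, not taken from a real machine.
Get-RemotingFinding -TrustedHosts 'mgmtserver01, *' `
    -ExecutionPolicy @{ LocalMachine = 'Unrestricted'; CurrentUser = 'RemoteSigned' } `
    -ListenerTransport 'HTTP'
```

Get-LocalRemotingFinding is only defined here, not called, so the block runs on the constructed sample without touching the local WinRM configuration.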

Nobody
Here To Stay

USA
184 Posts
Posted - 04/12/2012 :  11:45:49 AM
I'm going to request that we enable it, but I want to be prepared to stand my ground. I couldn't really find any good reasons not to. JHicks nailed it, in that what isn't understood is feared. Around here they'd take away our toilet paper if they knew we were using it.

I am guilty of setting execution policy to unrestricted on my workstation, but I haven't had a need to change it on remote machines. I know this is an area I need to work on. Learning about_signing is right at the top of my PowerShell list.

Thanks for the feedback!

aka - Matt
www.SnowTrek.org

Nobody
Here To Stay

USA
184 Posts
Posted - 04/12/2012 :  11:55:45 AM
I'm already hanging my head in shame. My execution policy is now remotesigned.

aka - Matt
www.SnowTrek.org

JeffWouters
Here To Stay

Netherlands
147 Posts
Posted - 04/12/2012 :  3:29:07 PM
My execution policy on my laptop is set to bypass... but in customer environments it's always "signed" :-)

Greetsz,
Jeff.