Secure Remote Powershell

What can you do with it?

With Remote Powershell you can execute commands on a computer by using a temporary or persistent connection. As a result, you can use the complete Powershell framework and the modules that are installed on the remote computer.

Remote Powershell can be used for all kinds of reasons. For instance, I’m using a remote Powershell script in a CI/CD setup. During the deployment, a new secure website is created and certificates for TLS are installed.

Why Secure?

Without a secure connection, all information is visible during transport to the remote machine. Therefore, the possibility of a man-in-the-middle attack is always present.

It takes a bit more effort to make the connection secure. However, that is not enough reason not to do it, which is why I added the secure part to this blog. If you have any problems setting up secure remote Powershell, please leave a comment. I’m happy to help you get it right.

Self-signed Certificate

To create a secure connection we need a certificate. For this solution I’m creating a self-signed certificate. This certificate is used on the remote machine and won’t be visible to any client.

We’re going to use PowerShell with the New-SelfSignedCertificate cmdlet. This cmdlet is part of the Public Key Infrastructure (PKI) module.

# Create Self-signed certificate
$Cert = New-SelfSignedCertificate -DnsName doctorwho.bluecape.nl -CertStoreLocation cert:\LocalMachine\My

Download the full script at the end of the blog post.

Execute the above script on the remote machine. After that you should see the certificate installed on the machine. (open the Certificate Manager Tool with “certmgr”)

This self-signed certificate is generated with the following default settings:

  • Cryptographic algorithm: RSA
  • Key length: 2048 bit
  • Acceptable key usage: Client Authentication and Server Authentication
  • The certificate can be used for: Digital Signature, Key Encipherment
  • Validity period: 1 year.

It’s important to know that for Remote Powershell to work, the certificate needs Server Authentication.

Web Services for Management (WSMAN)

Remote Powershell uses the WSMAN web services to create a secure connection. The following command adds an HTTPS listener to WSMAN, using the thumbprint of the generated self-signed certificate.

New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

The new listener will accept all IP-addresses (see asterisk * sign). Of course, you can make this more specific to your needs.

Enabling Remote Powershell

It’s really easy to enable Remote Powershell: just execute the following command on the remote machine.

Enable-PSRemoting

You have to run this command only once on each machine that will receive commands. In other words, you do not have to run it on machines that only send commands.

Firewalls & Ports

A final step to enable Remote Powershell is to add a firewall rule related to the default port 5986.

New-NetFirewallRule -DisplayName 'WinRM Remote Powershell HTTPS-In' -Name 'WinRM Remote Powershell HTTPS-In' -Profile Any -LocalPort 5986 -Protocol TCP

The result

That’s it. The machine is ready to receive a remote connection. Let’s try this out on your client machine.

It’s now possible to execute all kinds of commands on the remote machine!
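
One way to run the client-side test while keeping certificate validation switched on, shown as an added example that is not part of the original scripts. It assumes the placeholder path C:\Temp\doctorwho.cer, a thumbprint placeholder you fill in yourself, and that the exported file reaches the client over a channel you trust.

```powershell
# Added example, not part of the original scripts.
# Assumptions: C:\Temp\doctorwho.cer is a placeholder path, and the file is
# copied from the remote machine to the client over a channel you trust.

# --- On the remote machine (elevated) ----------------------------------------
# Pick the newest certificate created above and export only its public part.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=doctorwho.bluecape.nl' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
Export-Certificate -Cert $Cert -FilePath C:\Temp\doctorwho.cer | Out-Null
$Cert.Thumbprint    # write this down; it is compared on the client below

# The HTTPS listener should show the same CertificateThumbprint.
winrm enumerate winrm/config/listener

# --- On the client (elevated) ------------------------------------------------
$Expected = '<THUMBPRINT PRINTED ON THE REMOTE MACHINE>'   # placeholder
$File     = 'C:\Temp\doctorwho.cer'
$Received = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($File)
if ($Received.Thumbprint -ne $Expected) {
    throw "Thumbprint mismatch: refusing to trust $File"
}
# A self-signed certificate is its own root, so it goes into the Root store.
Import-Certificate -FilePath $File -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# The name must match the -DnsName of the certificate, or the name check fails.
$Server = 'doctorwho.bluecape.nl'
Test-WSMan -ComputerName $Server -UseSSL -ErrorAction Stop | Out-Null

$Session = New-PSSession -ComputerName $Server -UseSSL -Credential (Get-Credential)
try {
    # Runs on the remote machine and returns its host name.
    Invoke-Command -Session $Session -ScriptBlock { hostname }
}
finally {
    Remove-PSSession $Session
}
```

Because the client trusts this one certificate explicitly, the session needs no -SkipCACheck or -SkipCNCheck options, so a certificate presented by anything else on the path fails validation.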

Please leave a comment below if you like this or have any questions. Thank you!

Download scripts here.
