I have a workgroup of a few Win 10 PCs I need to control from a Win7 laptop. All of them have the same user name and password. I’m developing a PowerShell script that asks for the user’s choice to run Software1, Software2 etc. on a remote machine, then adds a shortcut link to it into the StartUp folder on that PC and restarts it. So far I have trouble restarting remote machines in a secure way.
I’ve tried several solutions but they all come with some side effects.
If I Enable-PSRemoting, it sets LocalAccountTokenFilterPolicy to 1, so the command
Restart-Computer -Computername -Force
doesn’t prompt for credentials since they are the same locally and remotely, so I need to create an additional User2 with admin rights, exclude everyone but this User2 from “Force shutdown from a remote system” policy so that it works properly.
Good. Now my machines require a password for remote restart. But with PSRemoting enabled any person or malware who has gotten access to my laptop can run
Invoke-Command -ComputerName -ScriptBlock {cmd /c "del c:\*.*" /f /q /s}
without being prompted for credentials on any machine in the workgroup. Is there a way to force authorization in this scenario, when the same username/password are used on client and server?
I’ve also tried remote access with WMI. Same thing. If I disable UAC via LocalAccountTokenFilterPolicy a command like
Invoke-WmiMethod -ComputerName -Class Win32_Process -Name Create -ArgumentList 'cmd /c del c:\*.* /f /q /s'
can be executed without authorization.
I followed Microsoft’s suggested workaround, left remote UAC enabled, created User2, granted it all necessary permissions in COM security and WmiMgmt, let WMI through the firewall and voila! User1 cannot execute remote WMI commands while User2 can. Well, some of them. Shutdown with this command
Invoke-WmiMethod -ComputerName -Class Win32_Process -Name Create -ArgumentList 'shutdown /r'
is a no-go. As well as executing VBS scripts, for instance.
So, eventually I’ve come up with a solution. I set LocalAccountTokenFilterPolicy to 1 and assign the “Force shutdown from a remote system” policy to User2 only. And I also have to disable Administrator shares by the appropriate registry key, otherwise with UAC disabled all files on all of my machines are accessible remotely. I manually share the Startup folder to User2 only. If I don’t enable PSRemoting and let WMI through the firewall I cannot run code through these windows. Kinda works, but who knows how many holes are still there that I am not aware of?
The last resort – enabling built-in admin account – works like a charm in every situation above. Access problems? Admin password solves them all.
I’m still curious if there is a way to shut down a remote machine in a workgroup (not on a domain) having the same username/password without disabling UAC or enabling the admin account? Or maybe someone could shed light on other strategies for setting a remote machine to run the software of choice on start-up and restart it remotely.
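
A read-only audit of the settings this question touches, added here as an example and not part of the original post; run it locally in an elevated PowerShell session on each Windows 10 machine. It assumes an English-language Windows (for the firewall group display name) and that `AutoShareWks` is the admin-share registry value the post refers to; the helper function names are hypothetical.

```powershell
# Added example: reports the remote-access settings discussed in the post.
# Read-only; changes nothing. Helper names are hypothetical.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }   # $null when value is absent
}

function Get-RemoteShutdownHolders {
    # Export user-rights assignments and list who holds
    # "Force shutdown from a remote system" (SeRemoteShutdownPrivilege).
    $tmp = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $tmp -Pattern '^SeRemoteShutdownPrivilege\s*=\s*(.*)$'
        if (-not $line) { return @() }                     # right assigned to nobody
        foreach ($entry in $line.Matches[0].Groups[1].Value -split ',') {
            $sid = $entry.Trim().TrimStart('*')
            try {
                (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $sid }   # already an account name, or an unresolvable SID
        }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$shareKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$latfp     = Get-RegValue $policyKey 'LocalAccountTokenFilterPolicy'
$autoShare = Get-RegValue $shareKey  'AutoShareWks'
$wmiRules  = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    RemoteUacFiltering    = if ($latfp -eq 1) { 'DISABLED (LocalAccountTokenFilterPolicy=1)' } else { 'enabled' }
    AdminSharesAutoCreate = if ($autoShare -eq 0) { 'off (AutoShareWks=0)' } else { 'ON (default)' }
    AdminSharesPresent    = (Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' }).Name -join ', '
    WinRMService          = (Get-Service WinRM).Status
    WmiInboundRulesOn     = @($wmiRules).Count
    RemoteShutdownHolders = (Get-RemoteShutdownHolders) -join ', '
} | Format-List
```

Comparing the output across machines shows which hosts still accept full-token remote administration with the shared local account and which accounts can trigger a remote shutdown.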