Greetings, PS pros! Strap yourselves in for some background. I’ll post a TL;DR below.
I’m one of the client systems administrators for the financial services arm of a multinational corporation. Part of my duties includes second level software and hardware troubleshooting, asset/device management, reporting, etc. We manage about 1,400 clients both onsite and in the field. As you can probably imagine, remote administration of clients is a daily task. While we have some options for some remote task management via a Matrix42 Enterprise Manager that integrates with SCCM (2012, I believe) and System Center, sometimes we need something a bit faster and ad-hoc. Our DNS systems do not update with the frequency we would like, so whenever a user with a mobile device such as a notebook or tablet PC disconnects from the LAN and moves to the WLAN (or vice versa), we can’t reach the machine by host name for the next hour or so. Our current “solution” for this is using PsExec, which starts a remote shell as NT Authority\SYSTEM. If any of you security pros (whose company I am working to join as my career progresses) in the audience feel the hair on the back of your neck standing on end, you’re not alone. This solution is not secure. There’s user authentication via Active Directory, but no machine-to-machine mutual authentication; IPv4 addresses are easily spoofed. It is an overly risky way to manage the clients our end users employ to handle the sensitive data of our customers. We want to deliver better value to the business and customers.
In reading “Secrets of PowerShell Remoting” by Don Jones et al., the obvious solution seems to be setting up an HTTPS listener and SSL certificates. My question for you professionals is how best do we go about this? As of this writing, there’s no easy or simple way to do this. Getting a signed SSL certificate from our corporate CA shouldn’t be too difficult, but setting up a trusted host list on every client probably will be. Is it better to give the trusted hosts lists the names of all of the administrator devices? Said admin devices get switched out every three years at the latest. Should we petition the upper IT services echelons for a secure administrative host (jump server) in a DMZ? Should we roll the WinRM and SSL cert setup as a package and deploy via SCCM?
TL;DR: I need to set up HTTPS listeners with SSL certificates on about 1,400 endpoints for PowerShell Remoting. How best should I do that?
I appreciate any guidance or feedback you have to offer, as well as for taking the time to read my wordy post!
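As an added example (not from the post above or from the book it cites), this is the shape a per-endpoint setup script deployed through SCCM could take: it binds an HTTPS WinRM listener to a machine certificate already enrolled from the corporate CA and opens only the HTTPS port on the domain firewall profile. The CA subject, port and firewall rule name are assumed placeholders, and the certificate is assumed to carry the host's FQDN and the Server Authentication EKU.

```powershell
# Added example: enable an HTTPS WinRM listener bound to a CA-issued machine certificate.
# Assumes the certificate was already enrolled (e.g. via Group Policy autoenrollment).
# $caIssuer, $httpsPort and the firewall rule name are placeholders for your environment.
#Requires -RunAsAdministrator

$caIssuer  = 'CN=CORP-ISSUING-CA'   # placeholder: subject of your issuing CA
$fqdn      = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
$httpsPort = 5986

# 1. Pick a valid, CA-issued machine cert whose SAN matches this host and that
#    is usable for Server Authentication (EKU OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -eq $caIssuer -and
        $_.NotAfter -gt (Get-Date) -and
        $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode -contains $fqdn) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable Server Authentication certificate for $fqdn issued by $caIssuer" }

# 2. Make sure the WinRM service is running and starts with the machine.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# 3. Create (or rebind) the HTTPS listener. Removing a stale listener first keeps
#    the script safe to re-run from SCCM after certificate renewal.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Port $httpsPort -Force | Out-Null

# 4. Allow inbound HTTPS only on the Domain profile, not on public networks.
if (-not (Get-NetFirewallRule -Name 'WINRM-HTTPS-In-TCP' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WINRM-HTTPS-In-TCP' -DisplayName 'WinRM over HTTPS' `
        -Protocol TCP -LocalPort $httpsPort -Direction Inbound -Action Allow -Profile Domain | Out-Null
}

# 5. Optional: once HTTPS is verified from an admin workstation, drop the plaintext listener.
# Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTP' } | Remove-Item -Recurse
```

From an admin workstation the listener is then reached with `Enter-PSSession -ComputerName <fqdn> -UseSSL`, and the client validates the server certificate against the corporate CA chain.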