Setting up PSRemoting securely on many clients

Greetings, PS pros! Strap yourselves in for some background. I’ll post a TL;DR below.

I’m one of the client systems administrators for the financial services arm of a multinational corporation. Part of my duties include second level software and hardware troubleshooting, asset/device management, reporting, etc. We manage about 1,400 clients both onsite and in the field. As you can probably imagine, remote administration of clients is a daily task. While we have some options for some remote task management via a Matrix42 Enterprise Manager that integrates with SCCM (2012, I believe) and System Center, sometimes we need something a bit faster and ad-hoc. Our DNS systems do not update with the frequency we would like, so whenever a user with a mobile device such as a notebook or tablet PC disconnects from the LAN and moves to the WLAN (or vice versa), we can’t reach the machine by host name for the next hour or so. Our current “solution” for this is using PsExec which starts a remote shell as NT Authority\SYSTEM. If any of you security pros (whose company I am working to join as my career progresses) in the audience feel the hair on the back of your neck standing on end, you’re not alone. This solution is not secure. There’s user authentication via Active Directory, but no machine-to-machine mutual authentication; IPv4 addresses are easily spoofed. It is an overly risky way to manage the clients our end users employ to handle the sensitive data of our customers. We want to deliver better value to the business and customers.

In reading “Secrets of PowerShell Remoting” by Don Jones et al, the obvious solution seems to be setting up a HTTPS listener and SSL certificates. My question for you professionals is how best do we go about this? As of this writing, there’s no easy or simple way to do this. Getting a signed SSL certificate from our corporate CA shouldn’t be too difficult, but setting up a trusted host list on every client probably will be. Is it better to give the trusted hosts lists the names of all of the administrator devices? Said admin devices get switched out every three years at the latest. Should we petition the upper IT services echelons for a secure administrative host (jump server) in a DMZ? Should we roll the WinRM and SSL cert setup as a package and deploy via SCCM?

TL;DR: I need to set up HTTPS listeners with SSL certificates on about 1,400 endpoints for PowerShell Remoting. How best should I do that?

I appreciate any guidance or feedback you have to offer, as well as for taking the time to read my wordy post!

If you get an SSL cert on each machine, and you set up HTTPS listeners, you don’t need to manage trusted hosts at all. The certificate creates the trust.

Are the clients in AD? Auto-enrollment would be easiest for getting certificates out. From there, Group Policy or a simple machine startup script would enable Remoting.

Wow, a response from the man himself!

Yes, all of the clients are enrolled in AD. We have separate OU’s for mobile vs workstation devices, but they’re all on the same domain. Let me confer with the server administration team and see if they’re willing to set up a policy for this. Thanks very much for the response! I enjoy your videos and talks, by the way. The rant you went on explaining why classes in PS were unnecessary I found particularly funny. “They’re appealing to C# developers… who should just code in C#!”

Hi Nate,

Just a couple of alternatives that I’ve used in the past:

a) If the machines are VMware VMs - you can use PowerCLI’s Invoke-VMScript to install the cert and configure PS Remoting via VMTools - I’ve done this at scale via vRealize Orchestrator workflows.

b) Powershell DSC (orchestrated by a tool such as Ansible or Puppet with the relevant DSC module).

Food for thought depending on your toolset.

Dan