Why is RSAT/PSRemoting better than RDP?

I am having a meeting next week with our security group.
I asked them to create a GPO to enable PowerShell remoting on our AD computers.

All of our computers are Windows 7 and above. Thank god we don’t have XP.

GPO Creation

  1. Create your GPO, Name “PSR”
  2. Edit the policy.

Enabling WinRM

  1. Browse to Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
  2. Depending on the operating system:
    Server 2008 R2 and later: Open the Allow Remote Server management through WinRM policy setting.
    Server 2008 and earlier: Open the Allow automatic configuration of listeners policy setting.
  3. Set the Policy to Enabled.
  4. Set the IPv4 and IPv6 filters to * unless they need something specific there.

Setting the Firewall Rules

  1. Browse to Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
  2. Open the Windows Firewall: Define inbound port exceptions policy setting.
  3. Set it to Enabled if it isn’t already.
  4. Click the Show… button and add the port exception. We’re going to be opening TCP port 5985, so the exception string will look something like this:
    5985:TCP:*:enabled:WSMan

But they want to know: why not just use RDP?

I’d really appreciate it if someone can direct me or attach a link on why PSRemoting and using RSAT is better than RDP.
I need a technical/security article.

Thanks Guys

Here’s a start.

https://devopscollective.gitbooks.io/secrets-of-powershell-remoting/content/manuscript/powershell-remoting-and-security.html

Directly from the same group that brings you this website, more or less.

Good luck with that discussion, you’re doing the right thing.

Sounds like a job I’d leave immediately :) The answer is because this is how we manage servers now.

@Del, we actually use PSRemoting to increase security. When an administrator RDPs into a server, you have very limited options in terms of knowing exactly what they are doing (every mouse click) unless you have a screen recorder on everyone’s computer. When you have an administrator log into a server via PowerShell, EVERY single action they perform can be recorded/logged.

See Greater Visibility Through PowerShell Logging | Mandiant

You should include the GPO items described in the blog above in your GPO request and target the request as “to increase security” rather than making managing servers easier. As you know, security people only care about security.

Some things to note: the GPO items in the blog are only available in the Windows 10 ADMX files, which you can install on Windows 2008 R2 DCs. It’s standard practice to keep your ADMX files up to date. If your DC admins don’t want to update ADMX files, then the settings can be enabled via the registry. The servers you are connecting to will also need to be running PowerShell 5.0 or 5.1 (highly recommend 5.1, as 5.0 is pretty buggy and slow).

Here are great blogs from Microsoft about PowerShell security.

https://blogs.technet.microsoft.com/ashleymcglone/2016/06/29/whos-afraid-of-powershell-security/

PowerShell is the most secure scripting language.

Good luck and may the force be with you!
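
The registry route mentioned in the reply above, as an added example that is not part of the thread: it writes the policy values used by the PowerShell script block logging, module logging and transcription settings under `HKLM\SOFTWARE\Policies`, then reads them back and shows recent logged events. The transcript share `\\logserver.example\PSTranscripts$` is a placeholder, not a value from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example: turn on PowerShell logging through the policy registry values,
# for machines where the newer ADMX templates are not available.

$root = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
# Placeholder (assumption): use a share that admins can write to but not read or edit.
$transcriptDir = '\\logserver.example\PSTranscripts$'

# Each entry: subkey, value name, data, registry type.
$settings = @(
    @{ Key = 'ScriptBlockLogging';        Name = 'EnableScriptBlockLogging'; Data = 1;              Kind = 'DWord'  },
    @{ Key = 'ModuleLogging';             Name = 'EnableModuleLogging';      Data = 1;              Kind = 'DWord'  },
    @{ Key = 'ModuleLogging\ModuleNames'; Name = '*';                        Data = '*';            Kind = 'String' },
    @{ Key = 'Transcription';             Name = 'EnableTranscripting';      Data = 1;              Kind = 'DWord'  },
    @{ Key = 'Transcription';             Name = 'EnableInvocationHeader';   Data = 1;              Kind = 'DWord'  },
    @{ Key = 'Transcription';             Name = 'OutputDirectory';          Data = $transcriptDir; Kind = 'String' }
)

# The reply above recommends PowerShell 5.0 or 5.1 on the target servers.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; 5.0 or 5.1 is expected."
}

foreach ($s in $settings) {
    # Registry.SetValue creates the subkey when it does not exist yet.
    [Microsoft.Win32.Registry]::SetValue("$root\$($s.Key)", $s.Name, $s.Data,
        [Microsoft.Win32.RegistryValueKind]$s.Kind)
}

# Read the values back so the result can be attached to the change request.
$settings | ForEach-Object {
    [pscustomobject]@{
        Setting = "$($_.Key)\$($_.Name)"
        Value   = [Microsoft.Win32.Registry]::GetValue("$root\$($_.Key)", $_.Name, $null)
    }
} | Format-Table -AutoSize

# Script block events are logged as ID 4104, module (pipeline) events as ID 4103.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Text'; e = { $_.Message.Split("`n")[0] } }
```

A domain GPO that sets the same policies later will overwrite these values on the next policy refresh.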

Thank you guys.