Security Concerns with Enabling Unrestricted PowerShell Remoting

powershellSecurity

I'd like to propose to the IT department at my organization that we enable PowerShell remoting on our production machines to make administering them easier. I feel that unrestricted access would be much easier than dealing with signing:

>Set-ExecutionPolicy Unrestricted

Is this a big no-no for production machines? Would this open up a major security hole, or would it be safely restricted to those who already only have administrative privileges on the machine?

Best Answer

Personally, I would go with RemoteSigned instead of Unrestricted. You can read about the differences here.

This is the snippet that matters:

-- RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.

-- Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.

RemoteSigned will still let you run in-house scripts without signing, but items distributed via the Internet has to be signed.

All that being said, do you really need to run the actual scripts on the servers? If you're running management tasks from your workstation that modify a server, you don't need to set any of that. These settings only affect scripts run locally on the machine in question.

Related Solutions

Powershell – Enabling Powershell Remoting, Access is denied

Just ran into and solved this problem on a couple of systems. In this particular case, these two systems were not part of a domain, and the user account was not the original "Administrator" account, but rather a newer account that was also a member of the local Administrators group.

The solution came from the following blog post I wandered across: WinRM Access is Denied on Local Computer. In short, run the following from a command prompt (launched as Administrator):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

After that, re-launch the PowerShell prompt as admin and re-run Enable-PSRemoting, that simple.

Powershell remoting with active directory

Try this: On a computer joined to the domain in question, right-click on the Powershell Start Menu icon or shortcut and choose "Run as administrator". Enter the credentials of a Domain Administrator account. Then try the Powershell commands. They should run in the context of a Domain Administrator account and you should have no authorization problems.

Note, if you are logged on to the domain-joined computer with a local admin account, this might not work, because when you choose "Run as administrator" it will run it as a local administrator without prompting for credentials. Either log on to the computer as a user who is not an administrator or as a Domain Administrator.

Best Answer

Related Solutions

Powershell – Enabling Powershell Remoting, Access is denied

Powershell remoting with active directory

Related Topic