The best approach to access server in DMZ (outside domain) from LAN via command line (MS Windows)

command-line-interfacedmzremote-accesswindows-server-2008windows-server-2008-r2

I have two servers:

SVR1 (Windows Server 2008) in LAN – part of domain

SVR2 (Windows Server 2008) in DMZ – workgroup

I need to access SVR2 from SVR1 via command line batch – copy some files and execute sc command to manage services on SVR2. This batch is scheduled so I need to access SVR2 without credentials input.

The only possibility I know is to have the same username and password on both servers but it is not so graceful and it is potential risk.

What is the best approach to solve my problem? It would be the best to do it without third party software.

Best Answer

Since SVR1 and SVR2 are not part of the same AD domain, you will need to store credentials for SVR2 somewhere on SVR1 for your automated script to access.

Using WinRM and sufficiently updated Powershell, Powershell Remoting will let you establish a connection from SVR1 to SVR2 and do whatever you can think of on a command line in an automatic fashion.

You can save a password in the Windows Credential Vault using Powershell and your script can access the credentials from the Credential Vault:

https://gallery.technet.microsoft.com/scriptcenter/How-to-add-credentials-to-c8e9bd5f

I would recommend this as a slightly better way to store credentials. The older, classic way of storing credentials was to do something like this:

read-host -assecurestring | convertfrom-securestring | out-file operationspassword.txt

Then in your script, "decrypt" the password like so:

$pass = Get-Content operationspassword.txt | convertto-securestring
$creds = New-Object -Typename System.Management.Automation.PSCredential -argumentlist "SRV2\admin",$pass

The "encrypted" creds are only decryptable by the same account and on the same machine where they were originally encrypted, so you can't just steal the text representation of the SecureString and use it somewhere else. But it's still kind of unprofessional to store creds this way and I don't really advise it in general.

Also don't forget to modify your Powershell TrustedHosts list to allow connections to the "untrusted" machine... you must do this because you're not using Kerberos or SSL.

That reminds me... use SSL for WinRM connections for better security: http://support.microsoft.com/kb/2019527

Windows 2008 WinRM ports are 80 (HTTP) and 443 (HTTPS).

Microsoft soon realized that those ports were kind of already in use, and so:

Windows 2008 R2 and above WinRM ports are 5985 (HTTP) and 5986 (HTTPS).

Related Solutions

Windows – Does Windows Have a Built-in ZIP Command for Command Line?

It's not built into Windows, but it's in the Resource Kit Tools as COMPRESS,

C:\>compress /?

Syntax:

COMPRESS [-R] [-D] [-S] [ -Z | -ZX ] Source Destination
COMPRESS -R [-D] [-S] [ -Z | -ZX ] Source [Destination]

Description:
Compresses one or more files.

Parameter List:
-R Rename compressed files.

-D Update compressed files only if out of date.

-S Suppress copyright information.

-ZX LZX compression. This is default compression.

-Z MS-ZIP compression.

Source Source file specification. Wildcards may be
used.

Destination Destination file | path specification.
Destination may be a directory. If Source is
multiple files and -r is not specified,
Destination must be a directory.

Examples:

COMPRESS temp.txt compressed.txt
COMPRESS -R *.*
COMPRESS -R *.exe *.dll compressed_dir

Windows – What’s the command-line utility in Windows to do a reverse DNS look-up

ping -a w.x.y.z

Should resolve the name from the IP address if the reverse lookup zone has been set up properly. If the reverse lookup zone does not have an entry for the record, the -a will just ping without a name.

Best Answer

Related Solutions

Windows – Does Windows Have a Built-in ZIP Command for Command Line?

Windows – What’s the command-line utility in Windows to do a reverse DNS look-up

Related Topic