Goatee PFE

Blog of Microsoft Premier Field Engineer Ashley McGlone featuring PowerShell scripts for Active Directory.

PowerShell Remoting Exposed: How To Command Your Minions



We have many words to describe those who do the boss's dirty work:  minion, henchman, and toadie.  My personal favorite is "toadie", as referenced in A Christmas Story.  You can tour the house just outside of Cleveland, Ohio.  Of course I got my picture taken with the leg lamp.

"So what does 'toadie' have to do with PowerShell?" you ask.  Everything.  We PowerShell-writing IT pros are like emperors.  We sit in the royal cube on the royal throne and make royal decrees like:

  • "Go fetch hotfixes from those servers."
  • "Fix that NIC setting on the DCs."
  • "How many days until my vacation week?"

From this vantage point we write "toadie" scripts to go do our bidding across the empire.  Call them "scripted minions" if you like.

Today we are diving into PowerShell remoting to understand five different methods for commanding our army of minions.  We will also examine the protocols and requirements under the hood so we know exactly what we are getting: which ports open, which protocols carry the data, and whether the data is protected on the wire.  The information below comes from testing in my home lab, where I captured network traces of each remoting technology between two Windows Server 2008 R2 member servers.  The capture file is attached at the end of the article.

 

Method #1:  The Computername Switch

  Remoting Command:  Get-Process -Computername computer1
  Protocols:         RPC, Remote Registry (RRP), SMB2 (RPC over a named pipe)
  Port:              TCP 445
  Data Encryption:   Encrypted in the capture.  SMB2 only signs traffic, so the protection comes from the RPC layer; SMB-level encryption does not exist until SMB 3.0 (Windows 8/Server 2012).
  Supported OS:      Windows 2000 and above (the target needs the Remote Registry service running)
  Data Returned:     Object (a real System.Diagnostics.Process, not a deserialized copy)
  Pros:
    • Works against older OSes
    • Does not require WinRM
  Cons:
    • Limited to cmdlets that support the Computername switch, and each cmdlet chooses its own transport (the protocols above are what Get-Process uses)
    • Depends on the Remote Registry service being started on the target

Method #2:  WMI

  Remoting Command:  Get-WMIObject Win32_Process -Computername computer1
  Protocols:         WMI over DCOM/RPC
  Port:              TCP 135 (RPC endpoint mapper) followed by a dynamic high port (49152-65535 on Vista/2008 and later, 1025-5000 on Windows 2000/2003)
  Data Encryption:   Clear text by default.  Adding -Authentication PacketPrivacy to Get-WMIObject signs and encrypts every DCOM packet.
  Supported OS:      Windows 2000 and above
  Data Returned:     Object
  Pros:
    • Works against older OSes
    • Does not require WinRM
  Cons:
    • Dynamic high ports are hard to firewall
    • Transmits data in clear text unless you ask for PacketPrivacy
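The following is an added example, not code from the original post.  It shows the WMI query from the table with its default (clear text) authentication level beside the PacketPrivacy form that encrypts the DCOM payload, then wraps the hardened form in a small function so nobody has to remember the switch.  The computer name computer1 is the placeholder used in the article; the function name Get-RemoteWmi is my own.

```powershell
# Added example (not from the original post). Assumes you are running as an
# account with admin rights on the target and that TCP 135 plus the dynamic
# RPC range are open between you and it.
$target = 'computer1'   # placeholder from the article

# Weak: the default authentication level. The DCOM traffic carries the process
# list (names, command lines, PIDs) readable by anyone on the network path.
$clear = Get-WmiObject -Class Win32_Process -ComputerName $target

# Hardened: PacketPrivacy signs and encrypts every DCOM packet. Same ports,
# same object back, but nothing useful in a capture.
$private = Get-WmiObject -Class Win32_Process -ComputerName $target -Authentication PacketPrivacy

# Same data either way; the only difference is what a sniffer sees.
"Clear text query returned {0} processes, private query returned {1}" -f @($clear).Count, @($private).Count

# A wrapper so the hardened form is the one that gets copied around.
# Parameter(Mandatory=$true) keeps it PowerShell 2.0 friendly.
function Get-RemoteWmi {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Class,
        [string]$Filter,
        [string[]]$Property = '*'
    )
    $params = @{
        ComputerName   = $ComputerName
        Class          = $Class
        Authentication = 'PacketPrivacy'   # encrypt and sign the DCOM packets
        Impersonation  = 'Impersonate'     # the WMI provider acts as the caller
        ErrorAction    = 'Stop'            # surface RPC/firewall failures to the caller
    }
    if ($Filter) { $params.Filter = $Filter }
    Get-WmiObject @params | Select-Object -Property $Property
}

# Usage: only the lsass.exe rows, only the columns we care about.
Get-RemoteWmi -ComputerName $target -Class Win32_Process -Filter "Name='lsass.exe'" -Property Name, ProcessId, CommandLine
```

PacketPrivacy fixes the clear text problem but not the dynamic port problem; the firewall between you and the target still has to allow TCP 135 and the RPC dynamic range, which is the reason Method #5 below tunnels the same WMI call over a single WinRM port.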

Method #3:  PowerShell Remoting Interactively

  Remoting Command:  Enter-PSSession computer1
                     Get-Process
                     Exit-PSSession
  Protocols:         WS-Management (WinRM) over HTTP, carrying a MIME-wrapped SOAP/XML payload
  Port:              TCP 5985 (the WinRM 2.0 HTTP listener; an HTTPS listener uses 5986)
  Data Encryption:   Encrypted.  The transport is plain HTTP, but WinRM encrypts the message body with the Kerberos (or NTLM) session key, and its default AllowUnencrypted=false refuses clear text.  An HTTPS listener adds TLS on top of that.
  Supported OS:      Windows 7/2008 R2 and above; older OSes with WinRM 2.0 (WMF 2.0) installed
  Data Returned:     In an interactive session the objects stay on the remote host.  What you see is a display copy, so you cannot capture the results into a variable on your local machine.
  Pros:
    • Single port required
    • Supports any cmdlet
    • Built in on Windows 7/2008 R2
  Cons:
    • Requires WinRM on older OSes
    • Requires configuration to allow it (Enable-PSRemoting, which creates the listener, starts the service and opens the firewall exception, or the equivalent GPO settings)

Method #4:  PowerShell Remoting Commands

  Remoting Command:  Invoke-Command -Computername computer1 -Scriptblock {Get-Process}
  Protocols:         WS-Management (WinRM) over HTTP, carrying a MIME-wrapped SOAP/XML payload
  Port:              TCP 5985 (5986 for an HTTPS listener)
  Data Encryption:   Encrypted by the Kerberos/NTLM session, exactly as in Method #3
  Supported OS:      Windows 7/2008 R2 and above; older OSes with WinRM 2.0 (WMF 2.0) installed
  Data Returned:     Deserialized object: a property snapshot taken on the remote host, with the type name prefixed "Deserialized." and the live methods (Kill, WaitForExit, and so on) gone.  The PSComputerName property tells you which host each object came from.
  Pros:
    • Single port required
    • Supports any cmdlet
    • Built in on Windows 7/2008 R2
  Cons:
    • Requires WinRM on older OSes
    • Requires configuration to allow it (Enable-PSRemoting or GPO)

Method #5:  WMI Tunneling Through PowerShell Remoting

  Remoting Command:  Invoke-Command -Computername computer1 -Scriptblock {Get-WMIObject Win32_Process}
  Protocols:         WS-Management (WinRM) over HTTP, carrying a MIME-wrapped SOAP/XML payload
  Port:              TCP 5985 (5986 for an HTTPS listener)
  Data Encryption:   Encrypted by the Kerberos/NTLM session
  Supported OS:      Windows 7/2008 R2 and above; older OSes with WinRM 2.0 (WMF 2.0) installed
  Data Returned:     Deserialized object
  Pros:
    • Single port required
    • WMI data encrypted on the wire: the WMI call runs locally on the remote host, so no DCOM traffic and no dynamic ports cross the network, only the WinRM channel
  Cons:
    • Requires WinRM on older OSes
    • Requires configuration to allow it (Enable-PSRemoting or GPO)

 

Now you have some ideas for collecting data remotely, and there are many variations of the examples listed above.  For example, you can pass multiple computer names to the Computername switch:

Get-Process -Computername computer1, computer2, computer3

Or you could pipe a list of computer names into any of these commands:

Get-Content computers.txt | Foreach-Object {Get-Process -Computername $_}

To scale remoting commands out to hundreds of computers explore using Invoke-Command with the switches -AsJob and -ThrottleLimit.
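The following is an added example, not code from the original post.  It puts the scale-out advice above into one script: read the computer list, check which hosts actually answer on the WinRM listener, fan the command out with Invoke-Command under a throttle limit, keep the per-host failures instead of losing them, tag every result with its source host, and show what "deserialized object" means for the data you get back.  It assumes a computers.txt with one host name per line (a constructed input), a domain account with admin rights on the targets, and WinRM already enabled on them; the variable names are my own.

```powershell
# Added example (not from the original post). Assumes computers.txt holds one
# host name per line and that the current account can reach the targets over
# WinRM (TCP 5985) with Kerberos.
$computers = Get-Content .\computers.txt | Where-Object { $_.Trim() }

# 1. Which hosts actually answer on the WinRM listener? Test-WSMan fails fast
#    instead of waiting on a full remoting handshake per dead host.
$reachable   = @()
$unreachable = @()
foreach ($c in $computers) {
    if (Test-WSMan -ComputerName $c -ErrorAction SilentlyContinue) {
        $reachable += $c
    } else {
        $unreachable += $c
    }
}

# 2. One Invoke-Command for every reachable host. PowerShell runs the script
#    block on the targets in parallel, at most -ThrottleLimit at a time;
#    -ErrorVariable collects the per-host failures (access denied, Kerberos,
#    WinRM quota, ...) without aborting the whole run.
$invokeParams = @{
    ComputerName  = $reachable
    ThrottleLimit = 16
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'remoteErrors'
    ScriptBlock   = {
        # Runs on the remote host: shape the data there so only the
        # properties we need come back over the wire.
        Get-Process -Name lsass, winlogon |
            Select-Object Name, Id, StartTime, Path
    }
}
$results      = @()
$remoteErrors = @()
if ($reachable.Count -gt 0) { $results = @(Invoke-Command @invokeParams) }

# 3. Every returned object carries PSComputerName, so one report covers all hosts.
$results | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, Id, StartTime, Path -AutoSize

# 4. Report what did not come back, host by host. For connection failures the
#    ErrorRecord's TargetObject is the computer name.
$unreachable  | ForEach-Object { "NO WINRM : $_" }
$remoteErrors | ForEach-Object { "FAILED   : $($_.TargetObject) : $($_.Exception.Message)" }

# 5. What came back is a snapshot, not a live process. The type name starts
#    with "Deserialized." and process methods such as Kill() are not there;
#    to act on the process you must run that action inside the script block.
if ($results.Count -gt 0) {
    $results[0].PSObject.TypeNames[0]
    $results[0] | Get-Member -MemberType Method
}
```

For hundreds of hosts add -AsJob to the Invoke-Command call: it returns immediately with a job object that has one child job per computer, and Receive-Job collects the output (and the same per-host errors) when you are ready.  Lower -ThrottleLimit rather than raising it if the run starts tripping WinRM quotas or the domain controllers start complaining about the burst of Kerberos ticket requests.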

For more information try these lines at the PowerShell console:

  • Get-Help * -Parameter Computername
  • Get-Help about_remote
  • Get-Help about_remote_FAQ
  • Get-Help about_remote_output
  • Get-Help about_remote_requirements
  • Get-Help about_remote_troubleshooting
  • Get-Help PSSession
  • Get-Help about_pssessions
  • Get-Help about_pssession_details

Now go unleash your PowerShell minions!

Attachment: remoting.cap.zip

Can you help me?  Yes!

If you would like to have me or another Microsoft PFE visit your company and assist with the ideas presented in this blog post, then contact your Microsoft Premier Technical Account Manager (TAM) for booking information.

For more information about becoming a Microsoft Premier customer email PremSale@microsoft.com.  Tell them GoateePFE sent you.

Comments
  • Thanks for tonight's presentation. Good Deal!

  • thanks!
