Lab: Configure PowerShell WebAccess for management

Now that I have my lab configured and set up to accept remoting from my client machine, I want to set up a small Hyper-V lab on this host.

Since my goal is to manage as much as possible through PowerShell, my current setup will run into the following problem:
I can remote into my lab host, but due to single-hop remoting, it is not recommended to daisy chain sessions.

In case you DO want this, you can look at the following articles that will give you more insight on multihop remoting.
A small insight on what is required:

What is the goal and what is required?

The goals I have are quite simple:

  • PowerShell access to my Host machine
  • PowerShell access to my Guest VMs
  • It has to be secure, following Best Practice

To reach these goals I first have to figure out what the best practice is, since I can already access the Host machine.

According to a PowerPoint presentation made by Lee Holmes [part of the PowerShell team since v.1], CredSSP should only be used for highly trusted servers, because otherwise

‘This opens you up to credential theft, so is disabled by default on both the client and the server’

OK, so I need another way to get access to my Host, one that allows access to my Guest VMs without having to multihop remote or RDP to my Host machine.

In comes PowerShell WebAccess!
This allows us to connect to the Host machine as a console, and through that session I can remote onto my Guest VMs!

The Code

Getting this all done required 4 steps that can easily be done through PowerShell:

  • Install PowerShell WebAccess
  • Configure the PowerShell WebAccess Web Application – Gateway
  • Configure a restrictive authorization rule
  • Use PowerShell WebAccess

Installing PowerShell Web Access

Installing PowerShell WebAccess is quite simple, but first let’s check whether it’s already installed or perhaps requires source media:

In my case this has not been done yet, so we’ll go ahead and install this.
Do note that PowerShell WebAccess requires IIS as its web server, so this will also get installed.

Reboot the machine if required, but normally you should be ready to continue.

Configure the PowerShell WebAccess Web Application – Gateway

Now that we have PowerShell WebAccess installed, we need to configure it for usage.
We can do this using

As the added parameter implies, this will set up a self-signed certificate, which is recommended for test environments only.
The certificate will expire in 90 days, after which you should assign a new self-signed certificate.
When setting up a secure production environment, be sure to use a valid certificate signed by a CA.

This command will configure a few things for you:

  • Install the PSWA Web Application
  • Install the PSWA Application Pool
  • Install PSWA within the IIS Default Web Site container
  • Configure IIS to serve PSWA from the default website under https://[servername]/pswa
  • Bind a self-signed certificate to the PSWA Web Application

In case you want to set up a valid certificate, use the following command

And configure the certificate through bindings on IIS Manager.

Configure a restrictive authorization rule

Now that we have the Role installed and the Gateway configured, we need to define who is actually allowed to access PowerShell WebAccess on this machine.
We can do this by explicitly granting access to users through the following commands.
Do note, there is no GUI alternative to add or manage these permissions; PowerShell will be required!

Now in case of a test environment, you won’t need to be too picky about who can access your machine, but in case of production you should make sure to configure these settings with care!

As the command implies, all users, connecting to all computers, are granted access to all configurations.

In case you want to restrict this access a little bit more, you can do this by simply defining the provided parameters with more detail.
For my environment I personally restricted the UserName to the local administrator, just because I can 🙂
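
The three scripted steps above (install, gateway, authorization rule) as one added example; this is not the original post's code. The host name, the local administrator account and the `Microsoft.PowerShell` session configuration are assumptions based on the login example further down.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code. The three values below are assumptions.
$HostName   = 'CONTOSO-SRV001'            # host name taken from the post's login example
$AdminUser  = "$HostName\administrator"   # local account in COMPUTER\user form
$ConfigName = 'Microsoft.PowerShell'      # default session configuration

# Step 1: check the feature state, then install it (IIS is pulled in as a dependency).
$feature = Get-WindowsFeature -Name WindowsPowerShellWebAccess
switch ([string]$feature.InstallState) {
    'Installed' { Write-Verbose 'PowerShell Web Access is already installed.' }
    'Removed'   { throw 'Feature payload was removed; rerun Install-WindowsFeature with -Source pointing at install media.' }
    default {
        $result = Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
        if ($result.RestartNeeded -eq 'Yes') { throw 'Reboot the host, then rerun this script.' }
    }
}

# Step 2: create the gateway web application under https://<servername>/pswa.
# Lab only: -UseTestCertificate binds a self-signed certificate that expires after 90 days.
# For a CA-signed certificate, run Install-PswaWebApplication without the switch
# and bind the certificate to the site in IIS Manager.
Install-PswaWebApplication -UseTestCertificate

# Step 3: authorization rule.
# Permissive lab rule (every user, every computer, every configuration):
#   Add-PswaAuthorizationRule -UserName * -ComputerName * -ConfigurationName *
# Restrictive rule: one account, one destination, one session configuration.
Add-PswaAuthorizationRule -UserName $AdminUser -ComputerName $HostName -ConfigurationName $ConfigName

# Verify: list the rules, then confirm the intended combination is authorized.
# Test-PswaAuthorizationRule returns the matching rule when access would be granted.
Get-PswaAuthorizationRule
Test-PswaAuthorizationRule -UserName $AdminUser -ComputerName $HostName -ConfigurationName $ConfigName
```

If the wildcard rule was added earlier during testing, remove it with `Remove-PswaAuthorizationRule -Id <id>` once the restrictive rule is in place, since any remaining matching rule still grants access.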

Use PowerShell WebAccess

Now that everything’s configured, let’s give it a test run!

Open your browser to the server’s name or FQDN

To log in there’s one tiny thing to keep in mind:

In the User name field, be sure to provide the name in the same format you used when defining your PswaAuthorizationRule, so in my case CONTOSO-SRV001\administrator instead of simply Administrator.

You have full [secure] access to your Host VM, providing access to all Cmdlets, tab-completion etc. and you can now securely remote onto your Guest VMs.

Happy scripting! 🙂

Script Dumpster: Online-ADComputers

The Problem

Today I ran into something simple….but I just wanted to get it solved through PowerShell and make the solution re-usable.

We had found a machine in Active Directory which didn’t turn up in the physical inventory check…
And worst of all, the machine was active!

The Script

This script simply checks if machines with a specific name [or in a specific OU] are online at the moment.
If it’s online, it will try and figure out who’s actually logged on to the machine.

The output of course is in objects, so you can use whatever kind of formatting you like on the result of the script.
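
A sketch of the check described above, as an added example; it is not the author's Online-ADComputers script. The function name `Get-OnlineADComputer` and its parameters are hypothetical, and it assumes the ActiveDirectory module plus CIM/WinRM access to the target machines.

```powershell
#Requires -Modules ActiveDirectory
# Added example; function and parameter names are hypothetical.
function Get-OnlineADComputer {
    [CmdletBinding()]
    param(
        # Computer name, wildcards allowed; restricted to characters valid in a host name.
        [ValidatePattern('^[\w\-\*\?]+$')]
        [string]$Name = '*',

        # Optional OU distinguished name to limit the search.
        [string]$SearchBase
    )

    $adParams = @{ Filter = "Name -like '$Name'" }
    if ($SearchBase) { $adParams.SearchBase = $SearchBase }

    foreach ($computer in Get-ADComputer @adParams) {
        # Prefer the DNS name; fall back to the short name if it is not set.
        $target = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }
        $online = Test-Connection -ComputerName $target -Count 1 -Quiet

        $user = $null
        if ($online) {
            try {
                # Win32_ComputerSystem.UserName reports the interactive console user only,
                # so it stays empty for machines that are used purely over RDP.
                $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $target -ErrorAction Stop
                $user = $cs.UserName
            } catch {
                $user = 'unknown (CIM query failed)'
            }
        }

        # Emit objects so the caller can filter, sort or export the result.
        [pscustomobject]@{
            ComputerName      = $computer.Name
            Online            = $online
            LoggedOnUser      = $user
            DistinguishedName = $computer.DistinguishedName
        }
    }
}

# Usage: Get-OnlineADComputer -Name 'WS-*' | Where-Object Online | Format-Table -AutoSize
```

A machine that answers ping but fails the CIM query is worth a closer look when reconciling AD against the physical inventory, since it is active but not manageable with your credentials.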

Happy scripting! 🙂

Script Dumpster: Merge-CSV

The Problem

A customer required the inventory of product keys for various products on all network systems.
I had used a tool which scanned all machines and nicely produced a .csv file for each machine it had scanned.

Ideally I wanted to have a single .csv file which I could then filter against, either using Excel or PowerShell.

The Function

Check the example notes on how to use the function.

Happy scripting! 🙂
