Cyber Defense

Script to Configure PowerShell Remoting to Use SSL

PowerShell remoting can use SSL encryption when the -UseSSL switch is used with the Enter-PSSession or Invoke-Command cmdlets. But simply installing an SSL-compatible certificate is not enough to enable remoting with SSL. The WS-Management (WSMAN) listener for PowerShell must be configured correctly to use an SSL certificate, and this isn't very much fun to do by hand.

In the Securing Windows (SEC505) course at SANS, we use a PowerShell script to configure the WSMAN listener with a certificate automatically, or, if there are multiple available computer certificates, to list the available certificates and simply ask the user which one to use. The script is named Configure-RemotingForSSL.ps1. It is located in the SEC505 zip file in the Day6-PowerShellRemoting folder. All the other scripts in the zip file are in the public domain too.

Command-Line Use

The script takes no command-line parameters; just run it to have a certificate selected automatically or to be prompted for which certificate to use. If you already have an SSL certificate configured for remoting, the script will prompt whether to replace those settings (not the certificate, just the settings) or to exit without changes. The script is deliberately simple so that it is appropriate for teaching and easy to edit. Feel free to customize it for your environment.
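The steps described above, as an added sketch that is not Configure-RemotingForSSL.ps1 or any code from the SEC505 zip file: it picks a computer certificate (prompting if there are several), asks before replacing an existing HTTPS listener, and binds the listener to the chosen thumbprint. It assumes an elevated session, remoting already enabled, and that a usable certificate must carry the Server Authentication EKU; the variable names are made up for the illustration.

```powershell
# Added illustration; not the SEC505 script. Run from an elevated PowerShell session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed requirement)

# Candidates: computer store, private key present, currently valid, Server Auth EKU.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $cert.HasPrivateKey -and
    $cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date) -and
    ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
})
if ($candidates.Count -eq 0) { throw 'No usable computer certificate found.' }

if ($candidates.Count -eq 1) {
    $chosen = $candidates[0]
} else {
    # Several certificates: list them and let the user choose by number.
    for ($i = 0; $i -lt $candidates.Count; $i++) {
        '{0}: {1}  {2}  expires {3:d}' -f $i, $candidates[$i].Subject,
            $candidates[$i].Thumbprint, $candidates[$i].NotAfter
    }
    $chosen = $candidates[[int](Read-Host 'Certificate number')]
}

# An HTTPS listener may already exist. Only the listener settings are replaced;
# the certificate itself stays in the store untouched.
$existing = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($existing) {
    if ((Read-Host 'HTTPS listener exists. Replace its settings? (y/n)') -ne 'y') { return }
    $existing | Remove-Item -Recurse -Force
}

# Bind a new HTTPS listener to the chosen certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $chosen.Thumbprint -Force | Out-Null

# Verify: show the HTTPS listener's settings, including CertificateThumbprint.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem $_.PSPath }
```

From a client, Test-WSMan with the -UseSSL switch checks that the listener answers over SSL; the computer name used must match the name in the certificate.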

Requirements

Note that the script will not install PowerShell, enable remoting, or install a certificate from your PKI. There are plenty of guides for these tasks on the Internet, and the SEC505 course has a day on PKI too. Remoting requires PowerShell 2.0 or later, and the user must be a member of the Administrators local group to manage WSMAN settings. The about_Remote_Requirements file also has more information about these prerequisites (in PowerShell, run "get-help about_Remote_Requirements"). Cheers

Caveats & Legal Disclaimers

The script is free and in the public domain; you may use it for any purpose whatsoever without restriction. However, that being said...

THIS SCRIPT IS PROVIDED "AS IS" WITH NO WARRANTIES OR GUARANTEES OF ANY KIND, INCLUDING BUT NOT LIMITED TO MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. ALL RISKS OF DAMAGE REMAIN WITH THE USER, EVEN IF THE AUTHOR, SUPPLIER OR DISTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF ANY SUCH DAMAGE. IF YOUR STATE DOES NOT PERMIT THE COMPLETE LIMITATION OF LIABILITY, THEN DO NOT DOWNLOAD OR USE THE SCRIPT. NO TECHNICAL SUPPORT WILL BE PROVIDED.

 

 
