Implementing Powershell .20 (WinRM Invoke-Item) in the secure Datacenter environment

Question

How do you secure your Windows domain environment while still enabling the Powershell 2.0 remoting capabilities (WinRM invoke-item) ?

Because at the moment my company datacenter would like to implement tight security policy according to this guideline: https://www.pcisecuritystandards.org/ ?

Normally I use the Powershell for managing and monitoring the Exchange Server, Active Directory and VMware vSphere environment. With Windows Server 2008, 2003 and XP as the client.

Any kind of help and suggestion would be greatly appreciated.

Cheers,

Answer 1

We are in a similar situation. We also haven't enabled PS Remoting due to security precautions, but here's what I do know:

• Lock down the trusted hosts that are allowed to connect to a remote computer:

Set-Item WSMan:\localhost\Client\TrustedHosts ControllerComputerDNSnamesOrIPs

• Lock down commands that can be run remotely: see http://powershell.com/cs/media/p/7257.aspx and search the page for "session configurations"

• The entire remote session is encrypted: http://blogs.technet.com/b/ilvancri/archive/2010/03/31/techdays-follow-up-remote-powershell-what-s-encrypted.aspx

I'm no security expert, but I do appreciate the security risks involved. I would like to hear from others who have identified potential security issues, and what can be done to mitigate them.