Gordon

Reputation: 6863

PowerShell Remoting, Second hop and delegation

I am looking for the most secure way to implement WinRM in situations where Second hop comes up. Specifically I want to run a script from an arbitrary but singular management machine, and initiate remote sessions on all workstations, using passed credentials of a single specific management user. Those remote sessions there need to be able to second hop to specific shares on a file server, to access the appropriate resources. I know CredSSP is pretty weak, so I am looking for something better. Richard Siddaway mentions "AD based delegation" here, but the best information I have found about Delegation is from MS here, and all the delegation options say "Does not support the second hop for WinRM". So, IS there a secure way to enable Second Hopping, for a single specified user or group, via Active Directory? Ideally I would love to limit second hop to JUST the specified third server/share, and only for the specified user or group. So, any remote session using different credentials can't second hop, and the correct credentials can't second hop to other resources. Is that even remotely doable?

Upvotes: 0

Views: 3279
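The scenario in the question (management machine, first hop to a workstation, second hop to a file server) maps onto resource-based Kerberos constrained delegation, where the file server's AD object lists which computers may present a user's identity to it. The following is an added example, not code from the question or the linked posts; the names FS01, WS01/WS02, CONTOSO and the share path are assumptions, and it uses only ActiveDirectory module cmdlets and parameters that exist on Windows Server 2012 and later domains.

```powershell
# Added example (not from the question or the linked articles).
# Resource-based constrained delegation (RBCD): the FILE SERVER decides which
# first-hop machines may delegate a user's Kerberos identity to it.
# Assumed names: FS01 = file server, WS01/WS02 = workstations, CONTOSO = domain.
Import-Module ActiveDirectory

# 1. Identify the resource (second hop) and the allowed first-hop computers.
$fileServer   = Get-ADComputer -Identity 'FS01'
$workstations = Get-ADComputer -Filter { Name -eq 'WS01' -or Name -eq 'WS02' }

# 2. Allow ONLY those workstation computer accounts to delegate to FS01.
#    This is written on FS01's object, so no change is needed on the
#    workstations and no CredSSP password forwarding is involved.
Set-ADComputer -Identity $fileServer -PrincipalsAllowedToDelegateToAccount $workstations

# 3. Verify what is actually allowed (the check an auditor would run).
$allowed = Get-ADComputer -Identity 'FS01' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
Write-Output "Computers allowed to delegate to FS01:"
$allowed | ForEach-Object { Write-Output "  $_" }

# 4. Limit WHICH USERS can be delegated at all: flag every account that should
#    never second hop as "sensitive and cannot be delegated". Only the
#    management user stays delegable. (Assumed account names.)
foreach ($u in 'CONTOSO\svc-backup', 'CONTOSO\helpdesk1') {
    Set-ADUser -Identity ($u -split '\\')[1] -AccountNotDelegated $true
}
Get-ADUser -Identity 'mgmtuser' -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated

# 5. The file server caches its old delegation list in its Kerberos ticket
#    cache; purge it so the new RBCD entry takes effect immediately.
Invoke-Command -ComputerName 'FS01' -ScriptBlock { klist purge -li 0x3e7 }

# 6. Test the second hop from the management machine through WS01.
$cred = Get-Credential -UserName 'CONTOSO\mgmtuser' -Message 'Management account'
Invoke-Command -ComputerName 'WS01' -Credential $cred -ScriptBlock {
    # Runs on WS01 as mgmtuser; the S4U2Proxy ticket to FS01 is obtained here.
    Get-ChildItem -Path '\\FS01\Reports'
}
```

Two caveats a reviewer would raise against the question's wording. RBCD is granted per resource computer, not per share: once WS01 may delegate to FS01, it can reach any Kerberos service on FS01, so restricting the second hop to "just that share" is done with the share and NTFS ACLs for the management account, not with delegation. And scoping "only for the specified user" is the inverse operation: delegation is allowed by default for every non-sensitive account, so the accounts that must not hop are the ones to mark with AccountNotDelegated (or to place in the Protected Users group), as step 4 does.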

Answers (1)

postanote

Reputation: 16096

It's apparent you have been looking into this, yet, have you seen the below approaches to ascertain if they can get you to your goal?

PowerShell Remoting Kerberos Double Hop Solved Securely

Are you facing issues with PowerShell remoting and credentials? You remote into your jump box, but then any remoting beyond there gets a big red ACCESS DENIED. Maybe you’ve tried CredSSP, but people say that isn’t safe. Read today’s post for a completely legit, secure, safe, and easy way to enable Kerberos double hop for PowerShell remoting.

https://blogs.technet.microsoft.com/ashleymcglone/2016/08/30/powershell-remoting-kerberos-double-hop-solved-securely

Another solution to multi-hop PowerShell remoting

I've discovered another solution for the problem of two hops in the PowerShell remoting, that I haven't seen anywhere in my searches on the Internet. I'm sure that some people know about it but it doesn't seem to be widely known.

https://blogs.msdn.microsoft.com/sergey_babkins_blog/2015/03/18/another-solution-to-multi-hop-powershell-remoting

Update to your last comment

This...

most secure way to implement WinRM

... and this...

My hope is to find a solution that an overprotective/paranoid IT Manager can still sign off on. If my understanding is wrong I would love to be educated.

It can really be a matter of opinion. Meaning, what is secure enough for one is not for another.

So, that first must be fleshed out before you can say yea or nay to any option.

  • Does one mean end-to-end risk management/security of the pipe between source and destination? (so host to host mutual auth, SSL, SDI-server and domain isolation, etc.)
  • Does one mean securing the data moving through the pipe? Encrypting at the source, decrypting on the destination, or obfuscating code?

Some will say WinRM is inherently insecure since it defaults to HTTP. Most networks are not leveraging mutual auth internally, RBAC for specific functions/operations/connections, SDI, etc. There are many articles on WinRM security as well as ones on options to address it.

Securing WinRM

WinRMSecurity - PowerShell | Microsoft Docs

Is WinRM Secure or do I need HTTPs?

How To: Configure WINRM for HTTPS

How To Secure Powershell Remoting In A Windows Domain

PowerShell remoting over SSH

Then there is the use of JEA

Just Enough Administration

JEA Prerequisites

Using JEA

Auditing and Reporting on JEA

Improvements to Just Enough Administration (JEA)

Risk Management/Security is all about layers and trade-offs. Cost, posture vs usability, DR, and maintenance of said deployment.

Upvotes: 1
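The answer's JEA links are the "RBAC for specific functions/operations/connections" layer it mentions, and JEA also sidesteps the second hop by letting the endpoint run as a dedicated identity instead of the caller. The following is an added example, not code from the answer or the linked Microsoft docs; the endpoint name ShareReader, the share path, the group name and the gMSA name are assumptions, and it uses the JEA cmdlets and parameters documented for PowerShell 5.1 and later.

```powershell
# Added example (not from the answer or the linked docs): a Just Enough
# Administration endpoint on each workstation that exposes only a read-only
# view of one share, and runs as a group managed service account so the
# second hop is done by a fixed identity rather than by the caller's
# delegated credentials. Assumed names: FS01, CONTOSO, gMSA 'svc-jea$'.

# 1. Role capability: the whitelist of what a connected user may run.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ShareReaderJEA'
$rcDir     = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ShareReader.psrc') `
    -VisibleCmdlets @(
        # Get-ChildItem is allowed only when -Path starts with \\FS01\Reports
        @{ Name = 'Get-ChildItem'; Parameters = @{ Name = 'Path'; ValidatePattern = '^\\\\FS01\\Reports' } },
        @{ Name = 'Get-Content';   Parameters = @{ Name = 'Path'; ValidatePattern = '^\\\\FS01\\Reports' } }
    ) `
    -VisibleProviders 'FileSystem'

# 2. Session configuration: who gets the role, and what identity the
#    endpoint runs as. A gMSA is a domain identity, so it can reach FS01
#    without any delegation of the calling user's ticket; grant the gMSA
#    (not the callers) read access on the share's ACL.
$psscPath = Join-Path $env:TEMP 'ShareReader.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\svc-jea$' `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ShareReaders' = @{ RoleCapabilities = 'ShareReader' } }

# Fail early if the file is malformed instead of registering a broken endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) {
    throw "Session configuration file failed validation: $psscPath"
}

# 3. Register the endpoint on the workstation (restarts WinRM).
Register-PSSessionConfiguration -Name 'ShareReader' -Path $psscPath -Force | Out-Null

# 4. From the management machine, connect to the constrained endpoint.
#    Anything outside the role capability (Invoke-Expression, other paths,
#    other cmdlets) is refused by the endpoint itself.
$cred = Get-Credential -UserName 'CONTOSO\mgmtuser' -Message 'Management account'
Invoke-Command -ComputerName 'WS01' -ConfigurationName 'ShareReader' -Credential $cred -ScriptBlock {
    Get-ChildItem -Path '\\FS01\Reports'
}
```

Design note: the transcript directory plus the RoleDefinitions mapping give the "auditing and reporting" the answer links to, since every command in the session is logged against the caller's real account even though the share access happens as the gMSA. If a gMSA is not available, -RunAsVirtualAccount is the alternative; the virtual account then accesses network resources as the workstation's computer account, so the share ACL would have to grant each workstation's computer account instead.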
