How do you secure your environment while using Powershell 2.0 remoting? (PCI Compliance)


Hi All,

How do you secure your Windows domain environment while still enabling the Powershell 2.0 remoting capabilities (WinRM invoke-item)?

Because at the moment my company datacenter would like to implement a tight security policy according to this guideline: https://www.pcisecuritystandards.org/

Normally, I use Powershell for managing and monitoring the Exchange Server, Active Directory and VMware vSphere environment.

Any kind of help and suggestion would be greatly appreciated.

Cheers,

JJ
jjoz Asked:

Tony MassaCommented:
You can, but it would interfere with servers that have IIS using 443.

If you don't need 443, then you can certainly change the command to:

Winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="443"}
 
Tony MassaCommented:
http://technet.microsoft.com/en-us/library/cc782312(WS.10).aspx

Using HTTPS will meet the PCI requirements
 
Tony MassaCommented:
Even better, you should place a firewall between your servers with PCI data and the rest of your environment, and let only required traffic through. If you do that, the rest of your environment is not automatically included in the scope of PCI required computers.

Easier said than done, I know, but it does greatly reduce the chance of PCI audit failures.

 
jjozAuthor Commented:
OK, is there a way to enable Powershell to listen on the HTTPS port, or just on a certain secure port?
 
Tony MassaCommented:
http://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx

Create an HTTPS listener by typing the following command: winrm quickconfig -transport:https. Be aware that you must open port 5986 (Default HTTPS port in 2.0) for HTTPS transport to work.
 
Tony MassaCommented:
Your servers should have an SSL certificate to make this work. If you have a corporate CA, then you should have auto-enrollment enabled for your servers.

To remove the HTTP listener on your servers, you can run the following command:
winrm delete winrm/config/listener?Address=*+Transport=HTTP
To use WinRS (Remote PS Command Shell), you can connect to the HTTPS listener by running the following Powershell command:
Enter-PSSession -ComputerName servername.yourdomain.org -UseSSL
The FQDN is required if your certificate server is issuing certificates with the FQDN as the CN.
 
Tony MassaCommented:
To create an HTTPS listener on a custom HTTPS port, use the following command:
Winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="8888"}

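An added example, not from the thread or from Tony Massa, that strings the steps above together in PowerShell 2.0 on the server side: pick the auto-enrolled certificate whose CN is the server's FQDN, create the HTTPS listener bound to it, remove the plaintext HTTP listener, refuse unencrypted traffic at the service level, restrict the HTTPS port to a management subnet (the firewall segmentation Tony recommends, applied on the host), and verify the result. The FQDN `servername.yourdomain.org`, the management subnet `10.10.50.0/24` and the firewall rule names are placeholders I chose; replace them with your own values.

```powershell
# Added example (not the thread's own commands): lock WinRM down to HTTPS only.
# Run in an elevated PowerShell 2.0 session on the server being managed.
# Assumptions (placeholders, replace before use):
#   - $fqdn is the server's DNS name and the certificate CN matches it
#   - $mgmtNet is the only network that should reach WinRM
#   - the corporate CA has auto-enrolled a server certificate into LocalMachine\My
$fqdn      = 'servername.yourdomain.org'   # placeholder FQDN
$mgmtNet   = '10.10.50.0/24'               # placeholder management subnet
$httpsPort = 5986                           # default WinRM HTTPS port in 2.0

# 1. Select a currently valid certificate whose subject is exactly CN=<fqdn>.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with CN=$fqdn found in LocalMachine\My" }

# 2. Create the HTTPS listener bound to that certificate. This is the cmdlet form of
#    'winrm create winrm/config/listener?Address=*+Transport=HTTPS', with the
#    thumbprint chosen explicitly instead of letting winrm guess.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint; Port = "$httpsPort" }

# 3. Remove the HTTP listener so no session can fall back to a plaintext transport.
$http = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTP' }
if ($http) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
}

# 4. Service-level backstop: reject unencrypted requests and Basic authentication
#    even if someone later re-adds an HTTP listener.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false

# 5. Host firewall: allow the HTTPS port only from the management subnet and block
#    the default HTTP port outright. netsh is used because New-NetFirewallRule is
#    not available on the Windows versions that ship PowerShell 2.0.
netsh advfirewall firewall add rule name="WinRM HTTPS (mgmt only)" dir=in action=allow `
    protocol=TCP localport=$httpsPort remoteip=$mgmtNet
netsh advfirewall firewall add rule name="WinRM HTTP (block)" dir=in action=block `
    protocol=TCP localport=5985

# 6. Verify: the listener table should show HTTPS only, and Test-WSMan should succeed
#    over SSL (it will fail if the certificate CN and $fqdn do not match).
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
Test-WSMan -ComputerName $fqdn -UseSSL -Port $httpsPort
```

To use 443 instead of 5986 as asked later in the thread, change `$httpsPort`; as Tony notes, that only works on servers where IIS is not already bound to 443. Clients then connect with `Enter-PSSession -ComputerName $fqdn -UseSSL -Port 443`, and a connection attempt from outside the management subnet should now be refused by the firewall rather than answered by WinRM, which is the behaviour a PCI assessor will expect to see demonstrated.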
 
jjozAuthor Commented:
Hm.. can we use port 443 instead?
 
jjozAuthor Commented:
Many thanks, man!