Solved

How do you secure your environment while using PowerShell 2.0 remoting? (PCI Compliance)

Posted on 2011-04-19
885 Views
Last Modified: 2012-05-11

Hi All,

How do you secure your Windows domain environment while still enabling the PowerShell 2.0 remoting capabilities (WinRM invoke-item)?

Because at the moment my company datacenter would like to implement a tight security policy according to this guideline: https://www.pcisecuritystandards.org/

Normally I use PowerShell for managing and monitoring the Exchange Server, Active Directory and VMware vSphere environment.

Any kind of help and suggestion would be greatly appreciated.

Cheers,

JJ
Question by:jjoz
9 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 35432818
http://technet.microsoft.com/en-us/library/cc782312(WS.10).aspx

Using HTTPS will meet the PCI requirements
 
LVL 17

Expert Comment

by:Tony Massa
ID: 35432883
Even better, you should place a firewall between your servers with PCI data and the rest of your environment, and let only required traffic through.  If you do that, the rest of your environment is not automatically included in the scope of PCI required computers.

Easier said than done, I know, but it does greatly reduce the chance of PCI audit failures.
 
LVL 1

Author Comment

by:jjoz
ID: 35437670
OK, is there a way to enable PowerShell to listen on the HTTPS port, or just on a certain secure port?
 
LVL 17

Expert Comment

by:Tony Massa
ID: 35437755
http://msdn.microsoft.com/en-us/library/aa384372%28v=vs.85%29.aspx

Create an HTTPS listener by typing the following command: winrm quickconfig -transport:https. Be aware that you must open port 5986 (Default HTTPS port in 2.0) for HTTPS transport to work.
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 2000 total points
ID: 35437935
Your servers should have an SSL certificate to make this work. If you have a corporate CA, then you should have auto-enrollment enabled for your servers.

To remove the HTTP listener on your servers, you can run the following command:
winrm delete winrm/config/listener?Address=*+Transport=HTTP

To use WinRS (Remote PS Command Shell), you can connect to the HTTPS listener by running the following PowerShell command:
Enter-PSSession -ComputerName servername.yourdomain.org -UseSSL

The FQDN is required if your certificate server is issuing certificates with the FQDN as the CN.
 
LVL 17

Expert Comment

by:Tony Massa
ID: 35437966
To create an HTTPS listener on a custom HTTPS port, use the following command:
Winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="8888"}

 
LVL 1

Author Comment

by:jjoz
ID: 35437977
Hm... can we use port 443 instead?
 
LVL 17

Accepted Solution

by:Tony Massa
Tony Massa earned 2000 total points
ID: 35440257
You can, but it would interfere with servers that have IIS using 443.

If you don't need 443, then you can certainly change the command to

Winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="443"}
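The listener hardening Tony Massa lays out across the assisted and accepted solutions (HTTPS listener bound to the server's certificate on a port of your choosing, plaintext HTTP listener removed, clients connecting with -UseSSL) pulled together as one script. This is an added example, not code from the thread or from Microsoft's documentation. It assumes it runs elevated on the server being hardened, that a server-authentication certificate whose subject CN is the host's FQDN is already auto-enrolled into LocalMachine\My, and that the $Port and $MgmtSubnet values (5986 default, 10.0.0.0/24 placeholder) are replaced with your own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell 2.0+ session
# on the server being hardened. Assumptions: a Server Authentication certificate
# issued to this host's FQDN already sits in LocalMachine\My (corporate CA
# auto-enrollment); $Port is your choice (5986 is the WinRM 2.0 HTTPS default,
# 443 only if IIS does not need it); $MgmtSubnet is a placeholder for the
# network your admin workstations live on.
param(
    [int]$Port = 5986,
    [string]$MgmtSubnet = '10.0.0.0/24'   # placeholder; restrict to your admin hosts
)
$ErrorActionPreference = 'Stop'
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Pick a current certificate issued to this FQDN that carries the
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); WinRM rejects others.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.Subject -match "CN=$([regex]::Escape($Fqdn))" -and
    $_.NotAfter -gt (Get-Date) -and
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid server-authentication certificate for $Fqdn in LocalMachine\My" }

# 2. Create the HTTPS listener bound to that certificate. Same effect as
#    'winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="..."}'
#    from the thread, but the thumbprint is given explicitly so the wrong
#    certificate cannot be picked up by accident.
$listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate
if (-not ($listeners | Where-Object { $_.Transport -eq 'HTTPS' })) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $Fqdn; CertificateThumbprint = $cert.Thumbprint; Port = "$Port" } | Out-Null
}

# 3. Remove the plaintext HTTP listener so remoting is HTTPS-only
#    (same effect as 'winrm delete winrm/config/listener?Address=*+Transport=HTTP').
if ($listeners | Where-Object { $_.Transport -eq 'HTTP' }) {
    Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTP' }
}

# 4. Service-side settings: refuse unencrypted payloads and disable Basic auth,
#    so credentials only ever travel as Kerberos/Negotiate tokens inside TLS.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 5. Host firewall: only the management subnet may reach the listener. This is
#    the per-server complement to the network firewall Tony recommends around
#    the PCI segment, and it must be opened for the custom port to work at all.
netsh advfirewall firewall add rule name="WinRM HTTPS $Port (mgmt only)" dir=in action=allow protocol=TCP localport=$Port remoteip=$MgmtSubnet | Out-Null

# 6. Verify what is actually listening, then exercise the TLS endpoint.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint
Test-WSMan -ComputerName $Fqdn -UseSSL -Port $Port

# Admins then connect with:
#   Enter-PSSession -ComputerName $Fqdn -UseSSL -Port $Port
```

Two points follow from the thread's FQDN remark: the client must trust the CA that issued the server certificate and must address the server by the exact name in the certificate's CN, or the TLS handshake fails; and once the listener is on a non-default port, every Enter-PSSession or Invoke-Command call needs -Port as well as -UseSSL. Running step 6 from an admin workstation, rather than only locally, is the quickest way to confirm that the firewall rule and the name match are both right.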
 
LVL 1

Author Closing Comment

by:jjoz
ID: 35617047
Many thanks, man!