Increase PowerShell remoting security with two simple techniques
In this article, I will discuss two simple methods to improve PowerShell remoting security. The first is to grant local administrator privileges only temporarily. The second is to change the password automatically in the script.
One of the aspects of PowerShell I use the most is running remote tasks on many computers at once. Using Invoke-Command, admins can easily and quickly perform tasks on remote computers by running it from one computer and “fanning” out to many at once. It is, in my opinion, one of the great features of PowerShell and a great improvement over the old PSExec technique.
Although PowerShell encrypts all remote communication via Kerberos by default in a domain environment, I like to add some additional security. It helps me sleep at night, which is often when these tasks are running.
In my example scenario, I want to run a script that uses Invoke-Command to restart the Windows Update service on remote machines. Here is the part of the script that does this:
Invoke-Command -ComputerName Test-1,Test-2 -Credential $Credential -ScriptBlock { Restart-Service wuauserv }
Fairly simple, right? Now let’s add some security to this script.
Temporarily increasing privileges
Restarting services requires local administrator access, so the account we use to remote to these machines must have it. Sysadmins often just keep an account in the local administrator group at all times and use it when needed.
This is, of course, bad practice. If the account is compromised, whoever holds it has administrator access to every machine that has the account in its local administrator group. So why not use PowerShell to grant the account the permissions it needs when the script runs and then remove them when the script finishes?
One way to use this method is to have an Active Directory security group, in this case Local-Admins.
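A sketch of the temporary-elevation pattern described above, as an added example that is not the article's own script. It assumes the ActiveDirectory module is available, that Local-Admins is already a member of the local Administrators group on each target, and a hypothetical account name, svc-remoting.

```powershell
#Requires -Modules ActiveDirectory

# Assumptions (not from the article): the account name 'svc-remoting', and that
# the Local-Admins group is in the local Administrators group on every target.
$Account    = 'svc-remoting'              # hypothetical account name
$Group      = 'Local-Admins'              # group named in the article
$Computers  = 'Test-1', 'Test-2'
$Credential = Get-Credential -UserName "$env:USERDOMAIN\$Account" -Message 'Remoting account'

$added = $false
try {
    # Elevate only if the account is not already a direct member, so cleanup
    # never removes a membership that this script did not create.
    $isMember = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.SamAccountName -eq $Account }
    if (-not $isMember) {
        Add-ADGroupMember -Identity $Group -Members $Account -ErrorAction Stop
        $added = $true
    }

    # The explicit credential creates a fresh logon on each target, so the
    # new group membership is picked up. In a multi-DC domain, replication
    # delay between the add and this call is possible (assumption to verify).
    Invoke-Command -ComputerName $Computers -Credential $Credential -ScriptBlock {
        Restart-Service -Name wuauserv
    }
}
finally {
    # finally runs on success, on a terminating error and on Ctrl+C,
    # so the elevation window closes even when the remote task fails.
    if ($added) {
        Remove-ADGroupMember -Identity $Group -Members $Account -Confirm:$false -ErrorAction Stop

        # Confirm the removal took effect; a leftover membership is the exact
        # standing privilege this technique is meant to avoid.
        $still = Get-ADGroupMember -Identity $Group |
            Where-Object { $_.SamAccountName -eq $Account }
        if ($still) { Write-Warning "$Account is still a member of $Group" }
    }
}
```

The identity running the script needs rights to modify the membership of Local-Admins, so delegate write access on that one group rather than running it as a domain administrator.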