When I started working in IT, it was common for IT staff to use Remote Desktop, WinVNC, or Symantec pcAnywhere for remote server administration. Fast forward fifteen years, and while pcAnywhere isn’t around anymore, Remote Desktop is still used as the primary means of administering Windows Server in many organizations. There’s nothing wrong with Remote Desktop per se but it’s not the most secure or scalable way to manage Windows.
PowerShell vs. Remote Desktop vs. Windows Privilege Management
PowerShell, including PowerShell Remoting, provides a secure way to manage Windows Server, and there are several reasons why it is a preferred management method. However, a privileged access management solution like BeyondTrust Endpoint Privilege Management gives IT staff a deeper set of capabilities, both within Windows Server management and beyond it.
Just Enough Administration (JEA)
Users can be granted more granular access to perform administrative tasks on PowerShell endpoints. When users log in to servers using Remote Desktop, they can do anything that their privileges allow, which often means ‘everything’ because they have an account with local or domain admin rights. But when users connect to a remote server using PowerShell Just Enough Administration (JEA), the endpoint can be constrained so that only a handful of cmdlets, functions, or even specific command parameters can be run on the remote server, regardless of the privileges held by the user.
Alternatively, standard users can connect to PowerShell remote endpoints and run commands in the context of a local administrator. The connecting user doesn’t need to know the password for the administrator account. These endpoints can also be constrained to restrict what users are able to do on the remote device.
JEA is considered an administration tool, not a solution for least privilege. It’s not designed to solve the privilege problem. In fact, JEA creates additional privileged accounts to serve as the RunAs account, local to each server or workstation where the tool is used.
Just Enough Administration can be complicated to set up and maintain, and not all applications are PowerShell-enabled. PowerBroker proactively identifies applications and tasks that require administrator privileges and automatically generates rules for privilege elevation. This capability lets admins control the rights of applications, system tasks, and so on more easily and with a broader scope than what is natively available.
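To make the constraints described above concrete, here is an added example (not code from the original post) that builds a JEA endpoint for a hypothetical CONTOSO\ServiceOperators group: members see and restart two named services and nothing else, while the commands run under a temporary virtual account with local admin rights whose password the operator never learns. The module name, path, group and transcript directory are assumptions; it expects WinRM to be enabled and is run as a local administrator.

```powershell
# Added example: a minimal JEA endpoint. Module name, paths and group are assumptions.
$ModuleName = 'JEA-ServiceOps'
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
New-Item -Path "$ModulePath\RoleCapabilities" -ItemType Directory -Force | Out-Null
# JEA discovers .psrc files via a module's RoleCapabilities folder; the manifest can be empty.
New-ModuleManifest -Path "$ModulePath\$ModuleName.psd1"

# Role capability: which commands the role may use, down to the allowed parameter values.
$VisibleCmdlets = @(
    'Get-Service'
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)
New-PSRoleCapabilityFile -Path "$ModulePath\RoleCapabilities\ServiceOps.psrc" `
    -VisibleCmdlets $VisibleCmdlets

# Session configuration: which group maps to which role, and whose identity commands run under.
# -RunAsVirtualAccount executes commands as a temporary local Administrator (the extra
# privileged account mentioned above), so the connecting user needs no admin password.
$Pssc = Join-Path $env:TEMP 'ServiceOps.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA-Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\ServiceOperators' = @{ RoleCapabilities = 'ServiceOps' } }

if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) { throw "Invalid session configuration file: $Pssc" }
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $Pssc -Force | Out-Null

# Verification, run as a member of the operators group: only the whitelisted commands (plus the
# handful JEA always exposes) are visible, and a service outside the ValidateSet is refused even
# though the session itself runs as an administrator.
$Session = New-PSSession -ComputerName localhost -ConfigurationName 'ServiceOps'
Invoke-Command -Session $Session -ScriptBlock { Get-Command | Select-Object -ExpandProperty Name }
Invoke-Command -Session $Session -ScriptBlock { Restart-Service -Name BITS }   # rejected: not in ValidateSet
Invoke-Command -Session $Session -ScriptBlock { Restart-Service -Name Spooler } # permitted
Remove-PSSession $Session
```

Every session through this endpoint is also transcribed to the directory given by -TranscriptDirectory, which is where the audit trail for JEA activity lives.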
Every action that a user performs using PowerShell can be logged, and that also applies to users connecting to PowerShell Remoting endpoints. Module logging, which has been available since PowerShell 3.0, records pipeline execution details and can be enabled for all modules or just for those you select.
The limitation of module logging is that if the code in a script is obfuscated, for example with various types of encoding or encryption, module logging may not record the execution details. When script block logging is enabled, PowerShell records not only the obfuscated code but also the de-obfuscated code as it is executed. Starting in PowerShell 5.0, script blocks that use suspicious commands or scripting techniques are logged automatically, even if the policy has not been turned on; script block logging can also be enabled for all executed script blocks.
PowerShell transcripts record all activity in a user session. Users can enable transcription manually for each session as required, or it can be enabled system-wide through Group Policy. Finally, the ‘Log script block execution start/stop events’ Group Policy setting records when each script block starts and stops in the Event Log.
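The three logging controls just described can be switched on without waiting for a Group Policy refresh, because Group Policy simply writes registry values under HKLM\SOFTWARE\Policies. The added example below (not code from the original post) sets those values on one host and then queries the Operational log for script blocks that PowerShell 5.0+ flagged as suspicious, which is the part of the logging a defender reads first. The transcript share is an assumption; run it as an administrator.

```powershell
# Added example: enable module, script block and transcription logging via the policy registry
# keys, then pull the auto-flagged (Warning-level) 4104 events. Transcript path is an assumption.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging for all modules: pipeline execution details land in event ID 4103.
New-Item -Path "$Policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$Policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$Policy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging for every block (4104) plus the start/stop invocation events (4105/4106),
# i.e. the 'Log script block execution start/stop events' setting mentioned above.
New-Item -Path "$Policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$Policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Value 1 -Type DWord

# System-wide transcription: one text file per session, written to a central share.
New-Item -Path "$Policy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$Policy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$Policy\Transcription" -Name OutputDirectory -Value '\\FileServer\PSTranscripts$'

# Detection: PowerShell 5.0+ writes 4104 at Warning level (Level 3) for blocks it considers
# suspicious even when the policy is off. Properties[2] carries the de-obfuscated script text.
function Get-SuspiciousScriptBlock {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        Level     = 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = $_.UserId
            ScriptBlockId = $_.Properties[3].Value
            Text          = $_.Properties[2].Value
        }
    }
}

Get-SuspiciousScriptBlock -Hours 168 | Format-Table -Wrap
```

Long script blocks are split across several 4104 events that share one ScriptBlockId, so group on that column before reading the text.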
Windows privilege management solutions like BeyondTrust Endpoint Privilege Management include logging capabilities that capture privileged and non-privileged behavior that occurs outside of PowerShell.
Scalability for Cloud Computing and Datacenters
PowerShell is scalable; it can be used to perform tasks against multiple devices at the same time. Imagine a scenario where you need to change a setting across hundreds of servers. Remote Desktop would require you to log in to each server individually and manually change the required setting. But PowerShell can be used to change the setting on hundreds of servers using just one command.
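The one-command scenario above, as an added example that is not part of the original post: a single Invoke-Command fans out to every server in a list, applies the setting in parallel, and collects the hosts that could not be reached instead of silently skipping them. The server list file, the chosen setting (disabling SMBv1) and the throttle value are assumptions.

```powershell
# Added example: one Invoke-Command instead of hundreds of Remote Desktop sessions.
# The server list, the setting being changed and the throttle value are assumptions.
$Servers = Get-Content -Path 'C:\Admin\servers.txt'     # one hostname per line

# -ThrottleLimit caps concurrent sessions; connection failures go to $ConnErrors rather than
# stopping the run. -ConfigurationName could point this at a constrained JEA endpoint instead
# of the default one.
$Results = Invoke-Command -ComputerName $Servers -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable ConnErrors -ScriptBlock {
        # Runs on each target: apply the change, then report the resulting state.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            SMB1   = (Get-SmbServerConfiguration).EnableSMB1Protocol
        }
    }

$Results | Sort-Object Server | Format-Table Server, SMB1 -AutoSize

# Anything listed here still has the old setting and needs follow-up.
$ConnErrors | ForEach-Object { "FAILED: $($_.TargetObject) - $($_.Exception.Message)" }
```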
Windows Admin Center
There are times, however, when a GUI is helpful. Microsoft's Remote Server Administration Tools (RSAT) haven't changed much since their inception in Windows 2000. Most of the RSAT tools use Remote Procedure Calls (RPC), meaning that they aren’t firewall-friendly. And Task Manager is missing from RSAT, so sysadmins can’t get an overview of disk, CPU, memory, and network utilization.
The Windows Admin Center (WAC) is Microsoft’s GUI management strategy for Windows Server going forward. It allows sysadmins to manage Windows Server using a web-based application that works over well-established and secure management protocols and standards, like WinRM, Windows Management Instrumentation (WMI), and PowerShell Remoting. WAC is extensible, allowing Microsoft and third parties to add management tools quickly and easily. At the time of release, WAC can be used to manage full Windows Server, Server Core, Hyper-V Server, Azure Backup, hyper-converged infrastructure (HCI), and Azure IaaS virtual machines.
Get Serious About Security
PowerShell was designed to be secure from the get-go and allows for far more granular control than Remote Desktop, along with the ability to log and search all actions, answering the who, what, when, where, and how questions that are critical when investigating a security breach or unsanctioned change. The comprehensive logging might even allow you to identify unwanted activity before it impacts your environment if you have security information and event management (SIEM) software in place. And WAC offers a new way to manage servers where a GUI is more appropriate, replacing the aging and user-unfriendly Microsoft Management Consoles (MMCs).
It’s clear that Microsoft offers many capabilities, including JEA, that address routine administration. Most companies don’t have the time, experience, or skill set to set up, maintain, and customize this functionality. In addition, some of these Windows functions assume that all assets are at the most current functional operating system levels. And, while these administrative functions will work, IT admins may find themselves spending substantial time trying to pull disparate data together to generate reports for auditing purposes.
Another consideration for Windows security is to use a solution designed specifically for enterprise-wide privileged access management. The BeyondTrust Privileged Access Management Platform is an integrated solution that provides control and visibility over all privileged accounts, users, and activity.
If you’d like to know more about managing Windows Server using PowerShell and the Windows Admin Center, check out my on-demand webinar, A Technical Deep Dive: Windows Server Remote Management using PowerShell and the Windows Admin Center. I will explain how to configure custom PowerShell Remoting endpoints so that users can use PowerShell Remoting without needing administrative privileges on the target server, and much more.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.