{"id":1695,"date":"2014-04-02T00:01:00","date_gmt":"2014-04-02T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/04\/02\/build-constrained-powershell-endpoint-using-configuration-file\/"},"modified":"2014-04-02T00:01:00","modified_gmt":"2014-04-02T00:01:00","slug":"build-constrained-powershell-endpoint-using-configuration-file","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/build-constrained-powershell-endpoint-using-configuration-file\/","title":{"rendered":"Build Constrained PowerShell Endpoint Using Configuration File"},"content":{"rendered":"<p><b>Summary<\/b>: Boe Prox teaches you how to build a constrained endpoint by using a configuration file.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Question\" \/>&nbsp;Hey, Scripting Guy!, is there a better way to lock down my remote endpoint by using something other than a startup script?<\/p>\n<p>&mdash;SH<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Answer\" \/>&nbsp;Hello SH, Honorary Scripting Guy, Boe Prox, here today filling in for my good friend, The Scripting Guy. This is the third part in a series of five posts about Remoting Endpoints. 
The series includes:<\/p>\n<ol>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/introduction-to-powershell-endpoints\/\" target=\"_blank\">Introduction to PowerShell Endpoints<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/build-constrained-powershell-endpoint-using-startup-script\/\" target=\"_blank\">Build Constrained PowerShell Endpoint Using Startup Script<\/a><\/li>\n<li><b>Build Constrained PowerShell Endpoint Using Configuration File<\/b> (today&rsquo;s post)<\/li>\n<li>Use Delegated Administration and Proxy Functions<\/li>\n<li>Build a Tool that Uses Constrained PowerShell Endpoint<\/li>\n<\/ol>\n<p>In yesterday&rsquo;s post, I was able to restrict the commands that are available from a remote Windows PowerShell session by using a startup script to create a constrained endpoint. Today I am going to show you how to create a constrained endpoint by using a configuration file, which became available in Windows PowerShell&nbsp;3.0.<\/p>\n<p>Although startup scripts work great and were a necessity in Windows PowerShell&nbsp;2.0, they are optional for configuring constrained remote endpoints since Windows PowerShell&nbsp;3.0 because a session configuration file (.pssc) makes the process much easier to work with.<\/p>\n<p>So what is a session configuration file and what does it look like? The .pssc file is used with <b>Register-PSSessionConfiguration<\/b>, and it is used in the <b>Path<\/b> parameter. After the session configuration has been registered, the file is copied to the C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\SessionConfig folder.<\/p>\n<p>It is saved in the following format: <b>SessionName_GUID.pssc<\/b>. The GUID is the same as that in the .pssc file and the same as what you would see when you use <b>Get-PSSessionConfiguration<\/b> and view the <b>GUID<\/b> property. 
It is a text file that contains a hash table that allows you to specify various parts of the remote endpoint.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile1.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>To build a session configuration file, we use the <b>New-PSSessionConfigurationFile<\/b> cmdlet. Looking at the Help file for this cmdlet, you can see that there are a lot of parameters, which cover all aspects of the configuration file.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5165.2.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5165.2.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>You have a number of options for creating the file. You can specify the parameters you want to use and supply the proper arguments, or build a hash table and splat the parameters into the cmdlet. I plan to use splatting to build my file. But before that, I am going to run the cmdlet with only the <b>Path<\/b> parameter, which will create a default configuration file. Then I&rsquo;ll edit it by using the ISE. 
This way I can show you everything that is available to edit.<\/p>\n<p>Creating a blank session configuration file is as simple as running the following command:<\/p>\n<p style=\"margin-left:30px\">New-PSSessionConfigurationFile -Path &quot;ConstainedSession.pssc&quot;<\/p>\n<p>We can then open the file by using the ISE and view the contents of the empty configuration file.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile3.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile3.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile4.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile4.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>As you can see, there is quite a bit of stuff here that you can adjust, based on your requirements. Only a few items are actually enabled by default (such as <b>Language<\/b> and <b>SessionType<\/b>) because of the need for the remote endpoint to work properly.<\/p>\n<p>If you recall from yesterday&rsquo;s post, <b>Language<\/b> is important to determine what you will allow for this remote endpoint. Its current setting of <b>FullLanguage<\/b> is not what I plan to use because it opens everything in the Windows PowerShell language. 
I want to stick with <b>NoLanguage<\/b> to restrict the use of variables and .NET types (to name a couple).<\/p>\n<p>Now that we have that out of the way, I am going to build the configuration file:<\/p>\n<p style=\"margin-left:30px\">New-PSSessionConfigurationFile -Path &#039;PrinterAuditSession.pssc&#039; `<\/p>\n<p style=\"margin-left:30px\">-SessionType RestrictedRemoteServer `<\/p>\n<p style=\"margin-left:30px\">-LanguageMode NoLanguage `<\/p>\n<p style=\"margin-left:30px\">-ModulesToImport PrintManagement, Microsoft.PowerShell.Management `<\/p>\n<p style=\"margin-left:30px\">-VisibleCmdlets Get-Service `<\/p>\n<p style=\"margin-left:30px\">-VisibleFunctions Get-Printer,Get-PrintJob<\/p>\n<p>Let me break down some of this before I create the session:<\/p>\n<p style=\"margin-left:30px\"><b>Path<\/b>&nbsp;&nbsp;Name of the file that will be created from the cmdlet.<\/p>\n<p style=\"margin-left:30px\"><b>SessionType<\/b>&nbsp;&nbsp;Determines what commands will be made available when the session is started. By specifying <b>RestrictedRemoteServer<\/b>, I am allowing only the 7 proxy functions that are required for the remote session to work properly.<\/p>\n<p style=\"margin-left:30px\"><b>LanguageMode<\/b>&nbsp;&nbsp;&nbsp;By defining the language as <b>NoLanguage<\/b>, I ensure that whoever uses this session will not have access to the PowerShell language, which means no variables, no .NET types, and so on.<\/p>\n<p style=\"margin-left:30px\"><b>VisibleCmdlets<\/b>&nbsp;&nbsp;&nbsp;Besides the 7 proxy functions, I want to include a couple of other cmdlets that the user can make use of.<\/p>\n<p style=\"margin-left:30px\"><b>VisibleFunctions<\/b>&nbsp;&nbsp;&nbsp;Depending on the modules that I choose to import, some of the commands may be functions. 
I want to make sure that I allow the functions that whoever connects to this endpoint will require.<\/p>\n<p style=\"margin-left:30px\"><b>ModulesToImport<\/b>&nbsp;&nbsp;&nbsp;By default, no modules are available, nor can the user import modules while in this session. This parameter determines which modules will be imported and made available. Note that only the commands that I list in <b>VisibleCmdlets<\/b> and <b>VisibleFunctions<\/b> will be available in the constrained session.<\/p>\n<p>Next is to actually create the session that will be made available to our users:<\/p>\n<p style=\"margin-left:30px\">Register-PSSessionConfiguration -Name PrinterAudit -Path PrinterAuditSession.pssc -ShowSecurityDescriptorUI<\/p>\n<p>I&rsquo;ll type <b>A<\/b> to allow the services to restart and allow the session to be made available for user consumption.<\/p>\n<p>I am removing the default groups and only allowing the <b>PrinterAuditors<\/b> group to have access to connect to this endpoint. They only need the Execute permission, so this will be enough.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile5.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile5.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Let&rsquo;s let them connect and try it out! 
I will connect with an account that has <b>PrinterAuditors<\/b> rights and see what I have access to do:<\/p>\n<p style=\"margin-left:30px\">Enter-PSSession -ComputerName &#039;boe-pc&#039; -ConfigurationName PrinterAudit<\/p>\n<p>After some exploring, I see that I can check printers and services, but I cannot make any changes while I am connected to the remote endpoint.<\/p>\n<p style=\"margin-left:30px\">[boe-pc]: PS&gt;Get-Command<\/p>\n<p style=\"margin-left:30px\">[boe-pc]: PS&gt;Get-Printer<\/p>\n<p style=\"margin-left:30px\">[boe-pc]: PS&gt;Add-Printer<\/p>\n<p style=\"margin-left:30px\">[boe-pc]: PS&gt;Get-Service Spooler<\/p>\n<p style=\"margin-left:30px\">[boe-pc]: PS&gt;Stop-Service Spooler<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile6.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/ConfigFile6.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>With that, you can see what it takes to configure a constrained remote endpoint by using a <b>pssession<\/b> configuration file.<\/p>\n<p>SH, that is all there is to customizing a constrained remote endpoint by using a configuration file. What happens if we want a user to have access to a command (or commands), but want to further limit what they can do? How about giving a user access to run that command on a system that they do not have access to without giving them the rights to that system? Stay tuned&hellip;<\/p>\n<p>Remote Endpoint Week will continue tomorrow when I will show you how this can be done by creating a proxy function and using delegated administration on the remote endpoint.<\/p>\n<p>I invite you to follow the Scripting Guys on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. 
If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow.<\/p>\n<p><b>Boe Prox, Honorary Scripting Guy<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Boe Prox teaches you how to build a constrained endpoint by using a configuration file. &nbsp;Hey, Scripting Guy!, is there a better way to lock down my remote endpoint by using something other than a startup script? &mdash;SH &nbsp;Hello SH, Honorary Scripting Guy, Boe Prox, here today filling in for my good friend, The [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[162,496,56,497,45],"class_list":["post-1695","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-boe-prox","tag-endpoint","tag-guest-blogger","tag-remote","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Boe Prox teaches you how to build a constrained endpoint by using a configuration file. &nbsp;Hey, Scripting Guy!, is there a better way to lock down my remote endpoint by using something other than a startup script? 
&mdash;SH &nbsp;Hello SH, Honorary Scripting Guy, Boe Prox, here today filling in for my good friend, The [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=1695"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/1695\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=1695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=1695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=1695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}