MCPMag.com


Prof. PowerShell

Do You Trust Me?

Configuring a Trusted Host can come to the rescue in some remoting situations, and it's PowerShell friendly.

When setting up remoting in PowerShell 2.0, you usually have very little to do if you are running in a domain. You can run the Enable-PSRemoting cmdlet on each machine, or use Group Policy to configure remoting and the WSMAN service. However, there may be situations where you want a secure remote session between non-domain members. In those situations you will most likely need to configure a TrustedHost.

You configure the Trusted Host on the receiving computer. So if I want to connect to Server01 from WG-Win7-01, I need to add WG-Win7-01 as a trusted computer on Server01. If Server01 is in a domain I can use Group Policy. Create or modify a GPO and navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client and add the trusted computers. Follow the instructions for adding multiple computers.

After the GPO is applied, you should be able to make a secure connection. When you use TrustedHosts, Windows assumes that you know what you are doing. There is no computer authentication like there is in a domain setting. You are vouching for the security of the host.

You can also use Windows PowerShell to add a computer to the trusted hosts list. You'll need to configure a setting using the WSMan Provider. On Server01 I would need to open a PowerShell window as administrator and run this command:

PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value WG-Win7-01

To verify I can use Get-Item to retrieve the setting:

PS C:\> get-item WSMan:\localhost\Client\TrustedHosts

If you want to specify multiple computers, you'll need to use a comma-separated string or wildcards:

PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value "chi-clt-07,Lab02,Test01"

If you need to add computer names in the future, know that Set-Item doesn't have a way to append values. Any value you specify will overwrite the existing values:

PS C:\> $current=(get-item WSMan:\localhost\Client\TrustedHosts).value
PS C:\> $current+=",testdsk23,alpha123"
PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value $current

In the first line I save the current trusted hosts to a variable, $current. In the second line I append a comma-separated list. Don't forget to start with a comma. Finally, the last line resets the TrustedHosts value with the new value in $current. You can see why using a Group Policy is a much better approach.
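The three-line append above is easy to get wrong: if the list starts out empty, the leading comma produces a value beginning with ",", and nothing stops you from adding a name twice or from silently keeping a "*" entry that trusts every host. The function below is an added example, not code from the column; it wraps the same Get-Item/Set-Item calls used above, de-duplicates names, warns about "*", and supports -WhatIf so you can preview the write. The function name Add-TrustedHost is my own choice; it must run in an elevated session on the machine whose list you are editing.

```powershell
# Added example (not from the column): append names to the WSMan TrustedHosts
# list without clobbering what is already there and without the leading-comma
# problem of $current += ",name" when the list is empty. Run elevated.
function Add-TrustedHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]]$ComputerName,
        # Same provider path the column uses.
        [string]$Path = 'WSMan:\localhost\Client\TrustedHosts'
    )

    # The current value is one comma-separated string; it may be empty.
    $raw = (Get-Item -Path $Path).Value
    $existing = @()
    if (-not [string]::IsNullOrWhiteSpace($raw)) {
        $existing = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # A bare '*' accepts every remote name. TrustedHosts provides no computer
    # authentication, so make that visible before adding anything else.
    if ($existing -contains '*' -or $ComputerName -contains '*') {
        Write-Warning "TrustedHosts contains '*': every remote host name is accepted."
    }

    # Merge, trimming and de-duplicating (host names are not case sensitive,
    # and -contains compares case-insensitively by default).
    $merged = New-Object System.Collections.Generic.List[string]
    foreach ($name in ($existing + $ComputerName)) {
        $name = $name.Trim()
        if ($name -and -not ($merged -contains $name)) { $merged.Add($name) }
    }
    $newValue = $merged -join ','

    if ($newValue -eq $raw) {
        Write-Verbose 'No change: every name is already present.'
        return $raw
    }
    # -Force suppresses the WSMan provider's own confirmation prompt; -WhatIf
    # still short-circuits here, so the value is returned but not written.
    if ($PSCmdlet.ShouldProcess($Path, "Set TrustedHosts to '$newValue'")) {
        Set-Item -Path $Path -Value $newValue -Force
    }
    return $newValue
}

# Preview first, then apply (names are the column's constructed examples).
Add-TrustedHost -ComputerName 'testdsk23', 'alpha123' -WhatIf
Add-TrustedHost -ComputerName 'testdsk23', 'alpha123' -Verbose
```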

Actually, using Trusted Hosts should be the exception rather than the rule. You'll have much better security and fewer headaches if you stick to remoting in a domain configuration.

About the Author

Jeffery Hicks is a Microsoft MVP in Windows PowerShell, Microsoft Certified Trainer and an IT veteran with over 20 years of experience, much of it spent as an IT consultant specializing in Microsoft server technologies with an emphasis on automation and efficiency. He works today as an independent author, trainer and consultant. Jeff writes the popular Prof. PowerShell column for MCPMag.com and is a regular contributor to the Petri IT Knowledgebase and 4SysOps. If he isn't writing, then he's most likely recording training videos for companies like TrainSignal or hanging out in the forums at PowerShell.org. Jeff's latest books are Learn PowerShell 3 in a Month of Lunches, Learn PowerShell Toolmaking in a Month of Lunches and PowerShell in Depth: An Administrator's Guide. You can keep up with Jeff at his blog http://jdhitsolutions.com/blog, on Twitter at twitter.com/jeffhicks and on Google Plus (http:/gplus.to/JeffHicks).


Reader Comments:

Thu, Jun 14, 2012 John Kirk

"You configure the Trusted Host on the receiving computer." Actually, it's the other way around. E.g. if I want to run WinRS on my PC to connect to a server (outside my domain) then my PC has to list that server as a Trusted Host. The TrustedHosts list on the server can be completely empty. It would make more sense to be the way you said, but that's not the way Microsoft have implemented it.
