Prof. Powershell

Do You Trust Me?

Configuring a Trusted Host can come to the rescue in some remoting situations, and it's PowerShell friendly.

When setting up remoting in PowerShell 2.0, you usually have very little to do if you are running in a domain. You can run the Enable-PSRemoting cmdlet on each machine, or use Group Policy to configure remoting and the WSMAN service. However, there may be situations where you want a secure remote session between non-domain members. In those situations you will most likely need to configure a TrustedHost.

You configure the Trusted Host on the receiving computer. So if I want to connect to Server01 from WG-Win7-01, I need to add WG-Win7-01 as a trusted computer on Server01. If Server01 is in a domain I can use Group Policy. Create or modify a GPO and navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client and add the trusted computers. Follow the instructions for adding multiple computers.

After the GPO is applied, you should be able to make a secure connection. When you use TrustedHosts, Windows assumes that you know what you are doing. There is no computer authentication like there is in a domain setting. You are vouching for the security of the host.

You can also use Windows PowerShell to add a computer to the trusted hosts list. You'll need to configure a setting using the WSMan Provider. On Server01 I would need to open a PowerShell window as administrator and run this command:

PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value WG-Win7-01

To verify I can use Get-Item to retrieve the setting:

PS C:\> get-item WSMan:\localhost\Client\TrustedHosts

If you want to specify multiple computers, you'll need to use a comma-separated string or wildcards:

PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value "chi-clt-07,Lab02,Test01"

If you need to add computer names in the future, know that Set-Item doesn't have a way to append values. Any value you specify will overwrite the existing values:

PS C:\> $current=(get-item WSMan:\localhost\Client\TrustedHosts).value
PS C:\> $current+=",testdsk23,alpha123"
PS C:\> set-item WSMan:\localhost\Client\TrustedHosts -value $current

In the first line I save the current trusted hosts to a variable, $current. In the second line I append a comma-separated list. Don't forget to start with a comma. Finally, the last line sets the TrustedHosts value to the new value in $current. You can see why using a Group Policy is a much better approach.
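As an added example (not code from the original column), here is a function that wraps the read-append-set steps above and handles the two places the manual version trips up: an empty list (so no leading comma is produced) and names that are already present (so repeated runs don't grow the list). A second function lists the current entries and flags any wildcard entry, since a "*" entry trusts every host. The function names, parameter names and sample computer names are this example's own assumptions; run it in an elevated PowerShell window on the machine whose TrustedHosts list you are managing.

```powershell
# Added example, not part of the original column.
# Append names to WSMan:\localhost\Client\TrustedHosts without overwriting
# existing entries, then review the result. Function/parameter names are
# this example's own; sample computer names are constructed.

function Add-TrustedHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )

    $path = 'WSMan:\localhost\Client\TrustedHosts'

    # Read the current value and split it into entries. When the list is
    # empty we must not emit a leading comma, which "$current+=',x'" would.
    $currentValue = (Get-Item -Path $path).Value
    $existing = @()
    if (-not [string]::IsNullOrWhiteSpace($currentValue)) {
        $existing = @($currentValue -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ })
    }

    # Merge in order, skipping blanks and duplicates (-notcontains is
    # case-insensitive, so 'Lab02' and 'lab02' count as the same host).
    $merged = New-Object System.Collections.Generic.List[string]
    foreach ($name in ($existing + $ComputerName)) {
        $name = $name.Trim()
        if ($name -and ($merged -notcontains $name)) { $merged.Add($name) }
    }

    $newValue = $merged -join ','
    if ($newValue -eq $currentValue) {
        Write-Verbose 'TrustedHosts already contains the requested names; nothing to do.'
        return
    }

    if ($PSCmdlet.ShouldProcess($path, "Set TrustedHosts to '$newValue'")) {
        # -Force suppresses the WSMan provider's own confirmation prompt.
        Set-Item -Path $path -Value $newValue -Force
    }
}

function Test-TrustedHostList {
    # Emit one object per entry. A wildcard entry (for example '*') means
    # the client will trust any host it connects to, so it is flagged.
    $entries = @((Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
    foreach ($entry in $entries) {
        [pscustomobject]@{
            Entry    = $entry
            Wildcard = $entry.Contains('*')
        }
    }
}

# Usage (constructed names):
# Add-TrustedHost -ComputerName 'testdsk23','alpha123' -WhatIf   # preview
# Add-TrustedHost -ComputerName 'testdsk23','alpha123' -Verbose
# Test-TrustedHostList
```

Run the -WhatIf form first to see the exact value that would be written. If the TrustedHosts value is being delivered by the Group Policy described above, the policy wins and the provider write will fail, which is one more reason to manage the list in one place.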

Actually, using Trusted Hosts should be the exception rather than the rule. You'll have much better security and fewer headaches if you stick to remoting in a domain configuration.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.
