**Windows Remote Management & Shell (WinRM & WinRS)**
This lesson covers the following topics:

- WinRM
- Authentication
- Remote Management Tools
- Group Policies

**WinRM**

Windows Remote Management (WinRM) is a remote management protocol that uses the Simple Object Access Protocol (SOAP) to communicate with remote computers and servers. WinRM is installed with current versions of the Windows operating system. However, administrative privileges are required to enable and use WinRM. Enabling WinRM configures the:

- WinRM service *Startup type* to *Automatic (Delayed Start)*.
- LocalAccountTokenFilterPolicy to grant administrative rights remotely to local users.
- WinRM listener to accept WS-Man requests.
- Necessary firewall exceptions.

**Authentication**

Windows Remote Management provides security between computers using authentication and message encryption. Keep in mind the following regarding authentication:

- In a domain, Active Directory provides authentication. You can use Group Policy to configure the settings on the computers within the domain. These policies are stored in the *Remote Management* node of *Computer Configuration* under the WinRM Client and WinRM Service policies.
- To authenticate to a computer that is not in the Active Directory domain, run the **winrm set winrm/config/client @{TrustedHosts="*computername*"}** command to add the name of the remote computer to the TrustedHosts table on the local computer.

**Remote Management Tools**

Windows Remote Shell (WinRS) uses a command line interface to manage a remote computer. Keep in mind the following:

- To connect to the target computer, run **winrs -r:*hostname*** along with the command you want to execute.
  - If the computer resides on the same network segment as the target computer, use the target computer's NetBIOS name.
  - Otherwise, use the target computer's fully qualified domain name (FQDN).
- Options available are:
  - Use the **-U** parameter to specify the username if you need to authenticate to the target computer.
  - Use the **-p** parameter to specify a password. If you do not use **-p** to specify the password, you will be prompted to enter a password after you execute the command.
- If the target computer is in the same domain as the management computer, you can use Group Policy to push down WinRS options. These policies are in the *Remote Shell* node of *Computer Configuration*. You can use Group Policy to configure various settings, such as:
  - Idle timeout
  - The maximum number of concurrent Remote Shells
  - Remote Shell access
- WinRS sets up HTTP listeners on ports 80 or 443. These are allowed by most firewalls.

PsExec is a remote management application that is part of the PsTools component of the Windows Sysinternals Suite from Microsoft. PsExec:

- Is similar to WinRS in that you can execute programs on remote systems.
- Provides full interactivity for console applications, making the applications appear to run locally.
- Does not require client-side software (i.e., software installed on the remote computer).

Windows PowerShell is a command line shell and scripting language designed for system administration and automation, enabling IT professionals and developers to control and automate remote systems. PowerShell:

- Is built on the .NET Framework.
- Automates administrative tasks.
- Provides access to data stores, such as the Registry and the certificate store, in the same way the file system is accessed.
- Uses specialized, built-in PowerShell commands, known as cmdlets.

Cmdlets:

- Allow you to manage a computer from a command line.
- Use a verb and a noun connected by a dash. Examples are **Get-Help**, **Get-Process**, and **Start-Service**.
- Can execute single commands or large scripts.
- Allow stringing together the actions of two or more cmdlets, known as *pipelining* (also called *piping*). Output from the first cmdlet is fed into the second cmdlet, and so on.
- PowerShell provides help for each cmdlet. The syntax is **Get-Help *cmdletname***. To get more detailed information, use the **-Detailed** parameter. For example, use **Get-Help Get-VirtualCOMPort -Detailed** to display detailed help information about the **Get-VirtualCOMPort** cmdlet.

Computer Management is a Microsoft Management Console (MMC) component that includes common snap-ins used to manage local or remote computers. Computer Management:

- Provides a graphical interface.
- Can be accessed by right-clicking the Windows **Start** button and selecting **Computer Management**, or from **Control Panel** by selecting **System and Security** > **Administrative Tools** > **Computer Management**. To manage a remote computer with Computer Management, select **Connect to another computer...** from either the **Action** menu or by right-clicking **Computer Management (Local)**.
- Allows you to browse for the computer you want to manage remotely.
- Allows you to load an MMC console locally from the command line to manage a remote computer. Open an elevated command window and enter the name of the console to load along with the name of the computer to manage. The syntax is ***MMCname*.msc /computer=*hostname***.
- Be aware that you must make sure that the console you use supports remote computer administration; otherwise, the console will load on and manage the local computer.

Microsoft Quick Assist is a built-in feature on newer versions of Windows. Quick Assist:

- Enables remote access and control of a Windows client.
- Requires both the admin's computer and the receiving computer to have a reliable internet connection, and both the giver and the receiver need a valid Microsoft account.
- Can be accessed by typing **Quick Assist** in the search field on the taskbar.
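The following script is an added example and is not part of the lesson. It audits, from PowerShell, the settings the lesson says are configured when WinRM is enabled (service startup type, LocalAccountTokenFilterPolicy, listeners, firewall exceptions) plus two service-side hardening values, and it adds a TrustedHosts entry the same way the lesson's **winrm set** command does. It assumes an elevated Windows PowerShell 5.1 or later session on the management computer with WinRM installed (so the WSMan: drive exists) and the NetSecurity module present (Windows 8 / Server 2012 and later); `srv01.example.test` is a constructed placeholder hostname. One caveat worth knowing: current Windows versions create the default WinRM listeners on TCP 5985 (HTTP) and 5986 (HTTPS), so the audit reports the actual bound port rather than assuming 80 or 443.

```powershell
# Added example, not part of the lesson: audit the WinRM/WinRS settings the
# lesson describes and add a TrustedHosts entry from PowerShell.
# Assumptions: elevated Windows PowerShell 5.1 (or later) session on the
# management computer; WinRM already installed (the WSMan: drive exists);
# NetSecurity module available (Windows 8 / Server 2012 and later).
# 'srv01.example.test' is a constructed placeholder hostname.

function Get-WinRMAuditReport {
    # One object per check, so the output can be piped, filtered or exported.
    $report = New-Object System.Collections.Generic.List[object]
    $svc = Get-Service -Name WinRM

    $report.Add([pscustomobject]@{
        Check    = 'WinRM service'
        Value    = "$($svc.StartType) / $($svc.Status)"
        Expected = 'Automatic (delayed start reports as Automatic) / Running'
    })

    # LocalAccountTokenFilterPolicy = 1 gives local administrators a full token
    # over the network; the lesson notes it is set when WinRM is enabled.
    $sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                            -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    $tokenValue = if ($null -ne $sys) { $sys.LocalAccountTokenFilterPolicy } else { 'not set (defaults to 0)' }
    $report.Add([pscustomobject]@{
        Check    = 'LocalAccountTokenFilterPolicy'
        Value    = $tokenValue
        Expected = '1 only where remote access with local admin accounts is required'
    })

    # Listeners: transport (HTTP/HTTPS), bound address and port.
    foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $prop = @{}
        Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
            ForEach-Object { $prop[$_.Name] = $_.Value }
        $report.Add([pscustomobject]@{
            Check    = "Listener $($listener.Name)"
            Value    = "$($prop['Transport']) on $($prop['Address']) port $($prop['Port'])"
            Expected = 'HTTPS preferred; HTTP only within a trusted domain network'
        })
    }

    # Service-side hardening: no unencrypted payloads, no Basic authentication.
    foreach ($item in 'Service\AllowUnencrypted', 'Service\Auth\Basic') {
        $report.Add([pscustomobject]@{
            Check    = $item
            Value    = (Get-Item -Path "WSMan:\localhost\$item").Value
            Expected = 'false'
        })
    }

    # Client-side TrustedHosts: hosts listed here are reached without Kerberos
    # mutual authentication, so keep the list explicit and short.
    $report.Add([pscustomobject]@{
        Check    = 'Client\TrustedHosts'
        Value    = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
        Expected = 'empty in a domain; explicit names (never *) for workgroup hosts'
    })

    # Firewall exceptions created when WinRM was enabled.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $report.Add([pscustomobject]@{
                Check    = "Firewall rule '$($_.DisplayName)'"
                Value    = "Enabled=$($_.Enabled) Profile=$($_.Profile)"
                Expected = 'Enabled only on the profiles (Domain/Private) that need it'
            })
        }
    return $report
}

function Add-TrustedHost {
    # PowerShell equivalent of the lesson's
    #   winrm set winrm/config/client @{TrustedHosts="computername"}
    # -Concatenate appends to the existing list instead of replacing it.
    param([Parameter(Mandatory)][string]$HostName)
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
    return (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
}

# Usage: pipe the report into Format-Table, as the lesson describes for cmdlets.
Get-WinRMAuditReport | Format-Table -AutoSize -Wrap
Add-TrustedHost -HostName 'srv01.example.test'
# Afterwards, either tool works against the workgroup host:
#   winrs -r:srv01.example.test -u:srv01\localadmin hostname
#   Invoke-Command -ComputerName srv01.example.test -Credential (Get-Credential) -ScriptBlock { hostname }
```

The report deliberately keeps TrustedHosts and the Basic/AllowUnencrypted values side by side: a TrustedHosts entry disables Kerberos mutual authentication for that host, so if Basic authentication or unencrypted transport were also enabled, credentials could cross the network in the clear to a host the client never verified.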
**Group Policies**

Use group policies in the following locations to configure security for both WinRM and WinRS:

- Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management
- Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Shell

Remote Desktop lets users access a remote computer and use it as if they were physically sitting at that remote computer. This lesson covers the following topics:

- Remote Desktop
- Troubleshooting Remote Desktop

**Remote Desktop**

Remote Desktop is useful to technical support staff, allowing them to configure, manage, and troubleshoot client desktops remotely. It can also be used by mobile workers to access and use corporate network resources. With Remote Desktop, the remote host, called the server, is left running and ready to accept a connection. The client then establishes the connection and logs on.

**Enabling Remote Desktop**

Remote Desktop can be enabled or disabled using the Settings app or Control Panel.

- From the Settings app:
  1. Go to System > Remote Desktop and then use the slider to set the desired setting.
  2. (Optional) Select Advanced settings and select **Require computers to use Network Level Authentication to connect**. This is the most secure method for Remote Desktop connections.
- From Control Panel:
  1. Select **System and Security**.
  2. Select **Allow remote connections to this computer**.
  3. Click **Apply** and **OK**.
  4. (Optional) Select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. This is the most secure method for Remote Desktop connections.

**Managing Remote Desktop users**

The following are required to establish a Remote Desktop session:

- By default, members of the Administrators group can connect to a computer remotely. To allow other users to access the system using a Remote Desktop session, make those user accounts members of the Remote Desktop Users group. To do this, open the Settings app and go to the Remote Desktop page. Then, click **Select users that can remotely access this PC**.
- The user's account must be configured with a password. User accounts with blank passwords cannot be used to gain remote access.
- If a user is logged on to the host computer or if the computer is locked, the remote client must log on using the current user account or an account with administrative privileges. The logged-on user will be logged off.

**Accessing remote computers**

Remote Desktop Connection provides a graphical user interface for establishing a remote session. On Windows 10, this is a default app and can be accessed by typing **Remote Desktop Connection** in the taskbar search box.

**Using Remote Desktop**

Keep in mind the following regarding Remote Desktop:

- To copy files from the local hard drive to the remote machine's hard drive:
  1. Open the Remote Desktop Connection app and expand **Show Options**.
  2. Select the Local Resources tab.
  3. Under Local devices and resources, click **More**.
  4. Expand and select **Drives** > **Local Disk (C:)**, or the drives that contain the files you will transfer.
  5. Click **OK**.
- A Remote Desktop Connection file can be created to store Remote Desktop settings for a remote computer that is accessed frequently.
- To improve the load time of commonly used graphics, enable **Persistent bitmap caching** on the Experience tab of the Remote Desktop Connection options (see the steps above). This caches graphics locally. Leave the remaining settings on the Experience tab, such as Menu and window animation, unchecked. This improves performance by not displaying graphics-intensive operations that the host system may be using. Clear the **Desktop Background** option to prevent the desktop background of the remote computer from displaying on the local computer.
- A print job can be sent from the remote desktop system to a printer connected to that system. A print job can also be sent from the remote computer system to a printer connected to the local computer system. Location Aware Printing does not work through Remote Desktop connections, as the mobile device must be physically connected to that network to be able to automatically configure the printer as the default.

**Troubleshooting Remote Desktop**

When using Remote Desktop, the following problems may be encountered:

**Cannot connect**

If a user cannot connect to the remote computer, check the following:

- The computer may not have enough memory. If this is a problem, close other programs and then try to connect again.
- There might be a network failure. If the user is trying to connect from home, make sure the router is turned on and has a valid network connection.
- The connection to the computer:
  - Make sure the computer name is correct.
  - If the computer name does not work, try connecting using the remote device's IP address.
  - Verify that any required VPN connection is active.
- A firewall, either on the remote computer or a network firewall in the path, might be blocking the Remote Desktop port.
- Remote connections might not be enabled on the remote computer.
- The remote computer might be too busy to accept any more connections. Wait for a while and then try again.

**Cannot log on**

If the user cannot log on to the remote computer, make sure the user account is a member of the Remote Desktop Users group and that the user account has a password. Ensure that you are using the full name, such as.

**Cannot copy text**

If the user cannot copy text from the remote computer to the local computer, redirect the clipboard.

**Screen goes blank**

If a password-protected screen saver is in use, it might cause the screen to go blank when the user minimizes the Remote Desktop Connection dialog box. Fix this by removing the password-protected option on the screen saver.

**Blank screen saver**

When the screen saver on the Remote Desktop comes on, the screen is blank by default.
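The following script is an added example, not part of the lesson. It turns the Remote Desktop prerequisites and the "Cannot connect" / "Cannot log on" checklist above into checks that can be run on the host and on the client: whether Remote Desktop is enabled, whether Network Level Authentication is required, which port is listening, whether the firewall rules are on, who is in the Remote Desktop Users group, and, from the client, whether the name resolves and the RDP port is reachable. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10 / Server 2016 or later (for Get-LocalGroupMember, Test-NetConnection and the NetSecurity module) and uses the documented Terminal Server registry values; `pc01.example.test` and `jdoe` are constructed placeholders.

```powershell
# Added example, not part of the lesson: check (and, if needed, set) the
# Remote Desktop host conditions the lesson lists, and run the client-side
# "Cannot connect" checks against a target.
# Assumptions: elevated Windows PowerShell 5.1+ on Windows 10 / Server 2016
# or later; 'pc01.example.test' and 'jdoe' are constructed placeholders.

$TerminalServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp         = "$TerminalServer\WinStations\RDP-Tcp"

function Get-RemoteDesktopHostState {
    # Host side: is RDP allowed, is NLA required, which port, is the firewall open,
    # and who is in Remote Desktop Users (Administrators can always connect).
    $deny  = (Get-ItemProperty -Path $TerminalServer -Name fDenyTSConnections).fDenyTSConnections
    $nla   = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication
    $port  = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NLARequired          = ($nla -eq 1)   # the "Network Level Authentication" option
        ListeningPort        = $port          # 3389 unless deliberately changed
        FirewallRulesEnabled = $rules.Count
        RemoteDesktopUsers   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                                 Select-Object -ExpandProperty Name)
    }
}

function Enable-RemoteDesktopWithNLA {
    # Same effect as the Settings / Control Panel steps, with NLA required.
    Set-ItemProperty -Path $TerminalServer -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RemoteDesktopHostState
}

function Grant-RemoteDesktopAccess {
    # Equivalent of "Select users that can remotely access this PC".
    param([Parameter(Mandatory)][string]$User)
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $User -ErrorAction Stop
    (Get-RemoteDesktopHostState).RemoteDesktopUsers
}

function Test-RemoteDesktopClient {
    # Client side, following the lesson's "Cannot connect" list: does the name
    # resolve, and is the RDP port reachable? A resolving name with an unreachable
    # port points at a firewall or at Remote Desktop being disabled on the host.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 3389)
    $ip   = $null
    $isIp = [System.Net.IPAddress]::TryParse($ComputerName, [ref]$ip)
    $dns  = if ($isIp) { @() } else { @(Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue) }
    $tcp  = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    $hint = if (-not $isIp -and $dns.Count -eq 0) {
                'Name does not resolve: check spelling, try the IP address, verify the VPN'
            } elseif (-not $tcp.TcpTestSucceeded) {
                'Name resolves but the port is closed: firewall, Remote Desktop disabled, or host busy'
            } else { 'Port reachable; if logon fails, check group membership and password' }
    [pscustomobject]@{
        ComputerName  = $ComputerName
        ResolvedTo    = if ($isIp) { $ComputerName } else { ($dns | Select-Object -First 1).IPAddress }
        PortReachable = [bool]$tcp.TcpTestSucceeded
        Hint          = $hint
    }
}

# Usage:
Get-RemoteDesktopHostState
Test-RemoteDesktopClient -ComputerName 'pc01.example.test'
# Grant-RemoteDesktopAccess -User 'jdoe'
```

Get-RemoteDesktopHostState is the one to keep in a baseline: NLARequired should be true everywhere, and RemoteDesktopUsers should contain only the accounts that genuinely need interactive access, since every name there (plus every administrator) is a password-based remote logon path on that host.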
This is not a problem.

**Enable Remote Assistance**

Remote Assistance allows a person who has computer problems to request help from another user, such as a help desk technician or workstation support professional. The person offering assistance can view the desktop of the requester. With the requester's permission, the person assisting can also take control of the remote computer and perform actions on it, such as opening files and running programs. The user sends an invitation requesting help.

To enable Remote Assistance:

1. Open the **Settings** app and type **remote assistance** in its search box. Then select **Allow Remote Assistance invitations to be sent from this computer**. The System Properties dialog opens to the *Remote* tab.
2. Under *Remote Assistance*, select **Allow Remote Assistance connections to this computer**.
3. (Optional) Click **Advanced** and then configure the amount of time an invitation can remain open. Times can be configured in hours, minutes, or days.

**Initiate Remote Assistance**

To initiate a Remote Assistance session:

1. In the Windows search box located on the taskbar, type **remote assistance** and then select **Invite someone to connect to your PC and help you, or offer to help**, found under *Best match*.
2. Select **Invite someone you trust to help you**.
3. Select an invitation type. The requester has three options:
   - **Save this invitation as a file.** When this option is selected:
     1. The invitation file is created.
     2. The Windows Remote Assistance program is opened, and a password for the session is shown.
     3. Right-click the password and select Copy password.
     4. The Windows Remote Assistance window is left open, and the invitation file and password must be manually attached to an email message and sent to the person who is assisting.
   - **Use email to send the invitation.** When this option is selected, the user's default email program is launched, and the invitation is automatically attached to a new message.
   - **Use Easy Connect.** This option allows an invitation to be delivered directly to the person assisting through a network connection. However, this option requires that both the requester and the helper have access to Microsoft's global peer-to-peer network. Many (if not most) organizational firewalls block access to this network by default. If this is the case, use one of the above options instead.
4. Send the invitation and password to the person providing help using one of the methods described above.
5. Once received, the invitation file is run by the support person and the password is entered. The computer's desktop is displayed on the helper's screen in the Windows Remote Assistance program.
6. (Optional) In some cases, the helper needs to control the computer's mouse and keyboard. From the menu bar of the Windows Remote Assistance program, select **Request control**. A dialog is shown on your computer asking for permission to grant control to the helper. Click **Yes** if you approve.

**Additional Information**

When working with Remote Assistance, consider the following additional information:

- Remote Assistance uses Remote Desktop Protocol (RDP) to access the remote target computer.
- Remote Assistance must be enabled on the target computer. (See the instructions above.)
- The firewalls on both computers must be configured to allow Remote Assistance connections. This is done by opening TCP port 3389 (the default).
- By default, the requester must initiate the invitation. However, in a corporate environment, Active Directory can be configured to allow the expert to initiate a Remote Assistance connection.
- Invitations require a password and have an expiration date. Expired invitations cannot be used.
- With permission, the helper can take control of the user's computer. The user can regain control of the computer at any time by pressing the **Esc** key or selecting **Stop sharing**. To use the Esc key to stop sharing control, you must configure that option in the Settings found in the menu bar.
- The helper cannot copy files from a user's computer. The user must explicitly send any files the helper may need.

Microsoft Intune's Remote Help is a feature that allows IT administrators to provide remote assistance to users on devices that are managed by the Intune app. This lesson covers the following topics:

- Remote Help benefits
- Implement Remote Help
- Role-based access control (RBAC)

**Remote Help Benefits**

Remote Help in Intune provides a secure, centralized, and scalable solution for managing devices. It offers granular access control, detailed reporting and monitoring, and integration with other Intune features to provide a comprehensive device management solution for IT administrators.

**Implement Remote Help**

To implement Remote Help, an IT administrator first needs to enable the feature in the Intune console. Once enabled, the administrator can initiate a Remote Help session with a user by sending a request to the device. The user must then accept the request to allow the administrator to remotely access their device.

During the Remote Help session, the administrator can perform tasks such as configuring settings, installing applications, and resolving issues. The user can also observe what the administrator is doing and can terminate the session at any time.

Remote Help was designed for IT administrators who manage devices in an enterprise environment. It allows them to resolve issues more effectively without needing to physically access the user's device. This feature is especially useful in remote work scenarios where IT administrators and users are not co-located.
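The following script is an added example for the Remote Assistance section above and is not part of the lesson. It reads and sets the options the lesson walks through in the System Properties dialog (invitations allowed, whether the helper may take control, invitation lifetime), confirms the firewall exception, and creates a "Save this invitation as a file" invitation from the command line with msra.exe. It assumes an elevated Windows PowerShell 5.1 or later session, that the registry values under `HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance` (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits) are the ones that dialog writes, and that the NetSecurity module is present; the file path and password are constructed placeholders.

```powershell
# Added example, not part of the lesson: read and set the Remote Assistance
# options the lesson covers, confirm the firewall exception, and create an
# invitation file with msra.exe.
# Assumptions: elevated Windows PowerShell 5.1+; the registry values below are
# the ones written by System Properties > Remote; 'C:\Temp\help-me.msrcIncident'
# and the password are constructed placeholders.

$RemoteAssistanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

function Get-RemoteAssistanceState {
    $ra    = Get-ItemProperty -Path $RemoteAssistanceKey
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Assistance' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        InvitationsAllowed   = ($ra.fAllowToGetHelp -eq 1)    # "Allow Remote Assistance connections to this computer"
        FullControlAllowed   = ($ra.fAllowFullControl -eq 1)  # helper may take control when the user agrees
        MaxTicketExpiry      = $ra.MaxTicketExpiry            # number entered in the Advanced dialog
        MaxTicketExpiryUnits = $ra.MaxTicketExpiryUnits       # unit index as stored by that dialog
        FirewallRulesEnabled = $rules.Count
    }
}

function Set-RemoteAssistanceState {
    # Least privilege by default: invitations on, full control off until a
    # specific session needs it.
    param([bool]$AllowInvitations = $true, [bool]$AllowFullControl = $false)
    Set-ItemProperty -Path $RemoteAssistanceKey -Name fAllowToGetHelp   -Value ([int]$AllowInvitations)
    Set-ItemProperty -Path $RemoteAssistanceKey -Name fAllowFullControl -Value ([int]$AllowFullControl)
    if ($AllowInvitations) { Enable-NetFirewallRule  -DisplayGroup 'Remote Assistance' }
    else                   { Disable-NetFirewallRule -DisplayGroup 'Remote Assistance' }
    Get-RemoteAssistanceState
}

function New-RemoteAssistanceInvitation {
    # "Save this invitation as a file" from the command line. msra.exe writes the
    # .msrcIncident file and then stays open waiting for the helper; the password
    # must be sent to the helper separately from the file, as the lesson says.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Password)
    if ($Password.Length -lt 6) { throw 'Remote Assistance passwords must be at least 6 characters.' }
    if (-not (Get-RemoteAssistanceState).InvitationsAllowed) { throw 'Remote Assistance is not enabled on this computer.' }
    Start-Process -FilePath 'msra.exe' -ArgumentList "/saveasfile `"$Path`" $Password"
    # msra.exe does not exit after writing the file, so poll for it briefly.
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path -Path $Path) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 500 }
    if (-not (Test-Path -Path $Path)) { throw "Invitation file was not created at $Path" }
    Get-Item -Path $Path
}

# Usage:
Get-RemoteAssistanceState
Set-RemoteAssistanceState -AllowInvitations $true -AllowFullControl $false
New-RemoteAssistanceInvitation -Path 'C:\Temp\help-me.msrcIncident' -Password 'Ch4ngeMe!'
# Expert-initiated form (requires the Offer Remote Assistance Group Policy the
# lesson refers to under Active Directory):  msra.exe /offerRA pc01.example.test
```

Two practical notes: the session password handed to msra.exe /saveasfile is visible in the process command line for as long as the window stays open, so treat it as the short-lived secret it is and let the invitation expire; and keeping fAllowFullControl at 0 means a helper can view but not drive the desktop, which is the right default for a help desk that only occasionally needs control.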
**Role-Based Access Control (RBAC)**

The most distinguishing feature of Remote Help is its use of role-based access control, which provides an additional layer of security by ensuring that only authorized users can initiate Remote Help sessions. This helps to protect devices and sensitive information from unauthorized access. RBAC also allows administrators to assign roles and permissions to different users or groups depending on their job responsibilities and the tasks they need to perform in the Intune console. For example, an administrator can create a custom role for help desk support staff that includes permission to initiate sessions, but not other administrative tasks.

When a computer system is experiencing issues, there are several troubleshooting tools available to help you solve whatever is occurring. Before trying to fix any issue, be sure to gather as much information as you can about it. You can combine that information with your knowledge and past troubleshooting experience to reduce the troubleshooting time and correctly diagnose the issue. This lesson covers the following topics:

- Windows Memory Diagnostics tool
- Windows diagnostics
- Startup Repair
- Device and application monitoring

**Windows Memory Diagnostics Tool**

Memory issues are some of the most common types of hardware problems. Problems with memory can cause a variety of errors, the most annoying of which include Windows not starting or crashing. Since these types of errors can be difficult to detect, Microsoft provides the Windows Memory Diagnostics tool. When run, this tool tests the computer's memory and, if possible, marks bad areas so Windows can block those portions of memory. If there are too many errors, it's best to replace the bad memory. Even if Windows Memory Diagnostics indicates that there are no problems, you may still have faulty memory. No tool is perfect. You may need to delve deeper into your system.

**Windows Memory Diagnostics**

Windows Memory Diagnostics includes three testing levels: Basic, Standard, and Extended.

- The Basic test includes three memory checks.
- The Standard test includes all the Basic tests, plus five additional tests.
- The Extended test includes all the Standard tests, plus nine more tests.

**Windows Diagnostics**

To keep the system running smoothly, Windows includes the ability to automatically fix certain critical problems. When possible, Windows will also recommend non-critical fixes that can be automatically implemented after prompting for approval.

**Startup Repair**

You can use Startup Repair to automatically fix common startup problems. When initiated, Startup Repair scans the computer, analyzes all the startup files, and tries to determine the source of the problem. If it determines the cause of the failure, it will try to fix the problem automatically so the computer system can start correctly. If, for some reason, Startup Repair can't fix the system, you will be notified. If the Windows system detects a startup failure during the boot process, it will automatically load the Startup Repair tool.

**Intune**

Intune is a mobile device management (MDM) solution that ensures users and devices comply with security requirements. This empowers users to be productive wherever and whenever they want. It also helps to protect the organization's valuable data, assets, and intellectual property. Intune's compliance and conditional access policies define specific rules and settings that users and devices must meet to be granted access. Users and devices can be blocked if they don't meet the prescribed requirements. If users do meet the criteria, they can be given access to email, apps, and corporate resources.

Using Intune, an organization can:

- Specify compliance rules and settings for users and devices.
- Indicate what actions will be taken when a device is not compliant.
- Align with conditional access policies to block access for users or devices that are not compliant.

**Compliance Policies**

Compliance policy settings are applied to every device. They set the standard for how Intune interacts with your devices. Compliance policy settings can be managed through the settings under *Endpoint security*. Compliance policy settings include:

- *Mark devices with no compliance policy assigned as*: This setting applies to devices that have not been assigned a compliance policy. There are two settings:
  - If enabled, devices that aren't sent a compliance policy are considered not compliant.
  - If disabled, devices that aren't sent a compliance policy are considered compliant.
- *Enhanced jailbreak detection*: This setting applies to devices that have been jailbroken. Enhanced jailbreak detection has two settings:
  - If enabled, enhanced jailbreak detection is used to block jailbroken devices.
  - If disabled, jailbroken devices are not blocked.
- *Compliance status validity period (days)*: This setting determines how often devices need to report on their compliance policies. If a device does not report within this time period, the device is considered not compliant.

**Device Compliance Policies**

Device compliance policies:

- Deploy compliance policies to all of a user's devices or to a single device.
- Set rules and settings that determine whether a user or device is compliant.
- Identify actions to be taken when a device is not compliant.

Non-compliant devices could result in the following:

- A remotely locked device.
- An email regarding the noncompliance.
- Deletion of all company data from the device.

**Conditional Access Policies**

Intune device policies can be implemented with or without conditional access. Conditional access looks at device compliance based on rules and incoming signals to make a policy decision to allow or block device access. When devices don't comply with policy rules, they are denied access to company resources. Here are a few of the signals that are considered by Intune:

- Device encryption
- Jailbroken or rooted devices
- OS version (minimum and maximum)
- Windows Device Health Attestation
- PIN or password configuration
- Location
- Protocol
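The following script is an added example for the Windows Memory Diagnostics and troubleshooting material above, and is not part of the lesson. It shows how to launch the tool and, more usefully for the "gather as much information as you can" step, how to read its verdict back from the event log after the reboot and place it next to recent crash records and the installed memory modules. It assumes an elevated Windows PowerShell 5.1 or later session, that mdsched.exe is the built-in launcher for Windows Memory Diagnostics, and that results are logged to the System log by the provider Microsoft-Windows-MemoryDiagnostics-Results and bug checks by Microsoft-Windows-WER-SystemErrorReporting with event ID 1001.

```powershell
# Added example, not part of the lesson: schedule Windows Memory Diagnostics
# and read its verdict back after the reboot, alongside recent crash records
# and the physical modules installed.
# Assumptions: elevated Windows PowerShell 5.1+; provider and event ID names
# as stated in the lead-in.

function Get-MemoryDiagnosticsResult {
    # Most recent verdicts from the tool; an empty result means it has not run
    # (or the System log has rolled over since).
    param([int]$Newest = 5)
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
        } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Verdict = ($_.Message -split "`r?`n")[0]   # first line carries the summary
            }
        }
}

function Get-RecentBugChecks {
    # Bug-check (blue screen) records: repeated crashes are the symptom the
    # lesson associates with faulty memory.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
            Id           = 1001
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-InstalledMemorySummary {
    # Physical modules, so a failing bank can be matched to a slot before replacement.
    Get-CimInstance -ClassName Win32_PhysicalMemory |
        Select-Object DeviceLocator, Manufacturer, PartNumber, Speed,
                      @{ Name = 'CapacityGB'; Expression = { [math]::Round($_.Capacity / 1GB, 1) } }
}

function Start-MemoryDiagnostics {
    # Opens the "Restart now and check for problems" prompt; the test itself
    # runs before Windows loads, at the Standard level unless changed with F1.
    Start-Process -FilePath 'mdsched.exe'
}

# Usage:
Get-InstalledMemorySummary | Format-Table -AutoSize
Get-RecentBugChecks       | Format-Table -AutoSize -Wrap
Get-MemoryDiagnosticsResult | Format-Table -AutoSize -Wrap
# Start-MemoryDiagnostics   # then re-run Get-MemoryDiagnosticsResult after the reboot
```

As the lesson warns, a clean verdict from the tool does not prove the memory is good; a clean verdict combined with recurring bug checks in Get-RecentBugChecks is the signal to run the Extended test or swap modules one at a time.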