Authentication

How to ensure the Test-WSMan cmdlet doesn’t give you false positives?

by

I was recently creating some health check tests that would use both the Get-CimInstance and Invoke-Command cmdlets. These use the Windows Remote Management (WinRM) protocol. To make the process more efficient I added a function that first tests that WinRM is enabled and healthy on the remote host using the Test-WSMan cmdlet.

That was working well until I hit a couple of unhealthy machines and received a response from Test-WSMan that provided misleading information. Just by using the basic command line with no other parameters gave me a positive response.

Test-WSMan Sick Machine

Read more

Installing, Configuring, Securing and Using MDT Webservices – Part 2

by

In Part 1 we walked through the installation and configuration of Deployment Webservices. In this part we will focus on securing the Webservice.

There are five (5) main areas that I focus on to lock down the Webservice, and I’ll include two (2) optional areas for consideration:

  1. Use Request Filtering, which is basically what the old URL Scan morphed into from IIS 7 (Windows 2008) and above. Request Filtering gives a tighter level of control over the settings and where they are applied than URL Scan ever did.
  2. Authentication – Disable anonymous authentication. That should be a no-brainer!
  3. Authorization Rules – Only allow specific users access.
  4. Changing the authenticatedUserOverride serverRuntime setting to UseWorkerProcessUser. IIS 7.5 (Windows 2008 R2) and above allows us to configure IIS so that the worker process identity is used for accessing resources, such as the file system, whilst the authenticated user is only used for authorization purposes. This means that you only need to set NTFS permissions for the worker process identity.
  5. Setting NTFS Permissions on the DeploymentWebservice folder for the worker process identity.
  6. Optionally, you can also exclude some of the higher risk AD Functions.
  7. Optionally, you can also SSL enable the site with a certificate.

Read more