Manage machines using PowerShell in untrusted domains

Q. How can I manage remote machines that are not part of a trusted domain using PowerShell?

A. Typically you manage machines that are part of your domain or of a trusted domain, which means Kerberos can be used for authentication and provides mutual authentication (the target server really is who it says it is). When connecting to machines outside that trust boundary (including workgroup machines), there are two options:

  • Add the machines to the TrustedHosts list (which means they are trusted so much we don't care about mutual authentication)
  • Use SSL to the target (which will use the SSL certificate to confirm the identity of the target)

Care should be taken with TrustedHosts not to enable it for everything (a value of *), since that tells the client to skip mutual authentication for every system and defeats the purpose of the check, which is to protect your machine from connecting to an impersonator. Also restrict TrustedHosts to the smallest possible set of machines. TrustedHosts must be maintained on every machine that initiates PowerShell remoting, in contrast to SSL, where the configuration is performed once on the target system and can then be leveraged from any source system.
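As an added example (not part of the original article), the following PowerShell audits the client's TrustedHosts list for wildcards, adds only a single named host when TrustedHosts is unavoidable, and shows the preferred alternative of an HTTPS listener on the target. The host name wg-server01.example.com and the certificate thumbprint are assumptions/placeholders.

```powershell
# Added example. Assumed target name 'wg-server01.example.com';
# '<CERT-THUMBPRINT>' is a placeholder for a real server certificate.

# --- On the initiating (client) machine ---
# 1. Audit TrustedHosts: any entry containing '*' disables mutual
#    authentication for a whole range of targets, not just one host.
$trusted = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$wild = ($trusted -split ',') | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_.Contains('*') }
if ($wild) {
    Write-Warning "Wildcard TrustedHosts entries found: $($wild -join ', ')"
}

# 2. If TrustedHosts must be used, add only the specific host.
#    -Concatenate keeps existing entries instead of overwriting them.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts `
    -Value 'wg-server01.example.com' -Concatenate -Force

# 3. Kerberos is unavailable outside the trust boundary, so explicit
#    credentials for an account on the target are required.
$cred = Get-Credential -Message 'Account on wg-server01'
Invoke-Command -ComputerName 'wg-server01.example.com' -Credential $cred `
    -ScriptBlock { hostname }

# --- On the target machine (preferred: SSL, no TrustedHosts entry needed) ---
# 4. Bind an HTTPS listener to a certificate whose subject matches the
#    name clients will connect to; the client must trust the issuing CA.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint '<CERT-THUMBPRINT>' -Force
New-NetFirewallRule -DisplayName 'WinRM over HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# --- Back on the client: the certificate now authenticates the target ---
Invoke-Command -ComputerName 'wg-server01.example.com' -UseSSL `
    -Credential $cred -ScriptBlock { hostname }
```

With the HTTPS listener in place, the TrustedHosts entry added in step 2 can be removed again, since the certificate check replaces it.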
