How to Lock Down a Remote PowerShell with a Constrained Endpoint

How can I use constrained endpoints to lock down remote PowerShell access?

When considering whether to allow PowerShell to run on servers, security has been a concern for some system administrators. Despite its powerful and wide-reaching feature set, PowerShell was designed with security in mind, and remoting is one of the safer ways to manage Windows Server: every session is authenticated, and the commands in it run with the permissions of the user who connected. In this article I'm going to show you how to configure a constrained endpoint on Windows Server 2012 so that users can only perform a limited set of tasks when they connect to PowerShell remotely.

PowerShell remoting is enabled in Windows Server 2012 out of the box, and by default only users with local administrator privileges can connect to the default endpoint. An endpoint (also called a session configuration) is a set of configuration parameters that determines who may connect over the network and what is available to them once connected. Luckily, it is possible to create your own custom endpoints: for instance, one that allows helpdesk users to connect remotely to a server without local administrator permissions while restricting them to a limited set of tasks.

Create a New Endpoint

Log in to the server with an account that has local administrator permissions and follow these steps:

  • Right-click the blue PowerShell icon on the desktop taskbar and select Run as Administrator from the menu.
  • In the PowerShell console, type Get-PSSessionConfiguration and press Enter. This lists all the existing endpoints on the server. Note the Permission column of the default microsoft.powershell endpoint: it grants access only to members of the built-in Administrators group and the Remote Management Users group.
  • To create a new endpoint for your helpdesk, type Register-PSSessionConfiguration -Name "Helpdesk" in the PowerShell window and press Enter. Type Y and press Enter to confirm the action.
  • Type Y and press Enter again to confirm restarting the WinRM service.
  • Now set permissions on the new endpoint. Type Set-PSSessionConfiguration -Name Helpdesk -ShowSecurityDescriptorUI and press Enter. Type Y and press Enter to confirm the action.
  • A new window appears allowing you to set permissions using the GUI. In this case I'm going to give an AD group called Helpdesk full access to the new endpoint. Execute (Invoke) is the only right a user actually needs in order to connect, so Full Control is more than strictly necessary. Click OK in the permissions dialog when you're done.
  • Type Y and press Enter again to confirm restarting the WinRM service.
  • Type Get-PSSessionConfiguration and press Enter again, and you’ll see your new endpoint listed.

Because no RunAs account is configured on this endpoint, every command in the session runs under the connecting user's own identity. PowerShell is security transparent: it adds no permissions of its own, so a user who is only a member of the Helpdesk group can do exactly what their Windows permissions on the server allow, no more and no less. Note the flip side: an endpoint registered with nothing but a name still exposes the full PowerShell language, so what you have built so far controls who may connect, not which commands they may run. Limiting the session to a short list of cmdlets requires a session configuration file created with New-PSSessionConfigurationFile and passed to Register-PSSessionConfiguration -Path.

Connect to the New Endpoint

To connect to the new endpoint, open PowerShell on a remote computer, type Enter-PSSession -ComputerName <servername> -ConfigurationName Helpdesk and press Enter, replacing <servername> with the name of the server where the endpoint was created. Without -ConfigurationName the client connects to the default microsoft.powershell endpoint, which refuses Helpdesk members who are not administrators. Invoke-Command accepts the same -ConfigurationName parameter for running one-off commands against the endpoint.
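The following is an added example, not code from the original article. It repeats the registration steps above in script form, but instead of a bare Register-PSSessionConfiguration it backs the endpoint with a session configuration file so the Helpdesk session exposes only a handful of cmdlets, then connects to it the way the section above describes and checks what the session allows. The domain name CONTOSO, the group CONTOSO\Helpdesk, the server name SRV01, the file path and the four visible cmdlets are assumptions for illustration; the cmdlets and parameters used (New-PSSessionConfigurationFile, Test-PSSessionConfigurationFile, Register-PSSessionConfiguration -Path/-SecurityDescriptorSddl/-Force, Invoke-Command -ConfigurationName) are all available in the PowerShell 3.0 that ships with Windows Server 2012.

```powershell
# Added example (not from the original article). Assumed names: domain CONTOSO,
# AD group CONTOSO\Helpdesk, server SRV01, config file C:\PSConfig\Helpdesk.pssc.
# The first part runs in an elevated console on the server.

$domainGroup = 'CONTOSO\Helpdesk'          # assumed AD group
$configPath  = 'C:\PSConfig\Helpdesk.pssc' # assumed path for the .pssc file
New-Item -ItemType Directory -Path (Split-Path $configPath) -Force | Out-Null

# 1. Describe the session. RestrictedRemoteServer gives a NoLanguage session that
#    contains only the plumbing commands (Get-Command, Select-Object, Get-Help, ...);
#    VisibleCmdlets adds the cmdlets the helpdesk is allowed to call. Anything not
#    listed here (Invoke-Expression, Set-Service, Stop-Computer ...) is invisible.
New-PSSessionConfigurationFile -Path $configPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -ExecutionPolicy Restricted `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-Process', 'Get-EventLog' `
    -Description 'Helpdesk: read service/process/event log state, restart services'

# Returns $true when the file parses cleanly; stop here if it does not.
if (-not (Test-PSSessionConfigurationFile -Path $configPath)) {
    throw "Session configuration file $configPath is invalid"
}

# 2. Build the endpoint ACL from the group's SID instead of clicking through the
#    -ShowSecurityDescriptorUI dialog. BA = built-in Administrators, GA = full access.
#    Nobody outside these two groups can even connect to the endpoint.
$sid  = ([System.Security.Principal.NTAccount]$domainGroup).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"

# 3. Register. -Force answers the confirmation prompts and restarts WinRM.
Register-PSSessionConfiguration -Name Helpdesk -Path $configPath `
    -SecurityDescriptorSddl $sddl -Force | Out-Null

# 4. Verify: Permission should now name the Helpdesk group alongside Administrators.
Get-PSSessionConfiguration -Name Helpdesk | Select-Object Name, Permission

# --- From a client, logged on as a member of CONTOSO\Helpdesk (not a local admin) ---

# Invoke-Command targets the custom endpoint exactly like Enter-PSSession does.
# Get-Command inside the session shows only the plumbing commands plus the four
# cmdlets made visible above.
Invoke-Command -ComputerName SRV01 -ConfigurationName Helpdesk `
    -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name

# Allowed: a visible cmdlet. It still runs as the connecting user, so that user
# also needs the Windows right to restart the service (PowerShell adds nothing).
Invoke-Command -ComputerName SRV01 -ConfigurationName Helpdesk `
    -ScriptBlock { Restart-Service -Name Spooler }

# Blocked: the cmdlet is not visible in this endpoint, so the remote side returns
# a "not recognized as the name of a cmdlet" error and nothing is executed.
Invoke-Command -ComputerName SRV01 -ConfigurationName Helpdesk `
    -ScriptBlock { Stop-Computer } -ErrorAction Continue

# Blocked: the Helpdesk endpoint is only for non-admin helpdesk work; connecting
# to the default endpoint as this user is refused by its ACL (Access is denied).
Invoke-Command -ComputerName SRV01 -ScriptBlock { hostname } -ErrorAction Continue
```

Two design choices are worth noting. The endpoint deliberately has no -RunAsCredential, so it never lets the helpdesk act with rights they do not already hold; if a task (restarting a service, say) needs rights the helpdesk users lack, add -RunAsCredential with a dedicated low-privilege service account rather than making the users administrators, and keep the VisibleCmdlets list short, because under a RunAs account the endpoint's cmdlet list is the only thing standing between the user and that account's privileges. And because the session is NoLanguage, a connecting user cannot bypass the list with script blocks, expressions or variable assignment; only the named commands with their parameters are accepted.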

Comments (3)

  1. Thank you for this article – is it possible to accomplish something similar for local users? I’d like to restrict a specific local user account to only performing the types of tasks described in this article.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.