When considering whether to allow PowerShell to run on servers, security has been a concern for some system administrators. Despite its powerful and wide-reaching feature set, PowerShell was designed with security in mind from the bottom up, and it is the most secure means of managing Windows Server. In this article, I’m going to show you how to configure a constrained endpoint on Windows Server 2012 to make sure users can only perform a limited set of tasks when connecting to PowerShell remotely.
PowerShell remoting is enabled in Windows Server 2012 out-of-the-box, and by default only users with local administrator privileges can connect to the default endpoint. An endpoint is a set of configuration parameters that determine what permissions and features are available to users connecting to PowerShell across the network. Luckily, it’s possible to create your own custom endpoints. For instance, you might like to create an endpoint that allows helpdesk users to connect remotely to a server without local administrator permissions, and to restrict users to performing a limited set of tasks.
Login to your server with an account that has local administrator permissions and follow the instructions:
PowerShell is security transparent, so when users who are only a member of the Helpdesk group connect to the endpoint, they will only be able to perform tasks which their Windows permissions permit.
To make a connection to the new endpoint, open PowerShell on a remote computer and type Enter-PSSession -ComputerName <servername> -ConfigurationName Helpdesk and press Enter, replacing <servername> with the name of the remote server where the new endpoint was created.