PowerShell

PowerShell Remoting: How to Restrict User Commands

How can I restrict the commands users can run when using PowerShell Remoting?

In my previous article, “How to Lock Down a Remote PowerShell with a Constrained Endpoint?,” I described how you can create a new remote PowerShell endpoint that doesn’t require users to have local administrator rights on the remote machine, therefore limiting the actions that can be performed over the remote session to what is allowed by the permissions assigned to the user connecting to the endpoint. Many administrators see remote PowerShell as a security risk, but it’s not necessary for users to have local administrator permissions on the target device.

In this article, I want to show you how to restrict an endpoint even further by limiting the commands that users can run when connecting to a remote device using PowerShell. To achieve this, you need a script that configures the session each time a user connects. While this sounds like it might be complicated, PowerShell 3.0 makes it easy to create the script through a handy cmdlet.

Create a Session Configuration File

In this example, I’m going to limit the session to the PowerShell Active Directory module and go even further by allowing users to run only the Get-ADUser and Unlock-ADAccount cmdlets. The following cmdlet will create a session configuration file (helpdesk.pssc), that I can use when registering a new endpoint.

  • Log on to the server where you want to configure the PowerShell remote endpoint.
  • Right-click the blue PowerShell icon on the desktop taskbar and select Run as Administrator from the menu.
  • In the PowerShell console window, type the following command and press ENTER.
​ New-PSSessionConfigurationFile –ModulesToImport ActiveDirectory –VisibleCmdLets (‘Get-ADUser’, ‘Unlock-ADAccount’) –LanguageMode ‘NoLanguage’ –SessionType ‘RestrictedRemoteServer’ –Path ‘c:\helpdesk.pssc’

The LanguageMode parameter in the above command is set to NoLanguage, which restricts the user to running cmdlets and functions. Script blocks, variables, and operators will be barred. The RestrictedRemoteServer session type includes Exit-PSSession, Get-Command, Get-FormatData, Get-Help, Measure-Object, Out-Default, and Select-Object functions in the session configuration, but nothing else unless additionally specified.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

PowerShell Remoting: Restricting User Commands constrained endpoint

Create a Constrained Endpoint with Your Session Configuration File

Now that we have our session configuration file (helpdesk.pssc) saved to the local disk, we can create a remote endpoint on the device that restricts users to running just the Get-ADUser and Unlock-ADAccount cmdlets. In the PowerShell console window, run the following command:

​ Register-PSSessionConfiguration –Name ‘HelpDesk’ -ShowSecurityDescriptorUI –Path ‘c:\helpdesk.pssc’

Confirm each configuration step by typing Y and pressing ENTER. A new window will appear allowing you to set permissions using the GUI.

Connect to the Endpoint and Check What Commands Are Accessible to the User

To test your endpoint, you can connect to it from either a remote machine or on the server where the endpoint is configured. In the PowerShell console, run the following command to connect, replacing <servername> with the name of the server where the endpoint is configured:

​ Enter-PSSession -ComputerName <servername> -ConfigurationName ‘HelpDesk’

Now type get-command in the PowerShell console and press ENTER. You should see that only the Get-ADUser and Unlock-ADAccount cmdlets are available to run. To exit the remote session, type exit-pssession and press ENTER.

Related Topics:

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: