Access to PS Remoting Client info in the constrained endpoint

Is there a way to query out PS Remoting Client details (like hostname, IP address, etc.) via the script\advanced function that's exposed through the constrained endpoint?

The scenario is that a new Windows Server VM (that's not domain joined) needs to connect to a PowerShell endpoint using some credentials that are hardcoded into the VM template, and I need the script running on the endpoint to be able to confirm that it is actually this particular client connecting (say by checking if there's a VM with such an IP running on a hypervisor) and not someone else pretending to be one by reusing those hardcoded credentials.

2 Replies

Well, depends on what you have configured for the endpoint. You might want to add some specific cmdlets to the session config file, such as Get-ComputerInfo. Or expose the env: PSDrive, etc.

For scenarios like this, it's best to use something like certificate auth. IP, hostname, machine name - all can easily be changed/spoofed.
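
The certificate-based approach recommended in the reply above, sketched as an added example (not part of the original thread): the endpoint host maps one client certificate to a local account, and the client connects with that certificate instead of a shared password. The account name `vmprovision`, the file path, the host name, the `Provisioning` configuration and the `Register-NewVm` command are hypothetical, and an HTTPS WinRM listener is assumed to exist already.

```powershell
# --- On the endpoint host (elevated session) ---------------------------------
# Hypothetical names: local account 'vmprovision', C:\certs\vmprovision.cer,
# session configuration 'Provisioning'. Assumes an HTTPS WinRM listener exists.

# 1. Import the PUBLIC half of the client certificate (no private key).
#    For a self-signed client certificate the issuer and the peer are the same file.
$pub = Import-Certificate -FilePath 'C:\certs\vmprovision.cer' `
                          -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath 'C:\certs\vmprovision.cer' `
                   -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# 2. Enable certificate authentication on the WinRM service.
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true

# 3. Map the certificate to the local account. -Subject must match the UPN in
#    the certificate's Subject Alternative Name; -Issuer is the thumbprint of
#    the issuing certificate imported into the Root store in step 1.
$cred = Get-Credential -UserName 'vmprovision' `
                       -Message 'Password of the local account the certificate maps to'
New-Item -Path WSMan:\localhost\ClientCertificate `
         -Subject 'vmprovision@localhost' `
         -URI * `
         -Issuer $pub.Thumbprint `
         -Credential $cred `
         -Force

# 4. Review the mapping that was created.
Get-ChildItem -Path WSMan:\localhost\ClientCertificate

# --- On the new VM (client) --------------------------------------------------
# The certificate with its private key must be in Cert:\CurrentUser\My and carry
# the Client Authentication EKU. Placeholder thumbprint, replace with the real one.
$thumb = '<CLIENT-CERT-THUMBPRINT>'

Invoke-Command -ComputerName 'endpoint.example.test' `
               -UseSSL `
               -CertificateThumbprint $thumb `
               -ConfigurationName 'Provisioning' `
               -ScriptBlock { Register-NewVm }   # hypothetical command exposed by the endpoint
```

With this mapping the endpoint authenticates possession of the private key rather than trusting a client-reported IP or hostname; how the per-VM key is delivered during the build is a separate problem that this sketch does not address.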

@Vasil Michev, thanks for the quick reply. If I expose the Get-ComputerInfo cmdlet, it would give me the details of the endpoint host machine and not of the client, unless there's a way to have it executed on the client side, is there?

Being able to query the client's IP and hostname will allow me to perform additional checks from the endpoint host side to make sure that it was not spoofed.

I agree that using something like cert authentication would be a much better approach, but currently I can't figure out a way to securely inject a new cert into each new VM (I'm building them using MDT, btw).