In our current workflow, we have to RDP to several servers just to know if a service is up-and-running. We do not have admin rights to those servers but are allowed to view, start and stop services.
We would like to use PowerShell Remoting instead. Something like
(1..8)|%{gsv -c "server$($_)" -n "*ourservice*"}
would be both easier and faster to do.
Am I correct that by adding our users to the WinRMRemoteWMIUsers group:
- We can execute the command (our concern).
- We can't do anything to the system we couldn't be doing right now just by RDP'ing to it (security management's concern).
Edit
The following extract, taken from Secrets of PowerShell Remoting, seems to address the security concerns:
powershellorg · Secrets of PowerShell Remoting
Neither PowerShell nor Remoting are a "Back Door" for Malware
This is a major misconception. Keep in mind that, by default, PowerShell does not execute scripts. When it does so, it can only execute commands that the executing user has permission to run - it does not execute anything under a super-privileged account, and it bypasses neither existing permissions nor security.
and
Bottom line: Because of the way it works, PowerShell Remoting does not allow any user, authorized or not, to do anything that they could not do through a dozen other means
The risk is an attacker may have access via PowerShell if an account in that group is compromised. Evaluating the risk of that access and the compensating controls is something you need to determine based on your environment.
To answer your follow-up, I don't believe anyone can provide a general assumption/conclusion that the account could also log on using RDP. If the account/server(s) is configured for smartcard required, no, they could not log on using RDP.
Security is about assessing risk and implementing compensating controls. A constructive counter proposal may be to suggest:
PowerShell Remoting sample event commandline:
WinRS sample event commandline: