How to safely plug in PowerShell Web Access for remote management

While PowerShell Web Access is a convenient way to maintain remote servers, there are security considerations to weigh.

A business with multiple branch offices may not have IT staff in place at each location. But administrators can use remote management capabilities to perform various tasks that would otherwise require an on-site visit.

Microsoft PowerShell Web Access, which debuted in Windows Server 2012, allows a user to manage remote systems with PowerShell through a web browser. There is a catch that comes with this convenience: Administrators must abide by the limits of PowerShell Web Access and ensure systems remain secure.

Advantages of PowerShell Web Access

The main advantage to PowerShell Web Access is that IT can configure it to access critical systems. There are times when an administrator gets a notification about a critical issue on a remote system, cannot diagnose the problem, and needs to take corrective action quickly.

While Microsoft provides other ways to access Windows Server remotely -- remote PowerShell and Remote Desktop Protocol (RDP) -- both methods require a specific configuration of the client device. RDP access, for example, depends on the presence of an RDP client. Similarly, remote PowerShell requires administrators to install PowerShell on the client device.

In contrast, PowerShell Web Access just needs a web browser that can run JavaScript. This lets an administrator manage a remote system from a smartphone, a public computer in a hotel, a non-Windows tablet or just about any other device.

Limited powers

While PowerShell Web Access has identical behavior to a normal PowerShell session in most situations, it does have limitations.

Microsoft only supports the use of specific browsers, a list that includes:

  • Windows Internet Explorer 8.0, 9.0, 10.0 and 11.0;
  • Mozilla Firefox 10.0.2;
  • Google Chrome 17.0.963.56m for Windows;
  • Apple Safari 5.1.2 for Windows;
  • Apple Safari 5.1.2 for Mac OS;
  • Windows Phone 7 and 7.5;
  • Google Android WebKit 3.1 Browser Android 2.2.1 (Kernel 2.6);
  • Apple Safari for iPhone operating system 5.0.1; and
  • Apple Safari for iPad 2 operating system 5.0.1.

Microsoft does not test or support other browsers that accept cookies, run JavaScript, and run HTTPS websites, but does expect them to work.

Most of the other PowerShell Web Access downsides relate to lost functionality in function keys and hot keys. For example, in a normal PowerShell session, the F5 key scans backward through the command history, but this capability does not exist in PowerShell Web Access. Administrators cannot use function keys such as F1, F2 and F3. Hot keys, such as Ctrl+Break, Alt+Space+C, and Ctrl+End, are also disabled. Administrators can find the full list of the unsupported keyboard commands in Microsoft's documentation.

PowerShell users who rely on double hop -- when the admin establishes a remote session inside a PowerShell Web Access session -- or on nested progress displays will find PowerShell Web Access restricted. They also cannot change the color of the display. Aside from these and a few other similar constraints, PowerShell Web Access behaves the same as a normal PowerShell session.

Keep security locked down

Because PowerShell Web Access provides a connection to the live servers, security is a serious concern. PowerShell Web Access does not grant any additional permissions; if an administrator lacks the authority to perform a particular operation through PowerShell, then that administrator cannot perform the operation with PowerShell Web Access.

Aside from following normal PowerShell security policies, the IT staff can set up authorization rules to limit the actions an administrator can take from the web-based console. An administrator can't log in to PowerShell Web Access unless they were granted permission. Simply having normal administrative permissions is not enough to get into PowerShell Web Access. Use the Add-PswaAuthorizationRule cmdlet to grant access for the web console.

PowerShell Web Access requires the use of the web server or Internet Information Services (IIS) role, so security can be further enhanced at the IIS layer. Some organizations, for example, configure IIS to require administrators to provide a valid client certificate as well as the usual set of credentials.
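The authorization rule and IIS client-certificate settings described above can be combined into a least-privilege setup. The following is an added example, not code from the original article or from Microsoft; the group, user, server and endpoint names are hypothetical, and the IIS path assumes the gateway application was installed at its default location.

```powershell
#Requires -RunAsAdministrator
# Added example. All names below are hypothetical placeholders.
$Endpoint = 'BranchOps'                    # constrained session configuration
$Group    = 'CONTOSO\BranchOperators'      # AD group allowed to use the gateway
$Target   = 'BR01-FS01.contoso.example'    # branch server to be managed

# --- Part 1: run on the TARGET server ---------------------------------------
# Register an endpoint that exposes only the cmdlets branch operators need.
# NoLanguage mode blocks script blocks, variables and operators.
$pssc = Join-Path $env:ProgramData "$Endpoint.pssc"
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleCmdlets 'Get-Service', 'Restart-Service', 'Get-EventLog'
Register-PSSessionConfiguration -Name $Endpoint -Path $pssc -Force

# --- Part 2: run on the PowerShell Web Access GATEWAY -----------------------
# Allow one group to reach one server through one endpoint, instead of a
# wildcard rule that lets every user reach every computer.
Add-PswaAuthorizationRule -RuleName 'BranchOps-FS01' `
    -UserGroupName $Group `
    -ComputerName $Target `
    -ConfigurationName $Endpoint

# Confirm that a given account is (or is not) covered by a rule.
# Returns the matching rule, or nothing if access would be denied.
Test-PswaAuthorizationRule -UserName 'CONTOSO\jdoe' `
    -ComputerName $Target -ConfigurationName $Endpoint

# Audit: list rules that use a wildcard for user, computer or endpoint.
# These are common leftovers from test deployments.
Get-PswaAuthorizationRule |
    Where-Object { $_.User -eq '*' -or $_.Destination -eq '*' -or
                   $_.ConfigurationName -eq '*' } |
    Format-Table Id, RuleName, User, Destination, ConfigurationName

# Require a valid client certificate at the IIS layer, in addition to the
# credentials entered on the sign-in page.
# Assumption: the application lives at 'Default Web Site/pswa'.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' `
    -Location 'Default Web Site/pswa' `
    -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
```

Any wildcard rule reported by the audit step can be deleted with Remove-PswaAuthorizationRule, using the Id shown in the table.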
