In this article we will be discussing how to create a role assignment for enabling PowerShell remoting and enforcing MFA on use of the PowerShell application. This steps would be useful in cases where you want to add an extra layer of security if users need to be running elevated PowerShell commands on remote machines. Centrify has incorporated the access to PowerShell Remoting starting with our 18.1 Release (Windows agent 3.5.1).



About PowerShell Remoting:

Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or many remote computers. In addition to allowing establish persistent connections, Powershell remoting will enable you to start 1:1 interactive sessions, and run scripts on multiple computers. PowerShell remoting will require Administrator privileges in the target systems.

Prerequisites:

1) PowerShell Remoting requires PowerShell version 2.0,
2) .NET Framework 2.0 and Windows Remote Management 2.0
3) Windows 7 or higher Windows Server 2008 R2 or higher
4) MFA for Windows has been enabled on the source machine as per the below instructions:
https://centrify.force.com/support/Article/How-To-Windows-MFA-with-Centrify-Identity-Platform-26597



Roles and Rights

1) We will begin by creating two Windows rights. One is an Applications right and one is a Network Access right.

2) Open the Centrify Access Manager console and expand the zone where the source and target Windows machines reside.

3) Expand:  Authorization > Windows Right Definitions > Applications:





4) Right-click on Applications and choose "New Windows Application"

4a) General tab - Give it a name that can easily be remembered for why it exists.

4b) Match Criteria tab - Click the 'Edit' button. But before the details get entered here, just open a PowerShell window. Then go back to the Definition Settings window and choose 'Import Process' and select the PowerShell process that is already running. It will fill in the details for you. It should look something like below:







4c) Run As tab - Activate the radio button for 'Self with added group privileges' and choose 'Add Built-in Groups' and choose the Administrators group. Make sure to check the mark for 'Require multi-factor authentication.' So that it looks like below:





4d) Once the tabs look correct and you are ready to proceed, click Apply then OK.


5) For the Network Access right, right-click on Network Access and choose 'New Network Access' as shown below:




5a) General tab - Choose a name and description.


5b) Access tab - Activate the 'Self with added group privileges' button and choose the Administrators group using the 'Add Built-in Groups' button. MFA is not required here since it has already been enabled in the previous section. Screenshot of what it should look like:



5c) Choose Apply then OK.


6) The last steps in this process are to create a role definition and add the previous two rights to this role.


6a) Right-click on Role Definitions, choose 'Add Role'






6b) General tab - Add a name and description.
6c) System Rights tab - Place a checkmark next to 'Remote login is allowed' and 'PowerShell remote access is allowed' (as shown below).



6d) Authentication tab - Can remain unchanged.
6e) Audit tab - Can remain unchanged unless you would like to require auditing of this role activity. In that case choose 'Audit Required.'
6f) Custom Attributes tab - Can remain unchanged.


7) Add the Application right and Network Access right to the PowerShell role definition.



7a) Right-click the PowerShell role definition and choose 'Add Right'





7b) Once the pop-up window opens, choose your Application and Network rights that were created in steps 4 and 5 above. It should look something like this:





8) Assign this role to your users at the zone level.



PowerShell Settings

9) The next step is to enable PowerShell Remoting on the target machine. On that machine, open Windows PowerShell (as admin) and enter the following command:


PS C:Windows\system32> Enable-PSRemoting -Force





10) Log into the source Windows machine and run the following command to make the new role take effect:

C:\> dzflush



11) Hold the shift key and right-click the PowerShell Icon from the taskbar or start menu then choose 'Run with Privilege..'







12) Choose the PowerShell role definition that had been created earlier:






13) You should now be getting an MFA prompt, according to what has been set in the Authentication Policy in your Cloud Portal:





14) Now, enter the following command to start a remote PowerShell session:


PS C:\Users> Enter-PSsession






15) Finally, enter the hostname of the machine you are trying to connect to (Using the short or full DNS name should work)






16) You will see that you are connected as the hostname will be shown in square brackets. In this example, we connected to the hostname of WIN2012-1

*Note - the user must have login privileges to the destination machine to be able to login remotely through PowerShell. This can be done either using the local security policy (secpol.msc) or through Group Policy.*