PowerShell Trusted Hosts Illusive Windows Server 2016 Interactions.

Anonymous
2020-12-10T20:00:27.14+00:00

Hello, I am having an issue where I want to talk to my Nanoserver in PowerShell; however, I must add in the other subnetted addresses when the DHCP changes for Nanoserver and it jumps subnets so I can PSSession back into it. I have added the new server IP address as a trusted host for WinRM; however, I cannot see it under trusted hosts inside of Windows Server 2016 Group Policy Rules. This should display a list of trusted hosts inside of this GPO, right? It should be clear as day for security tracking and logging? Also, if it is disabled, how does PowerShell not match the rules once it added a host?

Is there a way to show what is a trusted host list inside of the registry? It has options to add a host but this does not display the trusted hosts I added inside of PowerShell. The registry is missing this capability it seems.

This is a bit illusive here. Can you help shed some light on this issue? It is clearly listed, I mean you can see it under the commands inside of PowerShell; Windows Registry is a simpler tool for less techy people. So why would this not be more clear, maybe also have a log linked into it? What was a trusted host, when was it added and when was it deleted?

Even Get-PSSession does not display this illusive connection.

This might cause some concern.

46909-trustedhosts-registry-interaction-missing.png
I can add trusted hosts but they do not display inside of the GPO or inside of the Server Manager logs. I can view them with

get-item wsman:\localhost\client\trustedhosts

helps with my hypotheses to show there is information that can be linked into the GPO or the Windows Server manager.

47018-illusiveinteractions.png

47081-notlisted.png

Does not display what my get-item wsman:\localhost\client\trustedhosts displays; the program substructure is not linking them both, or a log of what was added or removed.

47042-illusive-ineractions-need-logs.png

Get-PSSession should display what I am logged onto. As you can see, both host names are shown inside of Windows Server, but nothing is displayed as connected when this command is shown; also no logs of timers of connections and disconnections.

Get-PSSession should display what I am linked to for Windows Server, I am connected to a Microsoft Nanoserver as you can see with the hostname. This is not displaying what is connected as if a backdoor connection is running.

The hostname command shows current hostname of the device you are on.

The Get-PSSession command should show what active PSSession connections are running; however, it displayed nothing and went to the next command prompt. I have an active connection that the Get-PSSession command is not displaying.

47497-get-pss.png

This shows no active connections even if I am remoted into the Nanoserver.

47485-connections.png

"localhost" command used; however, the main server's non-connected PowerShell still displays no link to the Nanoserver. Within the Nanoserver you can see it is linked, however. This was run with an active session into Nanoserver.

I am looking for Logs, dates and times and current connections.


2 answers

  1. Jenny Feng 14,131 Reputation points
    2020-12-11T09:07:01.44+00:00

    Hi,

    I think you should set up the registry in GPO before you can see it in PowerShell.
    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsRemoteManagement::TrustedHosts
    Note: This is a third-party link and we do not have any guarantees on this website. And Microsoft does not make any guarantees about the content.

    Hope above information can help you.

    0 comments No comments
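
Added example, not part of the thread: the Group Policy editor shows only the value defined by the "Trusted Hosts" policy, while a host added through the `WSMan:` drive is local WinRM client configuration, so the two views can differ. The function below (its name and output fields are hypothetical) reads the effective list the question queries with `Get-Item`, reads the policy values from the registry key the linked policy writes to, and reports for each trusted host whether policy supplied it.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell console.
function Get-TrustedHostsReport {
    # Effective client setting, the same item the question reads with Get-Item.
    $item = Get-Item -Path WSMan:\localhost\Client\TrustedHosts

    # Registry values written by the "Trusted Hosts" Group Policy setting.
    # The key and its values are absent when the policy is not configured.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Split a comma-separated host list into trimmed, non-empty entries.
    $split = {
        param($s)
        "$s" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }

    $effective = @(& $split $item.Value)
    $fromPolicy = @()
    if ($policy -and $policy.TrustedHosts -eq 1) {
        $fromPolicy = @(& $split $policy.TrustedHostsList)
    }

    foreach ($h in $effective) {
        [pscustomobject]@{
            Host          = $h
            SourceOfValue = $item.SourceOfValue     # provider's own note on where the value came from
            InPolicyList  = $fromPolicy -contains $h
            IsWildcard    = $h.Contains('*')        # '*' or '*.domain' trusts many hosts at once
        }
    }
}

Get-TrustedHostsReport | Format-Table -AutoSize
```

An entry with `InPolicyList` false was added locally and will not appear in the Group Policy editor.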

  2. Anonymous
    2020-12-11T19:42:45.97+00:00

    Thanks for your reply,
    This question is still from a security standpoint and does not let a manager see inside of Windows Server to track active connections and interactions with Nanoserver or containers running.

    1. No active PSSessions are listed as linked to Nanoserver; when I run Get-PSSession, it displays no active links even when connected to Nanoserver, as shown in the photo.
    2. I am looking for a way to review what connections happened or occurred and if a connection is created inside of Windows Server PowerShell. Yes, I cannot see it inside of the GPO settings. This has no log, like a backdoor now.
    3. If an illusive Nanoserver is running, how can we track it from inside Windows Server? This is not for the everyday user, this is for the Administration side that has access to Windows Server. As you can see on my post, I did PSSession into Nanoserver and nothing is listed for trusted hosts or live active sessions. I want to see who created the Nanoserver much like a SID, when it was made, when the connections happened, when trusted hosts are added or deleted, and make it so a non-tech-savvy manager could use GUI-based Server Manager and review logs. Not the everyday user, just users with administrative access.
    4. What is the Nanoserver hierarchy now that this illusive backdoor tool has moved to containers?

    This is for me considered a backdoor when even the System administrators have trouble as you can see tracking such illusive issues.

    Microsoft's Nanoserver comes with Windows Server install disks; this is not an outside vendor set of software. With Docker, Sandbox, and many others now interacting with isolated containers, how does management or administrators review such computer usages?

    This is from a class textbook setting the Nanoserver up. I understand it. However I want to understand how to review it, how to place this tool and the logs into a GUI based "graphical user interface" for the manager or system administrator to work with.

    0 comments No comments
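
Added example, not part of the thread: `Get-PSSession` without parameters lists only the PSSession objects created in the PowerShell session that runs it, so reviewing what is connected, and when, needs a different source. The two functions below (their names are hypothetical) enumerate the shells open on a WinRM listener with `Get-WSManInstance` and read session-creation events from the `Microsoft-Windows-WinRM/Operational` log. Event IDs 6 and 91 are taken here as the client-side and server-side session-creation events; confirm them against the log on your own hosts.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell console.

# Shells currently open on a WinRM listener, for every user, not just this console.
function Get-WinRMShell {
    param(
        [string]$ComputerName = 'localhost',
        [pscredential]$Credential
    )
    $wsman = @{ ComputerName = $ComputerName; ResourceURI = 'shell'; Enumerate = $true }
    if ($Credential) { $wsman.Credential = $Credential }
    Get-WSManInstance @wsman |
        Select-Object Owner, ClientIP, ProcessId, State, ShellRunTime, ShellInactivity
}

# WinRM session history from the operational log on the machine where this runs.
# Id 6  = client side: a WSMan session was created (the message carries the target).
# Id 91 = server side: a WSMan shell was created for an incoming connection.
function Get-WinRMSessionEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 6, 91
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, MachineName, UserId, Message
}

Get-WinRMShell | Format-Table -AutoSize
Get-WinRMSessionEvent | Format-List
```

Passing the Nano Server address and a credential to `Get-WinRMShell` lists the shells open on that server, including the owner and client IP of each one.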
