Disable-PSRemoting
Prevents PowerShell endpoints from receiving remote connections.
Syntax
Disable-PSRemoting
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
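Description
The Disable-PSRemoting cmdlet blocks remote access to all PowerShell version 6 and greater session endpoint configurations on the local computer. It doesn't affect Windows PowerShell endpoint configurations. To disable Windows PowerShell session endpoint configurations, run the Disable-PSRemoting command from within a Windows PowerShell session.
To re-enable remote access to all PowerShell version 6 and greater session endpoint configurations, use the Enable-PSRemoting cmdlet. To re-enable remote access to all Windows PowerShell session endpoint configurations, run Enable-PSRemoting from within a Windows PowerShell session.
Note
If you want to disable all PowerShell remote access to the local Windows computer, you must run this command from both a PowerShell version 6 or greater session and a Windows PowerShell session. Windows PowerShell is installed on all Windows computers by default.
To disable and re-enable remote access to specific session endpoint configurations, use the Enable-PSSessionConfiguration and Disable-PSSessionConfiguration cmdlets. To set specific access configurations for individual endpoints, use the Set-PSSessionConfiguration cmdlet with the AccessMode parameter. For more information about session configurations, see about_Session_Configurations.
Note
Even after running Disable-PSRemoting, you can still make loopback connections on the local machine. A loopback connection is a PowerShell remote session that originates from and connects to the same local machine. Remote sessions from external sources remain blocked. For loopback connections, you must use implicit credentials along with the EnableNetworkAccess parameter. For more information about loopback connections, see New-PSSession.
This cmdlet is only available on the Windows platform. It isn't available on Linux or macOS versions of PowerShell. To run this cmdlet, start PowerShell with the Run as administrator option.
Examples
Example 1: Prevent remote access to all PowerShell session configurations
This example prevents remote access to all PowerShell session endpoint configurations on the computer.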
Disable-PSRemoting
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
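Example 2: Prevent remote access to all PowerShell session configurations without a confirmation prompt
This example prevents remote access to all PowerShell session endpoint configurations on the computer without prompting.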
Disable-PSRemoting -Force
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
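Example 3: Effects of running this cmdlet
This example shows the effect of using the Disable-PSRemoting cmdlet. To run this command sequence, start PowerShell with the Run as administrator option.
After the session configurations are disabled, the New-PSSession cmdlet attempts to create a remote session to the local computer (also known as a "loopback"). Because remote access is disabled on the local machine, the command fails.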
Disable-PSRemoting -Force
New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
New-PSSession : [localhost] Connecting to remote server localhost failed with the following error
message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
[New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
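Example 4: Effects of running this cmdlet and Enable-PSRemoting
This example shows the effect on the session configurations of using the Disable-PSRemoting and Enable-PSRemoting cmdlets.
Disable-PSRemoting is used to disable remote access to all PowerShell session endpoint configurations. The Force parameter suppresses all user prompts. The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations on the computer.
The output shows that all remote users with a network token are denied access to the endpoint configurations. Members of the Administrators group on the local computer are allowed access to the endpoint configurations as long as they connect locally (also known as loopback) and use implicit credentials.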
Disable-PSRemoting -force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto
Enable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
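The Enable-PSRemoting cmdlet re-enables remote access to all PowerShell session endpoint configurations on the computer. The Force parameter suppresses all user prompts and restarts the WinRM service without prompting. The new output shows that the AccessDenied security descriptors have been removed from all session configurations.
Example 5: Loopback connections with disabled session endpoint configurations
This example shows how to disable the endpoint configurations and how a loopback connection to a disabled endpoint can still succeed. Disable-PSRemoting disables all PowerShell session endpoint configurations.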
Disable-PSRemoting -Force
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -Credential (Get-Credential)
PowerShell credential request
Enter your credentials.
User: UserName
Password for user UserName: ************
New-PSSession: [localhost] Connecting to remote server localhost failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -EnableNetworkAccess
Id Name Transport ComputerName ComputerType State ConfigurationName Availability
-- ---- --------- ------------ ------------ ----- ----------------- ------------
1 Runspace1 WSMan localhost RemoteMachine Opened powershell.6 Available
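The first use of New-PSSession attempts to create a remote session to the local machine. The ConfigurationName parameter specifies the disabled PowerShell endpoint. The credentials are passed to the command explicitly through the Credential parameter. This type of connection goes through the network stack and isn't a loopback. Consequently, the connection attempt to the disabled endpoint fails with an "Access is denied" error.
The second use of New-PSSession also attempts to create a remote session to the local machine.
In this case, it succeeds because it's a loopback connection that bypasses the network stack.
A loopback connection is created when the following conditions are met:
- The computer name to connect to is "localhost".
- No credentials are passed in. The currently logged-in user (implicit credentials) is used for the connection.
- The EnableNetworkAccess switch parameter is used.
For more information about loopback connections, see the New-PSSession documentation.
Example 6: Disable all PowerShell remoting endpoint configurations
This example shows that running the Disable-PSRemoting command doesn't affect Windows PowerShell endpoint configurations. Get-PSSessionConfiguration, run within Windows PowerShell, shows all endpoint configurations. We see that the Windows PowerShell endpoint configurations aren't disabled.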
Disable-PSRemoting -Force
powershell.exe -command 'Get-PSSessionConfiguration'
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
Name : microsoft.powershell.workflow
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell32
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
Name : PowerShell.6
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6.2.2
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
powershell.exe -command 'Disable-PSRemoting -Force'
powershell.exe -command 'Get-PSSessionConfiguration'
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or
Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the
Administrators group on the computer.
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell.workflow
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management
Users AccessAllowed
Name : microsoft.powershell32
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6.2.2
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
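To disable these endpoint configurations, the Disable-PSRemoting command must be run from within a Windows PowerShell session. Now, Get-PSSessionConfiguration run from within Windows PowerShell shows that all endpoint configurations are disabled.
Example 7: Prevent remote access to session configurations that have custom security descriptors
This example shows that the Disable-PSRemoting cmdlet disables remote access to all session configurations, including session configurations with custom security descriptors.
Register-PSSessionConfiguration creates the Test session configuration. The FilePath parameter specifies a session configuration file that customizes the session. The ShowSecurityDescriptorUI parameter displays a dialog box that sets permissions for the session configuration. In the Permissions dialog box, we create custom full-access permissions for the indicated user.
The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations and their properties. The output shows that the Test session configuration allows interactive access and special permissions for the indicated user.
Disable-PSRemoting disables remote access to all session configurations.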
Register-PSSessionConfiguration -Name Test -FilePath .\TestEndpoint.pssc -ShowSecurityDescriptorUI -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap
Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap
New-PSSession -ComputerName localhost -ConfigurationName Test
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
BUILTIN\Remote Management Users AccessAllowed
Test NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
User01 AccessAllowed
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Test NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, User01 AccessAllowed
New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName Test
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
[New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
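Now, the Get-PSSessionConfiguration and Format-Table cmdlets show that an AccessDenied security descriptor for all network users has been added to all session configurations, including the Test session configuration. Although the other security descriptors aren't changed, the "network_deny_all" security descriptor takes precedence. This is illustrated by the attempt to use New-PSSession to connect to the Test session configuration.
Example 8: Re-enable remote access to selected session configurations
This example shows how to re-enable remote access only to selected session configurations. After disabling all session configurations, we re-enable a specific session.
The Set-PSSessionConfiguration cmdlet is used to change the PowerShell.6 session configuration. The AccessMode parameter with a value of Remote re-enables remote access to the configuration.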
Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto
Set-PSSessionConfiguration -Name PowerShell.6 -AccessMode Remote -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\ ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet isn't run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
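Inputs
None
You can't pipe objects to this cmdlet.
Outputs
None
This cmdlet returns no output.
Notes
This cmdlet is only available on Windows platforms.
Disabling the session configurations doesn't undo all the changes made by the Enable-PSRemoting or Enable-PSSessionConfiguration cmdlets. You might have to manually undo the following changes.
- Stop and disable the WinRM service.
- Delete the listener that accepts requests on any IP address.
- Disable the firewall exceptions for WS-Management communications.
- Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.
A session endpoint configuration is a group of settings that define the environment for a session. Every session that connects to the computer must use one of the session endpoint configurations that are registered on the computer. By denying remote access to all session endpoint configurations, you effectively prevent remote users from establishing sessions that connect to the computer.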
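An audit sketch for the two points above (Disable-PSRemoting only covers the edition it runs in, and it leaves WinRM state behind), added here and not part of the original documentation. The function name Get-RemotelyReachableConfig is hypothetical, and the firewall rule name pattern and registry path are not taken from the page; the permission match assumes English account names as in the page's output.

```powershell
#Requires -RunAsAdministrator
# Added audit sketch, not from the original page. Run from PowerShell 6+ on Windows.

function Get-RemotelyReachableConfig {
    # Emits session configurations that lack the NETWORK deny entry shown in the
    # page's output. Assumes English account names, as in that output.
    param([Parameter(ValueFromPipeline)] $Config)
    process {
        if ($Config.Permission -notmatch 'NT AUTHORITY\\NETWORK AccessDenied') {
            [pscustomobject]@{ Name = $Config.Name; Permission = $Config.Permission }
        }
    }
}

# PowerShell 6+ endpoints come from this session; Windows PowerShell endpoints
# are only visible from powershell.exe.
$open  = @(Get-PSSessionConfiguration | Get-RemotelyReachableConfig)
$open += @(powershell.exe -NoProfile -Command {
        Get-PSSessionConfiguration | Select-Object Name, Permission
    } | Get-RemotelyReachableConfig)

# Residual state named in the cmdlet's warning.
$winrm = Get-Service -Name WinRM
# The WSMan: drive needs the service running, so only list listeners in that case.
$listeners = if ($winrm.Status -eq 'Running') {
    @(Get-ChildItem -Path WSMan:\localhost\Listener)
} else { @() }
# Assumption: the built-in inbound WinRM rules use names starting with WINRM-HTTP-In-TCP.
$fwRules = @(Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' })
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

[pscustomobject]@{
    EndpointsWithoutNetworkDeny   = $open.Name -join ', '
    WinRMService                  = "$($winrm.Status) / $($winrm.StartType)"
    Listeners                     = ($listeners | ForEach-Object { $_.Keys -join ' ' }) -join '; '
    EnabledWinRMFirewallRules     = $fwRules.Name -join ', '
    LocalAccountTokenFilterPolicy = [int]$latfp   # a missing value reads as 0
} | Format-List
```

An empty EndpointsWithoutNetworkDeny field means every endpoint in both editions carries the network deny entry; the remaining fields show which of the four manual cleanup items are still outstanding.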