1
00:00:00,240 --> 00:00:03,040
So now that we know how to create credentials,

2
00:00:03,040 --> 00:00:05,930
that's at least given us the authentication to get somewhere,

3
00:00:05,930 --> 00:00:08,370
but that doesn't mean that, for example,

4
00:00:08,370 --> 00:00:12,780
I can use my Windows 10 workstation and connect across to a

5
00:00:12,780 --> 00:00:16,290
domain controller using PowerShell remoting. So we need to talk

6
00:00:16,290 --> 00:00:19,140
about something called trusted hosts.

7
00:00:19,140 --> 00:00:22,470
So the first question is, what are the trusted hosts?

8
00:00:22,470 --> 00:00:23,030
Well,

9
00:00:23,030 --> 00:00:27,430
workgroup workstations are allowed to remotely manage

10
00:00:27,430 --> 00:00:30,940
domain joined workstations or servers.

11
00:00:30,940 --> 00:00:31,330
Now,

12
00:00:31,330 --> 00:00:36,420
the difficulty is that just because remoting is enabled doesn't necessarily

13
00:00:36,420 --> 00:00:41,650
mean that the workgroup workstation or the non-domain machine can actually

14
00:00:41,650 --> 00:00:45,840
connect to that domain joined workstation or server.

15
00:00:45,840 --> 00:00:51,430
So a trusted host is an entry that will allow both sides

16
00:00:51,430 --> 00:00:54,740
of the equation to trust each other.

17
00:00:54,740 --> 00:00:55,430
Now, for example,

18
00:00:55,430 --> 00:00:59,760
you may be on a different domain joined workstation that wants to remotely

19
00:00:59,760 --> 00:01:05,510
manage something also, so that would need to be a trusted host. Or maybe you're

20
00:01:05,510 --> 00:01:08,840
on a workstation that's allowed to remotely manage,

21
00:01:08,840 --> 00:01:12,010
but I need to use different credentials to be able to come across

22
00:01:12,010 --> 00:01:15,940
versus the credentials that might exist on that machine.

23
00:01:15,940 --> 00:01:20,170
So the trusted hosts are effectively machines that wouldn't

24
00:01:20,170 --> 00:01:25,140
normally be allowed to access or remotely manage the server or the

25
00:01:25,140 --> 00:01:28,740
other workstations on a domain, for example.

26
00:01:28,740 --> 00:01:30,900
So why would we use trusted hosts?

27
00:01:30,900 --> 00:01:32,070
Well firstly,

28
00:01:32,070 --> 00:01:36,600
if the remote system we're trying to get to is not part of the domain,

29
00:01:36,600 --> 00:01:41,640
then of course we need to use trusted hosts to be able to communicate across.

30
00:01:41,640 --> 00:01:45,470
Also, if the remote system is part of an untrusted domain,

31
00:01:45,470 --> 00:01:47,570
so something that we're not sure of,

32
00:01:47,570 --> 00:01:50,040
then of course we'll need to utilize this too.

33
00:01:50,040 --> 00:01:51,360
And then of course, lastly,

34
00:01:51,360 --> 00:01:54,440
if we're connecting to the remote system using local

35
00:01:54,440 --> 00:01:57,460
credentials instead of domain credentials that we would

36
00:01:57,460 --> 00:02:01,140
normally push from one location to another.

37
00:02:01,140 --> 00:02:06,440
So three kinds of different reasons why we should use those trusted hosts.

38
00:02:06,440 --> 00:02:09,730
So what is a trusted host entry and what is it made up of?

39
00:02:09,730 --> 00:02:10,050
Well,

40
00:02:10,050 --> 00:02:15,630
the first thing is it contains an IP version 4 address. It could also contain

41
00:02:15,630 --> 00:02:20,350
an IP version 6 address, so we need those kinds of entries.

42
00:02:20,350 --> 00:02:24,390
It could also be a fully qualified domain name or a domain

43
00:02:24,390 --> 00:02:27,940
name, or we could be utilizing a wildcard.

44
00:02:27,940 --> 00:02:31,430
So the wildcard is actually quite common, even though it's not the most secure.

45
00:02:31,430 --> 00:02:36,330
Often people will just enable it and say, wildcard, anybody can connect, but in

46
00:02:36,330 --> 00:02:40,410
a more secure environment we'll obviously need to register the specific IP

47
00:02:40,410 --> 00:02:44,490
addresses or the fully qualified domain name of the host that needs to

48
00:02:44,490 --> 00:02:49,400
connect to the other place. Now to create trusted host entries, what we're

49
00:02:49,400 --> 00:02:53,640
going to do here is we can use what's called winrm as a command. So this is

50
00:02:53,640 --> 00:02:58,740
inside the command prompt itself, so, cmd, you launch that on Windows, you

51
00:02:58,740 --> 00:03:04,230
can say winrm, and then you set the trusted host parameter here to, for

52
00:03:04,230 --> 00:03:07,740
example, the IP address of the machine that you're going to be connecting

53
00:03:07,740 --> 00:03:09,440
from.

54
00:03:09,440 --> 00:03:13,750
We can also achieve the same thing by using PowerShell, which follows the exact

55
00:03:13,750 --> 00:03:20,040
same process: it uses what's called Set-Item, and then sets the WSMan property for

56
00:03:20,040 --> 00:03:24,140
trusted hosts to be that specific IP address.

57
00:03:24,140 --> 00:03:29,150
And then of course, we can add trusted host entries just using direct

58
00:03:29,150 --> 00:03:33,080
PowerShell. So instead of creating it we can actually go ahead and

59
00:03:33,080 --> 00:03:36,590
retrieve the values and then add something to it.

60
00:03:36,590 --> 00:03:41,200
So, for example, let's say you have a server that already has trusted host

61
00:03:41,200 --> 00:03:46,700
entries for seven machines, but you need to append another one to it, then we

62
00:03:46,700 --> 00:03:52,470
can do it this way. We can basically retrieve, by using Get-Item, the list of

63
00:03:52,470 --> 00:03:57,500
trusted host entries already, and then you'll see in the Set-Item, we're able

64
00:03:57,500 --> 00:04:00,420
to go to Set-Item -Path,

65
00:04:00,420 --> 00:04:03,470
blah, blah, blah, TrustedHosts, and then we can see we have the

66
00:04:03,470 --> 00:04:08,540
variable, comma, and then the new one that we need to add.

67
00:04:08,540 --> 00:04:11,890
So let's talk about Globomantics trusted hosts for a second.

68
00:04:11,890 --> 00:04:15,220
So right now we obviously have some specific pieces.

69
00:04:15,220 --> 00:04:16,950
We have an Active Directory Server,

70
00:04:16,950 --> 00:04:22,040
we have a File Server, and then of course we have an Administration Workspace.

71
00:04:22,040 --> 00:04:25,260
Everything on the left-hand side there is domain joined.

72
00:04:25,260 --> 00:04:29,740
So we have the Active Directory and the File Server all connected together,

73
00:04:29,740 --> 00:04:34,240
but on the admin side we are not domain joined.

74
00:04:34,240 --> 00:04:38,680
So in order for the workstation on the right‑hand side there to connect and

75
00:04:38,680 --> 00:04:42,010
remotely manage the Active Directory server or the File Server,

76
00:04:42,010 --> 00:04:46,300
we would need to add trusted host entries, and the trusted

77
00:04:46,300 --> 00:04:48,560
host entry would be something like this.

78
00:04:48,560 --> 00:04:55,160
So, Set-Item WSMan TrustedHosts, and then you'll see the IP address of the

79
00:04:55,160 --> 00:05:00,230
Administration Workstation. And the trusted host entries would be added to

80
00:05:00,230 --> 00:05:09,000
the Active Directory Server and the File Server, and anything else that existed in that domain joined environment.

