All authenticated access from Server A is subject to security breach if Server A turns rogue. The actual Session established with Server B will still be with their own credentials,Įnabling proper auditing and access permissions on the final endpoint. By severely constraining the commands available on Server A, you can prevent users from actually accessing them directly. You can then apply them to the connection to Server B.
You can store the proxy credentials on Server A. You cannot control what account has access through the proxy.Given your scenario however I'm assuming you have are having several issues in this process: From Server A they can then jump to Server B, authenticating to the proxy with their own credentials, accessing Server B with their own credentials.This configuration is extremely constrained in what actions it allows (ideally, you only want to offer 3 commands: New-PSSession, Remove-PSSession, Invoke-RemoteCommand (Custom function that invokes command on the remote endpoint). Users log in to that Server using CredSSP authentication. On Server A, create a new PowerShell configuration, granting all users that should have it access permissions.On Server B they access local functionalityįrom that I'd say this would be the default connection path:.From this Server A they connect to Server B through a Proxy.You have any arbitrary number of users, connecting from any number of clients.
0 kommentar(er)
