Starting with the London release, ServiceNow Discovery will support PowerShell Remoting. So far, Discovery supports Windows Management Instrumentation (WMI), which is commonly used across the industry in the enterprise management solution. So, how does PowerShell Remoting differ from the capabilities we already have? Why should a customer go through the trouble of enabling this feature when so many tools are available that don’t have a dependency on PowerShell Remoting?
Access to an Admin share for an LDAP account is considered as a security risk in many enterprises. Another issue is that protocols like WMI use Distributed COM (DCOM). This may work well on a single internal network, but it causes problems when these tools need to traverse firewalls or play nice with intrusion prevention or other security systems.
PowerShell Remoting is a solution to some of the security and consistency issues that IT professionals currently work around. It’s built on Microsoft’s implementation of the Web Services for Management (WSMan) protocol, and it uses the Windows Remote Management (WinRM) service to manage communication and authentication. This framework was designed to be a secure and reliable method for managing computers that’s built on well-known standards like Simple Object Access Protocol (SOAP) and Hypertext Transfer Protocol (HTTP).
A major advantage over other methods of remote management is that a single port is used for every application that uses WSMan. Instead of poking different holes in a firewall for every application, only the port used by WSMan needs to be configured, and the WinRM service will make sure the traffic gets routed to the correct application.
By default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively. This is much friendlier to network firewalls when compared to other legacy communication protocols such as DCOM and RPC, which use numerous ports and dynamic port mappings. Remoting is enabled by default on Windows Server 2012 and it is required by the server manager console to communicate with other Windows servers, and even to connect to the local computer where the console is running.
“PowerShell Remote is recommended from ServiceNow, because the discovery is faster and is more secure”.
Enabling PowerShell Remoting on a Local Computer
You may need to enable Remoting on Windows clients, older Windows Server operating systems, or Windows Server 2012 if it has been disabled.
Microsoft Just Enough Administration (JEA)
Just Enough Administration enables role-based administration through PowerShell Remoting. It extends the existing constrained endpoint infrastructure by allowing non-administrators to run specific commands, scripts and executables as an administrator.
“Microsoft Windows PowerShell and JEA simplify the process of moving from global administrator accounts to limited local accounts, a best practice in securing Windows Server-based systems.”
Just Enough Administration (JEA) is a security technology that enables delegated administration for anything that can be managed with PowerShell. With JEA, you can:
- Reduce the number of administrators on your machines by leveraging virtual accounts or group managed service accounts that perform privileged actions on behalf of regular users.
- Limit what users can do by specifying which cmdlets, functions, and external commands they can run.
- Better understand what your users are doing with transcripts and logs that show you exactly which commands a user executed during their session.
Windows admin can refer Microsoft documentation to get more details on how to activate JEA.
ServiceNow Property Settings
- ServiceNow Discovery with Microsoft JEA (KB0697317)
- Just Enough Administration (JEA) First Look
- Microsoft JEA Documentation
|Note: If the device does not support PowerShell Remote (PowerShell under version 3.0) Discovery will use WMI with PowerShell as a fallback strategy.|