Disable-PSRemoting

Prevents PowerShell endpoints from receiving remote connections.

Syntax

Disable-PSRemoting
       [-Force]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

Description

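This cmdlet is only available on the Windows platform.

The Disable-PSRemoting cmdlet blocks remote access to all PowerShell version 6 and later session endpoint configurations on the local computer. It does not affect Windows PowerShell endpoint configurations. To disable Windows PowerShell session endpoint configurations, run the Disable-PSRemoting command from within a Windows PowerShell session.

To re-enable remote access to all PowerShell version 6 and later session endpoint configurations, use the Enable-PSRemoting cmdlet. To re-enable remote access to all Windows PowerShell session endpoint configurations, run Enable-PSRemoting from within a Windows PowerShell session.

Note

If you want to disable all PowerShell remote access to a local Windows computer, you must run this command both from within a PowerShell version 6 or later session and from within a Windows PowerShell session. Windows PowerShell is installed on all Windows computers by default.

To disable and re-enable remote access to specific session endpoint configurations, use the Enable-PSSessionConfiguration and Disable-PSSessionConfiguration cmdlets. To set specific access settings for individual endpoints, use the Set-PSSessionConfiguration cmdlet along with the AccessMode parameter. For more information about session configurations, see about_Session_Configurations.

Note

Even after running Disable-PSRemoting, you can still make loopback connections on the local computer. A loopback connection is a PowerShell remote session that originates from and connects to the same local computer. Remote sessions from external sources remain blocked. For loopback connections, you must use implicit credentials along with the EnableNetworkAccess parameter. For more information about loopback connections, see New-PSSession.

This cmdlet is only available on the Windows platform. It is not available on Linux or macOS versions of PowerShell. To run this cmdlet, start PowerShell with the Run as administrator option.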

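Examples

Example 1: Prevent remote access to all PowerShell session configurations

This example prevents remote access to all PowerShell session endpoint configurations on the computer.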

Disable-PSRemoting

WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
 Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
 remoting configurations.

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

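Example 2: Prevent remote access to all PowerShell session configurations without a confirmation prompt

This example prevents remote access to all PowerShell session endpoint configurations on the computer without prompting.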

Disable-PSRemoting -Force

WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
 Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
 remoting configurations.

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

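Example 3: Effects of running this cmdlet

This example shows the effect of using the Disable-PSRemoting cmdlet. To run this command sequence, start PowerShell with the Run as administrator option.

After the session configurations are disabled, the New-PSSession cmdlet attempts to create a remote session to the local computer (also known as a "loopback"). Because remote access is disabled on the local computer, the command fails.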

Disable-PSRemoting -Force
New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

New-PSSession : [localhost] Connecting to remote server localhost failed with the following error
 message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
 [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

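Example 4: Effects of running this cmdlet and Enable-PSRemoting

This example shows the effect on the session configurations of using the Disable-PSRemoting and Enable-PSRemoting cmdlets.

Disable-PSRemoting is used to disable remote access to all PowerShell session endpoint configurations. The Force parameter suppresses all user prompts. The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations on the computer.

The output shows that all remote users with a network token are denied access to the endpoint configurations. Members of the Administrators group on the local computer are allowed access to the endpoint configurations as long as they connect locally (also known as loopback) and use implicit credentials.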

Disable-PSRemoting -force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto

Enable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto

Name               Permission
----               ----------
PowerShell.6       NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0   NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...

Name               Permission
----               ----------
PowerShell.6       NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0   NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...

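The Enable-PSRemoting cmdlet re-enables remote access to all PowerShell session endpoint configurations on the computer. The Force parameter suppresses all user prompts and restarts the WinRM service without prompting. The new output shows that the AccessDenied security descriptors have been removed from all session configurations.

Example 5: Loopback connections with disabled session endpoint configurations

This example demonstrates how endpoint configurations are disabled, and shows how to make a successful loopback connection to a disabled endpoint. Disable-PSRemoting disables all PowerShell session endpoint configurations.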

Disable-PSRemoting -Force

WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
 Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
 remoting configurations.

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -Credential (Get-Credential)

PowerShell credential request
Enter your credentials.
User: UserName
Password for user UserName: ************

New-PSSession: [localhost] Connecting to remote server localhost failed with the following error message
 : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.

New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -EnableNetworkAccess

Id Name       Transport ComputerName  ComputerType   State   ConfigurationName   Availability
 -- ----       --------- ------------  ------------   -----   -----------------   ------------
 1  Runspace1  WSMan     localhost     RemoteMachine  Opened  powershell.6           Available

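The first use of New-PSSession attempts to create a remote session to the local computer. The ConfigurationName parameter is used to specify the disabled PowerShell endpoint. Credentials are passed explicitly to the command through the Credential parameter. This type of connection goes through the network stack and is not a loopback. Consequently, the connection attempt to the disabled endpoint fails with an Access is denied error.

The second use of New-PSSession also attempts to create a remote session to the local computer. In this case it succeeds, because it is a loopback connection that bypasses the network stack.

A loopback connection is created when the following conditions are met:

  • The computer name to connect to is 'localhost'.
  • No credentials are passed in. The currently logged-on user (implicit credentials) is used for the connection.
  • The EnableNetworkAccess parameter is used.

For more information about loopback connections, see the New-PSSession documentation.

Example 6: Disabling all PowerShell remoting endpoint configurations

This example demonstrates that running the Disable-PSRemoting command does not affect Windows PowerShell endpoint configurations. Get-PSSessionConfiguration, run from within Windows PowerShell, shows all endpoint configurations. We see that the Windows PowerShell endpoint configurations are not disabled.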

Disable-PSRemoting -Force
powershell.exe -command 'Get-PSSessionConfiguration'

WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
 Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
 remoting configurations.

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : PowerShell.6
PSVersion     : 6.2
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : PowerShell.6.2.2
PSVersion     : 6.2
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

powershell.exe -command 'Disable-PSRemoting -Force'
powershell.exe -command 'Get-PSSessionConfiguration'

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or
Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the
Administrators group on the computer.

Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management
                Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : PowerShell.6
PSVersion     : 6.2
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : PowerShell.6.2.2
PSVersion     : 6.2
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
                AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

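To disable these endpoint configurations, the Disable-PSRemoting command must be run from within a Windows PowerShell session. Now, Get-PSSessionConfiguration run from within Windows PowerShell shows that all endpoint configurations are disabled.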
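
The check that Example 6 performs by eye can be scripted. This is an added example, not part of the original page: the function names are hypothetical, the match assumes English account names in the Permission string, and the sample input is constructed from two Permission strings shown in the Example 6 output.

```powershell
# Added example (not from the original page). Function names are hypothetical.
function Get-EndpointExposure {
    # Takes objects with Name, PSVersion and Permission, and reports whether each
    # endpoint carries the NETWORK deny entry that Disable-PSRemoting adds.
    # Assumes English account names in Permission, as in the output on this page.
    param([Parameter(ValueFromPipeline)] $Endpoint)
    process {
        [pscustomobject]@{
            Name          = $Endpoint.Name
            PSVersion     = $Endpoint.PSVersion
            NetworkDenied = $Endpoint.Permission -match 'NT AUTHORITY\\NETWORK\s+AccessDenied'
        }
    }
}

function Get-LocalEndpoint {
    # Windows PowerShell lists every registered endpoint (5.1 and 6+), as Example 6
    # shows, so query through powershell.exe and hand the result back as JSON.
    # Requires an elevated session on Windows.
    $json = powershell.exe -NoProfile -Command 'Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission | ConvertTo-Json'
    $parsed = ($json -join "`n") | ConvertFrom-Json
    foreach ($ep in $parsed) { $ep }
}

# Constructed sample: Permission strings copied from the Example 6 output, as seen
# after Disable-PSRemoting was run only in PowerShell 6+.
$sample = @(
    [pscustomobject]@{
        Name       = 'microsoft.powershell'
        PSVersion  = '5.1'
        Permission = 'NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed'
    }
    [pscustomobject]@{
        Name       = 'PowerShell.6'
        PSVersion  = '6.2'
        Permission = 'NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed'
    }
)

# Endpoints that still accept network connections.
$sample | Get-EndpointExposure | Where-Object { -not $_.NetworkDenied }

# On a live Windows host:
# Get-LocalEndpoint | Get-EndpointExposure | Where-Object { -not $_.NetworkDenied }
```

Any endpoint the filter returns still lacks the NETWORK deny entry, which is the state the Windows PowerShell endpoints are in before Disable-PSRemoting is run from Windows PowerShell.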

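Example 7: Prevent remote access to session configurations that have custom security descriptors

This example demonstrates that the Disable-PSRemoting cmdlet disables remote access to all session configurations, including session configurations that have custom security descriptors.

Register-PSSessionConfiguration creates the Test session configuration. The FilePath parameter specifies a session configuration file that customizes the session. The ShowSecurityDescriptorUI parameter displays a dialog box that sets permissions for the session configuration. In the Permissions dialog box, we create custom full-access permissions for the indicated user.

The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations and their properties. The output shows that the Test session configuration allows interactive access and special permissions for the indicated user.

Disable-PSRemoting disables remote access to all session configurations.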

Register-PSSessionConfiguration -Name Test -FilePath .\TestEndpoint.pssc -ShowSecurityDescriptorUI -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap

Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap
New-PSSession -ComputerName localhost -ConfigurationName Test

Name               Permission
----               ----------
PowerShell.6       NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
                   BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0   NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
                   BUILTIN\Remote Management Users AccessAllowed
Test               NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
                   User01 AccessAllowed

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

Name               Permission
----               ----------
PowerShell.6       NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
                   BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0   NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
                   BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Test               NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
                   BUILTIN\Administrators AccessAllowed, User01 AccessAllowed

New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message
 : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName Test
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
 [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed

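Now the Get-PSSessionConfiguration and Format-Table cmdlets show that an AccessDenied security descriptor for all network users has been added to all session configurations, including the Test session configuration. Although the other security descriptors are not changed, the "network_deny_all" security descriptor takes precedence. This is illustrated by the attempt to use New-PSSession to connect to the Test session configuration.

Example 8: Re-enable remote access to selected session configurations

This example shows how to re-enable remote access only to selected session configurations. After disabling all session configurations, we re-enable a specific session.

The Set-PSSessionConfiguration cmdlet is used to change the PowerShell.6 session configuration. The AccessMode parameter with a value of Remote re-enables remote access to the configuration.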

Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto

Set-PSSessionConfiguration -Name PowerShell.6 -AccessMode Remote -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto

WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
 or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
       members of the Administrators group on the computer.

Name                 Permission
----                 ----------
PowerShell.6         NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
PowerShell.6.2.0     NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...

Name                 Permission
----                 ----------
PowerShell.6         NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\ ...
PowerShell.6.2.0     NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-Force

Forces the command to run without asking for user confirmation.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

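Inputs

None

You cannot pipe objects to this cmdlet.

Outputs

None

This cmdlet does not generate any output.

Notes

This cmdlet is only available on the Windows platform.

  • Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSessionConfiguration cmdlets. You might have to undo the following changes manually.

    1. Stop and disable the WinRM service.
    2. Delete the listener that accepts requests on any IP address.
    3. Disable the firewall exceptions for WS-Management communications.
    4. Restore the value of LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.
  • A session endpoint configuration is a group of settings that define the environment for a session. Every session that connects to the computer must use one of the session endpoint configurations registered on the computer. By denying remote access to all session endpoint configurations, you effectively prevent remote users from establishing sessions that connect to the computer.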
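
The four manual steps listed above can be carried out from an elevated session as follows. This is an added example, not part of the original page: the function name Undo-RemotingSetup is hypothetical, and the firewall rule name prefix and the registry path of LocalAccountTokenFilterPolicy are assumptions about a default Windows installation.

```powershell
# Added example (not from the original page). Undo-RemotingSetup is a hypothetical name.
# Run elevated. Call with -WhatIf first to preview each change.
function Undo-RemotingSetup {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $whatIf = [bool]$WhatIfPreference

    # Step 2 runs first: the WSMan: drive is served by the WinRM service, so the
    # listener has to be removed while the service is still running.
    if ((Get-Service -Name WinRM).Status -eq 'Running') {
        Get-ChildItem -Path WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains 'Address=*' } |
            ForEach-Object {
                Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -WhatIf:$whatIf
            }
    }

    # Step 1: stop the service and keep it from starting again.
    Stop-Service -Name WinRM -Force -WhatIf:$whatIf
    Set-Service -Name WinRM -StartupType Disabled -WhatIf:$whatIf

    # Step 3: disable the inbound WS-Management firewall rules.
    # Assumption: the built-in rule names start with WINRM-HTTP-In-TCP.
    Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule -WhatIf:$whatIf

    # Step 4: restore LocalAccountTokenFilterPolicy to 0 if it was raised.
    # Assumption: the value lives under the Policies\System key below.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $current = (Get-ItemProperty -Path $key).LocalAccountTokenFilterPolicy
    if ($current) {
        Set-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord -WhatIf:$whatIf
    }

    # Report the resulting state so the change can be verified.
    [pscustomobject]@{
        WinRMStatus    = (Get-Service -Name WinRM).Status
        WinRMStartType = (Get-Service -Name WinRM).StartType
        TokenFilter    = (Get-ItemProperty -Path $key).LocalAccountTokenFilterPolicy
        EnabledFwRules = @(Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
                           Where-Object { $_.Enabled -eq 'True' }).Count
    }
}
```

Stopping WinRM also affects other tools that depend on WS-Management, so confirm nothing else on the host relies on the service before running the function without -WhatIf.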