Disable-PSRemoting
Prevents PowerShell endpoints from receiving remote connections.
Syntax
Disable-PSRemoting
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
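This cmdlet is only available on the Windows platform.
The Disable-PSRemoting cmdlet blocks remote access to all PowerShell version 6 and greater session endpoint configurations on the local computer. It does not affect Windows PowerShell endpoint configurations. To disable Windows PowerShell session endpoint configurations, run the Disable-PSRemoting command from within a Windows PowerShell session.
To re-enable remote access to all PowerShell version 6 and greater session endpoint configurations, use the Enable-PSRemoting cmdlet. To re-enable remote access to all Windows PowerShell session endpoint configurations, run Enable-PSRemoting from within a Windows PowerShell session.
Note
If you want to disable all PowerShell remote access to a local Windows computer, you must run this command both from within a PowerShell version 6 or greater session and from within a Windows PowerShell session. Windows PowerShell is installed by default on all Windows computers.
To disable and re-enable remote access to specific session endpoint configurations, use the Enable-PSSessionConfiguration and Disable-PSSessionConfiguration cmdlets. To set specific access configurations for individual endpoints, use the Set-PSSessionConfiguration cmdlet together with the AccessMode parameter. For more information about session configurations, see about_Session_Configurations.
Note
Even after running Disable-PSRemoting, you can still make loopback connections on the local computer. A loopback connection is a PowerShell remote session that originates from and connects to the same local computer. Remote sessions from external sources remain blocked. For loopback connections, you must use implicit credentials along with the EnableNetworkAccess parameter. For more information about loopback connections, see New-PSSession.
This cmdlet is only available on the Windows platform. It is not available on Linux or macOS versions of PowerShell. To run this cmdlet, start PowerShell with the Run as administrator option.
Examples
Example 1: Prevent remote access to all PowerShell session configurations
This example prevents remote access to all PowerShell session endpoint configurations on the computer.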
Disable-PSRemoting
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
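Example 2: Prevent remote access to all PowerShell session configurations without a confirmation prompt
This example prevents remote access to all PowerShell session endpoint configurations on the computer without prompting.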
Disable-PSRemoting -Force
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
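Example 3: Effects of running this cmdlet
This example shows the effect of using the Disable-PSRemoting cmdlet. To run this command sequence, start PowerShell with the Run as administrator option.
After the session configurations are disabled, the New-PSSession cmdlet attempts to create a remote session to the local computer (also known as a "loopback"). Because remote access is disabled on the local computer, the command fails.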
Disable-PSRemoting -Force
New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
New-PSSession : [localhost] Connecting to remote server localhost failed with the following error
message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName PowerShell.6
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
[New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
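Example 4: Effects of running this cmdlet and Enable-PSRemoting
This example shows the effect on the session configurations of using the Disable-PSRemoting and Enable-PSRemoting cmdlets.
Disable-PSRemoting is used to disable remote access to all PowerShell session endpoint configurations. The Force parameter suppresses all user prompts. The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations on the computer.
The output shows that all remote users with a network token are denied access to the endpoint configurations. Members of the Administrators group on the local computer are allowed access to the endpoint configurations as long as they connect locally (also known as loopback) and use implicit credentials.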
Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -AutoSize
Enable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -AutoSize
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
PowerShell.6.2.0 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed ...
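The Enable-PSRemoting cmdlet re-enables remote access to all PowerShell session endpoint configurations on the computer. The Force parameter suppresses all user prompts and restarts the WinRM service without prompting. The new output shows that the AccessDenied security descriptors have been removed from all session configurations.
Example 5: Loopback connections with disabled session endpoint configurations
This example demonstrates how endpoint configurations are disabled, and shows how to make a successful loopback connection to a disabled endpoint. Disable-PSRemoting disables all PowerShell session endpoint configurations.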
Disable-PSRemoting -Force
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -Credential (Get-Credential)
PowerShell credential request
Enter your credentials.
User: UserName
Password for user UserName: ************
New-PSSession: [localhost] Connecting to remote server localhost failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
New-PSSession -ComputerName localhost -ConfigurationName powershell.6 -EnableNetworkAccess
Id Name Transport ComputerName ComputerType State ConfigurationName Availability
-- ---- --------- ------------ ------------ ----- ----------------- ------------
1 Runspace1 WSMan localhost RemoteMachine Opened powershell.6 Available
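The first use of New-PSSession attempts to create a remote session to the local computer. The ConfigurationName parameter is used to specify the disabled PowerShell endpoint. Credentials are passed explicitly to the command through the Credential parameter. This type of connection goes through the network stack and is not a loopback. Consequently, the connection attempt to the disabled endpoint fails with an Access is denied error.
The second use of New-PSSession also attempts to create a remote session to the local computer.
In this case, it succeeds because it is a loopback connection that bypasses the network stack.
A loopback connection is created when the following conditions are met:
- The computer name to connect to is 'localhost'.
- No credentials are passed in. The currently logged-on user (implicit credentials) is used for the connection.
- The EnableNetworkAccess parameter is used.
For more information about loopback connections, see the New-PSSession documentation.
Example 6: Disable all PowerShell remoting endpoint configurations
This example demonstrates that running the Disable-PSRemoting command does not affect Windows PowerShell endpoint configurations. Get-PSSessionConfiguration run within Windows PowerShell shows all endpoint configurations. We see that the Windows PowerShell endpoint configurations are not disabled.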
Disable-PSRemoting -Force
powershell.exe -command 'Get-PSSessionConfiguration'
WARNING: PowerShell remoting has been disabled only for PowerShell 6+ configurations and does not affect
Windows PowerShell remoting configurations. Run this cmdlet in Windows PowerShell to affect all PowerShell
remoting configurations.
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
Name : microsoft.powershell.workflow
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell32
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
Management Users AccessAllowed
Name : PowerShell.6
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6.2.2
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
powershell.exe -command 'Disable-PSRemoting -Force'
powershell.exe -command 'Get-PSSessionConfiguration'
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or
Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the
Administrators group on the computer.
Name : microsoft.powershell
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : microsoft.powershell.workflow
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management
Users AccessAllowed
Name : microsoft.powershell32
PSVersion : 5.1
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Name : PowerShell.6.2.2
PSVersion : 6.2
StartupScript :
RunAsUser :
Permission : NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators
AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
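To disable these endpoint configurations, the Disable-PSRemoting command must be run from within a Windows PowerShell session. Now, Get-PSSessionConfiguration run from within Windows PowerShell shows that all endpoint configurations are disabled.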
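An added check (not part of the original documentation) for the point Example 6 makes: it collects the endpoints visible from the current session and from Windows PowerShell, then flags any whose Permission string lacks the NT AUTHORITY\NETWORK AccessDenied entry. The function names are hypothetical, and the match assumes English account names as in the output above.

```powershell
# Added example: report every session endpoint that still admits network logons.
# Run elevated; Get-PSSessionConfiguration needs the WinRM service to be running.

function Test-NetworkDenied {
    # True when the Permission string carries the deny entry Disable-PSRemoting adds.
    # Assumption: English account names, as shown in the page's output.
    param([string]$Permission)
    $Permission -match 'NT AUTHORITY\\NETWORK\s+AccessDenied'
}

function Get-RemotingEndpointAudit {
    $found = @()

    # Endpoints visible from the current session (PowerShell 6+ when run in pwsh).
    $found += @(Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Select-Object Name, PSVersion, Permission)

    # Endpoints visible from Windows PowerShell, passed back as JSON so the
    # objects survive the process boundary.
    $cmd  = 'Get-PSSessionConfiguration | Select-Object Name, PSVersion, Permission | ConvertTo-Json'
    $json = powershell.exe -NoProfile -Command $cmd
    if ($json) {
        # ForEach-Object unrolls the array on both 5.1 and 6+.
        $found += @($json | Out-String | ConvertFrom-Json | ForEach-Object { $_ })
    }

    # One row per endpoint name, with the verdict for the network deny entry.
    $found | Sort-Object Name -Unique | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            PSVersion     = $_.PSVersion
            NetworkDenied = Test-NetworkDenied $_.Permission
        }
    }
}

$audit = @(Get-RemotingEndpointAudit)
$audit | Format-Table -AutoSize

$open = @($audit | Where-Object { -not $_.NetworkDenied })
if ($open.Count -gt 0) {
    Write-Warning ('Still reachable over the network: ' + ($open.Name -join ', '))
}
```

A warning that names only the microsoft.powershell* endpoints corresponds to the first output in Example 6: Disable-PSRemoting was run in PowerShell 6+ but not yet in Windows PowerShell.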
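Example 7: Prevent remote access to session configurations that have custom security descriptors
This example demonstrates that the Disable-PSRemoting cmdlet disables remote access to all session configurations, including session configurations with custom security descriptors.
Register-PSSessionConfiguration creates the Test session configuration. The FilePath parameter specifies a session configuration file that customizes the session. The ShowSecurityDescriptorUI parameter displays a dialog box that sets permissions for the session configuration. In the Permissions dialog box, we create custom full-access permissions for the indicated user.
The Get-PSSessionConfiguration and Format-Table cmdlets display the session configurations and their properties. The output shows that the Test session configuration allows interactive access and special permissions for the indicated user.
Disable-PSRemoting disables remote access to all session configurations.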
Register-PSSessionConfiguration -Name Test -FilePath .\TestEndpoint.pssc -ShowSecurityDescriptorUI -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap
Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Wrap
New-PSSession -ComputerName localhost -ConfigurationName Test
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
BUILTIN\Remote Management Users AccessAllowed
Test NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed,
User01 AccessAllowed
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed
Test NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed,
BUILTIN\Administrators AccessAllowed, User01 AccessAllowed
New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message
: Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName Test
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Management.A…tion.RemoteRunspace:RemoteRunspace)
[New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : AccessDenied,PSSessionOpenFailed
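Now the Get-PSSessionConfiguration and Format-Table cmdlets show that an AccessDenied security descriptor for all network users has been added to all session configurations, including the Test session configuration. Although the other security descriptors are not changed, the "network_deny_all" security descriptor takes precedence. The attempt to use New-PSSession to connect to the Test session configuration illustrates this.
Example 8: Re-enable remote access to selected session configurations
This example shows how to re-enable remote access only to selected session configurations. After disabling all session configurations, we re-enable a specific session.
The Set-PSSessionConfiguration cmdlet is used to change the PowerShell.6 session configuration. The AccessMode parameter with a value of Remote re-enables remote access to the configuration.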
Disable-PSRemoting -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -AutoSize
Set-PSSessionConfiguration -Name PowerShell.6 -AccessMode Remote -Force
Get-PSSessionConfiguration | Format-Table -Property Name, Permission -AutoSize
WARNING: Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting
or Enable-PSSessionConfiguration cmdlet. You might have to manually undo the changes by following these steps:
1. Stop and disable the WinRM service.
2. Delete the listener that accepts requests on any IP address.
3. Disable the firewall exceptions for WS-Management communications.
4. Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to
members of the Administrators group on the computer.
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
Name Permission
---- ----------
PowerShell.6 NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\ ...
PowerShell.6.2.0 NT AUTHORITY\NETWORK AccessDenied, NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Adm ...
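Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |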
-Force
Forces the command to run without asking for user confirmation.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
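Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
None
You can't pipe objects to this cmdlet.
Outputs
None
This cmdlet returns no output.
Notes
This cmdlet is only available on the Windows platform.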
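Disabling the session configurations does not undo all the changes made by the Enable-PSRemoting or Enable-PSSessionConfiguration cmdlets. You might have to undo the following changes manually.
- Stop and disable the WinRM service.
- Delete the listener that accepts requests on any IP address.
- Disable the firewall exceptions for WS-Management communications.
- Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.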
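A read-only check of the four items in the list above, added here as an example and not taken from the original documentation. Get-RemotingResidue is a hypothetical helper name; the firewall rule group name and the registry path are assumptions labelled in the comments.

```powershell
# Added example: report which changes from Enable-PSRemoting are still in place.
# Run elevated. Nothing is modified.
function Get-RemotingResidue {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # Listener enumeration needs a running WinRM service; a failure here means
    # no listener can currently answer.
    $listeners = @()
    try {
        $listeners = @(Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction Stop)
    } catch { }

    # Assumption: English rule group name; the display group is localized.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    # Assumption: standard location of LocalAccountTokenFilterPolicy (the page
    # does not give the path); an absent value behaves as 0.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

    [pscustomobject]@{
        WinRMState        = $svc.State
        WinRMStartMode    = $svc.StartMode
        WildcardListeners = @($listeners | Where-Object { $_.Address -eq '*' }).Count
        EnabledFwRules    = $rules.Count
        TokenFilterPolicy = [int]$policy
    }
}

$r = Get-RemotingResidue
$r | Format-List

if ($r.WinRMState -ne 'Stopped' -or $r.WinRMStartMode -ne 'Disabled') {
    Write-Warning 'WinRM service is not stopped and disabled.'
}
if ($r.WildcardListeners -gt 0) { Write-Warning 'A listener still accepts requests on any IP address.' }
if ($r.EnabledFwRules -gt 0)    { Write-Warning 'WS-Management firewall exceptions are still enabled.' }
if ($r.TokenFilterPolicy -ne 0) { Write-Warning 'LocalAccountTokenFilterPolicy is not 0.' }
```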
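A session endpoint configuration is a group of settings that define the environment for a session. Every session that connects to the computer must use one of the session endpoint configurations registered on the computer. By denying remote access to all session endpoint configurations, you effectively prevent remote users from establishing sessions that connect to the computer.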