IT Decision Maker

Windows Server 2012: IT Pros Will Need WS-MAN Remoting Skills (And Not Just for PowerShell)

I'm seeing a worrying trend in the world of Microsoft IT. Let's politely call it the "head in the sand" phenomenon. My theory is that it comes from such a long period -- around a decade, really -- of relatively few major OS-level changes, especially in the Server version of Windows. Not that Windows 2008 didn't feature improvements over 2003, or that R2 didn't improve upon that, but they were largely incremental changes. They were easy to understand, easy to incorporate, or if they didn't interest you, easy to ignore.

That's not the case with Windows Server 2012, and I'm worried because I'm not seeing IT decision makers and IT teams really engaged with what's coming. The "oh, we're not moving to 2012" argument doesn't hold a lot of water with me because you never know. It's easy to have one or two servers creep in, often to support some other need, and before long you've got a lot of 'em.

Specifically, I'm worried about the lack of attention being paid to WS-MAN.

WS-MAN: Not Just for PowerShell
WS-MAN is the protocol that underlies PowerShell Remoting, and it's been available for Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003 and Windows Server 2008 R2 for a few years now. I think many IT shops have felt comfortable ignoring it because it didn't push itself on you. If you wanted it, you learned about it before using it; if you didn't want it, you just ignored it.

That goes away for Windows Server 2012. It enables PowerShell Remoting -- and thus WS-MAN -- by default, because it needs it. Server Manager, you see, has been rebuilt to run on top of PowerShell. And even if you open Server Manager right on the server console, it still needs Remoting to "talk to itself" and make configuration changes. That pattern will grow more and more common as Microsoft starts shifting management tools to PowerShell. In earnest, Remoting makes it much easier for developers to create rich GUIs, built on PowerShell, that manage remote servers. By not distinguishing between "local" and "remote," developers ensure a consistent experience either way -- and help enable headless servers, a direction in which Microsoft is most assuredly heading.

So the idea of, "well, we don't use Remoting, so we'll shut it off" doesn't work anymore -- it'd be about as effective as shutting off Ethernet. You can't manage new servers without it -- so it's time to start focusing on understanding WS-MAN, and creating a place for it in your environment. Do it now, while you've got time to plan, rather than later, when it's a foregone conclusion and it has just snuck its way -- uncontrolled and unmanaged -- into your environment.

Learning WS-MAN
Start by reading "Secrets of PowerShell Remoting," a free guide I put together with the help of fellow MVP Tobias Weltner. There's even an entire chapter on WS-MAN's security architecture, and answers to common security-related questions.

Practice setting up Remoting on your existing machines, even in a lab, so that you can become familiar with it. After all, if Win2012 is going to make you use Remoting, you might as well take advantage of it for other servers too -- and reduce your management overhead.

Don't think of WS-MAN as another protocol to deal with -- think of it as enabling fewer protocols, as it starts to phase out Remote Procedure Calls (RPCs) and the other scattershot protocols that Windows has relied upon for years.

Will there be security concerns about WS-MAN? Assuredly. Interestingly, many of the questions and concerns I've heard raised have substantially poorer answers when it comes to our existing management protocols. When it comes to WS-MAN, people ask about the security of credentials, the privacy of the communications, and so on -- but I've never heard those questions raised about RPCs, which is what's mainly running your network right now. Keep that in mind: it's completely reasonable to ask the hard questions, but don't set a bar for security that you've never, ever met before without at least acknowledging that you're doing so.
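The lab practice suggested above and the credential and privacy questions in this paragraph both come down to a handful of WS-MAN service settings. The script below is an added example, not code from the original post or from the "Secrets of PowerShell Remoting" guide: it audits those settings on the local server and can optionally register an HTTPS listener. It assumes an elevated PowerShell 3.0 session on the server and a server-authentication certificate already installed in LocalMachine\My, whose thumbprint replaces the placeholder.

```powershell
# Added example (not from the original post): audit the local WS-MAN (WinRM)
# service against a conservative baseline and, if asked, add an HTTPS listener.
# $CertThumbprint is a placeholder; supply the thumbprint of a certificate
# already present in Cert:\LocalMachine\My.
param(
    [string]$CertThumbprint = '<THUMBPRINT-OF-INSTALLED-SERVER-CERT>',
    [switch]$AddHttpsListener
)

# Ensure the WinRM service, default listener and firewall exception exist.
Enable-PSRemoting -Force | Out-Null

# Settings a security reviewer asks about, read from the WSMan: drive.
$svc = 'WSMan:\localhost\Service'
$checks = @(
    @{ Name = 'AllowUnencrypted'; Path = "$svc\AllowUnencrypted"; Expected = 'false' },
    @{ Name = 'Basic auth';       Path = "$svc\Auth\Basic";       Expected = 'false' },
    @{ Name = 'Kerberos auth';    Path = "$svc\Auth\Kerberos";    Expected = 'true'  },
    @{ Name = 'CredSSP auth';     Path = "$svc\Auth\CredSSP";     Expected = 'false' }
)
$findings = foreach ($c in $checks) {
    $actual = (Get-Item $c.Path).Value
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Ok       = ($actual -eq $c.Expected)   # -eq is case-insensitive
    }
}
$findings | Format-Table -AutoSize

# Listeners: which transports are bound, on which address and port.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object { $_.Name -eq 'Transport' }).Value
        Address   = ($props | Where-Object { $_.Name -eq 'Address' }).Value
        Port      = ($props | Where-Object { $_.Name -eq 'Port' }).Value
    }
} | Format-Table -AutoSize

# Optionally bind an HTTPS listener so the transport is protected by TLS even
# when a session negotiates down from Kerberos to NTLM.
if ($AddHttpsListener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
             -CertificateThumbPrint $CertThumbprint -Force | Out-Null
    # Confirm the new endpoint answers over TLS on the default port 5986.
    Test-WSMan -ComputerName $env:COMPUTERNAME -UseSSL
}
```

Run the audit first with no switches; any row with Ok = False is a setting to fix (with Set-Item on the same WSMan: path) before the server is put into production.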

And keep in mind that WS-MAN isn't optional. I've had folks tell me that their "IT security will never allow it." Doesn't matter what IT security thinks: This thing is coming and it's mandatory for server management. Wrap your head around it now or later -- although "now" will let you learn the protocol and make it a welcomed part of your environment.

Is Microsoft Crazy?
Maybe. Have you seen Ballmer jumping around at conferences? That's crazy. But more to the point, is Microsoft crazy in introducing a new management protocol that supports encryption, compression, delegated authentication, secure delegation of credentials, mutual authentication and that only requires a single HTTP(S) port rather than entire ranges?

Um... doesn't sound crazy.

Is Microsoft crazy for replacing a set of 20-year-old protocols with something newer, more manageable and more extensible? Yes -- in much the same way that replacing MS-DOS with Windows was crazy.

I'm not here to justify what MS is doing with the product; that's up to MS. I'm here to help people understand where they're going, so that we can be prepared. You don't have to like it, or agree with it, but you will have to deal with it. Better, I think, to start understanding it now than to wait until it's snuck in and is an uncontrolled part of the environment.


Posted by Don Jones on 05/14/2012 at 1:14 PM

Reader Comments:

Fri, Jun 1, 2012

I feel it's a bad thing MS is moving away from the GUI to scripting. Scripting has its place but so does the GUI.

Fri, May 18, 2012 Zach Loeber

Love the points mentioned here. Anyone who has had to battle with (or perform implementations as) the infrastructure team at a company for RPC ports totally can get behind the following excerpt of your article, "Don't think of WS-MAN as another protocol to deal with -- think of it as enabling fewer protocols, as it starts to phase out Remote Procedure Calls (RPCs) and the other scattershot protocols that Windows has relied upon for years." Yes, there are registry hacks and such you can use to reduce the massive port ranges required for RPC-related services, but honestly it is long past time to just get past using the protocol altogether. Good article sir!

Tue, May 15, 2012 Marco Shaw

RE: Lulu asking for an email address Doesn't concern me. I'd give my email address any day for something *free* that might be useful...

Tue, May 15, 2012 Don Jones

FYI: I use Lulu because they handle much of the multi-format conversion pain. They don't collect any money (hence the "free" part), and they don't provide me or anyone else with any information that you provide to them. You can also download the MOBI version directly from (Lulu doesn't do that format, so I have to do it myself), and the link on the site goes directly to the file - no registration needed. I assure everyone that I have no interest whatsoever in getting your e-mail address and spamming you. I don't want it. Lulu just helps me make this available in the formats everyone wants.

Tue, May 15, 2012

A guide is not free if I have to give out an email address or create an account on Lulu to get it.

Tue, May 15, 2012 Karthik Twin Cities, MN

Thanks for writing such an interesting article. I am working for a Fortune 25 company and struggling to convince my Windows Server Build team to enable PowerShell Remoting when building a server, but it has been futile so far. It is good to know that Windows 2012 is doing this by default.
