Windows Server 2012: IT Pros Will Need WS-MAN Remoting Skills (And Not Just for PowerShell)
I'm seeing a worrying trend in the world of Microsoft IT. Let's politely call it the "head in the sand" phenomenon. My theory is that it comes from such a long period -- around a decade, really -- of relatively few major OS-level changes, especially in the Server version of Windows. Not that Windows 2008 didn't feature improvements over 2003, or that R2 didn't improve upon that, but they were largely incremental changes. They were easy to understand, easy to incorporate, or if they didn't interest you, easy to ignore.
That's not the case with Windows Server 2012, and I'm worried because I'm not seeing IT decision makers and IT teams really engaged with what's coming. The "oh, we're not moving to 2012" argument doesn't hold a lot of water with me because you never know. It's easy to have one or two servers creep in, often to support some other need, and before long you've got a lot of 'em.
Specifically, I'm worried about the lack of attention being paid to WS-MAN.
WS-MAN: Not Just for PowerShell
WS-MAN is the protocol that underlies PowerShell Remoting, and it's been available for Windows XP, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2003 and Windows Server 2008 R2 for a few years now. I think many IT shops have felt comfortable ignoring it because it didn't push itself on you. If you wanted it, you learned about it before using it; if you didn't want it, you just ignored it.
That goes away for Windows Server 2012. It enables PowerShell Remoting -- and thus WS-MAN -- by default, because it needs it. Server Manager, you see, has been rebuilt to run on top of PowerShell. And even if you open Server Manager right on the server console, it still needs Remoting to "talk to itself" and make configuration changes. That pattern will grow more and more common as Microsoft starts shifting management tools to PowerShell. In earnest, Remoting makes it much easier for developers to create rich GUIs, built on PowerShell, that manage remote servers. By not distinguishing between "local" and "remote," developers ensure a consistent experience either way -- and help enable headless servers, a direction in which Microsoft is most assuredly heading.
So the idea of, "well, we don't use Remoting, so we'll shut it off" doesn't work anymore -- it'd be as effective to just shut off Ethernet. You can't manage new servers without it -- so it's time to start focusing on understanding WS-MAN, and creating a place for it in your environment. Now, while you've got time to plan, rather than later when it's a foregone conclusion and it's just snuck its way -- uncontrolled and unmanaged -- into your environment.
Start by reading "Secrets of PowerShell Remoting," a free guide I put together with the help of fellow MVP Tobias Weltner. There's even an entire chapter on WS-MAN's security architecture, and answers to common security-related questions.
Practice setting up Remoting on your existing machines, even in a lab, so that you can become familiar with it. After all, if Win2012 is going to make you use Remoting, you might as well take advantage of it for other servers too -- and reduce your management overhead.
Don't think of WS-MAN as another protocol to deal with -- think of it as enabling fewer protocols, as it starts to phase out Remote Procedure Calls (RPCs) and the other scattershot protocols that Windows has relied upon for years.
Will there be security concerns about WS-MAN? Assuredly. Interestingly, many of the questions and concerns I've heard raised have substantially poorer answers when it comes to our existing management protocols. When it comes to WS-MAN, people ask about the security of credentials, the privacy of the communications, and so on -- but I've never heard those questions raised about RPCs, which is what's mainly running your network right now. Keep that in mind: it's completely reasonable to ask the hard questions, but don't set a bar for security that you've never, ever met before, without at least acknowledging that you're doing so.
And keep in mind that WS-MAN isn't optional. I've had folks tell me that their "IT security will never allow it." Doesn't matter what IT security thinks: This thing is coming and it's mandatory for server management. Wrap your head around it now or later -- although "now" will let you learn the protocol and make it a welcomed part of your environment.
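To make the "practice in a lab" advice above concrete, and to give you something to show IT security when they ask about credentials and privacy on the wire, here is an added PowerShell example (my own illustration, not code from the guide or from Microsoft). It enables Remoting on a lab box, optionally adds an HTTPS listener, and then reads back the WinRM service settings a reviewer would want to see: whether unencrypted messages are allowed, which authentication methods are on, whether an HTTPS listener exists, and whether the client's TrustedHosts list has been opened up. The computer name `lab-srv01` and the certificate thumbprint are placeholders you would replace with your own.

```powershell
# Added example: enable PowerShell Remoting in a lab and audit the WinRM
# settings that matter for credential security and transport privacy.
# Run from an elevated PowerShell prompt on the lab machine. Requires the
# WSMan provider that ships with PowerShell 2.0 and later.
#Requires -RunAsAdministrator

# 1. Turn on Remoting: starts the WinRM service, registers the HTTP listener
#    and the firewall exception, and registers the PowerShell session configs.
Enable-PSRemoting -Force

# 2. Optionally add an HTTPS listener so the session is protected by TLS in
#    addition to the per-message encryption Kerberos/Negotiate already provide.
#    Placeholder: set $Thumbprint to a server-auth cert in LocalMachine\My.
$Thumbprint = $null
if ($Thumbprint) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
             -CertificateThumbprint $Thumbprint -Force | Out-Null
}

# 3. Read back the settings a security reviewer will ask about.
function Get-WinRmSecurityAudit {
    $svc      = 'WSMan:\localhost\Service'
    $findings = @()

    # AllowUnencrypted=true lets a client fall back to clear-text WS-MAN over HTTP.
    $allowUnencrypted = (Get-Item "$svc\AllowUnencrypted").Value
    if ($allowUnencrypted -eq 'true') {
        $findings += 'AllowUnencrypted is true; WinRM may accept unencrypted HTTP traffic.'
    }

    # Basic auth sends the password itself; keep it off unless HTTPS is enforced.
    $basic = (Get-Item "$svc\Auth\Basic").Value
    if ($basic -eq 'true') {
        $findings += 'Basic authentication is enabled on the service.'
    }

    # Kerberos gives mutual authentication inside a domain; Negotiate falls back to NTLM.
    $kerberos  = (Get-Item "$svc\Auth\Kerberos").Value
    $negotiate = (Get-Item "$svc\Auth\Negotiate").Value

    # Enumerate listeners and look for one on the HTTPS transport.
    $listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    $httpsListener = $listeners | Where-Object { $_.Transport -eq 'HTTPS' }
    if (-not $httpsListener) {
        $findings += 'No HTTPS listener is configured; only the HTTP listener is present.'
    }

    # TrustedHosts is a client setting: '*' disables hostname checks for non-Kerberos auth.
    $trustedHosts = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if ($trustedHosts -eq '*') {
        $findings += 'Client TrustedHosts is "*"; any host can be trusted for NTLM/Basic sessions.'
    }

    [pscustomobject]@{
        AllowUnencrypted = $allowUnencrypted
        BasicAuth        = $basic
        KerberosAuth     = $kerberos
        NegotiateAuth    = $negotiate
        HttpsListener    = [bool]$httpsListener
        TrustedHosts     = $trustedHosts
        Findings         = $findings
    }
}

Get-WinRmSecurityAudit | Format-List

# 4. Prove the single-port model end to end from a management workstation
#    (placeholder host name). -UseSSL requires the HTTPS listener from step 2.
Test-WSMan -ComputerName lab-srv01
Invoke-Command -ComputerName lab-srv01 -ScriptBlock { $env:COMPUTERNAME }
```

On a freshly enabled server the audit should come back with Basic off, AllowUnencrypted false, Kerberos and Negotiate on, no HTTPS listener and an empty TrustedHosts; the `Findings` list is what you hand to the security team, and "no HTTPS listener" is the one item most shops will want to close before Remoting crosses a domain boundary.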
Is Microsoft Crazy?
Maybe. Have you seen Ballmer jumping around at conferences? That's crazy. But more to the point, is Microsoft crazy in introducing a new management protocol that supports encryption, compression, delegated authentication, secure delegation of credentials, mutual authentication and that only requires a single HTTP(S) port rather than entire ranges?
Um... doesn't sound crazy.
Is Microsoft crazy for replacing a set of 20-year-old protocols with something newer, more manageable and more extensible? Yes -- in much the same way that replacing MS-DOS with Windows was crazy.
I'm not here to justify what MS is doing with the product; that's up to MS. I'm here to help people understand where they're going, so that we can be prepared. You don't have to like it, or agree with it, but you will have to deal with it. Better, I think, to start understanding it now than to wait until it's snuck in and is an uncontrolled part of the environment.
Posted by Don Jones on 05/14/2012 at 1:14 PM