What causes PowerShell Remoting to use high bandwidth?


I work in IT for an organization that is currently setting up (or letting me set up) an Active Directory domain. At the moment it is still being tested with 1 DC and 1 client. A week or two ago our switch alerted us to excessive traffic between the domain controller and the domain-joined computer. It reported it as "Windows File Sharing", which seemed like a lot. The volume was about 30 to 40 GB per week, which makes no sense because these are test machines that sit idle most of the time.

Today we confirmed that all of the traffic is on port 445. I ran Wireshark on the domain-joined computer and immediately noticed a specific Group Policy path showing up in about 90% of the packets. The policy has the same GUID every time, and using GPMC I traced that GUID to an "Allow PowerShell Remoting" GPO I had set up a few weeks earlier to allow PowerShell remoting.

All this GPO does is exactly what its name says: open the ports remoting needs on each machine and allow inbound connections, as described in the documentation, so that PS remoting works. I just disabled the GPO, but over the past few hours it caused about 4 GB of traffic between the DC and the client. Can this possibly be "normal"? Why would PS-Remoting use this much bandwidth? How do I fix it?

Here is the HTML report of the GPO, generated in PowerShell. The formatting below isn't great, but it is too big to screenshot:

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Scripts
        Startup
          For this GPO, Script order: Not configured
          Name        Parameters
          netsh.bat
      Security Settings
        System Services
          Windows Remote Management (WS-Management) (Startup Mode: Automatic)
            Permissions
              No permissions specified
            Auditing
              No auditing specified
        Windows Firewall with Advanced Security
          Global Settings
            Policy                  Setting
            Policy version          2.10
            Disable stateful FTP    Not Configured
            Disable stateful PPTP   Not Configured
            IPsec exempt            Not Configured
            IPsec through NAT       Not Configured
            Preshared key encoding  Not Configured
            SA idle time            Not Configured
            Strong CRL check        Not Configured
          Inbound Rules
            Name    Description
            Windows Remote Management - Compatibility Mode (HTTP-In)    Compatibility mode inbound rule for Windows Remote Management via WS-Management. [TCP 80]
              This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
              Enabled                 True
              Program                 System
              Action                  Allow
              Security                Require authentication
              Authorized computers
              Authorized users
              Protocol                6
              Local port              80
              Remote port             Any
              ICMP settings           Any
              Local scope             Any
              Remote scope            Any
              Profile                 All
              Network interface type  All
              Service                 All programs and services
              Allow edge traversal    False
              Group                   Windows Remote Management
            Windows Remote Management (HTTP-In)    Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
              This rule may contain some elements that cannot be interpreted by current version of GPMC reporting module
              Enabled                 True
              Program                 System
              Action                  Allow
              Security                Require authentication
              Authorized computers
              Authorized users
              Protocol                6
              Local port              5985
              Remote port             Any
              ICMP settings           Any
              Local scope             Any
              Remote scope            Any
              Profile                 All
              Network interface type  All
              Service                 All programs and services
              Allow edge traversal    False
              Group                   Windows Remote Management
          Connection Security Settings
    Administrative Templates
      Policy definitions (ADMX files) retrieved from the local machine.
      Windows Components/Windows Remote Management (WinRM)/WinRM Service
        Policy    Setting    Comment
        Allow remote server management through WinRM    Enabled
          IPv4 filter:    *
          IPv6 filter:
          Syntax:
            Type "*" to allow messages from any IP address, or leave the
            field empty to listen on no IP address. You can specify one
            or more ranges of IP addresses.
            Example IPv4 filters:
              2.0.0.1-2.0.0.20, 24.0.0.1-24.0.0.22
              *
            Example IPv6 filters:
              3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
              *
User Configuration (Enabled)
  No settings defined.
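Port 445 traffic between a member and its DC is SMB, and the GPO path seen in the capture points at the policy's folder under SYSVOL, which clients pull whenever the policy is (re)applied. The following PowerShell is an added example, not the poster's code, for doing the GUID-to-GPO lookup from the question in the GroupPolicy module and then measuring what that GPO's SYSVOL folder actually contains. The GUID value is a placeholder to be replaced with the one from the Wireshark capture; the script assumes the GroupPolicy module (RSAT) is installed and that it is run on a domain member with read access to SYSVOL.

```powershell
# Added example (not from the original post): resolve the GPO GUID seen in the
# SMB traffic, report its version numbers, and size up its SYSVOL folder.
Import-Module GroupPolicy

# Placeholder: replace with the GUID observed in the capture.
$GpoGuid = '00000000-0000-0000-0000-000000000000'

$gpo = Get-GPO -Guid $GpoGuid
"GPO name      : $($gpo.DisplayName)"
"Status        : $($gpo.GpoStatus)"
"Modified      : $($gpo.ModificationTime)"
# Clients compare the AD and SYSVOL version numbers; a mismatch between the
# two makes every refresh treat the policy as changed and fetch it again.
"Computer ver. : AD=$($gpo.Computer.DSVersion) SYSVOL=$($gpo.Computer.SysvolVersion)"
"User ver.     : AD=$($gpo.User.DSVersion) SYSVOL=$($gpo.User.SysvolVersion)"

# The folder clients download over SMB (TCP 445) when the GPO is applied.
$sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$GpoGuid}"
$files  = Get-ChildItem -Path $sysvol -Recurse -File -ErrorAction Stop
$total  = ($files | Measure-Object -Property Length -Sum).Sum
"SYSVOL folder : $sysvol"
"Files         : $($files.Count), total bytes: $total"

# Anything unexpectedly large next to the netsh.bat startup script shows up
# at the top of this list; a small firewall/WinRM GPO should be a few KB.
$files | Sort-Object Length -Descending |
    Select-Object -First 10 FullName, Length

# How often this client is processing Group Policy: recent entries from the
# Group Policy operational log on the machine the script runs on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

If the folder is only a few kilobytes, the volume comes from how often the policy is being refreshed rather than from what it contains, and the operational log timestamps will show that; if the folder is large, the listing shows which file the client keeps copying.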
