Not many can claim 25 years on the Internet! Join us in celebrating this milestone. Learn more about our history, and thank you for being a part of our community!
I have a star structure of server and clients. Evert client is connected directly to the server, NIC to NIC.
I am using windows.
I wish that the server will be able to run apps on the clients. I can disable the firewalls if needed.
What is the best way to do this?
Current solution is just a “commander” app that runs on all the clients and server and connects via a TCP socket.
Is there a better way to so this? 3rd party solution? Service? Something else?
Zurtan said:
Is there a better way to so this? 3rd party solution? Service? Something else?
Windows already has remote management options, including remoting powershell scripts which can then basically do anything. On Linux you have SSH, and if you want you can also run SSH clients/servers Windows, in fact recent versions (Server 2019 and Windows 10 I believe) include OpenSSH as a built in optional feature.
This would also take care of all the issues around securing the connection and providing authentication, although care must still be taken in password and key management. A “run remote program/app/command” is extremely dangerous.
If your doing this as part of a larger project, then yes sure a TCP socket is a starting point. For simplicity of firewall ideally everything connects to the server and keeps the connection while running. Definitely limit it to only be able to do the things intended though.
An open TCP port that allows anyone on the network to run a command is the definition of an easily exploitable security hole. Someone could just hook a machine up to the network and issue commands.
I second the recommendation of using built-in remote administration, which is either PowerShell remoting on Windows, or SSH on Unix / MacOS. Together with this feature goes credentials that authorize the connections. For PowerShell, that's often controlled through a shared Active Directory server, and you'll have to memorize a AD credential on the server that is authorized for each of the clients. For SSH it takes the form of the appropriate generated private key on the server, and installed public keys on the cilents.
Finally, if the reason you want to run commands is for some kind of orchestration or cluster management system, then you could also look at infrastructure provisioning systems like Terraform, Chef, or something along those lines. Or if you go all containerized, you could do this with Kubernetes or Nomad or something like that.
I have an app that runs on the server. I want this app to boot up the clients on the end computers.
Imagine the app opens, then you press connect. The client side app is not necessarily running. So you would want the server app to have the option to run the client side app.
Think of a scenario where you have a very simple user who just want to press a bit and the app needs to start up and run, and be ready without any further intervention.
Does PowerShell allow me to store the credentials on the server as a file? Or does the User have to enter a password every time he wants to connect via powershell?
Is there a silent mode for the server to run powershell?
Are you using Windows or Linux? I'm going to assume Windows here.
If you use Active Directory, and all the Windows machines are joined to the same domain, then as long as the process executing on the central machine has and identity with execution authority on the other hosts, it should be able to do this without the login dialog.
If you're using random non-domain Windows machines, then you will need to, at a minimum, do the authentication to each separate machine once, and “save credentials” (which you can do manually, or through API calls.)
Everything you need to know about running PowerShell commands remotely can be read here: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7
Note that that article assumes the joined-domain model. (This is the general Windows Server and Windows Enterprise model.)
You can also use SSH, assuming you configure all the computers. At that point, credentials needed end up meaning putting the right public key on each of the “slave” machines: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core?view=powershell-7
In general, Windows is not a good server platform for things like this. The Linux/UNIX model is generally easier to work with for cluster coordination. Although of course, with enough willpower, you can make it work. I've heard of the Gears of War servers requiring admins to press an “OK” button on thousands of servers to install some Gaming For Windows update to support their Xbox network games.
If you're old-school, you can also try PSExec: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
So just to clarify.
Zurtan said:
The client side app is not necessarily running.
Are you only interested on one application on the client side? You don't need a full featured remote administration method, you just want this one application?
If so I really think just have that application run on the client side all the time (like the SSH daemon etc. has to anyway). You can make it run on startup, and it doesn't need to make a visible window or anything until needed. And it can connect to the server (over say TLS!) avoiding some of the networking problems with server→client connections, especially if going outside a LAN environment.
Remote access has a lot of security concerns, especially if those will be other peoples computers, so if it's a single app I don't see the need.
Setting up remote access with generally mean doing something on the client computers / domain (e.g. creating an account with a known password, enabling remote access, etc.) so “install the client app as a start-on-login” seems about the same.
Zurtan said:
Does PowerShell allow me to store the credentials on the server as a file? Or does the User have to enter a password every time he wants to connect via powershell?
Yes you can store credentials. You should never ask for another users personal credentials, so this will generally be for another account/login you create on the domain (similar for Linux) with the relevant permissions.
