WinRS: Microsoft's Disappointing Answer to SSH for Remote Administration

Filed under: Security — Written by Chrissy on Wednesday, January 16th, 2008 @ 8:23 am

I'm currently playing with Windows Server 2008 Core and I'm really at a loss trying to figure out why Microsoft seems to go out of its way not to adopt SSH. SSH seems like such an easy and straightforward answer to remote administration. Unix administrators have long used SSH but Windows administrators are given WinRS, a command line tool that requires that you run it each time you need to execute a command on a remote system. So instead of arriving at a remote prompt as you would with SSH and simply typing "ipconfig", you must type "winrs -r:myserver ipconfig"

winrs -r:myserver every time!

I'm hoping things have changed in Windows 2008, but so far, I can't find any way for WinRS to be interactive. A blog post on TechNet back in 2006 suggests that interactivity is going to be a feature at some point:

Currently any commands you execute can't be interactive or prompt for input. WinRS just executes what you specify and returns the results.

Unfortunately, it's nearly a year and a half later and no progress seems obvious. I hope I'm wrong and someone can show me the light or, even better, perhaps we'll see PowerShell+SSH hit the final version of Windows 2008. Many admins already have an SSH client as part of their toolkit and sure, WinRS runs over HTTP(S) and opening just one port is nice but the same goes for SSH. Port 22 or 80, I don't really care. WinRS seems to have its value, but not as a replacement for SSH. Give me SSH or give me both.

7 Comments   -
  • Comment by Aaron K | January 30, 2008 @ 11:47 pm

    Try this:
    winrs -r:myserver cmd

    then you will have an interactive shell....

  • Comment by Craig | April 1, 2008 @ 4:55 pm

    Also try psexec, although I am sure you are well aware of this tool

  • Comment by RobD. | June 18, 2008 @ 1:22 pm

    Aaron K's comment is true, you can open an interactive prompt with his instructions.

    WinRS (remote shell) and WinRM (remote management) are Microsoft's implementation of WS-Management, which in the future may be used to manage not only operating systems, but bare hardware and mobile devices. Yes, there is overlap with SSH, but eventually it should do everything SSH does and more.

    Check out http://en.wikipedia.org/wiki/WS-Management

    ...and also this blog post for more on WinRM:

    http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/02/23/remotely-managing-your-server-core-using-winrm-and-winrs.aspx

  • Comment by ecard guy | August 24, 2008 @ 1:39 pm

    So are there any other limitations to remote shell compared to SSH now that this inactive question is answered?

    I'm asking about functionality but another big thing I hate is having to know multiple ways of doing things for linux/windows. I know they are different OS but it sure is nice when everybody is on one standard.

  • Comment by jmi | November 11, 2008 @ 12:57 am

    ECARD GUY: I've looked (very briefly) at the links provided and I'm not seeing anything about tunelling connections or file transfer, two of the really useful things SSH does alongside providing a remote shell.

  • Comment by Jason | December 3, 2008 @ 2:57 am

    Are there other limitations... well, I'm just beginning to discover server 2008 and am having a bit of a rough time with remote admin without launching my local vmware install and using remote desktop over windows. As best I can tell winrs works okay over a slow connection--but it's all SOAP based. Now I've got to have a webserver running on the host with all of the normal associated risks.

    Here's what I'm used to doing with ssh that I can't tell how to do with winrs:
    * Running a VPN through it
    * Tunneling a socks5 proxy through it if I don't have remote root access to run a VPN (ssh -D 1080)
    * passwordless authentication via keys or ssh-agent
    * fixed commands
    * restricting where a user with a given key can login
    * restrict the commands a given key can use
    * All the other handy crap I can do with bash. Oh yeah...it's linked against the marvelous readline library, which actually lets me effectively admin over a slow link.

    Looks like this will be yet another windows server I'll end up tossing cygwin onto...

  • Pingback Windows 2008 Telnet (not SSH) Server at Mike Conigliaro | May 11, 2009 @ 11:14 am

    [...] Update According to Microsoft, there will be “a technology like this included in Windows Server 2008 called WinRS; or Windows Remote Shell. This command line tool allows administrators to remotely execute most cmd.exe commands using the WS_Management protocol.” Too bad it sucks! [...]

RSS feed for comments on this post. TrackBack URL

Leave your comment