Windows Server 2012 comes with a new feature that allows you to administrate the server via a PowerShell command line in any modern browser including Smartphones.
This sounds cool and scary at the same time.
I am evaluating this option and are wondering what the risks are?
This is my current setup:
- Running on Server 2012 Core
- Stand-alone server no domain involved.
- The site is running under SSL (required by PowerShell Web Access)
- It is protected by Windows Authentication (to add another level of security)
- The url for it is not the default one but a hard to guess deep url.
- There is a single user set up to use the feature.
- maxSessionsAllowedPerUser is set to one. This means that even if the password of the single user was sniffed, a second session for the same user is not allowed.
- After the user is done with his work, he changes his password. This is done via a script on the server. The first half of the password is a constant secret and the second half is typed by the user. This way the full password never goes over the line.
- Each complex password is used only once.
To get any work done on the server the user has to be an administrator.
PoweShell Web Access is a 1.0 product, so there may be bugs in it.
Considering all this, is it advisable to use this in production on a server expose to the public internet?