All our managed Windows Server 03+ machines are enabled for and connect fine via RDP. However, I would like a less heavy central management (command line based?) to mass manage and maintain the systems with the ability to delegate updates via unintrusive methods (i.e. no interruption in our user productivity).

A traditional Systems Management Software with centralized console would be great, however, half of our 100+ servers and workstations are on their own local networks. Some are domains, some are in workgroups.

We have clients all over the US. The initial setup of course was not my decision, but I've now been tasked with finding a more streamlined method for sending out updates, patches, and fixes to the different types of clients we have with the different versions of the product we support. I was leaning towards something SSH based. I know that we can authenticate using RDP without sacrificing security, and every client of ours is required to maintain an admin account for us. So plugging in all our information, what software can be best leveraged for our situation?

I've thought of PuTTY, but that only maintains open sessions with individual tabs. There wouldn't be a way for us to distribute fixes based off of a group we would pre-define. Unless I'm understanding wrong. Could definitely use some help on this one; it's going to save a lot of time for our IT team to get at least something basic in place.

It would be best if it could run off of the credentials we have stored for everyone on RDP; otherwise we have 300-325 clients that we'll need to explain the changes in their infrastructure to, which will require planned downtime for everyone. Trying to avoid that one.

  • Looks like you need to create a single top level mgmt domain, and let all other domains trust that domain. That should be a first step in sanitizing this hodgepodge into a single uniform domain. – oɔɯǝɹ Oct 18 '14 at 10:48
  • I'm more than a little bit shocked that you have so many server computers under management and don't have some kind of centralized toolset. That's costing your company a _lot_ of money, potentially. – Evan Anderson Oct 19 '14 at 10:16

1 Answer

I think your thinking is constrained by the capabilities of client software (like an RDP client or PuTTY), rather than thinking bigger-picture of leveraging scripting to automate tasks. I'm also concerned that you may well already have major security issues with your current method of handling credentials, and you don't want to move forward with that.

In terms of remote management of servers I think you'd do well to think about it in terms of the problem: "How can I securely and reliably execute programs on remote servers in a manner that can be automated, logged, and audited?" Once you have that, everything else can follow.

PowerShell remoting, on Windows Server 2008 and later versions of Windows, is probably a good way to go.

For Windows Server 2003 I'd look into using an SSH server. I'm partial to the Cygwin build of OpenSSH, but there are others out there, too. There are a variety of SSH clients out there. Some are like PuTTY, and geared toward interactive use. Others, like the Plink tool (part of the PuTTY suite) are geared toward command-line use that you can leverage in simple shell scripts. Finally, there are many libraries that can allow you to "talk" SSH from scripting languages, too.

I'm sure there are shiny off-the-shelf products that could help you, too. Given the older versions of Windows that you have to support you can't take advantage of Desired State Configuration, which could well help with your newer versions of Windows. Configuration management tools like Puppet, CFEngine, or Chef might be helpful, too (though I'm not sure that your problem falls squarely into the "configuration management" realm).

Once you have the ability to execute programs on the remote servers with authentication tied to the local or domain account databases on those servers some of your problems are solved.

You will still need to think about a mechanism to manage the credentials you have stored for these servers. It sounds like these credentials have Administrator-level access to hundreds of server computers, sitting behind firewalls in your Customers' networks, that already have remote administration tools installed today. There are attackers who would love to get at that, especially if your company handles "interesting" data (financial, healthcare, etc).

Ideally, you really don't want the credentials being put into the hands of individual employees. Rather, you'd want some type of "proxy" system that handles performing the authentication on behalf of your employees. Then you can tie in some nice auditing to see which employees have accessed various Customer systems. I can certainly imagine, for example, a case where a rogue former employee leaves a back door in a Customer system. Being able to track down what other Customer systems that former employee had access to would be gold, in terms of saving face w/ your Customers. There are limitless nightmare scenarios there that I can imagine. Centrally controlling and logging access to those security credentials is critical.

What you don't want are a bunch of scripts sitting around with credentials in them. Those kinds of things are gold for attackers.

Evan Anderson
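The pattern the answer describes (a scripted run against a pre-defined group of servers, PowerShell remoting for 2008+ hosts, Plink over SSH for 2003 hosts, credentials kept out of the script, and every run logged) put together as one script. This is an added example, not code from the answer's author; it assumes a constructed CSV inventory (`Name,Group,Transport`), a credential file created once with `Get-Credential | Export-Clixml`, a PuTTY private key loaded in Pageant or stored without a passphrase, `Enable-PSRemoting` already run on the 2008+ hosts, and that the admin username is usable for both WinRM and SSH logins. All paths are placeholders.

```powershell
# Added example: push one maintenance action to a pre-defined group of servers.
# Not the answer's own code. Assumed: CSV inventory, DPAPI-protected credential
# file (Get-Credential | Export-Clixml), PuTTY key for SSH hosts, plink.exe in PATH.
param(
    [string]$Inventory = 'C:\mgmt\servers.csv',       # assumed: Name,Group,Transport
    [string]$Group     = 'ProductV2',                 # which pre-defined group to hit
    [string]$CredFile  = 'C:\mgmt\admin.cred.xml',    # assumed, created once with Export-Clixml
    [string]$SshKey    = 'C:\mgmt\mgmt-key.ppk',      # assumed PuTTY private key
    [string]$LogDir    = 'C:\mgmt\logs'
)

# Every run is transcribed: who ran what, against which hosts, and when.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("run-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
Start-Transcript -Path $log | Out-Null

# Export-Clixml wraps the password with DPAPI, so the file only decrypts for the
# same Windows user on the same machine. No plaintext password lives in source.
$cred = Import-Clixml -Path $CredFile

# Constructed inventory: Transport is 'winrm' (2008+) or 'ssh' (2003 + OpenSSH).
$targets = Import-Csv -Path $Inventory | Where-Object { $_.Group -eq $Group }

# Work performed on each 2008+ host under the supplied credential:
# report whether a reboot is pending and how many hotfixes are installed.
$fix = {
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        PendingReboot = (Test-Path $rebootKey)
        Hotfixes      = (Get-HotFix).Count
    }
}

foreach ($t in $targets) {
    try {
        switch ($t.Transport) {
            'winrm' {
                # Server 2008+: PowerShell remoting over WinRM, authenticated
                # against the host's own local or domain account database.
                $r = Invoke-Command -ComputerName $t.Name -Credential $cred `
                                    -ScriptBlock $fix -ErrorAction Stop
                "$($t.Name): pendingReboot=$($r.PendingReboot) hotfixes=$($r.Hotfixes)"
            }
            'ssh' {
                # Server 2003 with an SSH server: Plink in batch mode with key
                # authentication, so no password is placed on the command line.
                $out = & plink.exe -batch -ssh -l $cred.UserName -i $SshKey `
                                   $t.Name 'wmic qfe get HotFixID'
                if ($LASTEXITCODE -ne 0) { throw "plink exit code $LASTEXITCODE" }
                $count = @($out | Where-Object { $_ -match '^KB' }).Count
                "$($t.Name): hotfixes=$count"
            }
            default { Write-Warning "$($t.Name): unknown transport '$($t.Transport)'" }
        }
    }
    catch {
        # One unreachable host must not abort the whole run; log it and continue.
        Write-Warning "$($t.Name): FAILED - $($_.Exception.Message)"
    }
}

Stop-Transcript | Out-Null
```

Two points worth noting about the design. The `Export-Clixml` credential file only addresses the last paragraph of the answer (no passwords in scripts); because it is bound to one user on one machine it is a stepping stone, not the central credential proxy with per-employee auditing the answer recommends, and the transcript log is what gives you the "who touched which customer system" trail in the meantime. Running a script this way also means every customer host is reached with the same admin account, which is exactly why that account's lifecycle (rotation, revocation when staff leave) matters more than any single feature of the tooling.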