WinRM UseSSL Hardening



Windows Remote Management Hardening

WinRM is a really powerful tool for configuring, managing and controlling a local or domain environment. For this reason, Windows Remote Management should be secured.

How WinRM is implemented or rolled out across an environment varies considerably; it depends on the tooling available as well as on the requirements.

In this article, I'll show you another way of providing Windows Remote Management, via a GPO. The prerequisite, however, is that the clients already have certificates.

Certificate-based authentication

If we use WinRM, we admins have to authenticate ourselves to the remote server or workstation (Kerberos). We have to prove that it is really us and that we have the right to manage the remote machine. But who certifies that the remote PC is the one we think it is? We solve that problem with the help of certificates.

In the default configuration, WinRM presents itself as shown below. It is insecure because everything is allowed, including weak authentication protocols and plain HTTP connections. We want to change that now.

[Screenshot: WinRM Default Settings]

With basic and domain authentication, the login data is transmitted unencrypted. With certificate-based authentication, both the data and the login data are transmitted in encrypted form.

Examples of commands for configuring authentication

# Configuration of secure authentication methods
winrm set winrm/config/service @{AllowUnencrypted="false"}

winrm set winrm/config/service/auth @{Basic="false"}
winrm set winrm/config/service/auth @{Kerberos="true"}
winrm set winrm/config/service/auth @{Certificate="true"}
winrm get winrm/config/service
winrm e winrm/config/listener

# Create a self-signed certificate in a workgroup. In a domain, it should already be on the machine.
New-SelfSignedCertificate -DnsName ([System.Net.Dns]::GetHostByName($env:computerName)).Hostname -CertStoreLocation "cert:\LocalMachine\My" -FriendlyName WinRM

# Read out the thumbprint of the certificate
$Thumb = Get-ChildItem Cert:\LocalMachine\My\ | where FriendlyName -eq WinRM | select thumbprint

# Bind the certificate to the HTTPS listener using a thumbprint
New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{address="*";transport="https"} -ValueSet @{Hostname=([System.Net.Dns]::GetHostByName($env:computerName)).Hostname; CertificateThumbprint=$Thumb.thumbprint}

# Create listener and bind existing SSL certificate
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint a957d09864301f802b5aa5f9fae3cd61c974e8c9 -Force

# Set firewall exception
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP

# Establishing a connection when using a self-signed certificate
Enter-PSSession -ComputerName Win10 -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential (Get-Credential)

# Optional
Configure-SMRemoting.exe -get
Configure-SMRemoting.exe -enable
Get-ChildItem WSMan:\localhost\Client\DefaultPorts
winrm delete winrm/config/Listener?Address=*+Transport=HTTP

The goal is to disable the insecure authentication protocols and to require HTTPS when establishing a connection. In the PowerShell output we can see that a certificate is bound to the listener so that a secure connection can be established.
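To check that the commands above actually took effect on a machine, here is an audit script I have added for this article (it is not part of the original post). It reads the service settings, the listeners and the firewall through the standard WSMan: and NetSecurity cmdlets and reports every setting that still allows an insecure connection. It assumes an elevated PowerShell on the machine being checked; the finding texts are mine.

```powershell
# Added example, not from the original article: audit the WinRM settings
# changed above and report anything that still allows an insecure connection.
# Run in an elevated PowerShell on the machine being checked.

function Get-WSManSetting {
    # Read one leaf value from the WSMan: drive as a string ('true'/'false', a thumbprint, ...)
    param([string]$Container, [string]$Name)
    (Get-ChildItem $Container | Where-Object { $_.Name -eq $Name }).Value
}

function Test-WinRMHardening {
    $findings = New-Object System.Collections.Generic.List[string]

    # Service-level settings: transport encryption and authentication methods
    if ((Get-WSManSetting 'WSMan:\localhost\Service' 'AllowUnencrypted') -eq 'true') {
        $findings.Add('AllowUnencrypted=true: credentials and payloads may travel in clear text over HTTP')
    }
    if ((Get-WSManSetting 'WSMan:\localhost\Service\Auth' 'Basic') -eq 'true') {
        $findings.Add('Basic authentication is enabled')
    }
    if ((Get-WSManSetting 'WSMan:\localhost\Service\Auth' 'Kerberos') -ne 'true') {
        $findings.Add('Kerberos authentication is disabled')
    }
    if ((Get-WSManSetting 'WSMan:\localhost\Service\Auth' 'Certificate') -ne 'true') {
        $findings.Add('Certificate authentication is disabled')
    }

    # Listeners: an HTTPS listener must exist and its certificate must be
    # present and valid in the machine store.
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $https = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    $http  = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })

    if ($https.Count -eq 0) {
        $findings.Add('No HTTPS listener configured; only port 5985/HTTP is available')
    }
    foreach ($l in $https) {
        $thumb = Get-WSManSetting "WSMan:\localhost\Listener\$($l.Name)" 'CertificateThumbprint'
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
        if (-not $cert) {
            $findings.Add("HTTPS listener $($l.Name) is bound to thumbprint '$thumb', which is not in Cert:\LocalMachine\My")
        } elseif ($cert.NotAfter -lt (Get-Date)) {
            $findings.Add("Certificate $thumb bound to listener $($l.Name) expired on $($cert.NotAfter)")
        }
    }

    # Firewall: is inbound TCP 5985 still reachable? Windows Firewall evaluates
    # Block rules before Allow rules, so one enabled Block rule is enough.
    $rules5985 = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 5985 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    $allowed = @($rules5985 | Where-Object { $_.Action -eq 'Allow' })
    $blocked = @($rules5985 | Where-Object { $_.Action -eq 'Block' })
    if ($http.Count -gt 0 -and $allowed.Count -gt 0 -and $blocked.Count -eq 0) {
        $findings.Add('HTTP listener present and inbound TCP 5985 is allowed by the firewall (no Block rule)')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-WinRMHardening | Format-List
```

Because the function returns an object rather than printing text, the same check can be run against many machines (for example via Invoke-Command over the hardened HTTPS transport) and the results filtered on the Hardened property.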

[Screenshot: WinRM hardening]

The configuration can only be implemented properly via GPO if the existing client certificate (template) has been configured accordingly.

[Screenshot: WinRM certificate configuration]

During the implementation we block the insecure port 5985 and take no further measures such as removing the HTTP listener. Please note that Server Manager needs port 5985.

[Screenshot: WinRM secure firewall configuration]

The actual configuration is done via Task Scheduler: the scheduled task switches on the HTTPS configuration (listener).

[Screenshot: Configure WinRM HTTPS Listener]

As a result, we see that a connection with WinRM can only be established via port 5986 and a certificate.

[Screenshot: WinRM connection only with SSL]

The .zip file contains everything necessary to roll out WinRM. The only thing that should be adjusted is the scheduled task: it is currently set to run at every system start, but it should only run once.
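As an added example of what the one-time task could run on each client (this is my own script, not the contents of the article's .zip), the following PowerShell picks the already-enrolled machine certificate, applies the service settings from the command list above, creates or refreshes the HTTPS listener, blocks inbound 5985 while leaving the HTTP listener in place as the article does, and finally removes the scheduled task so it does not run again at every start. Assumptions that are mine: the certificate from the template carries the Server Authentication EKU and the machine FQDN as its subject; the task name "WinRM-HTTPS-Setup" and the firewall rule names are placeholders for whatever the GPO deploys.

```powershell
# Added example, not from the original article or its .zip: idempotent
# configuration script for the one-time scheduled task. Task and rule names
# are placeholders (assumption); adjust to what the GPO actually deploys.

$ErrorActionPreference = 'Stop'
$taskName = 'WinRM-HTTPS-Setup'   # placeholder task name
$fqdn     = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName

# The WSMan: drive needs the WinRM service running. Start-Service does not
# create an HTTP listener the way winrm quickconfig / Set-WSManQuickConfig would.
if ((Get-Service WinRM).Status -ne 'Running') { Start-Service WinRM }

# 1. Pick the newest valid machine certificate issued to this host that has a
#    private key and the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "CN=$fqdn*" -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # In a domain do not fall back to a self-signed certificate: a missing
    # certificate means the template or autoenrollment is not in place yet.
    Write-Error "No suitable Server Authentication certificate for $fqdn in Cert:\LocalMachine\My"
    return
}

# 2. Service settings: no unencrypted traffic, no Basic, keep Kerberos, allow certificate auth.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Service\Auth\Kerberos    -Value $true
Set-Item WSMan:\localhost\Service\Auth\Certificate -Value $true

# 3. Create the HTTPS listener once; if it already exists, only refresh the
#    bound thumbprint. This keeps the task safe to run more than once.
$https = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Select-Object -First 1
if ($https) {
    Set-Item "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint" -Value $cert.Thumbprint
} else {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -HostName $fqdn `
        -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# 4. Firewall: allow 5986 inbound, block 5985 inbound. The HTTP listener itself
#    stays, as in the article; a Block rule wins over the built-in Allow rule
#    for 5985. Keep the article's caveat in mind that Server Manager uses 5985.
if (-not (Get-NetFirewallRule -Name 'WinRM-HTTPS-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM-HTTPS-In' -DisplayName 'Windows Remote Management (HTTPS-In)' `
        -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Any | Out-Null
}
if (-not (Get-NetFirewallRule -Name 'WinRM-HTTP-Block' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM-HTTP-Block' -DisplayName 'Block Windows Remote Management (HTTP-In)' `
        -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Block -Profile Any | Out-Null
}

# 5. The article's task fires at every system start; a one-time task should
#    remove itself once the listener is in place.
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}

# Show the resulting listeners for the task log
Get-ChildItem WSMan:\localhost\Listener
```

Running the script under the SYSTEM account from the GPO-deployed task gives it the rights it needs for the WSMan: drive, the machine certificate store and the firewall; because every step checks before it changes anything, a second run (for example after a certificate renewal) only updates the thumbprint.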

[Screenshot: WinRM cannot complete the process]
