Windows Remote Management Hardening
WinRM is a powerful tool for configuring, managing and controlling a local or domain environment. For exactly that reason, Windows Remote Management must be secured.
How WinRM is implemented and rolled out across an estate can be designed very individually. It always depends on the tooling available as well as on the requirements.
In this article I'll show you another way to provide Windows Remote Management via a GPO. The prerequisite is that the clients already have certificates.
When we use WinRM, we admins have to authenticate to the remote server or workstation (Kerberos). We have to prove who we are and that we have the right to manage the remote machine. But who can certify that the remote PC is the one we think it is? We solve that problem with the help of certificates.
In its default configuration, WinRM presents itself as shown. It is insecure because everything is allowed, including insecure authentication protocols and HTTP connections. We want to change that now.
With Basic and domain authentication, the login data are transmitted unencrypted. With certificate-based authentication, both the data and the login data are transmitted in encrypted form.
The goal is to disable the insecure authentication protocols and to require HTTPS when establishing a connection. In the PowerShell output we can see that a certificate is bound in order to establish a secure connection.
The configuration can only be implemented properly via GPO if the existing client certificate (template) has been configured accordingly.
During the implementation we block the insecure port 5985 and take no further measures such as removing the HTTP listener. Please note that Server Manager needs port 5985.
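The steps described so far (audit the default configuration, disable the insecure authentication methods, bind the existing machine certificate to an HTTPS listener, block 5985 and allow 5986) as one PowerShell script. This is an added example, not the script from the article's .zip file; it assumes the host already holds a machine certificate with the Server Authentication EKU whose DNS name matches the host FQDN, and it must be run elevated on the target machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own roll-out script): harden the WinRM
# service on a domain-joined host that already has a machine certificate.

# 1. Record the relevant parts of the default configuration for comparison.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 2. Disable insecure authentication methods and unencrypted transport,
#    on the service side (incoming) and on the client side (outgoing).
Set-Item WSMan:\localhost\Service\Auth\Basic        -Value $false
Set-Item WSMan:\localhost\Service\Auth\CredSSP      -Value $false
Set-Item WSMan:\localhost\Service\AllowUnencrypted  -Value $false
Set-Item WSMan:\localhost\Client\Auth\Basic         -Value $false
Set-Item WSMan:\localhost\Client\Auth\Digest        -Value $false
Set-Item WSMan:\localhost\Client\AllowUnencrypted   -Value $false

# 3. Pick the machine certificate to bind: private key present, not expired,
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1), DNS name matches our FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $fqdn
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No usable Server Authentication certificate for $fqdn in LocalMachine\My"
}

# 4. Replace any existing HTTPS listener (e.g. one bound to an expired
#    certificate) with one bound to the selected certificate. The HTTP
#    listener is left in place, as the article does; only its port is blocked.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 5. Firewall: allow 5986 on the domain profile, block 5985.
#    (The article notes that Server Manager needs 5985; test the impact
#    in your own environment before deploying the block rule.)
New-NetFirewallRule -DisplayName 'WinRM HTTPS 5986 - allow' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'WinRM HTTP 5985 - block'   -Direction Inbound `
    -Protocol TCP -LocalPort 5985 -Action Block | Out-Null

# 6. Verify: the HTTPS endpoint answers with the bound certificate, and the
#    service reports Basic disabled and AllowUnencrypted false.
Test-WSMan -ComputerName $fqdn -UseSSL -Authentication Default
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
```

The certificate filter is the part worth adapting: if your client template issues certificates with the Client Authentication EKU only, the listener binding will fail, which is exactly the "template configured accordingly" prerequisite the article states.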
The actual configuration is done via Task Scheduler. We switch on the HTTPS configuration (listener) via the scheduled task.
As a result, a WinRM connection can only be established via port 5986 and with a certificate.
The .zip file contains everything that is necessary to roll out WinRM. The only thing that should be adjusted is the scheduled task. The task is currently configured to run at every system start, but it should run only once.
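One way to turn the start-up task into a one-time task is to have the task remove itself after the HTTPS listener has been created successfully. The following is an added example, not the task from the article's .zip file; the task name, the script paths and the name of the hardening script it calls are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own task): register a start-up task that
# enables the WinRM HTTPS listener once and then unregisters itself.
# Assumed placeholders: task name, script directory, hardening script name.
$taskName   = 'Enable-WinRM-HTTPS'
$scriptDir  = Join-Path $env:ProgramData 'WinRM'
$scriptPath = Join-Path $scriptDir 'Enable-WinRMHttps.ps1'
$hardening  = Join-Path $scriptDir 'Set-WinRMHardening.ps1'   # assumed: creates the listener

# Script executed by the task. It runs the hardening script, checks that an
# HTTPS listener now exists, and only then removes the task that launched it,
# so the configuration is not re-applied on every boot.
$taskScript = @'
$ErrorActionPreference = 'Stop'
$taskName = 'Enable-WinRM-HTTPS'
try {
    & (Join-Path $PSScriptRoot 'Set-WinRMHardening.ps1')

    $https = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($https) {
        # Success: the task has done its job, remove it.
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    }
    # No HTTPS listener (e.g. certificate not yet enrolled): keep the task so
    # it retries at the next start-up.
} catch {
    # Leave the task registered and record why this run failed.
    "$(Get-Date -Format s) $($_.Exception.Message)" |
        Add-Content -Path (Join-Path $PSScriptRoot 'Enable-WinRMHttps.log')
}
'@

New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path $scriptPath -Value $taskScript -Encoding UTF8

# Run as SYSTEM at start-up, elevated, with a bounded run time.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Keeping the task registered until an HTTPS listener actually exists matters for a GPO roll-out: a machine that has not yet received its certificate at first boot will simply try again at the next start, instead of being left permanently on HTTP.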