Windows Remote Management (WinRM) is used by the Windows connection manager to connect to nodes agentlessly.

Enabling WinRM via Group Policy

Using Windows Group Policy to enable WinRM provides users with an interface to centralize the management and configuration of WinRM for new and existing Active Directory computers. This article explains the steps required to create and apply an “Enable WinRM” Group Policy Object.

Creating the Group Policy Object (Windows Server 2012 R2)

  1. Click Start, Run, and type “gpedit.msc” to open the Windows Group Policy Object Editor window
  2. Find the Windows Remote Management (WinRM) GPO under Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service
  3. Select the Allow remote server management through WinRM setting and click edit policy setting from the left information pane to open the Allow remote server management through WinRM configuration window


  4. Click on the Enable radio button and type in * for both IPv4 and IPv6 filter boxes as shown below and click Apply and OK to save the settings.


Enabling HTTPS WinRM for Systems Not Connected to a Domain

When used between two systems on a domain, WinRM uses Kerberos to authenticate that the target server is trusted. Agentless scanning of non-domain-joined systems requires additional setup.

WinRM on the Connection Manager host must be able to authenticate the target system. This is achieved with certificates.

To perform agentless scanning on non-domain systems, the following is required:

  • An HTTPS WinRM listener on the scan target, with a certificate that is considered valid on the Connection Manager host
  • Basic authentication configured on the scan target WinRM listener, to allow local account user authentication
  • Firewall rules on the scan target to permit traffic to the HTTPS WinRM listener port (default 5986)
  • A TrustedHosts entry for the target in the WinRM configuration on the Connection Manager host

The following documentation describes the creation of a self-signed certificate on a target host and the configuration of an HTTPS WinRM listener service. It exports the self-signed certificate to a predictable location so it can be imported into the trusted certificate store on the Connection Manager host.

Importing the certificate on the Connection Manager host and modifying the WinRM TrustedHosts list are manual steps, described further on.

Note that WinRM over HTTPS uses port 5986 by default, which will have to be configured on the scan target’s Node Edit page in UpGuard.

Remote Endpoint Configuration

Starting with the remote endpoint that we want to connect to, the following PowerShell script configures everything needed for HTTPS communication and can also (optionally) remove HTTP access. You may first need to allow scripts to run on the system with the command Set-ExecutionPolicy RemoteSigned.

Before you start, you may optionally set $VerbosePreference = "Continue" to view the status of the script during runtime. Run the following script on the client node that you wish to connect to:
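The script below is an added example, not UpGuard's own script, of the endpoint configuration the page describes: it creates a self-signed certificate in the machine store, binds an HTTPS listener to it, enables Basic authentication for local accounts, opens port 5986 in Windows Firewall, exports the public certificate to winrm.crt in the current user's home directory, and optionally removes the plain-HTTP listener. The $TargetName, $ExportPath and -RemoveHttpListener parameters are assumptions; save it as a .ps1 file and run it from an elevated PowerShell session on the scan target.

```powershell
# Added example (not UpGuard's script): configure an HTTPS WinRM listener with a
# self-signed certificate on a non-domain scan target and export the certificate.
# Run elevated. Set $VerbosePreference = "Continue" first to see progress messages.
param(
    # Assumed parameter: the name the Connection Manager host will use to reach this node.
    # It becomes the certificate subject, so it must match what the CM host connects to.
    [string]$TargetName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    # Assumed parameter: where the public certificate is written for transfer to the CM host.
    [string]$ExportPath = (Join-Path $env:USERPROFILE "winrm.crt"),
    # Assumed switch: drop the plain-HTTP listener once HTTPS is in place.
    [switch]$RemoveHttpListener
)

$ErrorActionPreference = "Stop"

# 1. Make sure the WinRM service is running and the WSMan: drive is available.
Write-Verbose "Enabling WinRM service / PowerShell remoting"
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

# 2. Create a self-signed certificate in the local machine's Personal store.
Write-Verbose "Creating self-signed certificate for $TargetName"
$cert = New-SelfSignedCertificate -DnsName $TargetName -CertStoreLocation Cert:\LocalMachine\My

# 3. Replace any existing HTTPS listener and bind a new one to the certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" } |
    Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
Write-Verbose "HTTPS listener bound to thumbprint $($cert.Thumbprint)"

# 4. Allow Basic authentication so a local account can log in. Basic carries the
#    password in the request, which is acceptable only because the transport is
#    TLS; keep AllowUnencrypted false so Basic is never offered over plain HTTP.
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 5. Permit inbound traffic to the HTTPS listener port (5986 by default).
if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
    Write-Verbose "Firewall rule 'WinRM HTTPS' created for TCP 5986"
}

# 6. Export only the public certificate (DER, no private key) for the CM host.
Export-Certificate -Cert $cert -FilePath $ExportPath | Out-Null
Write-Verbose "Certificate exported to $ExportPath"

# 7. Optionally remove the HTTP listener so only encrypted connections are served.
if ($RemoveHttpListener) {
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains "Transport=HTTP" } |
        Remove-Item -Recurse
    Write-Verbose "HTTP listener removed"
}

# Show the resulting HTTPS listener so the outcome can be checked at a glance.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains "Transport=HTTPS" }
```

The certificate subject is the detail most often wrong: if the Connection Manager host connects by IP address or a different name than the one in -DnsName, TLS validation fails on the CM side even though the certificate has been imported there.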

Connection Manager Endpoint Configuration

Next, transfer the winrm.crt file to the machine that will initiate HTTPS WinRM connections to the remote endpoints.

First, copy the winrm.crt file from the current user’s home directory to the Windows Connection Manager host server. To install the self-signed certificate that we created on the host, we can use the following PowerShell command:
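As an added example (not UpGuard's command), the following imports winrm.crt into the machine-wide Trusted Root store on the Connection Manager host and confirms by thumbprint that it landed there. It assumes the file was copied to the current user's home directory.

```powershell
# Added example (not UpGuard's command): install the exported self-signed
# certificate as a trusted root on the Connection Manager host and verify it.
$CertPath = Join-Path $env:USERPROFILE "winrm.crt"   # assumed location after copying

if (-not (Test-Path $CertPath)) {
    throw "Certificate file not found: $CertPath"
}

# Use the LocalMachine store, not CurrentUser: the WinRM client runs under the
# Connection Manager service account, which does not see your user's store.
$imported = Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root

# Verify: the same thumbprint must now be present in the Root store.
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

if ($inStore) {
    "Trusted root installed: $($inStore.Subject) [$($inStore.Thumbprint)], expires $($inStore.NotAfter)"
} else {
    throw "Import returned but thumbprint $($imported.Thumbprint) is not in Cert:\LocalMachine\Root"
}
```

Because the self-signed certificate is installed as a root, anything signed by that key would be trusted by this host, so import one certificate per scan target and remove entries for decommissioned nodes rather than leaving them in the store.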

Verification of Certificate Installation

Optionally, you can verify that the certificate has been stored correctly on both the Windows CM host server and the remote endpoint servers using the Certificates snap-in of the Microsoft Management Console (MMC).

  1. Type ‘mmc’ on the Start screen and launch the mmc console.
  2. Navigate to File > Add/Remove Snap-in…
  3. Double click on Certificates from the Available snap-ins.
  4. Choose ‘Computer account’, followed by the ‘Local computer’. Hit OK to finish adding.
  5. Navigate to the Personal\Certificates folder from the sidebar.
  6. The certificate corresponding to the hostname or IP address should be in that folder.

Adding Remote Endpoints to the List of Trusted Hosts

To quickly add the remote endpoint server node to the list of trusted hosts on your Windows CM machine, you may run the following command, replacing "machineA" with the hostname or IP Address of your machine:

winrm set winrm/config/client '@{TrustedHosts="machineA"}'

You may also add more hosts to the list, since the string passed to the TrustedHosts key is a comma-separated list of values. If you choose to script this, a quicker way to add remote endpoints is to work with the WSMan: PSDrive:

You can retrieve a list of your TrustedHosts by running the following command on your Windows CM host:

Get-Item WSMan:\localhost\Client\TrustedHosts

To set TrustedHosts (replace machineA etc. where appropriate):

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "machineA,machineB,machineC"

Wildcards are also accepted:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.140.*,machine*,*"
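Set-Item -Value replaces the whole TrustedHosts list, so a script that adds one node at a time will silently drop the others. The function below is an added example (not UpGuard's script) that appends with the WSMan provider's -Concatenate switch and skips names already present; Add-TrustedHost and the machineA/machineB names are placeholders.

```powershell
# Added example (not UpGuard's script): append hosts to TrustedHosts on the
# Connection Manager host without overwriting the existing list.
function Add-TrustedHost {
    param([Parameter(Mandatory)][string[]]$HostName)

    # Read the current comma-separated value and normalise it to an array.
    $current  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $existing = if ($current) { $current -split ',' | ForEach-Object { $_.Trim() } } else { @() }

    foreach ($h in $HostName) {
        if ($existing -contains $h) {            # -contains is case-insensitive
            Write-Verbose "$h already in TrustedHosts, skipping"
            continue
        }
        # -Concatenate appends to the list instead of replacing it; -Force skips the prompt.
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $h -Concatenate -Force
        $existing += $h
        Write-Verbose "Added $h"
    }

    # Return the list as WinRM now sees it.
    (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
}

# Usage (placeholder names; run elevated on the CM host):
Add-TrustedHost -HostName "machineA", "machineB"
```

Prefer explicit names or a subnet wildcard such as 192.168.140.* over a bare *: TrustedHosts is the client's statement of which servers may receive non-Kerberos credentials, and * extends that to every host the CM machine is pointed at.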

Verification of WinRM HTTPS Connectivity

To verify that HTTPS WinRM is set up, you can run the command:

Enter-PSSession -ComputerName COMPUTERNAME.DOMAIN.COM -UseSSL -Credential (Get-Credential)

where you will be prompted to enter the credentials of the user you would like to connect as (connection manager service account) to the remote endpoint. You should expect to successfully connect to the remote endpoint server from your PowerShell console.
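For a check that does not open an interactive session (useful when scripting the rollout), the following is an added example rather than UpGuard's own command. It runs Test-WSMan against port 5986 over TLS, which fails on an untrusted certificate or a name mismatch before any credential is sent, and then executes one command through Invoke-Command to prove Basic authentication works. COMPUTERNAME.DOMAIN.COM is a placeholder and must match the certificate subject created on the target.

```powershell
# Added example (not UpGuard's command): non-interactive verification of the
# HTTPS WinRM path from the Connection Manager host.
$Target = "COMPUTERNAME.DOMAIN.COM"   # placeholder: must equal the cert subject on the target
$Cred   = Get-Credential -Message "Connection Manager service account on $Target"

# Step 1: TLS handshake plus the WS-Management identify exchange on port 5986.
# A certificate that is not in the CM host's Root store fails here.
$id = Test-WSMan -ComputerName $Target -Port 5986 -UseSSL -Authentication Basic -Credential $Cred
"WinRM $($id.ProductVersion) answered on $Target over HTTPS"

# Step 2: run a trivial command through a real session to confirm the local
# account authenticates via Basic over the encrypted listener.
Invoke-Command -ComputerName $Target -Port 5986 -UseSSL -Credential $Cred -Authentication Basic `
    -ScriptBlock { "Connected to $env:COMPUTERNAME as $env:USERNAME" }
```

If Test-WSMan fails with a certificate error while Enter-PSSession from the same console works, the difference is usually the name used: the certificate is validated against -ComputerName exactly as typed, so an IP address will not match a certificate issued to a hostname.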

Finally, your WinRM node in UpGuard can now be edited to use port 5986.
