how to lock down WinRM service?



Additional Group Policy Settings for Enabling WinRM over HTTPS

To ensure a secure and robust configuration for enabling Windows Remote Management (WinRM) over HTTPS, additional Group Policy settings can be configured. These settings will further enhance security, improve compatibility, and provide more control over the remote management environment.

Below are the additional GPO settings that can be applied:

Step 1: Configure GPO for WinRM Client
  1. Open Group Policy Management Console (GPMC):
     • Press Win + R, type gpmc.msc, and press Enter.
  2. Edit the Existing GPO:
     • Right-click the GPO created earlier ("Enable WinRM with HTTPS and Auto-Enrollment") and select Edit.
  3. Navigate to WinRM Client Settings:
     • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Client.
  4. Set Trusted Hosts:
     • Double-click "Trusted Hosts".
     • Set it to Enabled.
     • Add the names or IP addresses of the remote computers this client is allowed to connect to using WinRM. Use wildcards (e.g., *.domain.com) to specify multiple hosts. The list is only consulted for connections that cannot use Kerberos (for example, connections by IP address or to non-domain hosts), so keep it as narrow as possible.
  5. Specify Maximum Number of Concurrent Operations:
     • Double-click "Allow maximum number of concurrent operations".
     • Set it to Enabled and define the maximum number of concurrent operations that the WinRM client can establish. The default is 5.
  6. Configure CredSSP for Authentication:
     • Go to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation.
     • Double-click "Allow delegating fresh credentials with NTLM-only server authentication".
     • Set it to Enabled and specify the list of servers for which the credentials can be delegated. CredSSP hands the user's reusable credentials to the listed servers, so restrict the list to the specific hosts that need delegation rather than a broad wildcard.
Step 2: Configure GPO for WinRM Service
  1. Navigate to WinRM Service Settings:
     • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
  2. Allow Remote Shell Access:
     • Double-click on "Allow remote server management through WinRM".
     • Set it to Enabled.
     • Ensure that the IPv4 and IPv6 Filter settings allow connections from the required IP ranges or addresses.
  3. Configure the Maximum Number of Concurrent Users:
     • Double-click "Allow maximum number of connections".
     • Set it to Enabled and specify the maximum number of users that can connect concurrently to the WinRM service. The default value is 25.
  4. Set Timeouts for Idle and Operation Timeout:
     • Double-click "Allow WinRM service to receive requests from remote computers".
     • Set it to Enabled and configure the Idle Timeout (e.g., 240000 milliseconds) and Operation Timeout as needed.
  5. Enable Compatibility HTTP Listener:
     • Double-click "Allow compatibility HTTP listener".
     • Set it to Enabled. This setting allows older systems to connect using HTTP for management purposes while you transition to HTTPS.
Step 3: Configure Additional Security Settings
  1. Enable Secure Connections with HTTPS:
     • Ensure that WinRM is configured to use only HTTPS by restricting the allowed listeners.
     • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow unencrypted traffic.
     • Set it to Disabled to enforce encrypted communication only.
  2. Disable Basic Authentication:
     • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow Basic authentication.
     • Set it to Disabled to prevent the use of basic (plaintext) authentication.
  3. Enable Kerberos Authentication:
     • Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow Kerberos authentication.
     • Set it to Enabled to ensure Kerberos authentication is always used.
Step 4: Apply the Policy and Test Configuration
  1. Close the GPO Editor:
     • Save and close the Group Policy Management Editor.
  2. Force Group Policy Update:
     • On the target servers, open a command prompt with administrative privileges and run:

```powershell
gpupdate /force
```

  3. Verify WinRM Configuration:
     • Test the configuration using the following command (add -UseSSL so that the HTTPS listener, rather than the HTTP one, is exercised):

```powershell
Test-WsMan -ComputerName <ServerName>
```
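Test-WsMan only proves that a listener answers. The following audit script, added here as an example and not part of the original guide, reads the effective WinRM configuration on a target host through the WSMan: provider and compares each setting with the hardened values the steps above are meant to produce. It assumes it is run elevated on the target server after gpupdate; the expected values are the ones stated in this guide.

```powershell
# Added example: audit the effective WinRM configuration on the local host
# against the hardened values this guide configures through Group Policy.
# Run elevated on a target server after the policy has been applied.

function Test-WinRMHardening {
    param(
        # Expected value of "Allow maximum number of connections" (guide default: 25)
        [int]$ExpectedMaxConnections = 25
    )

    # Each check names a WSMan: path, the expected value, and why it matters
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Expected = 'false'; Why = 'traffic must be encrypted (HTTPS only)' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Expected = 'false'; Why = 'Basic auth transmits reusable credentials' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Kerberos';    Expected = 'true';  Why = 'Kerberos is the intended domain authentication' }
        @{ Path = 'WSMan:\localhost\Service\MaxConnections';   Expected = "$ExpectedMaxConnections"; Why = 'caps concurrent sessions' }
    )

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($c in $checks) {
        # Each WSMan: item exposes its setting as a string in .Value
        $actual = (Get-Item -Path $c.Path -ErrorAction Stop).Value
        $findings.Add([pscustomobject]@{
            Setting  = $c.Path
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($actual -eq $c.Expected)
            Why      = $c.Why
        })
    }

    # Every listener should be HTTPS; an HTTP listener is only acceptable while the
    # compatibility listener from Step 2 is deliberately (and temporarily) enabled
    foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $transport = ($l.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
        $findings.Add([pscustomobject]@{
            Setting  = "Listener $($l.Name)"
            Expected = 'HTTPS'
            Actual   = $transport
            Pass     = ($transport -eq 'HTTPS')
            Why      = 'HTTP listeners accept unencrypted transport'
        })
    }

    return $findings
}

# Print the audit table; any row with Pass = False needs attention
Test-WinRMHardening | Format-Table -AutoSize
```

The script reports rather than remediates: settings delivered by Group Policy should be corrected in the GPO, not on the host, or the next policy refresh will silently undo the local change.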

Summary of Additional GPO Settings

By applying these additional GPO settings, you enhance the security and control of your WinRM environment:

  • WinRM Client Configuration:
     • Set trusted hosts and maximum concurrent operations.
     • Configure CredSSP for secure authentication.
  • WinRM Service Configuration:
     • Allow remote shell access and set maximum connections.
     • Enable timeouts and compatibility listeners.
  • Security Settings:
     • Enforce HTTPS, disable basic authentication, and enable Kerberos.

Additional Considerations

  • Audit and Monitoring: Regularly audit WinRM logs and monitor connections for unauthorized access attempts.
  • Testing: Test all configurations in a controlled environment before applying them widely to ensure they meet your organization's security policies.
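The auditing point above is easier to act on with a concrete check. The script below is an added example, not part of the original guide: it runs a small detection over the Microsoft-Windows-WinRM/Operational log, where Event ID 169 records the authentication method a remote caller used and Event ID 91 records each WSMan shell created on the server. Once the policy above is in place, Kerberos should be the norm, so NTLM or Basic authentications and unusually busy accounts are the events worth reviewing. The sample events are constructed so the script runs offline; their message wording is modelled on the real events but is an assumption, and the regex tolerates minor differences in formatting.

```powershell
# Added example: flag non-Kerberos WinRM authentications (Event 169) and accounts
# creating an unusual number of WSMan shells (Event 91).

function Find-SuspiciousWinRMActivity {
    param(
        # Event objects from Get-WinEvent, or the constructed samples below
        [Parameter(Mandatory)] [object[]]$Events,
        # Shells per account before the account is flagged (assumed threshold)
        [int]$ShellThreshold = 10
    )
    $alerts = New-Object System.Collections.Generic.List[object]
    $shellsPerUser = @{}

    foreach ($e in $Events) {
        switch ($e.Id) {
            169 {
                # "User DOMAIN\name authenticated successfully using Kerberos authentication"
                $pattern = 'User \[?(?<user>[^\]\s]+)\]? authenticated successfully using \[?(?<auth>\w+)\]? authentication'
                if ($e.Message -match $pattern -and $Matches['auth'] -ne 'Kerberos') {
                    $alerts.Add([pscustomobject]@{
                        Time   = $e.TimeCreated
                        User   = $Matches['user']
                        Reason = "WinRM authentication used $($Matches['auth']) instead of Kerberos"
                    })
                }
            }
            91 {
                # Count shells per caller SID (UserId on the event record)
                $user = "$($e.UserId)"
                $shellsPerUser[$user] = 1 + [int]$shellsPerUser[$user]
            }
        }
    }

    foreach ($entry in $shellsPerUser.GetEnumerator()) {
        if ($entry.Value -ge $ShellThreshold) {
            $alerts.Add([pscustomobject]@{
                Time   = $null
                User   = $entry.Key
                Reason = "$($entry.Value) WSMan shells created (threshold $ShellThreshold)"
            })
        }
    }
    return $alerts
}

# Constructed sample events (not real log data) so the detection runs offline
$sampleEvents = @(
    [pscustomobject]@{ Id = 169; TimeCreated = Get-Date '2024-01-01 09:00'; UserId = 'S-1-5-21-1-1-1-1001'
                       Message = 'User CONTOSO\admin1 authenticated successfully using Kerberos authentication' }
    [pscustomobject]@{ Id = 169; TimeCreated = Get-Date '2024-01-01 09:02'; UserId = 'S-1-5-21-1-1-1-1002'
                       Message = 'User CONTOSO\svc-backup authenticated successfully using NTLM authentication' }
)
$sampleEvents += 1..12 | ForEach-Object {
    [pscustomobject]@{ Id = 91; TimeCreated = (Get-Date '2024-01-01 09:03').AddSeconds($_); UserId = 'S-1-5-21-1-1-1-1002'
                       Message = 'Creating WSMan shell on server with ResourceUri: http://schemas.microsoft.com/powershell/Microsoft.PowerShell' }
}

# Against the samples this reports one NTLM authentication and one account over the shell threshold.
# On a live host, replace $sampleEvents with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91, 169 } -MaxEvents 5000
Find-SuspiciousWinRMActivity -Events $sampleEvents | Format-Table -AutoSize
```

An NTLM hit is not by itself an incident: it is expected for connections by IP address or from non-domain clients, which is exactly why a narrow Trusted Hosts list keeps this signal useful.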

Pure PowerShell Implementation

Here's a script to apply these additional settings using PowerShell. It needs the GroupPolicy module (part of RSAT) and writes the same policy registry values the ADMX templates above set:

```powershell
# Define variables
$gpoName = "Enable WinRM with HTTPS and Auto-Enrollment"
$trustedHosts = "*.domain.com" # Replace with your domain or specific hosts
$maxConcurrentOperations = 5
$maxConnections = 25
$idleTimeoutMs = 240000
$operationTimeoutMs = 60000
$ipv4Filter = "*" # Narrow to the local address ranges the service should listen on
$ipv6Filter = "*"

# Policy registry keys written by the WinRM ADMX templates
$clientKey  = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client"
$serviceKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"

# Function to configure additional GPO settings for WinRM
function Configure-AdditionalGPOSettings {
    # Import GroupPolicy module (RSAT) and stop if it is not installed
    Import-Module GroupPolicy -ErrorAction Stop

    # Fail early if the GPO created earlier does not exist
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        throw "GPO '$gpoName' not found. Create it before running this script."
    }

    # Set trusted hosts: the policy uses TrustedHosts as its enable flag
    # and stores the host list in TrustedHostsList
    Write-Output "Configuring Trusted Hosts..."
    Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName "TrustedHosts" -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName "TrustedHostsList" -Type String -Value $trustedHosts | Out-Null

    # Set maximum concurrent operations
    Write-Output "Configuring maximum concurrent operations..."
    Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName "MaxConcurrentOperations" -Type DWord -Value $maxConcurrentOperations | Out-Null

    # Allow remote server management through WinRM; the IPv4/IPv6 filters
    # define which local addresses the listener binds to
    Write-Output "Allowing remote server management through WinRM..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "AllowAutoConfig" -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "IPv4Filter" -Type String -Value $ipv4Filter | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "IPv6Filter" -Type String -Value $ipv6Filter | Out-Null

    # Set maximum connections
    Write-Output "Configuring maximum connections..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "MaxConnections" -Type DWord -Value $maxConnections | Out-Null

    # Set timeouts
    Write-Output "Configuring timeouts..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "IdleTimeout" -Type DWord -Value $idleTimeoutMs | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "OperationTimeout" -Type DWord -Value $operationTimeoutMs | Out-Null

    # Disable basic authentication
    Write-Output "Disabling Basic Authentication..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "AllowBasic" -Type DWord -Value 0 | Out-Null

    # Enable Kerberos authentication
    Write-Output "Enabling Kerberos Authentication..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "AllowKerberos" -Type DWord -Value 1 | Out-Null

    # Enforce HTTPS-only connections
    Write-Output "Disabling unencrypted traffic..."
    Set-GPRegistryValue -Name $gpoName -Key $serviceKey -ValueName "AllowUnencryptedTraffic" -Type DWord -Value 0 | Out-Null
}

# Execute additional GPO configuration
Write-Output "Applying additional GPO settings for WinRM..."
Configure-AdditionalGPOSettings
Write-Output "Additional GPO configuration completed successfully!"
```

How to Use the PowerShell Script

  1. Run PowerShell as Administrator: Open PowerShell with elevated privileges on a machine that has the GroupPolicy module (RSAT) installed.
  2. Save the Script: Save the script as Configure-Additional-WinRM-GPO.ps1.
  3. Execute the Script:

```powershell
.\Configure-Additional-WinRM-GPO.ps1
```