Powershell: Enable secure Windows/Powershell Remoting over https


These are the steps to enable Windows PowerShell remoting secured by TLS.

Check your network connection profile. Set-WSManQuickConfig expects that the network profile is at least Private or Domain.

Enable Windows Remoting, by PowerShell

PS D:\> Set-WSManQuickConfig

or from the command line

D:\> winrm quickconfig

Enable PowerShell remoting

PS D:\> Enable-PSRemoting

Check for a machine certificate. In a domain environment a certificate should already be installed.

PS D:\> dir CERT:\LocalMachine\My\

If no certificate is installed, create a self-signed certificate

PS D:\> New-SelfSignedCertificate  -DnsName "$ENV:COMPUTERNAME" -KeyAlgorithm RSA -KeyLength 2048 -NotAfter ((Get-Date).AddYears(10)) -CertStoreLocation "cert:\LocalMachine\My" 
PS D:\> dir CERT:\LocalMachine\My\

If you use a domain machine certificate, enable https and disable http

C:\> winrm quickconfig -transport:https

If you use a self-signed certificate, determine the certificate thumbprint and the hostname

PS D:\> (Get-ChildItem Cert:\LocalMachine\my).Thumbprint
PS D:\> (Get-ChildItem Cert:\LocalMachine\my).DnsNameList
Punycode     Unicode
--------     -------
yourHostname yourHostname

Change to a cmd window and enable https

C:\> winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Hostname="yourHostname";CertificateThumbprint="F3880C95203CA33770BFC314FC5923EF74C47000";Port="5986"}

or with PowerShell

PS D:\> New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint "F3880C95203CA33770BFC314FC5923EF74C47000" -Hostname "yourHostname" -Force

Disable http the winrm way

C:\> winrm delete winrm/config/Listener?Address=*+Transport=HTTP

Or the PowerShell way

PS D:\> Get-ChildItem WSMan:\localhost\Listener | ?{$_.Keys -contains "Transport=HTTP"}|remove-item -recurse -Confirm:$false

Check the listeners

C:\> winrm enumerate winrm/config/listener

If the machine is not a member of a domain, the trusted host(s) must be set.

C:\> winrm set winrm/config/client '@{TrustedHosts="yourComputerWhoShouldAbleToConnect"}'

Add a firewall rule

C:\> netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in protocol=tcp localport=5986 profile=any enable=yes action=allow

On the remote machine: start a session. When a self-signed certificate is used:

PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) -Credential (Get-Credential)
[theRemoteComputer ]: PS C:\Users\myUser\Documents>

The session option (New-PSSessionOption -SkipCACheck -SkipCNCheck) can be omitted if the self-signed certificate is imported into the Root CA store.

Or with a certificate signed by a CA

PS D:\> Enter-PSSession -ComputerName theRemoteComputer -UseSSL 
[theRemoteComputer ]: PS C:\Users\myUser\Documents>

This opens the GUI to alter the permissions of the WinRM service

PS D:\> Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

To just display the permissions

PS D:\> ConvertFrom-SddlString (get-item WSMan:\localhost\Service\RootSDDL).Value
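After working through the steps above, this audit script (an added example, not from the original post) checks from an elevated PowerShell prompt on the remote machine that only an HTTPS listener remains, that its certificate is present, unexpired and matches the listener hostname, that an inbound firewall rule exists for the listener port, and that TrustedHosts is not wide open. It assumes the certificate lives in Cert:\LocalMachine\My, as in the steps above.

```powershell
# Audit the WinRM-over-HTTPS configuration produced by the steps above.
# Assumption: listener certificate is stored in Cert:\LocalMachine\My.
$findings = @()

# 1. Read every listener into an object (Address, Transport, Port, Hostname, CertificateThumbprint ...).
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = @{}
    Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" | ForEach-Object { $props[$_.Name] = $_.Value }
    [pscustomobject]$props
}

# 2. Any remaining HTTP listener defeats the purpose of the HTTPS setup.
foreach ($l in ($listeners | Where-Object Transport -eq 'HTTP')) {
    $findings += "HTTP listener still present on address $($l.Address), port $($l.Port); remove it."
}

$https = $listeners | Where-Object Transport -eq 'HTTPS'
if (-not $https) { $findings += "No HTTPS listener configured." }

foreach ($l in $https) {
    # 3. The bound certificate must exist, be valid and carry the listener hostname.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $l.CertificateThumbprint
    if (-not $cert) {
        $findings += "Listener certificate $($l.CertificateThumbprint) not found in Cert:\LocalMachine\My."
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $findings += "Listener certificate expired on $($cert.NotAfter)." }
        if ($cert.DnsNameList.Unicode -notcontains $l.Hostname) {
            $findings += "Certificate DNS names ($($cert.DnsNameList.Unicode -join ', ')) do not include listener hostname '$($l.Hostname)'."
        }
        if ($cert.Subject -eq $cert.Issuer) {
            Write-Host "Note: self-signed certificate in use; clients need -SkipCACheck/-SkipCNCheck or the certificate in their Root store."
        }
    }
    # 4. An enabled inbound allow rule for the listener port must exist (the netsh rule above).
    $rule = Get-NetFirewallPortFilter -Protocol TCP | Where-Object LocalPort -eq $l.Port |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    if (-not $rule) { $findings += "No enabled inbound firewall rule allows TCP port $($l.Port)." }
}

# 5. TrustedHosts is a client-side setting; '*' trusts every host and should be narrowed.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -eq '*') { $findings += "TrustedHosts is '*'; restrict it to the hosts that need to connect." }

if ($findings.Count -eq 0) { "WinRM over HTTPS looks correctly configured." } else { $findings }
```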
