Author Posts

January 4, 2018 at 5:20 pm

I am trying to enable PowerShell remoting on all domain devices and then restricting them to only listen for one "script server" (with the potential to add more hosts later). When I run the command below, I am able to run a remote command successfully on the remote machine via my script server:

enable-psremoting -confirm:$false

However, when I try to restrict the client to listen to the server I'm running the commands from, I receive an error. Here is the command I'm running to restrict the listening to the server:

Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.62.23.3";Transport="http"}
Restart-Service winrm -Force

After running same remote command:

Error:
[COMPUTERNAME] Connecting to remote server COMPUTERNAME failed with the following error message : The WinRM client sent a request to an HTTP server and got a response
saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the
about_Remote_Troubleshooting Help topic.

I'm basically trying to keep the environment as locked down as possible and only allow remoting from one server, without passing credentials (only using kerberos). Any ideas?

January 5, 2018 at 6:34 pm

Sssssooooo.... a listener is something you set up on a machine to tell it which local IP addresses to listen on – not which IP addresses they should expect communications to come from. So if you set up a listener "on" 192.168.11.4, and the machine doesn't actually have that IP address bound to a NIC, then it won't work.

I'm not entirely following your client/server layout – it might make sense to refer to them as ComputerA and ComputerB, or something, so I'm more clear on who is trying to talk to whom.

January 5, 2018 at 8:16 pm

Wouldn't it be easier to tell the firewall to only accept connections on the port to that IP address?

January 5, 2018 at 8:28 pm

I'm not sure what would be easier at this point – Trying to figure out the best way to accomplish this. I want to enable remoting from:
ComputerA to ComputerB
ComputerA to ComputerC
ComputerA to ComputerD
etc.

I don't want Computer B, C, D to be able to remote anywhere.

However, I believe I have found a way to use certificates to enforce SSL on port 5986. However, with the ability to use "SkipCACheck" and "SKipCNCheck" switches with New-PSSessionOption, I don't see a way to enforce authentication with certificate/CA. If I'm unable to find a way to force certificate authentication, I will have to enable remoting only FROM ComputerA to any device. Any thoughts/suggestions on either approach?

January 5, 2018 at 8:31 pm

"I don't want Computer B, C, D to be able to remote anywhere."

That's not a feature Remoting supports. Outbound traffic isn't controlled at the WS-MAN level. You'd need to enforce this with firewall policy.

January 5, 2018 at 8:32 pm

I'd change the firewall on computer A to allow outgoing PS remoting and the firewall on the others to allow only incoming PS remoting from computer A and block outbound. You could do this through group policy or get your network guys to write an rule in the firewalls to do the same. I tend to prefer rules on the network side (or both!) to prevent stolen windows creds from changing the windows firewall.

January 5, 2018 at 8:38 pm

Based on your response, I have another question. I have been doing some testing and currently able to remote from ComputerA to ComputerB. However, when I check the firewall rules on ComputerA, I don't see any outgoing rule for Windows Remote Management (only inbound). Are you just saying I would leave ComputerA as is, allow inbound traffic on ALL hosts, but create a new rule to disable all outbound traffic on those hosts (except for ComputerB?

Do you know of a way to enforce the use of certificates or can "SkipCACheck" and "SKipCNCheck" always be used? If I can enforce the use of certificates and only allow an HTTPS listener, I think that would be the most secure method.

January 5, 2018 at 8:43 pm

Computer A would have a firewall rule that allows outgoing

Computers, B – X would have a rule that allows incoming, blocks outgoing.

I cannot answer the questions about "SkipCACheck" and "SKipCNCheck", I bet Don will be able to though. But remember, if you leave the non secure ports open, people will always be able to get to it on those ports! You could always close off the non secure ports, and only have the SSL port, which is all firewall rules as well. Whether it be windows or network firewall.

January 5, 2018 at 8:54 pm

SSL has two purposes: Authenticating the server that you're connecting to, and encrypting the transmission.

-SkipCACheck and -SkipCNCheck basically let you skip the authentication. The originating machine will accept any certificate if you specify those. So you still get encryption – but you don't really know who you're talking to. I should point out that if you have people likely to use these internally, then that's an HR problem. There's no technical way to prevent someone from using them, but if you have people dumb enough to do so, fire those people rather than entrusting them with these abilities.

You SHOULD only use HTTPS listeners. If you do so, then you're enforcing encryption no matter what gets specified on the parameters.