Remoting question

This topic contains 2 replies, has 2 voices, and was last updated by TJ Anon 4 years ago.

  • #11170

    TJ Anon
    Participant

    So.... I am reworking our GPO that enables us to run powershell commands on remote machines to make it correct instead of expedient. Boss asks me why we need exceptions for WinRM and WSMan on 5985 in the GPO. I didn't think anything would run without those exceptions but I tested anyway. I disabled that part of the GPO and *everything* ran! Still! What am I missing? I thought you had to open that port for anything to work. We have two built-in exceptions in that GPO: Remote Eventlog Management, and Windows Remote Management.

    Everything (the commands I tested):
    enter-pssession, dir
    copy-item
    get-service
    get-winevent
    get-ciminstance

    The part of the GPO that I removed for the test is found in Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, Windows Firewall: Define inbound program exceptions. At the moment it is set to Disabled for testing.

  • #11172

    Don Jones
    Keymaster

    WS-Management absolutely requires 5985 (by default; you can of course change it). What's very possible is that disabling the GPO didn't *also disable the existing firewall exception*, meaning the exception was still in place and active. "Disabled" prevents the GPO from pushing a specification but doesn't necessarily undo any exceptions that were already in place.

    You definitely need 5985 if you're using non-SSL WinRM, unless you've redefined the port to something else.
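One way to check the point above on the target machine is to look at the firewall rules that are actually in effect for TCP 5985, rather than at the GPO setting. This is an added example, not code from the thread; `TARGET-HOST` is a placeholder for the remote machine name.

```powershell
# Added example (not from the thread). ActiveStore is the merged view of local rules
# plus every applied GPO, which is what decides whether WinRM traffic gets in.
# PolicyStoreSource shows whether each rule came from a GPO or the local store.
$winrmRules = Get-NetFirewallPortFilter -PolicyStore ActiveStore |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '5985' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' }

$winrmRules |
    Select-Object DisplayName, Enabled, Action, Profile,
                  PolicyStoreSourceType, PolicyStoreSource |
    Format-Table -AutoSize

# Is a WinRM listener actually bound to HTTP/5985 on this box?
Get-ChildItem WSMan:\localhost\Listener |
    ForEach-Object { Get-ChildItem $_.PSPath } |
    Where-Object { $_.Name -in 'Transport', 'Port' } |
    Select-Object Name, Value

# End-to-end check from the admin workstation: does the remote WS-Management
# service answer on the default HTTP port? Replace the placeholder host name.
Test-WSMan -ComputerName 'TARGET-HOST' -Port 5985 -ErrorAction SilentlyContinue
```

If the first table still lists an enabled "Windows Remote Management (HTTP-In)" rule with a local PolicyStoreSource after the GPO was set to Disabled, the exception was never removed, which would explain why the remoting tests kept working.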

  • #11173

    TJ Anon
    Participant

    OK. I changed the GPO to "not configured" for that setting. Then ran the same test. I got one failure and the rest worked. Is this more in line with what should happen? Or am I still doing something wrong?

    fail: get-service
    work: get-winevent
    enter-pssession, dir
    get-ciminstance
    copy-item

    Anticipating more questions from the boss... is there any way to come up with a list of which cmdlet uses this port (or WS-Management or WinRM)? I'm tempted to just tell her that Don Jones says to just "get over it". But I don't think that will fly. :p
