|
|
@@ -0,0 +1,36 @@
|
|
|
+---
|
|
|
+title: Windows Remote Management (WinRM)
|
|
|
+categories: [cheatsheets]
|
|
|
+tags: [security, windows]
|
|
|
+---
|
|
|
+
|
|
|
+# Windows Remote Management (WinRM)
|
|
|
+
|
|
|
+Current Version: 3.0
|
|
|
+
|
|
|
+## Ports
|
|
|
+
|
|
|
+* HTTPS: 5986 (prefered)
|
|
|
+* HTTP: 5985
|
|
|
+
|
|
|
+## Configuring WinRM within workgroups
|
|
|
+
|
|
|
+* When having no DOMAIN in place, Kerberos can't be used for mutual authentication
|
|
|
+* Then, a `trusted hosts list` must be used¹
|
|
|
+ - Not as a replacement for authentication!
|
|
|
+ - `Set-Item WSMan:localhost\client\trustedhosts -value “<host>”`
|
|
|
+* Use HTTPS and not HTTP to ensure that Server validity can be verified to prevent impersonation
|
|
|
+ - Using Kerberos + HTTP, the packets are encrypted anyway, HTTPS is still prefered due to above mentioned Server integrity verification.
|
|
|
+* Disable Basic Authentication if possible, if it must be used, only in combination with HTTPS
|
|
|
+ - Digest Authentication is prefered (if Kerberos is not available)
|
|
|
+ - Digest configuration via HTTP is **not** considered secure
|
|
|
+
|
|
|
+
|
|
|
+¹ [https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management](https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management)
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+## Sources:
|
|
|
+
|
|
|
+* [Microsoft Documentation](https://docs.microsoft.com/en-us/windows/win32/winrm/portal)
|
|
|
+*
|
Marius Schwarz