
WinRM has a very difficult-to-use command-line interface, and that leads me to believe some settings will be easily reconfigured, overlooked, and eventually exploited.

In other words, insecurity through obscurity.

What security settings should I pay attention to when configuring WinRM on a server?

makerofthings7

1 Answer

Here is an incomplete list of security-related items I discovered:

Be aware of new defaults

WinRM used to run on ports 80/443 in Vista and Longhorn. That has changed to ports 5985 and 5986, recognized by IANA as the new management ports (more info at the bottom of this page).

Helpful commands

  • The command winrm g winrm/config lists most of the WinRM configuration settings
  • Inbound listeners are shown here: winrm e winrm/config/listener

Configuration

  • Many MSFT support documents recommend running the command winrm quickconfig, which creates an HTTP listener. A possible vulnerability is that your token is sent unencrypted on port 5985. The alternative is to run: winrm quickconfig -transport:https.

  • Ensure that "EnableCompatibilityHttpListener" and its HTTPS counterpart are set to false on all servers, especially public-facing web servers.

  • For machines in the DMZ or multi-homed machines, you may want to prevent a listener on certain interfaces and not others. See winrm help config for more info.

Todo/research

  • The wording of this MSFT page indicates that the client or server might downlevel-negotiate to unencrypted traffic within the HTTP transport. This creates room for a MITM to access credentials. I'm looking into ways to ensure the client always uses SOAP encryption regardless of the transport being used.
makerofthings7
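As an added example (editor's code, not part of the original answer), the following PowerShell audit reads the settings the answer lists through the WSMan: provider drive and reports anything that deviates from the recommended state: HTTP-only listeners, listeners bound to every interface, and the compatibility listeners. It also checks the AllowUnencrypted setting on the Service and Client sides, which is assumed here to be the relevant knob for the "downlevel negotiate to unencrypted traffic" concern in the Todo item; run it in an elevated PowerShell session on the server under review.

```powershell
# Added example, not from the original post. Read-only audit of WinRM settings
# via the WSMan: drive; prints findings, changes nothing.
$findings = @()

# 1. Listeners: flag HTTP transport (plaintext on 5985 unless SOAP encryption holds)
#    and listeners bound to all interfaces ('*'), which matters on DMZ/multi-homed hosts.
foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
    $props = @{}
    Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
        ForEach-Object { $props[$_.Name] = $_.Value }
    $desc = "$($listener.Name) transport=$($props.Transport) " +
            "address=$($props.Address) port=$($props.Port)"
    if ($props.Transport -eq 'HTTP') {
        $findings += "HTTP listener present; prefer 'winrm quickconfig -transport:https': $desc"
    }
    if ($props.Address -eq '*') {
        $findings += "Listener bound to all interfaces; restrict on DMZ/multi-homed hosts: $desc"
    }
}

# 2. Compatibility listeners: both should be false so WinRM is not also reachable on 80/443.
foreach ($name in 'EnableCompatibilityHttpListener', 'EnableCompatibilityHttpsListener') {
    $value = (Get-Item -Path "WSMan:\localhost\Service\$name").Value
    if ($value -ne 'false') { $findings += "Service\$name is '$value'; expected 'false'" }
}

# 3. AllowUnencrypted (assumed to be the setting behind the unencrypted-negotiation concern):
#    when true on either side, SOAP traffic over an HTTP listener may be sent in the clear.
foreach ($scope in 'Service', 'Client') {
    $value = (Get-Item -Path "WSMan:\localhost\$scope\AllowUnencrypted").Value
    if ($value -ne 'false') { $findings += "$scope\AllowUnencrypted is '$value'; expected 'false'" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```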