As PowerShell becomes more and more popular, it appears that using WINRM may end up being a better option than using PSEXEC from SysInternals for remote management. Given that WINRM is disabled by default, however, I wonder what type of security holes it would create to enable the service on all domain members. Obviously the attack surface would be increased, but would it be any worse than the default administrative shares or enabling SSH?

AviD
bshacklett

1 Answer

"Security holes" I think is a bit subjective. You need local administrator credentials to connect to WINRM.

It does increase the attack surface of the system, and it is disabled by default because it's not one of the top n services used by most administrators.

WINRM uses SOAP (WCF), which uses HTTP.sys, which makes it a prime target for attack.

Is it insecure? No. Is it insecure if it's enabled and it's never used? Not really, but there could be a vulnerability found in the future, and it would make you feel kinda dumb for enabling the thing when you don't ever use it and get attacked because of it.

If you are okay with that particular scenario, then sure it's no worse than the default shares. But it all depends on what kind of environment you are in. If you need or want to use WINRM for management of your machines, then you are probably fine to start it.

Steve
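
For the "enabled and never used" case discussed in the answer, a read-only inventory of what WinRM exposes on a host can be taken as follows. This is an added example, not part of the original question or answer; the function name `Get-WinRMExposure` is hypothetical, and it assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the original post): read-only audit of local WinRM exposure.
# Get-WinRMExposure is a hypothetical name. Nothing here changes configuration.
function Get-WinRMExposure {
    $svc = Get-Service -Name WinRM
    $report = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceStatus    = $svc.Status
        StartType        = $svc.StartType
        Listeners        = @()
        AllowUnencrypted = $null
        BasicAuth        = $null
        Findings         = @()
    }

    # The WSMan: drive can only be read while the service is running.
    if ($svc.Status -eq 'Running') {
        # Each listener is an HTTP.sys endpoint (default ports: 5985 HTTP, 5986 HTTPS).
        $report.Listeners = @(foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
            $props = Get-ChildItem $l.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
                Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
            }
        })
        $report.AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        $report.BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value

        # Settings that widen the exposure beyond a default listener.
        if ($report.AllowUnencrypted -eq 'true') {
            $report.Findings += 'Service accepts unencrypted traffic'
        }
        if ($report.BasicAuth -eq 'true') {
            $report.Findings += 'Basic authentication is enabled'
        }
        if ($report.Listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }) {
            $report.Findings += 'HTTP listener bound to all addresses'
        }
    }
    elseif ($svc.StartType -ne 'Disabled') {
        $report.Findings += 'Service is stopped but can still be started'
    }
    [pscustomobject]$report
}

Get-WinRMExposure | Format-List
```

Hosts that report a running service with listeners but are never managed over WinRM are the ones where the added surface buys nothing.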