When I set WSMan:\localhost\Client\TrustedHosts on the server, it still allows access from client machines inside the domain. Instead, I'd like to disallow domain members by default. The calling user is an admin on both the client and server machines, but to reduce the attack surface for malware, I'd like to disallow access from every machine but the intended client.

durette

1 Answer

As explained in this article: Enabling PowerShell remoting for only a specified set of IP addresses.

For each client (pc1/pc2/pc...) you have to:

enable-psremoting

next: remove the winrm-listener that was created by enable-psremoting

Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}

now the machine listens to nobody, so you have to create a new listener for the admin-client

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.11.12.13";Transport="http"}

now restart the winrm service

spsv winrm -pass | sasv -pass |gsv   #*

(you have to run PowerShell as admin)

*
*spsv = Stop-Service // sasv = Start-Service // gsv = Get-Service // -pass = -PassThru*
EBGreen
  • This is how to change which listener IP is used, which is useful for a machine with multiple interfaces, like with a DMZ. I only have one IP on this machine but only want to allow access from a particular client. – durette Jun 30 '18 at 14:27
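The listener Address in the answer selects a local interface on the server; limiting which client machine may connect, as the question asks, is a scope on the inbound WinRM port in the host firewall. The following is an added example, not part of EBGreen's answer; it assumes the client address 10.11.12.13 from the answer, the default WinRM HTTP port 5985, and that the built-in "Windows Remote Management" rule group is what currently admits every domain host.

```powershell
# Added example (not from the answer): allow WinRM over HTTP from one client only.
# Assumptions: admin client is 10.11.12.13, WinRM listens on TCP 5985, and the
# built-in "Windows Remote Management" rule group is what currently allows any host.
$AllowedClient = '10.11.12.13'
$WinRMPort     = 5985

# 1. Disable the built-in inbound WinRM rules; they allow any remote address
#    on the Domain/Private profiles, which is why domain members still get in.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Disable-NetFirewallRule

# 2. Add one allow rule scoped to the intended client address only.
New-NetFirewallRule -DisplayName "WinRM HTTP from $AllowedClient only" `
    -Direction Inbound -Protocol TCP -LocalPort $WinRMPort `
    -RemoteAddress $AllowedClient -Action Allow -Profile Domain,Private

# 3. Check: list every enabled inbound rule that still opens the WinRM port,
#    together with the remote addresses it admits. Only the new rule should
#    appear, and its RemoteAddress should be the single client.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$WinRMPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
```

Run as an administrator on the server; afterwards Test-WSMan from the allowed client should succeed while the same call from any other domain machine is dropped at the firewall.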