Remote PowerShell (over the WinRM protocol) is a great method to manage and monitor your Windows fleet securely and easily from a central location. I've summarised below how I would deploy the WinRM configuration to your Windows servers so they can be accessed remotely by monitoring and management platforms, and much more.
This is a very loose set of instructions to configure HTTPS WinRM for remote PowerShell (listener on 5986/TCP, Kerberos authentication, certificates from your own CA) and will require you to Google parts to fully understand what to do.
General Requirements
- Windows Active Directory Domain - we will be using Group Policy to deploy the config and an AD account to authenticate when connecting
- Up to date Windows Server devices - the policy may apply fine to an out-of-date device, but actually connecting to it may not work very well
- Certificate Authority - an Active Directory Certificate Services (AD CS) enterprise CA, since the certificate templates and autoenrolment used below depend on it. It doesn't need to be a properly separated offline root / issuing CA setup
Deployment
- Create a new Active Directory account to be used as a service account for connections. If it's being used for monitoring you could use Svc.Monitoring@domain.tld. Give it a long, unique password and use it for nothing else, because the steps below make it a local administrator on every server in scope.
- Create a new Group Policy and ensure the below configuration items are present:
  - Scope it to whichever OU contains the devices you'd like to configure.
  - Set the security filtering to at least Domain Computers. Authenticated Users will also work, but is broader than needed.
  - Windows Firewall rule allowing inbound 5986/TCP from your management IP addresses only (not from Any).
  - Windows Firewall rule allowing inbound ICMPv4 Echo Request (ping) from your management IP addresses.
  - Enable automatic certificate enrolment (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment).
  - Add your service account (Svc.Monitoring@domain.tld) to the local Administrators group on the devices.
  - Add a scheduled task which runs once a day, elevated (e.g. as SYSTEM), to run this specific command:
    winrm quickconfig -transport:https -quiet
    This actually configures the WinRM HTTPS listener and will only succeed if an appropriate certificate already exists on the device: subject CN matching the hostname, valid for Server Authentication, not expired, revoked or self-signed. That is why it is a daily task rather than a one-off: the first run will usually happen before autoenrolment has delivered the certificate, and a later run picks it up.
- Ensure you have created appropriate forward (A) and reverse (PTR) DNS records on your AD domain controllers for each device, since Kerberos authentication requires connecting by the device's FQDN (not its IP address), and that FQDN must also match the certificate.
- Create a new certificate template (duplicating the built-in Computer or Web Server template is the usual starting point) which puts the DNS name of the device in the subject and includes the Server Authentication EKU. Change the security options so 'Domain Computers' have both Enroll and Autoenroll permission. Ensure you have actually published the template on the issuing CA (Certificate Templates > New > Certificate Template to Issue), otherwise nothing will enrol.
- You should now be able to connect to the remote machine from your management server, by FQDN over HTTPS, using Kerberos authentication and remote PowerShell over WinRM.
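As an added example (this is not the original post's script, and not something the post's author supplies), the PowerShell below shows what the daily scheduled task could run in place of the bare winrm quickconfig: it selects the certificate explicitly under the same conditions quickconfig applies, exits cleanly when autoenrolment has not delivered one yet, and re-points the listener when the certificate has been renewed. The second part is what to run from the management server to prove the listener, the certificate chain and Kerberos all work end to end. The hostname srv01.domain.tld, the management-side credential prompt, and the assumption that the template places the FQDN in the certificate CN or SAN with the Server Authentication EKU are placeholders/assumptions, not facts from the post.

```powershell
#Requires -RunAsAdministrator
# ---------- Part 1: on each server (scheduled task body) ----------
# Added example, not code from the original post. Assumes (not stated in the post) that the
# template-issued certificate lands in Cert:\LocalMachine\My with the machine FQDN as CN or SAN
# and carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1).

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The WSMan: drive only works while the WinRM service is running.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Pick the newest certificate that satisfies the listener requirements: private key present, not
# expired, not self-signed, Server Authentication EKU, and a CN or SAN equal to the FQDN.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -ne $_.Issuer -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku) -and
        ($_.Subject -match "(^|,\s*)CN=$([regex]::Escape($fqdn))(,|$)" -or
         $_.DnsNameList.Unicode -contains $fqdn)
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # Autoenrolment has not run yet; the next scheduled run will try again.
    Write-Warning "No usable Server Authentication certificate for $fqdn in LocalMachine\My yet."
    exit 1
}

# Create the HTTPS listener, or re-point an existing one at the current certificate. Autoenrolment
# renews certificates, and a listener still bound to an expired thumbprint stops accepting connections.
$listener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }

if (-not $listener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -Hostname $fqdn `
        -CertificateThumbprint $cert.Thumbprint -Force | Out-Null
    Write-Output "Created HTTPS listener for $fqdn using $($cert.Thumbprint)"
} else {
    $boundPath = "WSMan:\localhost\Listener\$($listener.Name)\CertificateThumbprint"
    if ((Get-Item -Path $boundPath).Value -ne $cert.Thumbprint) {
        Set-Item -Path $boundPath -Value $cert.Thumbprint -Force
        Write-Output "Re-bound HTTPS listener to renewed certificate $($cert.Thumbprint)"
    }
}

# ---------- Part 2: from the management server ----------
# Kerberos requires the target's FQDN (an IP address falls back to NTLM or fails), and -UseSSL makes
# the client validate the server certificate chain against the CA, so both DNS and PKI get exercised.
$target = 'srv01.domain.tld'   # placeholder for one server in the GPO's scope

# Unauthenticated identify request: proves the 5986 listener answers and the certificate is trusted.
Test-WSMan -ComputerName $target -UseSSL

# Authenticated session as the service account: proves Kerberos and local Administrators membership.
$cred = Get-Credential -UserName 'Svc.Monitoring@domain.tld' -Message 'Service account password'
Invoke-Command -ComputerName $target -UseSSL -Authentication Kerberos -Credential $cred -ScriptBlock {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        User     = $identity.Name
        IsAdmin  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Listener = (Get-ChildItem -Path WSMan:\localhost\Listener |
                    Where-Object { $_.Keys -contains 'Transport=HTTPS' }).Name
    }
}
```

Part 1 replaces the quickconfig one-liner rather than adding to it, so it belongs in the same daily task; running it before the certificate arrives is harmless, it just exits and logs a warning. In Part 2, a Test-WSMan failure points at DNS, the firewall rule or the certificate chain, while a failure only at Invoke-Command points at Kerberos (SPN/FQDN) or the group membership.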