WinRM Security

Lucas Campos 21 Reputation points
2023-05-30T19:07:53.2633333+00:00

Is it possible to setup the WinRM Service to accept connections only on a certain IP list?

I know that this is achievable in CredSSP or NTLM scenarios by setting up the TrustedHosts configuration.

However, Domain Kerberos authentication seems to bypass that, and all hosts can connect to a server if the WinRM listener is up by providing proper credentials.

This alone provides enough security, as only the authorized users would be able to establish a connection.

However, is there a way to provide hardening for this at the host level in the WinRM Service setup?

Through my research I've found documentation about a property of the WinRM configuration named IP Filter that seems to be the solution to that, and that seems to be set up with the commands below:

winrm set winrm/config/Listener?Address=*+Transport=HTTP @{IPFilter="IP Address"}

Set-Item -Path WSMan:\localhost\Listener\Listener* -Value IP Address

Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="IP Address";Transport="HTTP"} -ValueSet @{Enabled="true";IPFilter="IP Address"}

Those commands always point to errors saying the property in question doesn't exist, so I wonder if that used to be a thing on Windows Server versions before 2012 R2 (which is the system I'm testing right now).

I know that an alternative would be using Windows Firewall; however, the Deny Rules are absolute and don't accept exceptions, so it's possible to bypass it by creating complementary rules alongside the Allow Rule with limited scope, which isn't ideal.

Thanks in advance.


1 answer

Will 425 Reputation points
2023-07-30T09:26:38.51+00:00

So as you know the default ports for WinRM are:

HTTP - 5985

HTTPS - 5986

So yeah, you can set up the service to restrict IPs. The defaults for the listeners, both IPv4 and IPv6, are set to * (any IP) by default.

If you open a command prompt and type winrm help config, it'll show you how to do this.

Of course, the other ways would be:

1. Create a firewall rule in Windows Defender Firewall and enforce the rule for WinRM and lock it down to the one IP.
2. Create a firewall rule/ACL etc. on your network gear to only accept authorized IPs.
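The host-level firewall approach from the answer, written out as an added example that is not part of the question or the answer. It assumes an elevated PowerShell on Windows Server 2012 R2 or later with the NetSecurity module; the management subnet 10.0.5.0/24 is a constructed value, and Get-OpenWinRmRule is a helper named here for the audit step.

```powershell
# Added example, not from the original thread. Scopes inbound WinRM to a
# management subnet and then audits the rule set for anything that still
# opens a WinRM port to any remote address (the bypass the question worries
# about: a second, wider Allow rule created next to the narrow one).

$MgmtSubnet = '10.0.5.0/24'            # constructed value, replace with your own
$WinRmPorts = '5985', '5986'           # HTTP and HTTPS listeners, as in the answer

# 1. Turn off the broad built-in rules so they cannot widen the scope, then add
#    one Allow rule limited to the management subnet on the Domain profile.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound `
    -ErrorAction SilentlyContinue | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'WinRM - management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort $WinRmPorts `
    -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow -Enabled True | Out-Null

# 2. Audit: list every enabled inbound Allow rule whose TCP port filter covers a
#    WinRM port (or 'Any') while its remote-address scope is still 'Any'.
#    Port ranges such as '5980-5990' are not expanded here and would be missed.
function Get-OpenWinRmRule {
    param([string[]]$Ports = ('5985', '5986'))
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            $portHit = ($port.Protocol -eq 'TCP') -and
                       (@($port.LocalPort) | Where-Object { $_ -eq 'Any' -or $_ -in $Ports })
            if ($portHit -and ($addr.RemoteAddress -contains 'Any')) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = $port.LocalPort
                    RemoteAddress = $addr.RemoteAddress
                }
            }
        }
}

# Any output here is a rule that re-exposes WinRM beyond the subnet; treat it
# as a finding to remove or rescope. An empty result is the expected state.
Get-OpenWinRmRule -Ports $WinRmPorts | Format-Table -AutoSize

# For completeness, show what the WinRM service itself binds to. The Service
# IPv4Filter/IPv6Filter values seen here control the local addresses that
# listeners use, not which clients may connect, so client scoping stays with
# the firewall rule above.
winrm get winrm/config/Service
```

Run the audit function again after any Group Policy refresh, since policy-delivered rules merge with local ones and can reopen the port without touching the rule created here.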
