WinRM Security

Lucas Campos 21 Reputation points
2023-05-30T19:07:53.2633333+00:00

Is it possible to set up the WinRM service to accept connections only from a certain IP list?

I know that this is achievable in CredSSP or NTLM scenarios by setting up the TrustedHosts configuration.

However, domain Kerberos authentication seems to bypass that, and all hosts can connect to a server if the WinRM listener is up, by providing proper credentials.

This alone provides enough security, as only the authorized users would be able to establish a connection.

However, is there a way to harden this at the host level in the WinRM service setup?

Through my research I've found documentation about a property of the WinRM configuration named IP Filter that seems to be the solution to that, and that seems to be set up with the commands below:

winrm set winrm/config/Listener?Address=*+Transport=HTTP @{IPFilter="IP Address"}

Set-Item -Path WSMan:\localhost\Listener\Listener* -Value IP Address

Set-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="IP Address";Transport="HTTP"} -ValueSet @{Enabled="true";IPFilter="IP Address"}

Those commands always produce errors saying the property in question doesn't exist, so I wonder if that used to be a thing on Windows Server versions before 2012 R2 and above, which is the system I'm testing right now.

I know that an alternative would be using Windows Firewall; however, the Deny rules are absolute and don't accept exceptions, so it's possible to bypass it by creating complementary rules alongside the Allow rule with limited scope, which isn't ideal.

Thanks in advance.


1 answer

    Will 420 Reputation points
    2023-07-30T09:26:38.51+00:00

    So as you know the default ports for WinRM are:

    HTTP - 5985

    HTTPs - 5986

    So yeah, you can set up the service to restrict IPs. The defaults for the listeners, both IPv4 and IPv6, are set to * (any IP).

    If you open a command prompt and type winrm help config, it'll show you how to do this.

    Of course, the other ways would be:

    1. Create a firewall rule in Windows Defender Firewall, enforce the rule for WinRM, and lock it down to the specific IPs.
    2. Create a firewall rule/ACL etc. on your network gear to only accept authorized IPs.
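As an added example (not code from the question or the answer above), this is the Windows Defender Firewall route from option 1 in PowerShell, together with an audit for the problem the question raises: a later, wider Allow rule silently reopening the WinRM ports. The rule names, the 'Windows Remote Management' display group and the IP addresses are assumptions and placeholders.

```powershell
# Added example: scope inbound WinRM (TCP 5985/5986) to an explicit list of
# management hosts and report any enabled rule that still opens those ports
# to "Any" remote address. Run in an elevated PowerShell on the target server.

$AllowedHosts = @('10.0.0.10', '10.0.0.11')   # constructed sample management IPs
$WinRmPorts   = @('5985', '5986')             # default HTTP and HTTPS listener ports

# 1. Disable the built-in, broadly scoped WinRM rules.
#    Assumption: they still sit under the display group shipped with Windows.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 2. One scoped Allow rule: the listener ports, but only from the approved hosts.
New-NetFirewallRule -DisplayName 'WinRM - management hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort $WinRmPorts `
    -RemoteAddress $AllowedHosts -Action Allow -Profile Any -Enabled True | Out-Null

# 3. Audit: every enabled inbound Allow rule whose port filter covers a WinRM
#    port (or all ports) while its address filter still allows any remote host.
#    Port ranges such as '5000-6000' are not expanded here; review those by hand.
function Get-UnscopedWinRmRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)

        $coversWinRm = ($port.Protocol -in @('TCP', 'Any')) -and
                       (($ports -contains 'Any') -or
                        (@($ports | Where-Object { $WinRmPorts -contains $_ }).Count -gt 0))
        $anyRemote   = @($addr.RemoteAddress) -contains 'Any'

        if ($coversWinRm -and $anyRemote) {
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Ports  = ($ports -join ',')
                Remote = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

# Anything listed here widens WinRM exposure beyond the allow list above.
Get-UnscopedWinRmRule | Format-Table -AutoSize
```

Re-run the audit function after any firewall or Group Policy change, since the Allow rule above cannot stop another Allow rule from being added later. Note that the listener's Address selector (for example Address=IP:10.0.0.5 instead of *) controls which local address the listener binds to, not which remote clients may connect, so it is not a substitute for the firewall scope.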