WS-Man (Web Services for Management) 1.2 Published

The DMTF recently published the Web Services for Management (WS-Man) standard version 1.2. This release of the WS-Man specification clarifies support for the latest encryption protocols, which has been required by organizations and governmental agencies such as the US Government NIST program.

WS-Man is a SOAP-based protocol that can be used with any transport, although it is primarily used with HTTP and HTTPS.  The older versions of the WS-Man specification made specific references to older versions of TLS (Transport Layer Security) that have proven to be insufficient.  The updated version more clearly decouples the protocol and the transport to ensure that interoperability is not dependent on specific versions of encryption algorithms, including TLS.  There is no functional change with the updated WS-Man 1.2 specification.  

Microsoft, an active member of the DMTF, contributed to and edited the updated WS-Man specification. The Microsoft implementation of WS-Man is known as Windows Remote Management (WinRM), and has been a part of Windows since Windows 7 / Windows Server 2008 R2. The WinRM implementation of WS-Man conforms with the latest NIST requirements described in NIST Special Publication 800-52r1. WinRM leverages HTTP.SYS, which implements and enables configuration of the most recent and industry-standard secure transport protocol layer, as described in these two articles:

· Configuring WINRM for HTTPS

· The Configuring WinRM to Use HTTPS section of Configuration and Security

Note that if HTTPS is not used, WinRM still encrypts the payload over HTTP by default unless explicitly set to not use encryption.
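The three settings discussed above (payload encryption over HTTP, an HTTPS listener, and the TLS versions HTTP.SYS will accept) can be audited from an elevated PowerShell session. The script below is an added example, not code from the original post or from Microsoft. It assumes WinRM is installed and the WSMan: drive is available, that a server-authentication certificate for the host is already present in Cert:\LocalMachine\My, and that the site policy accepts only TLS 1.2 on the server side; the policy minimum is an assumption held in `$MinimumTlsForPolicy`, since the post names NIST SP 800-52r1 but not a version.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft): audit the local
# host's WinRM transport settings. Assumptions, see lead-in: WinRM installed,
# a host certificate already enrolled, and a site policy of TLS 1.2 only.

$MinimumTlsForPolicy = 'TLS 1.2'   # assumed site policy, not stated by the post

function Test-WinRmPayloadEncryption {
    # AllowUnencrypted defaults to false: message bodies sent over plain HTTP
    # are still encrypted at the message level. 'true' means a client may
    # negotiate a session in the clear, which undoes the default the post describes.
    $value = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    if ($value -eq 'true') {
        Write-Warning 'Service/AllowUnencrypted is true; restoring the default (false).'
        Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
        return $false
    }
    Write-Host 'Service/AllowUnencrypted = false (payload encryption enforced).'
    return $true
}

function Enable-WinRmHttpsListener {
    # Registers an HTTPS listener bound to a certificate whose subject matches
    # the host FQDN, unless an HTTPS listener already exists.
    $existing = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if ($existing) {
        Write-Host "HTTPS listener already present: $($existing.Name)"
        return $true
    }
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" -and
                       $_.NotAfter -gt (Get-Date) } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No valid server certificate for $fqdn in LocalMachine\My; listener not created."
        return $false
    }
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet   @{ Hostname = $fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
    Write-Host "Created HTTPS listener for $fqdn using certificate $($cert.Thumbprint)."
    return $true
}

function Test-SchannelServerProtocols {
    # WinRM's HTTPS transport is provided by HTTP.SYS, whose accepted TLS
    # versions come from the SCHANNEL protocol keys, not from any WinRM setting.
    # A missing key means the OS default applies, so every version below the
    # policy minimum must be disabled explicitly (Server\Enabled = 0).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $ordered = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
    $legacy  = $ordered[0..([array]::IndexOf($ordered, $MinimumTlsForPolicy) - 1)]
    $ok = $true
    foreach ($proto in $legacy) {
        $key = Join-Path -Path $base -ChildPath "$proto\Server"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.Enabled -ne 0) {
            Write-Warning "$proto is not explicitly disabled for server use ($key\Enabled should be 0)."
            $ok = $false
        }
    }
    if ($ok) { Write-Host "All server-side protocols below $MinimumTlsForPolicy are disabled." }
    return $ok
}

# Run the three checks and summarise; any $false entry needs follow-up.
$results = @{
    PayloadEncryption = Test-WinRmPayloadEncryption
    HttpsListener     = Enable-WinRmHttpsListener
    SchannelVersions  = Test-SchannelServerProtocols
}
$results
```

The SCHANNEL check is the part that illustrates the specification change: the TLS version WinRM ends up using is a property of the host's transport configuration, which is why the 1.2 specification stops naming particular TLS versions. Editing SCHANNEL keys affects every HTTP.SYS and SCHANNEL consumer on the host, so the script only reports on them rather than changing them.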

WinRM has been, and should continue to be, relied on in secure environments that are configured to meet the government- and industry-recommended cryptographic algorithms. Due to the lack of clarity in the previous releases of the WS-Man specification, some users were confused about whether or not WS-Man and WinRM supported recent and more secure implementations of Transport Layer Security (TLS), which they do. While this has not been an issue for the Microsoft implementation in WinRM, the WS-Man version 1.2 specification update has addressed that and removed the confusing elements.

Steve Lee
Principal Engineering Manager
Windows Server

Keith Bankston
Senior Program Manager
Windows Server