Jaa


Add security for default WSMAN configuration - Remotely

Recently I was chatting with one of my friends  about Powershell remoting  and WSMAN . He was telling about how he got flagged by security for running WINRM on 5985 which is the default port on windows 2008r2 . I was like are you serious ? 5985 is not a standard port and his reply was this is the default and people know about it additionally they had windows firewall turned off using a domain policy. Over the conversation going back and forth I agreed to help him come up with some thing that would help him change it so that he keep security guys happy at the same time he get to enjoy the powershell remoting features which rides on top of winrm.

I started looking at it . That is when I understood there is a reason why security thinks it  not "secure". I dumped the winrm default config on my local machine running windows 2008 r2 

C:\Users\vbaby>winrm enumerate winrm/config/Listener
Listener
    Address = * -- All the configured addresses.
Transport = HTTP
    Port = 5985   -- Default port
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 192.168.0.4, 127.0.0.1, ::1 --- All IPs are listening for Winrm

Now  I am thinking the same as my friend we need to change this in prod environment.  All the machines in this scenario has 2 interfaces Customer facing, Admin. The security suggested measure was to lock WINRM on the admin interface on a non standard port and get the port opened through the Back end firewall.  I could come up with a script  in some time to do this as follows

gci WSMan:\localhost\Listener | Remove-Item -Recurse
$port="23001"
$IP=gwmi Win32_NetworkAdapterConfiguration | ? {$_.ipaddress -like '198*'} | select -expandproperty ipaddress
new-item -path WSMan:\localhost\Listener -Transport http -Address "ip:$IP" -Port 23001 -force

The first line removes the default listener, second line sets a non standard port, third line find the interface here all the admin interfaces started with 198. Fourth line created a listener  on the IP at the specified port.

Asked him to save it as <name>.ps1 and run it on all the machines he want to configure.  Send this off to him . That evening I receive an extension or the same request  " I need to run this on 200 + machines help me run it remotely".  

Looking at it I decided to use Psexec . Testing it Psexec was looking okay , only problem was I had to press enter twice after each execution , this was not looking good suddenly this is turning complex . Doing some online searches I found this https://www.leeholmes.com/blog/2007/10/02/using-powershell-and-psexec-to-invoke-expressions-on-remote-computers/ . Things were looking good after that . I saved the above script as remoting.ps1 on to  my utility server after that used a for loop to loop through my servers to test it. Here is the for loop

for /f %i in (\\utilityserver\servers\server.txt) do psexec \\%i /u domain\<user> /p <pass> cmd /c "echo .| powershell -file \\utilitserver\scripts\remoting.ps1"

PsExec v1.96 - Execute processes remotely
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Listener

Name                      Type                 Keys
----                      ----                 ----
Listener_1226527951       Container            {Address=IP:192.168.0.10, Tran...

cmd exited on web9  with error code 0.

Now I have new listener on all may machines exactly the way I wanted on a particular port , on a particular IP all set up remotely . The only issue  is when I run remote power shell as invoke-command tries to 5985 by default.

 Invoke-Command -ComputerName web19 -ScriptBlock {gci cert:\localmachine\my}

[web19] Connecting to remote server failed with the following error message : The client cannot connect to the destination specified in the request. Veri
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken

I have to specify the port now

Invoke-Command -ComputerName web19  -ScriptBlock {gci c:\ } -Port 23001

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          4/8/2010  12:08 PM            compaq
d----          4/8/2010  12:10 PM            CPQSYSTEM
d----          4/8/2010  12:08 PM            hp
d----          7/2/2010   7:57 AM            inetpub
d----          7/2/2010   8:00 AM            localbin
d----         7/13/2009   8:20 PM            PerfLogs
d-r--          8/8/2010  11:19 AM            Program Files
d-r--          8/8/2010  11:19 AM            Program Files (x86)

 

Looks like problem solved. Send this off to my friend , got  back a reply all good.

If you are interested to know how WSMAN works over a port when you even do not have IIS on a machine , try this from command prompt

netsh http show urlacl

Reserved URL            : https://+:23001/wsman/
   User: NT SERVICE\WinRM
       Listen: Yes
       Delegate: No
   User: NT SERVICE\Wecsvc
       Listen: Yes
       Delegate: No
       SDDL: D:(A;;GX;;;....)

You can see that the listener is created at the http.sys level.

In the next post we will look at having some fun with scheduled tasks and wevtutil.

Comments

  • Anonymous
    October 08, 2014
    It is funny that he needs to change the port for WSMAN but PSEXEC works.