If the computer does not use a publicly signed certificate, you need to perform some additional steps.
If you are using a Windows version older than Windows 8/Windows Server 2012, you need to create a certificate on a separate, newer computer and then export the certificate to a file. Use the following commands to do this:
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "{ipAddress}"
$password = ConvertTo-SecureString -String "{password}" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "{filePath}" -Password $password
Note: Use the IP address of the target computer.
To set up the remote management configuration on a computer that does not use a publicly signed certificate, do all the following steps on the target Windows computer using PowerShell:
- Start the WinRM service and set it to start automatically:
Set-Service -Name "WinRM" -StartupType Automatic -Status Running
- Generate a new self-signed certificate:
For Windows 8/Windows Server 2012 and newer systems:
- Use the following PowerShell command to create the certificate:
$Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "{ipAddress}"
- Use the following command to check the certificate’s thumbprint, which you need when creating the WSMan HTTPS listener:
$cert.Thumbprint
For older Windows OS versions, copy the previously exported certificate to the target computer and import it into the Personal certificate store:
Note: To view certificates in the local machine store, you must use administrator privileges.
- Type mmc and press Enter.
- Select File > Add/Remove Snap In.
- In the Available snap-ins dialog box, select Certificates.
- Click Add.
- In the Certificates snap-in dialog box, select Computer account and then click Next.
- In the Select Computer dialog box, click Finish.
- In the Add/Remove Snap-in dialog box, click OK.
- Select Certificates (Local Computer) > Personal, right-click and select All Tasks > Import.
- Browse for the copied certificate, then click Next.
- Enter the password for the certificate, then click Next.
- Click Finish.
- Add a new WSMan HTTPS listener:
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
- Add a new firewall rule to allow WinRM HTTPS traffic:
For Windows 8/Windows Server 2012 and newer systems, use the following PowerShell command to create the firewall rule:
New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP
For older Windows OS versions:
- Go to Control Panel > Windows Firewall > Advanced settings.
- Add a new rule for inbound traffic that allows TCP port 5986 for the selected network profiles.
- If you are using Linux scan nodes, run the following command in PowerShell on the target Windows computer to allow basic WinRM authentication:
winrm set winrm/config/service/auth '@{Basic="true"}'
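The following check is an added example, not part of the original documentation. It verifies the result of the steps above on the target computer: the service state, the HTTPS listener and the certificate it is bound to, the firewall rule, and the authentication settings. The function name Test-WinRmHttpsSetup is hypothetical, and the script assumes an elevated PowerShell session on Windows 8/Windows Server 2012 or newer.

```powershell
# Added verification example (not from the original documentation).
# Run in an elevated PowerShell session on the target computer.
function Test-WinRmHttpsSetup {
    $now = Get-Date
    $results = [ordered]@{}

    # WinRM service is running and set to start automatically.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    $results['ServiceRunning']   = ($svc.State -eq 'Running')
    $results['ServiceAutomatic'] = ($svc.StartMode -eq 'Auto')

    # An HTTPS listener exists; read the thumbprint it is bound to.
    $listener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Select-Object -First 1
    $results['HttpsListener'] = [bool]$listener
    $thumb = $null
    if ($listener) {
        $thumb = (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
            Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value -replace '\s', ''
    }

    # The bound thumbprint resolves to a currently valid certificate with a
    # private key in the local machine Personal store.
    $cert = if ($thumb) {
        Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    }
    $results['CertInStore']  = [bool]$cert
    $results['CertValidNow'] = [bool]($cert -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    $results['CertHasKey']   = [bool]($cert -and $cert.HasPrivateKey)

    # The inbound firewall rule for TCP 5986 created above is enabled.
    $rule = Get-NetFirewallRule -Name 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue
    $results['FirewallRule'] = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound')

    # Report whether Basic authentication is on, and confirm unencrypted
    # traffic is still disabled so Basic credentials are only accepted over HTTPS.
    $results['BasicAuthEnabled']    = ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true')
    $results['UnencryptedDisabled'] = ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'false')

    [pscustomobject]$results
}

Test-WinRmHttpsSetup | Format-List
```

BasicAuthEnabled is expected to be True only when Linux scan nodes are used; every other value should be True after the steps above.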