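<#
.SYNOPSIS
Configure computer to accept WinRM HTTPS
.DESCRIPTION
Configure computer to accept WinRM over HTTPS: creates a self-signed certificate
for this host, registers an HTTPS listener bound to it, opens TCP 5986 in the
firewall and (optionally) removes the HTTP listener and its firewall rule.
The final section is a client-side connectivity test meant to be run from
another PC.
.NOTES
website: www.amikkelsen.com
Author: Anders Mikkelsen
Creation Date: 2024-06-17
Credits To:
- https://www.visualstudiogeeks.com/devops/how-to-configure-winrm-for-https-manually
- https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
- https://learn.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7.4#examples
- https://kaloferov.com/blog/using-credssp-with-the-vco-powershell-plugin/
- https://kaloferov.com/blog/vro-securing-your-powershell-execution-and-password-in-vro-skkb1035/
#>
# Run commands on the computer to enable WinRM HTTPS on
# Must be executed with admin privileges - enforced by the directive below so the
# script fails up front instead of half-way through (listener/firewall changes
# need elevation).
#Requires -RunAsAdministrator

# Enable WinRM HTTP Listener - If required !!
winrm quickconfig

# What listeners are currently configured
winrm enumerate winrm/config/listener

# Remove HTTP Listener - If required !!
# HTTP Listener is required to mitigate WinRM - DoubleHop bypass
# Keys is an array (Address=..., Transport=...); -eq against an array acts as a
# containment test, so this matches every HTTP listener regardless of address.
Get-ChildItem WSMan:\Localhost\listener | Where-Object -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse

# Create HTTPS cert
$thisHostname = (hostname).ToLower()
# USERDNSDOMAIN is only populated on domain-joined hosts. The original
# ($env:USERDNSDOMAIN).ToLower() throws on a workgroup machine; fall back to the
# bare hostname so the certificate and listener still get a usable name.
$thisDomain = if ($env:USERDNSDOMAIN) { ($env:USERDNSDOMAIN).ToLower() } else { $null }
$thisFQDN = if ($thisDomain) { "$thisHostname.$thisDomain" } else { $thisHostname }
# Subject alternative names: FQDN first (also used as the listener Hostname),
# plus the short name; de-duplicated for the workgroup case where both are equal.
$dnsNames = @($thisFQDN, $thisHostname) | Select-Object -Unique
$certLifetime = 5 # years
$myCert = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName $dnsNames -NotAfter (get-date).AddYears($certLifetime) -Provider "Microsoft RSA SChannel Cryptographic Provider" -KeyLength 2048

# Configure WinRM HTTPS listener
# The doubled quotes produce literal " characters so winrm.cmd receives one
# quoted @{...} argument.
winrm create winrm/config/Listener?Address=*+Transport=HTTPS """@{Hostname=$thisFQDN; CertificateThumbprint=$($myCert.Thumbprint)}"""

# Add new WinRM HTTPS Listener firewall rule
$thisPort = "5986"
netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" dir=in action=allow protocol=TCP localport=$thisPort

# Disable WinRM HTTP Listener firewall rule - If required !!
Disable-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)"

########################
# Test new WinRM HTTPS connection
# From another PC run below (replace <hostname> with the target's FQDN as used
# in the certificate above).
$winrmPort = "5986"
$cred = Get-Credential
$targetHostname = "<hostname>"
# -SkipCACheck turns off validation of the listener's certificate chain, so this
# session does not authenticate the server and is exposed to interception.
# Acceptable only for this initial connectivity test against a self-signed cert;
# for ongoing use import the server certificate into the client's Trusted Root
# store (or use a CA-issued certificate) and drop this option.
$sOptions = New-PSSessionOption -SkipCACheck
Enter-PSSession -ComputerName $targetHostname -Port $winrmPort -Credential $cred -SessionOption $sOptions -UseSSL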