Configure WINRM Over HTTPS
- Dawit Chane
- Jan 21
- 3 min read
Setting Up WinRM Over HTTPS in an Enterprise Environment
Windows Remote Management (WinRM) is a powerful tool for remote management and scripting in Windows environments. Its default settings are reasonably secure when configured properly, but running WinRM over HTTPS adds transport-layer encryption on top of them and lets the client verify the server's identity with a certificate. This guide walks you through the steps to set up WinRM over HTTPS in an enterprise environment.
Why Use HTTPS for WINRM?
Enhanced Security: HTTPS encrypts the data transmitted between the client and server, protecting sensitive information from being intercepted.
Compliance: Many organizations must adhere to strict security standards, which often mandate encrypted communication protocols.
Trusted Connections: The server's certificate lets the client verify that it is talking to the intended host before it sends credentials, so connections are only established with trusted endpoints.
Prerequisites
Before you begin, ensure the following:
A valid SSL certificate issued by a trusted Certificate Authority (internal or external).
Administrative privileges on all servers to be configured.
Firewall rules to allow TCP traffic on port 5986 (HTTPS).
PowerShell available on all target systems.
Step 1: Obtain and Install an SSL Certificate
Request a Certificate:
Use your internal Certificate Authority or purchase one from a public CA.
Include the server’s Fully Qualified Domain Name (FQDN) in the certificate’s subject name.
Ensure the certificate has the "Server Authentication" Enhanced Key Usage (EKU).
Install the Certificate:
Import the certificate into the Local Machine store on the target server.
Note the certificate’s thumbprint for later use.
Step 2: Enable and Configure WINRM
Run the following commands on the server:
# Enable the WinRM service and PowerShell remoting (this also starts the service and sets it to start automatically)
Enable-PSRemoting -Force
# Make sure the WinRM service starts automatically (redundant after Enable-PSRemoting, but harmless)
Set-Service -Name WinRM -StartupType Automatic
# Apply the baseline WinRM configuration. Note that quickconfig by itself creates an HTTP listener;
# the HTTPS listener is added in Step 3 (or pass -transport:https to have quickconfig create it instead)
winrm quickconfig -Force
Step 3: Configure the HTTPS Listener
Find the Certificate Thumbprint:
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*FQDN*" -and $_.EnhancedKeyUsageList.ObjectId -contains "1.3.6.1.5.5.7.3.1" } | Select-Object Subject, Thumbprint, NotAfter
Replace FQDN with the server’s fully qualified domain name. The OID 1.3.6.1.5.5.7.3.1 is the "Server Authentication" EKU, so only certificates usable for the listener are shown; copy the Thumbprint column of an unexpired entry.
Create the HTTPS Listener:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="FQDN"; CertificateThumbprint="CERT_THUMBPRINT"}'
Replace FQDN with your server name and CERT_THUMBPRINT with the thumbprint obtained earlier. The single quotes around the @{...} argument are required when running from PowerShell, which would otherwise parse it as a hashtable and pass the wrong value to winrm; from cmd.exe, omit them.
Step 4: Secure the WINRM Configuration
To ensure secure communication, update the default WinRM settings:
# Disallow unencrypted connections (quote the @{...} argument when running from PowerShell)
winrm set winrm/config/service '@{AllowUnencrypted="false"}'
# Disable Basic authentication, which would otherwise send credentials in a trivially decodable form
winrm set winrm/config/service/auth '@{Basic="false"}'
For non-domain systems, configure trusted hosts on the client machine (this is a client-side setting, not a server-side one):
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "TrustedHostName" -Force
Replace TrustedHostName with the FQDN or IP of the remote machine. Note that -Value overwrites the existing list; add -Concatenate to append instead.
Step 5: Open the Firewall Port
Allow inbound traffic for HTTPS (port 5986) on the server firewall:
New-NetFirewallRule -Name "WinRM HTTPS" -DisplayName "WinRM HTTPS" -Protocol TCP -LocalPort 5986 -Action Allow
Step 6: Test the Configuration
Verify the HTTPS listener:
Test-WSMan -ComputerName "FQDN" -UseSSL
Replace FQDN with the server’s fully qualified domain name. If configured correctly, you’ll see details confirming the connection.
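Steps 1 to 6 collapsed into one idempotent script, as an added example that is not part of the original post. It uses the WSMan: provider instead of winrm.cmd, which sidesteps PowerShell's parsing of @{...} arguments, and ends with an audit that fails loudly if the listener or the hardening settings drifted. Assumptions: it runs elevated on the server after Enable-PSRemoting, $Fqdn resolves to this host, and a certificate with the Server Authentication EKU for that name is already in Cert:\LocalMachine\My.

```powershell
# Added example (not from the original post): set up and audit the WinRM HTTPS listener.
# Assumes: elevated PowerShell on the server, WinRM service already enabled, $Fqdn is this host.
param([string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$ErrorActionPreference = 'Stop'

# 1. Pick the newest unexpired cert with a private key that covers the FQDN and
#    carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode -contains $Fqdn) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable Server Authentication certificate for $Fqdn in LocalMachine\My" }

# 2. Replace any existing HTTPS listener so the script is safe to re-run after a cert renewal.
Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $Fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

# 3. Harden the service: no unencrypted traffic, no Basic authentication.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 4. Firewall: allow TCP 5986 inbound, restricted to the Domain profile (widen only if needed).
if (-not (Get-NetFirewallRule -Name 'WinRM-HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'WinRM-HTTPS' -DisplayName 'WinRM HTTPS' -Protocol TCP `
        -LocalPort 5986 -Direction Inbound -Action Allow -Profile Domain | Out-Null
}

# 5. Audit: verify the listener is bound to the expected cert and the hardening settings stuck.
$https = Get-ChildItem WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $https) { throw 'HTTPS listener was not created' }
$boundThumb = (Get-Item "WSMan:\localhost\Listener\$($https.Name)\CertificateThumbprint").Value -replace ' ', ''
if ($boundThumb -ne $cert.Thumbprint) { throw "Listener is bound to $boundThumb, expected $($cert.Thumbprint)" }
if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -ne 'false') { throw 'AllowUnencrypted is still true' }
if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -ne 'false') { throw 'Basic authentication is still enabled' }

# 6. End-to-end check over TLS; this fails if the cert is untrusted or the name does not match.
Test-WSMan -ComputerName $Fqdn -UseSSL | Out-Null
"WinRM HTTPS listener OK on $Fqdn using certificate $($cert.Thumbprint)"
```

Re-run the script after each certificate renewal; it rebinds the listener to the newest valid certificate and the audit at the end confirms the result.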
Step 7: Automate with Group Policy
For larger environments, automate the configuration using Group Policy:
Open Group Policy Management Console.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
Configure the following policies:
Allow automatic configuration of listeners: Enable and specify HTTPS with a wildcard for IP addresses.
Allow remote server management through WINRM: Enable and specify the allowed IP ranges.
Add a policy to configure the firewall:
Navigate to Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules.
Create a new inbound rule for TCP port 5986.
Name the rule "WINRM HTTPS" and set it to allow traffic.
Apply the policy to target systems via Organizational Units (OUs).
Conclusion
Setting up WINRM over HTTPS enhances the security and reliability of remote management in your enterprise environment. By encrypting communication and ensuring trusted connections, you can manage servers with confidence, even in compliance-focused industries. By following this guide, you’ll establish a secure, scalable, and automated remote management solution.