Differences
This shows you the differences between two versions of the page.
tutorial:adm:configuration_-_winrm [2019/06/12 06:52] kucerar created |
tutorial:adm:configuration_-_winrm [2019/06/12 10:43] kucerar |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== Configuration of WinRM ====== | ====== Configuration of WinRM ====== | ||
+ | In this tutorial we will go through configuration of WinRM which is necessary for using [[devel: | ||
+ | |||
+ | WinRM or Windows remote management, is a remote management protocol that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. | ||
+ | WinRM is a command-line tool. | ||
+ | |||
+ | ==== Check if Winrm is running ==== | ||
+ | |||
+ | < | ||
+ | The output should be following: | ||
+ | {{: | ||
+ | |||
+ | If you get some error then you need to do the [[https:// | ||
+ | |||
+ | Now execute the first command again and it should without error now. | ||
+ | |||
+ | ==== Show current configuration ==== | ||
+ | Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections. | ||
+ | After quick config you will probably see only one listener for HTTP. | ||
+ | < | ||
+ | {{: | ||
+ | |||
+ | Display current winrm configuration | ||
+ | < | ||
+ | {{: | ||
+ | |||
+ | Show SDDL setting, this command will show dialog window | ||
+ | < | ||
+ | {{: | ||
+ | |||
+ | ==== Authentications methods ==== | ||
+ | |||
+ | ^ ^ Type of user | **Credential delegation** | ||
+ | | Basic | local | no | no | | ||
+ | | NTLM | local, domain | ||
+ | | Kerberos | ||
+ | | CredSSP | ||
+ | |||
+ | You can configure trusted host which will be able to connect. If you don't want to specify this use | ||
+ | < | ||
+ | |||
+ | We can use several methods for authentication. | ||
+ | * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok. | ||
+ | < | ||
+ | winrm set winrm/ | ||
+ | </ | ||
+ | * NTLM | ||
+ | < | ||
+ | * Kerberos | ||
+ | < | ||
+ | * CredSSP | ||
+ | < | ||
+ | |||
+ | ==== Permission configuration ==== | ||
+ | Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth | ||
+ | It's tested with local user + group and with domain user + group. | ||
+ | For the following steps you can use one of these groups WinRMRemoteWMIUsers__ or Remote Management Users It should work with both. | ||
+ | |||
+ | Assign user into group | ||
+ | |||
+ | Set WMI access for group. | ||
+ | * Computer Management -> Services and Application -> right click WMI Control -> Properties | ||
+ | * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security | ||
+ | * Next dialog window will appear - you need to add group here | ||
+ | * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable | ||
+ | * Click on Advanced - select and edit group -> Set " | ||
+ | * Confirm all changes in dialog windows and close them | ||
+ | {{: | ||
+ | {{: | ||
+ | |||
+ | Set SDDL | ||
+ | * < | ||
+ | {{: | ||
+ | * Add group and give it Full Control | ||
+ | * Confirm changes | ||
+ | |||
+ | Restart WinRM | ||
+ | < |
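Review bot: The Basic bullet under "Authentications methods" turns on unencrypted data transfer and calls it "ok" for testing, but no later step turns it back off, and the listener section says quick config leaves only an HTTP listener, so a reader who follows the page end to end keeps Basic credentials travelling unencrypted. Suggest adding a step that reverts the setting once testing is done, and a pointer to configuring an HTTPS listener before Basic is used at all. Two related points in the same revision: the trusted-host paragraph ("If you don't want to specify this use") offers a way to skip restricting hosts without saying what that gives up, and "Add group and give it Full Control" under "Set SDDL" should either explain why Full Control is required or name the narrower permissions that were tested and found sufficient. Minor: "it should without error now" is missing a verb, and "Assign user into group" has no steps or command under it.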