Differences

tutorial:adm:configuration_-_winrm [2019/06/12 06:52]
kucerar created
tutorial:adm:configuration_-_winrm [2019/06/12 10:43]
kucerar
Line 1: Line 1:
 ====== Configuration of WinRM ====== ====== Configuration of WinRM ======
 +In this tutorial we will go through configuration of WinRM which is necessary for using [[devel:documentation:systems:dev:winrm_connector|WinRM connector]]
 +
 +WinRM or Windows remote management, is a remote management protocol that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications.
 +WinRM is a command-line tool.
 +
 +==== Check if Winrm is running ====
 +
 +<code>Test-WSMan</code>
 +The output should be following:
 +{{:tutorial:adm:winrm_test.png?nolink&400|}}
 +
 +If you get some error then you need to do the [[https://docs.microsoft.com/en-us/windows/desktop/winrm/installation-and-configuration-for-windows-remote-management#quick-default-configuration|quick default configuration]]
 +
 +Now execute the first command again and it should without error now.
 +
 +==== Show current configuration ====
 +Display WinRM listener. It will show useful information about port, address, ... where WinRM is listening for incoming connections.
 +After quick config you will probably see only one listener for HTTP.
 +<code>winrm e winrm/config/listener</code>
 +{{:tutorial:adm:winrm_listener.png?nolink&600|}}
 +
 +Display current winrm configuration
 +<code>winrm get winrm/config</code>
 +{{:tutorial:adm:winrm_config.png?nolink&600|}}
 +
 +Show SDDL setting, this command will show dialog window
 +<code>winrm configSDDL default</code>
 +{{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +
 +==== Authentications methods ====
 +
 +^           ^ Type of user   | **Credential delegation**  | **Message encryption**  |
 +| Basic     | local          | no                         | no                      |
 +| NTLM      | local, domain  | no                         | yes                     |
 +| Kerberos  | domain         | yes                        | yes                     |
 +| CredSSP   | local, domain  | yes                        | yes                     |
 +
 +You can configure trusted host which will be able to connect. If you don't want to specify this use
 +<code>winrm set winrm/config/client @{TrustedHosts="*"}</code>
 +
 +We can use several methods for authentication.
 +  * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok.
 +<code>winrm set winrm/config/service/auth @{Basic="true"}
 +winrm set winrm/config/service @{AllowUnencrypted="true"}
 +</code>
 +  * NTLM
 +<code>winrm set winrm/config/service/auth @{Negotiate="true"}</code>
 +  * Kerberos
 +<code>winrm set winrm/config/service/auth @{Kerberos="true"}</code>
 +  * CredSSP
 +<code>winrm set winrm/config/service/auth @{CredSSP="true"}</code>
 +
 +==== Permission configuration ====
 +Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth
 +It's tested with local user + group and with domain user + group.
 +For the following steps you can use one of these groups WinRMRemoteWMIUsers__ or Remote Management Users It should work with both.
 +
 +Assign user into group
 +
 +Set WMI access for group.
 +  * Computer Management -> Services and Application -> right click WMI Control -> Properties
 +  * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security
 +  * Next dialog window will appear - you need to add group here
 +  * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
 +  * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces
 +  * Confirm all changes in dialog windows and close them 
 +{{:tutorial:adm:winrm_wmi.png?nolink&600|}}
 +{{:tutorial:adm:winrm_wmi2.png?nolink&800|}}
 +
 +Set SDDL 
 +  * <code>winrm configSDDL default</code>
 +{{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +  * Add group and give it Full Control
 +  * Confirm changes
 +
 +Restart WinRM
 +<code>Restart-Service winrm</code>
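Review bot: the `winrm set winrm/config/client @{TrustedHosts="*"}` line under "Authentications methods" and the `winrm set winrm/config/service @{AllowUnencrypted="true"}` line under Basic both weaken the host's security posture, but only the second carries a caveat ("not recommended to use it with HTTP"); the TrustedHosts wildcard disables client-side host verification for every non-Kerberos method (Basic, NTLM, CredSSP), so the text should recommend listing the connector hosts by name instead of `*` and give the reset (`winrm set winrm/config/client @{TrustedHosts=""}`) so a test-time setting is not left behind. The same section mixes PowerShell cmdlets (`Test-WSMan`, `Restart-Service winrm`) with winrm.cmd syntax: in a PowerShell session the `@{...}` argument is parsed as a hashtable before winrm receives it, so either state that the `winrm set` lines are for cmd.exe or quote them for PowerShell (`winrm set winrm/config/client '@{TrustedHosts="*"}'`). Under "Permission configuration", the step "Assign user into group" names no command or dialog for the assignment, and the heading "Authentications methods" should read "Authentication methods".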
  • by erbenr