Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2019/06/12 08:56]
kucerar basic config, commands
tutorial:adm:configuration_-_winrm [2019/06/12 10:42]
kucerar auth, permissions
Line 28: Line 28:
 <code>winrm configSDDL default</code> <code>winrm configSDDL default</code>
 {{:tutorial:adm:winrm_sddl.png?nolink&400|}} {{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +
 +==== Authentications methods ====
 +
 +^           ^ Type of user   | **Credential delegation**  | **Message encryption**  |
 +| Basic     | local          | no                         | no                      |
 +| NTLM      | local, domain  | no                         | yes                     |
 +| Kerberos  | domain         | yes                        | yes                     |
 +| CredSSP   | local, domain  | yes                        | yes                     |
 +
 +You can configure trusted host which will be able to connect. If you don't want to specify this use
 +<code>winrm set winrm/config/client @{TrustedHosts="*"}</code>
 +
 +We can use several methods for authentication.
 +  * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok.
 +<code>winrm set winrm/config/service/auth @{Basic="true"}
 +winrm set winrm/config/service @{AllowUnencrypted="true"}
 +</code>
 +  * NTLM
 +<code>winrm set winrm/config/service/auth @{Negotiate="true"}</code>
 +  * Kerberos
 +<code>winrm set winrm/config/service/auth @{Kerberos="true"}</code>
 +  * CredSSP
 +<code>winrm set winrm/config/service/auth @{CredSSP="true"}</code>
 +
 +==== Permission configuration ====
 +Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth
 +It's tested with local user + group and with domain user + group.
 +For the following steps you can use one of these groups WinRMRemoteWMIUsers__ or Remote Management Users It should work with both.
 +
 +Set WMI access for group.
 +  * Computer Management -> Services and Application -> right click WMI Control -> Properties
 +  * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security
 +  * Next dialog window will appear - you need to add group here
 +  * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
 +  * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces
 +  * Confirm all changes in dialog windows and close them 
 +{{:tutorial:adm:winrm_wmi.png?nolink&600|}}
 +{{:tutorial:adm:winrm_wmi2.png?nolink&800|}}
 +
 +Set SDDL 
 +  * <code>winrm configSDDL default</code>
 +{{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +  * Add group and give it Full Control
 +  * Confirm changes
 +
 +Restart WinRM
 +<code>Restart-Service winrm</code>
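Review bot: The Basic bullet under "Authentications methods" enables `Basic="true"` together with `AllowUnencrypted="true"`, and the table added just above lists Basic as having no message encryption, so over HTTP this pair sends credentials and command data unprotected. The text allows it for testing but gives no way back. Suggest marking both commands as test-only and adding the revert next to them (`winrm set winrm/config/service @{AllowUnencrypted="false"}` and `winrm set winrm/config/service/auth @{Basic="false"}`). The bullet also says "the second command" before any command has been shown, so the sentence would read better after the code block. The `TrustedHosts="*"` line has a similar problem: the path is `winrm/config/client`, so it controls which remote hosts this client will trust, not which hosts "will be able to connect" as the sentence says. Reword it and recommend listing specific hosts instead of the wildcard. In "Permission configuration", the SDDL step grants the group Full Control without saying why. State whether a narrower permission was tried, since the section only says the setup was tested with this one. Minor: the heading should read "Authentication methods".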
  • by erbenr