Differences

This shows you the differences between two versions of the page.

tutorial:adm:configuration_-_winrm [2019/06/12 08:56]
kucerar basic config, commands
tutorial:adm:configuration_-_winrm [2019/06/12 10:43]
kucerar
Line 28: Line 28:
 <code>winrm configSDDL default</code> <code>winrm configSDDL default</code>
 {{:tutorial:adm:winrm_sddl.png?nolink&400|}} {{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +
 +==== Authentications methods ====
 +
 +^           ^ Type of user   | **Credential delegation**  | **Message encryption**  |
 +| Basic     | local          | no                         | no                      |
 +| NTLM      | local, domain  | no                         | yes                     |
 +| Kerberos  | domain         | yes                        | yes                     |
 +| CredSSP   | local, domain  | yes                        | yes                     |
 +
 +You can configure trusted host which will be able to connect. If you don't want to specify this use
 +<code>winrm set winrm/config/client @{TrustedHosts="*"}</code>
 +
 +We can use several methods for authentication.
 +  * Basic - the second command will allow unencrypted data transfer, so it's not recommended to use it with HTTP. For some testing purpose it's ok.
 +<code>winrm set winrm/config/service/auth @{Basic="true"}
 +winrm set winrm/config/service @{AllowUnencrypted="true"}
 +</code>
 +  * NTLM
 +<code>winrm set winrm/config/service/auth @{Negotiate="true"}</code>
 +  * Kerberos
 +<code>winrm set winrm/config/service/auth @{Kerberos="true"}</code>
 +  * CredSSP
 +<code>winrm set winrm/config/service/auth @{CredSSP="true"}</code>
 +
 +==== Permission configuration ====
 +Now we need to set the right permissions. It's tested against NTLM, Kerberos and CredSSP auth
 +It's tested with local user + group and with domain user + group.
 +For the following steps you can use one of these groups WinRMRemoteWMIUsers__ or Remote Management Users It should work with both.
 +
 +Assign user into group
 +
 +Set WMI access for group.
 +  * Computer Management -> Services and Application -> right click WMI Control -> Properties
 +  * In new dialog window -> tab Security -> Root -> CIMV2 and click button Security
 +  * Next dialog window will appear - you need to add group here
 +  * You need to select these options in the checkboxes - Execute Methods, Enable Account and Remote Enable
 +  * Click on Advanced - select and edit group -> Set "Applies to" This namespace and subnamespaces
 +  * Confirm all changes in dialog windows and close them 
 +{{:tutorial:adm:winrm_wmi.png?nolink&600|}}
 +{{:tutorial:adm:winrm_wmi2.png?nolink&800|}}
 +
 +Set SDDL 
 +  * <code>winrm configSDDL default</code>
 +{{:tutorial:adm:winrm_sddl.png?nolink&400|}}
 +  * Add group and give it Full Control
 +  * Confirm changes
 +
 +Restart WinRM
 +<code>Restart-Service winrm</code>
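
Review bot: The sentence introducing the TrustedHosts="*" command under "Authentications methods" describes trusted hosts as the ones "which will be able to connect", but the command writes to winrm/config/client, so it controls which remote machines this client is willing to authenticate to when the server cannot be mutually authenticated, and "*" switches that check off for every host. Please reword the sentence and recommend a list of specific hosts, keeping "*" as a lab-only shortcut. In the Basic bullet, Basic="true" together with AllowUnencrypted="true" means, per the table added just above, that credentials and data cross the wire with no message encryption; "for some testing purpose it's ok" should also tell the reader to set both back to false afterwards or to use an HTTPS listener. Smaller points: the NTLM bullet enables Negotiate, which deserves a word because the setting name differs from the table row; "Assign user into group" has no command or steps; "Set SDDL" grants Full Control without saying why narrower rights are not sufficient; the winrm set ... @{...} lines are cmd.exe syntax while Restart-Service is a PowerShell cmdlet, so state which shell each is typed into; and the heading should read "Authentication methods".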
  • by erbenr