Winrm permissions
# Win RM non-root access

https://www.ibm.com/docs/en/rapid-network-auto/1.1.x?topic=how-configuring-powershell-secure-remoting

## Create bastion host for all domain users example

- Open Local Host Groups
- Add "Domain Users" to "Remote Management Users" group

By default, users that are not Administrators or Domain Admins cannot connect over remote PowerShell sessions. The PowerShell block will fail with an “Access is denied.” message even though all authKey components are correct.

- Add the non-admin user to the “Remote Management Users” builtin group
- Add the “Remote Management Users” group to the default SDDL
  - Run this command from an Administrator PowerShell prompt: `winrm configSDDL default`
  - Add the “Remote Management Users” group and give it Full Control permission
- Add the “Remote Management Users” group to the root of the WMI control tree
  - Run the “Computer Management” control panel
  - Go to Services and Applications
  - Right click on WMI Control and choose Properties
  - Go to the Security tab
  - Click on Root and then click on the Security button
  - Add the “Remote Management Users” group, then add “Execute Methods” and “Remote Enable” permissions for it

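To see what the steps above actually granted, the audit script below (an added example, not from this page or the IBM article it quotes) lists the members of Remote Management Users, the session configurations and WinRM service root SDDL that reference the group by its well-known SID S-1-5-32-580 (alias `RM` in SDDL), and the group's ACE on the WMI root namespace. Run it from an elevated prompt on the host being configured; no names in it are page-specific beyond the group itself.

```powershell
# Added example, not part of the wiki page or the IBM article it quotes.
# Reports who can open a remote PowerShell session on this host after the
# steps above: group membership, session-configuration and service SDDLs,
# and the WMI root namespace ACL. Run from an elevated prompt on the target.

# Well-known SID of the builtin "Remote Management Users" group (alias RM in SDDL).
$rmuSid = 'S-1-5-32-580'

# 1. Group membership. On a bastion built as the page describes this lists
#    "Domain Users", i.e. every account in the domain.
Write-Host '== Members of Remote Management Users =='
Get-LocalGroupMember -Group 'Remote Management Users' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Session configurations whose DACL references the group, with the rights
#    Windows resolved for it. The page's
#    (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
#    call shows the same thing for one endpoint only.
Write-Host '== Session configurations granting the group =='
Get-PSSessionConfiguration |
    Where-Object { $_.SecurityDescriptorSddl -match $rmuSid -or $_.SecurityDescriptorSddl -match ';RM\)' } |
    Select-Object Name, Permission |
    Format-List

# 3. The WinRM service root SDDL, which "winrm configSDDL default" edits.
Write-Host '== WinRM service RootSDDL =='
(Get-Item WSMan:\localhost\Service\RootSDDL).Value

# 4. WMI root namespace: does the group hold the two rights the page adds?
#    WMI access-mask bits: 0x2 = Execute Methods, 0x20 = Remote Enable.
Write-Host '== WMI root namespace ACEs for the group =='
$sd = (Invoke-CimMethod -Namespace 'root' -ClassName '__SystemSecurity' `
        -MethodName 'GetSecurityDescriptor').Descriptor
$aces = @($sd.DACL | Where-Object { $_.Trustee.SIDString -eq $rmuSid })
if (-not $aces) {
    Write-Warning 'Remote Management Users has no ACE on root; WMI-based cmdlets will fail for these users.'
}
$aces | ForEach-Object {
    [pscustomobject]@{
        Trustee                = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
        ExecuteMethods         = [bool]($_.AccessMask -band 0x2)
        RemoteEnable           = [bool]($_.AccessMask -band 0x20)
        AppliesToSubnamespaces = [bool]($_.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE
    }
} | Format-Table -AutoSize
```

On current Windows Server versions the default `Microsoft.PowerShell` session configuration already carries an ACE for Remote Management Users, so the SDDL step is often unnecessary; section 2 of the output shows whether it is on a given host. Putting "Domain Users" into this group, as the bastion example does, means every domain account can open a session, so review the membership list with that in mind.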
You don't need to do the C:\Windows\TEMP line, depending on use case

```
These are the steps to configure a Windows Server to allow RNA to connect via PowerShell Remoting over HTTPS

The following commands should be run inside a PowerShell session started with Administrator credentials

1. Enable PowerShell Remoting

    Enable-PSRemoting

2. Create a self-signed HTTPS certificate to secure the encrypted connection

    $CertThumb = $(New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint

3. Enable HTTPS for the WinRM listener using the certificate we just created

    "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"${env:COMPUTERNAME}`"; CertificateThumbprint=`"$CertThumb`"}" | cmd

4. Permit PowerShell over HTTPS on the Windows Firewall

    New-NetFirewallRule -DisplayName "Allow inbound PowerShell SSL TCP 5986" -Direction inbound -LocalPort 5986 -Protocol TCP -Action Allow

RNA will use the NTLM / Negotiate authentication mechanism for WinRM connections over HTTPS

Allowing non-admin users to connect over PowerShell remoting

By default, users that are not Administrators or Domain Admins cannot connect over remote PowerShell sessions. The PowerShell block will fail with an “Access is denied.” message even though all authKey components are correct.

- Add the non-admin user to the “Remote Management Users” builtin group
- Add the “Remote Management Users” group to the default SDDL
  - Run this command from an Administrator PowerShell prompt: winrm configSDDL default
  - Add the “Remote Management Users” group and give it Full Control permission
- Add the “Remote Management Users” group to the root of the WMI control tree
  - Run the “Computer Management” control panel
  - Go to Services and Applications
  - Right click on WMI Control and choose Properties
  - Go to the Security Tab
  - Click on Root and then click on the Security button
  - Add the “Remote Management Users” group, then add “Execute Methods” and “Remote Enable” permissions for it
- Give the “Remote Management Users” group the following file system permissions to the C:\Windows\TEMP directory
```

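As an added check (not part of this page or the quoted IBM steps), the script below verifies the result of those four steps on the host itself: that an HTTPS listener exists, that the certificate it references is present, unexpired and issued for the host name, that an enabled inbound firewall rule allows TCP 5986, and that a TLS connection can be opened. `$ExpectedHost` is an assumption and defaults to `$env:COMPUTERNAME`, matching the IBM steps.

```powershell
# Added example, not part of the wiki page or the quoted IBM steps.
# Checks the outcome of the four HTTPS-listener steps on the host itself.
# Run from an elevated prompt. $ExpectedHost is an assumption.
$ExpectedHost = $env:COMPUTERNAME
$findings = @()

# 1. Enumerate WinRM listeners. Transport, Port, Hostname and
#    CertificateThumbprint are the item names under WSMan:\localhost\Listener\<name>.
$listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $p = @{}
    Get-ChildItem $_.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
    [pscustomobject]@{
        Transport  = $p['Transport']
        Port       = $p['Port']
        Hostname   = $p['Hostname']
        Thumbprint = $p['CertificateThumbprint']
    }
}
$https = @($listeners | Where-Object Transport -eq 'HTTPS')
if (-not $https) { $findings += 'No HTTPS listener configured.' }
if ($listeners | Where-Object Transport -eq 'HTTP') {
    $findings += 'An HTTP listener (5985) is still present; remove it if only HTTPS is intended.'
}

# 2. Certificate bound to each HTTPS listener: present, unexpired, issued for this host.
foreach ($l in $https) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $l.Thumbprint
    if (-not $cert) {
        $findings += "Listener on port $($l.Port) references thumbprint $($l.Thumbprint), which is not in LocalMachine\My."
        continue
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $findings += "Listener certificate expired on $($cert.NotAfter)."
    }
    if ($cert.Subject -ne "CN=$ExpectedHost" -and $cert.DnsNameList.Unicode -notcontains $ExpectedHost) {
        $findings += "Certificate '$($cert.Subject)' was not issued for '$ExpectedHost'."
    }
    if ($cert.Issuer -eq $cert.Subject) {
        $findings += 'Certificate is self-signed; clients must explicitly trust it or they cannot authenticate the server.'
    }
}

# 3. An enabled inbound allow rule for TCP 5986 (the page's New-NetFirewallRule step).
$rule = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '5986'
    }
if (-not $rule) { $findings += 'No enabled inbound firewall rule allows TCP 5986.' }

# 4. Loopback TLS connection. Test-WSMan fails when the client does not trust
#    the listener certificate, which is itself a finding for the self-signed
#    certificate the steps above create.
try {
    Test-WSMan -ComputerName $ExpectedHost -UseSSL -ErrorAction Stop | Out-Null
} catch {
    $findings += "Test-WSMan over HTTPS failed: $($_.Exception.Message)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'HTTPS listener checks passed.'
}
$findings
```

The script returns the list of findings so it can be collected from many hosts with `Invoke-Command`; an empty result means every check passed.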
# More

https://www.kjctech.net/how-to-enable-winrm-with-domain-group-policy-for-powershell-remoting/
Latest revision as of 17:47, 11 January 2024
```
net localgroup "Remote Management Users" /add "Domain Users"
The command completed successfully.

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
```