Difference between revisions of "Winrm permissions"
Jump to navigation
Jump to search
| Line 1: | Line 1: | ||
# Win RM non-root access | # Win RM non-root access | ||
https://www.ibm.com/docs/en/rapid-network-auto/1.1.x?topic=how-configuring-powershell-secure-remoting | https://www.ibm.com/docs/en/rapid-network-auto/1.1.x?topic=how-configuring-powershell-secure-remoting | ||
| + | |||
| + | You don't need to do the C:/Windows/Temp line | ||
``` | ``` | ||
These are the steps to configure a Windows Server to allow RNA to connect via PowerShell Remoting over HTTPS | These are the steps to configure a Windows Server to allow RNA to connect via PowerShell Remoting over HTTPS | ||
Revision as of 17:42, 11 January 2024
Win RM non-root access
You don't need to do the C:/Windows/Temp line
These are the steps to configure a Windows Server to allow RNA to connect via PowerShell Remoting over HTTPS
The following commands should be run inside a PowerShell session started with Administrator credentials
1. Enable PowerShell Remoting
Enable-PSRemoting
2. Create a self-signed HTTPS certificate to secure the encrypted connection
$CertThumb = $(New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint
3. Enable HTTPS for the WinRM listener using the certificate we just created
"winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"${env:COMPUTERNAME}`"; CertificateThumbprint=`"$CertThumb`"}" | cmd
4. Permit PowerShell over HTTPS on the Windows Firewall
New-NetFirewallRule -DisplayName "Allow inbound PowerShell SSL TCP 5986" -Direction inbound -LocalPort 5986 -Protocol TCP -Action Allow
RNA will use the NTLM / Negotiate authentication mechanism for WinRM connections over HTTPS
Allowing non-admin users to connect over PowerShell remoting
By default, users that are not Administrators or Domain Admins cannot connect over remote PowerShell sessions. The PowerShell block will fail with an “Access is denied.” message even though all authKey components are correct.
Add the non-admin user to the “Remote Management Users” builtin group
Add the “Remote Management Users” group to the default SDDL
Run this command from an Administrator PowerShell prompt:
winrm configSDDL default
Add the “Remote Management Users” group and give it Full Control permission
Add the “Remote Management Users” group to the root of the WMI control tree
Run the “Computer Management” control panel
Go to Services and Applications
Right click on WMI Control and choose Properties
Go to the Security Tab
Click on Root and then click on the Security button
Add the “Remote Management Users” group, then add “Execute Methods” and “Remote Enable” permissions for it
Give the “Remote Management Users” group the following file system permissions to the C:\Windows\TEMP directory
More
https://www.kjctech.net/how-to-enable-winrm-with-domain-group-policy-for-powershell-remoting/
net localgroup "Remote Management Users" /add "Domain Users" The command completed successfully.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission