Abstract: For security reasons you wish to configure Windows Remote Management (WinRM) on your Windows 2012 R2 OS to use an SSL certificate.

This is for example required if an the Microsoft Exchange environment should be hardened and this action requires the following steps:

Preparation:

At first check if WinRM is already running via https. To do that open a powershell (run as admin) an enter:

Get-ChildItem WSMan:\localhost\Client\DefaultPorts

This will show the default configured ports like:

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client\DefaultPorts

Type Name SourceOfValue Value
---- ---- ------------- -----
System.String HTTP 5985
System.String HTTPS 5986

As you know the default/configured port now, you can check the function via telnet "telnet localhost 5986".

 

Steps to implement WinHTTPS for WinRM:

1.) At first create an appropriate SSL certificate (you can use MMC and the Certificate Snapin to request that from your internal Microsoft CA). As friendly name you can choose "WinRM Certificate" or something which fits your company guidelines. As CN I used the full qualified hostname. Additional to that I added the IP address and the DNS names as an alias. The certificate usage must be "Server Authentication".

2.) Once you have the needed certificate open a Windows Powershell (run as admin) and search for the thumbprint via:

Get-ChildItem -Path cert: -Recurse | select Subject, FriendlyName, Thumbprint | Format-List

or

Get-ChildItem -Path cert: -Recurse | select FriendlyName, Thumbprint | Format-List

It will show the SSL certificates you have on your system. Make sure that you pick up the correct one and make a note from the thumbprint from the certifcate.

3.) Now run a CMD as admin and run:

C:\Windows\system32>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server01.int.contoso.com";CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}

which will output something like:

ResourceCreated
Address = http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
ReferenceParameters
ResourceURI = http://schemas.microsoft.com/wbem/wsman/1/config/listener
SelectorSet
Selector: Address = *, Transport = HTTPS

Note: If you do the same action inside a powershell you will get an error like:

PS C:\Windows\system32> winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="server01.int.contoso.com";CertificateThumbprint="1C60E58F827A6F16F1ADD93C76A2BB1EE9431F15"}
Error: Invalid use of command line. Type "winrm -?" for help.

4.) If you have enabled the Windows OS firewall, you might need to create a rule for https WinRM via:

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP

 

Created with the help from:
https://blogs.technet.microsoft.com/heyscriptingguy/2013/11/27/powertip-use-powershell-to-discover-certificate-thumbprints/
https://blogs.msdn.microsoft.com/wmi/2009/03/17/three-ways-to-configure-winrm-listeners/
https://support.microsoft.com/en-us/kb/2019527

 

Comments (0)

There are no comments posted here yet

Leave your comments

Posting comment as a guest.
Attachments (0 / 3)
Share Your Location