WinRM: Security Question
-
What is the generally practice on using WinRM? While every network policy can be different - the States system allowed WinRM, which gave me more tools and abilities - mainly being about to perform tasks without having to walk across a building or driving into the office to begin with.
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
-
Using Powershell remoting, which uses WinRM, would be a requirement for managing windows endpoints, in my opinion.
-
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
What's the specific risk?
-
@eddiejennings said in WinRM: Security Question:
Using Powershell remoting, which uses WinRM, would be a requirement for managing windows endpoints, in my opinion.
I agree, but at the same time as @gjacobse pointed out, having it disabled helps are limit the potential vectors that can be used to attack with.
But pretty much any and every support tool out there that "uses magic" is using powershell when it comes to managing windows.
-
@eddiejennings said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
What's the specific risk?
Well - that is my question and I don't know that I will get any more of an answer other than:
"Remote Powershell execution"
I feel as if I had a tool in the box and it's been welded so it can't be used.
-
@gjacobse said in WinRM: Security Question:
@eddiejennings said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
What's the specific risk?
Well - that is my question and I don't know that I will get any more of an answer other than:
"Remote Powershell execution"
I feel as if I had a tool in the box and it's been welded so it can't be used.
WinRM in and of itself could of course be used for malicious intent. But so can Manage Engine or any other remote management tool. Someone picked WinRM and said "No" because they don't know how it works or how to secure the environment from abuse.
-
@eddiejennings said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
What's the specific risk?
The same ones for SSH, only those that affect remote powershell
If remote powershell is anything as bad as RDP security has been seen to be, man, it's a mess.. but frankly I don't really know.
-
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town. -
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town.We are using Manage Engine for remote -
-
@gjacobse said in WinRM: Security Question:
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town.We are using Manage Engine for remote -
Does ME not have the ability to run commands on the machines? I know SC and MC both do.
-
@dashrender said in WinRM: Security Question:
The same ones for SSH, only those that affect remote powershell
Yeah, that's the point that I'm getting at. While, yes, making WinRM available and using remote PowerShell is a potential vector for attack, preventing management automation seems like a greater risk.
-
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town.We are using Manage Engine for remote -
Does ME not have the ability to run commands on the machines? I know SC and MC both do.
But don't SC and MC both require Agents? If you need to have an Agent installed then doesn't that make WinRM unnecessary?
-
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town.We are using Manage Engine for remote -
Does ME not have the ability to run commands on the machines? I know SC and MC both do.
I wonder the same.
-
While it is likely I could be missing it,.. As of yet, I don't see any way to run commands like SC / MC. I've been looking over DesktopCentral and nothing stands out.
-
@dafyre said in WinRM: Security Question:
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
@dashrender said in WinRM: Security Question:
@gjacobse said in WinRM: Security Question:
Here, it's turned off by design as a security risk, which to some degree I can see and agree with, but now I'll have to annoy users and in some cases drive across town to perform a minor task I could have done with PS.
Do they not have any other remote management system in place of any kind?
Almost anything would be better than driving across town.We are using Manage Engine for remote -
Does ME not have the ability to run commands on the machines? I know SC and MC both do.
But don't SC and MC both require Agents? If you need to have an Agent installed then doesn't that make WinRM unnecessary?
of course, no one said anything different.
-
@gjacobse said in WinRM: Security Question:
While it is likely I could be missing it,.. As of yet, I don't see any way to run commands like SC / MC. I've been looking over DesktopCentral and nothing stands out.
Well that sucks... so yeah.. you'll have to interrupt the user, remote GUI - and run the command.
but at least you're not driving across town. -
If they can't keep their systems patched, then sure. But if that's the case it doesn't matter anyways. If it's not an issue to keep their devices patched properly, then it can be on. Additionally, you could configure the firewalls for devices to only allow connections from a bastion host.
-
@gjacobse said in WinRM: Security Question:
While it is likely I could be missing it,.. As of yet, I don't see any way to run commands like SC / MC. I've been looking over DesktopCentral and nothing stands out.
https://www.manageengine.com/products/free-windows-tools/free-remote-command-prompt-tool.html
-
-