The cheap trick: force-enabling the HTTPS version of WinRM at four security levels --- PowerShell remoting (WinRM) in detail

--------- [WinRM "level four" security] ---------

Level four is the least secure.
WinRM uses HTTP on port 5985. The password exchange is encrypted, but data and commands travel in plaintext by default.
That leaves room for someone to read confidential output and to insert commands into the stream, the so-called man-in-the-middle attack. In practice, though, it is not a big problem.
The fix is to enable the HTTPS version of WinRM, or to put the HTTP connection behind a VPN.
To repeat: win2012r2, win2016 and win2019 open this HTTP port 5985 by default.
 

--------- [WinRM "level three" security] ---------

Level three means wrapping HTTP in an SSL layer.
Once HTTP is wrapped in SSL the transferred content is encrypted, and the connection still authenticates with a user name and password.
That is what I called the cheap trick, force-enabled HTTPS version of WinRM: the WinRM client connects to the WinRM server over SSL, but skips the self-signed certificate check and skips the host name binding check. I think this is enough.

Skip the certificate check, skip the host name binding: the cheap trick relies on these two magic switches.
-SkipCACheck # skip certificate authority validation
-SkipCNCheck # skip the server machine name check

winrm server:

# Administrator PowerShell on the WinRM server:
Get-ChildItem WSMan:\Localhost\listener\
# Remove the existing (HTTP) listeners
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Create a self-signed certificate in the Local Machine personal store
$winrm证书 = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName 'powershell交流群183173532'
Get-ChildItem WSMan:\Localhost\listener\
# Create the HTTPS listener on all addresses, bound to that certificate
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -Force -CertificateThumbPrint $winrm证书.Thumbprint
# Do not delete the certificate from Cert:\LocalMachine\My afterwards: the HTTPS listener loads it
# from the store for every TLS handshake, so removing it breaks all connections on 5986.
# Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $winrm证书.Thumbprint | Remove-Item -Force
# Open port 5986 in the firewall
New-NetFirewallRule -DisplayName "ps传教士winrm的https in" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -RemoteAddress Any -Protocol TCP

 

 

winrm client:

# Run on the WinRM client; this command prompts for the account password on the WinRM server
Invoke-Command -ComputerName $winrm服务器ip -Port 5986 -Credential (Get-Credential) `
    -UseSSL -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck) `
    -ScriptBlock { dir c:\ }

 


--------- [WinRM "level two" security] ---------

Level two builds on the cheap trick: the WinRM server and the WinRM client connect over HTTPS with a self-signed certificate that the client has been told to trust.

On the WinRM server, create a key pair in [Cert:\LocalMachine\My]. Yes, the server must hold both the public and the private key.
The WinRM client only needs the public key. Import that public key into the client's [Cert:\LocalMachine\Root].

WinRM certificate requirements:
The certificate's enhanced key usage (EKU) must include "Server Authentication" (OID = 1.3.6.1.5.5.7.3.1).
The certificate subject must be set to "CN=HOSTNAME".
 
winrm server:

# Administrator PowerShell on the WinRM server. Creates the certificate under [Certificates - Local Computer - Personal - Certificates]:

$winrm证书参数 = @{
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    KeyLength         = 4096
    Subject           = 'CN=powershell交流群183173532'
    NotBefore         = (Get-Date) - [TimeSpan]::FromDays(365)
    NotAfter          = (Get-Date) + [TimeSpan]::FromDays(3650)
}

$winrm证书 = New-SelfSignedCertificate @winrm证书参数
# Export only the public key (the certificate without its private key) for the WinRM client:
Export-Certificate -Cert $winrm证书 -FilePath 'd:\winrm证书公钥.cer'

# Make WinRM listen on port 5986. By default it listens on 5985 (HTTP) only, not on 5986 (HTTPS)
Get-ChildItem WSMan:\Localhost\listener\
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
Get-ChildItem WSMan:\Localhost\listener\
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -Force -CertificateThumbPrint $winrm证书.Thumbprint

# Open port 5986 in the WinRM server's firewall:
New-NetFirewallRule -DisplayName "ps传教士winrm的https in" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -RemoteAddress Any -Protocol TCP

 

winrm client:

Copy the public key file 'd:\winrm证书公钥.cer' to the client.
On the WinRM client, import the public key into [Trusted Root Certification Authorities - Certificates]:
Administrator PowerShell:
Import-Certificate -FilePath 'd:\winrm证书公钥.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

 

Now the WinRM client can connect to the WinRM server without skipping the CA check.
Look at the code:
# Run on the WinRM client; this command prompts for the account password on the WinRM server
Invoke-Command -ComputerName $winrm服务器ip -Port 5986 -Credential (Get-Credential) `
    -UseSSL -SessionOption (New-PSSessionOption -SkipCNCheck) `
    -ScriptBlock { dir c:\ }

 


--------- [WinRM "level one" security] ---------

Level one builds on level two: the WinRM client additionally verifies the CN of the WinRM server's certificate. The CN here plays the role of a domain name; it is the server's computer name, [$env:COMPUTERNAME].
 

winrm server:

# Administrator PowerShell on the WinRM server. The subject CN is now the computer name:
$winrm证书参数 = @{
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    HashAlgorithm     = 'SHA256'
    KeyLength         = 4096
    Subject           = "CN=$env:COMPUTERNAME"
    NotBefore         = (Get-Date) - [TimeSpan]::FromDays(365)
    NotAfter          = (Get-Date) + [TimeSpan]::FromDays(3650)
}

$winrm证书 = New-SelfSignedCertificate @winrm证书参数

# Export only the public key (the certificate without its private key) for the WinRM client:
Export-Certificate -Cert $winrm证书 -FilePath 'd:\winrm证书公钥.cer'

# Make WinRM listen on port 5986. By default it listens on 5985 (HTTP) only, not on 5986 (HTTPS)
Get-ChildItem WSMan:\Localhost\listener\
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
Get-ChildItem WSMan:\Localhost\listener\
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -Force -CertificateThumbPrint $winrm证书.Thumbprint

# Open port 5986 in the WinRM server's firewall:
New-NetFirewallRule -DisplayName "ps传教士winrm的https in" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -RemoteAddress Any -Protocol TCP

 

winrm client:

Copy the public key file 'd:\winrm证书公钥.cer' to the client.
On the WinRM client, import the public key into [Trusted Root Certification Authorities - Certificates]:
Administrator PowerShell:
Import-Certificate -FilePath 'd:\winrm证书公钥.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'

 

Now the WinRM client can connect to the WinRM server without skipping the CA check and without skipping the CN check. Look at the code:

# Run on the WinRM client. The computer name must resolve: if "ping DESKTOP-XXXX" returns no IP,
# add a computer-name-to-IP mapping to the hosts file.
$server = 'DESKTOP-XXXX'
$serverUser = 'ABCD'
$username = "$server\$serverUser"
$plainPassword = '1234'
$securePassword = ConvertTo-SecureString $plainPassword -AsPlainText -Force
# Bind user name and password into a credential object
$cred = New-Object System.Management.Automation.PSCredential($username, $securePassword)
# No -SessionOption: CA and CN are both validated, because -ComputerName equals the certificate CN
$session1 = New-PSSession -ComputerName $server -Port 5986 -Credential $cred -UseSSL
Invoke-Command -Session $session1 -ScriptBlock { dir d:\ }
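A server-side check that the listener built in the level-two and level-one steps actually meets the certificate requirements listed above (key pair still in the store, Server Authentication EKU, CN equal to the computer name, port 5986 accepting connections). This is an added example, not code from the original post; it assumes the listener was created with New-Item as shown, and the function name Test-WinRmHttpsListener is hypothetical.

```powershell
# Added example, not part of the original post. Run in an Administrator PowerShell
# on the WinRM server after the steps above. The function name is hypothetical.
function Test-WinRmHttpsListener {
    param(
        # Name the client will pass to -ComputerName; the certificate CN must match it
        [string]$ExpectedCN = $env:COMPUTERNAME
    )
    $problems = @()
    # 1. Find the HTTPS listener (its Keys look like 'Transport=HTTPS', 'Address=*')
    $listener = Get-ChildItem WSMan:\Localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    if (-not $listener) {
        return [pscustomobject]@{ Ok = $false; Thumbprint = $null; Problems = @('no HTTPS listener') }
    }
    $thumb = (Get-ChildItem "WSMan:\Localhost\Listener\$($listener.Name)" |
        Where-Object Name -eq 'CertificateThumbprint').Value -replace '\s', ''
    # 2. The certificate (with its private key) must still be in LocalMachine\My;
    #    deleting it after New-Item breaks every TLS handshake on 5986
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) {
        $problems += "certificate $thumb is missing from Cert:\LocalMachine\My"
    } else {
        if (-not $cert.HasPrivateKey) { $problems += 'certificate has no private key' }
        # 3. EKU must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1)
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
            $problems += 'EKU does not include Server Authentication'
        }
        # 4. Subject CN must equal the name the client connects to, or -SkipCNCheck is needed
        $cn = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn -ne $ExpectedCN) {
            $problems += "subject CN '$cn' does not match '$ExpectedCN' (client would need -SkipCNCheck)"
        }
        # 5. Validity window (the steps above backdate NotBefore by one year)
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += 'certificate is outside its validity period'
        }
    }
    # 6. Something must accept connections on 5986 locally (the firewall rule above covers remote clients)
    if (-not (Test-NetConnection -ComputerName localhost -Port 5986 -InformationLevel Quiet)) {
        $problems += 'TCP 5986 is not accepting connections'
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Thumbprint = $thumb; Problems = $problems }
}

Test-WinRmHttpsListener | Format-List
```

With the level-two certificate (CN = the group name) the CN check reports a mismatch, which is exactly why that section's client still passes -SkipCNCheck; the level-one certificate passes all six checks.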

 

--------- [WinRM "best" security] ---------

The safest option is not a self-signed certificate but a purchased one.
Or join a Windows domain, so the machine becomes a domain member.
PowerShell on Windows connecting to the Linux build of PowerShell over SSH with an asymmetric key pair is also very secure: it is two-way authentication between server and client.
 

--------- [Postscript] ---------

I wrote this post in order to enable HTTPS for WinRM, because WinRM + HTTPS can serve as the back end for PS + web, such as Microsoft's most famous web operations and maintenance framework "slave line and line of fire".

Thanks for watching
 


Origin www.cnblogs.com/piapia/p/11897713.html