WinRM Configuration
Device42 version 18.08 and newer adds WinRM as a discovery option for Windows Machines. This does not require a WDS server to run discovery via WinRM. Please see below for details on how to configure WinRM.
- The WinRM service must be running on the Windows server that is to be discovered. Default installations of Microsoft Windows Server 2012 and above come with the WinRM service running by default, and so in this case no extra steps are needed.
- You must ensure that the WinRM service is not blocked by a firewall and therefore is remote accessible. By default, WinRM uses port 5985, which needs to be open.
- You must ensure that a user account with appropriate privileges is used on the Windows server. The user account must be part of the local administrators group on the managed server. To run the discovery as a non-admin user, you will need to configure four areas to get a successful discovery.
To check the status of your WinRM service, run the following command from an elevated command prompt or elevated PowerShell prompt on a target machine:
winrm enumerate winrm/config/listener
This verifies that the service is running and shows its listener configuration. You can also confirm the port and transport reported by the listener on the local machine, and set the discovery job accordingly.
Configure WinRM access as a non-admin user:
It is possible to manage Windows OS with a user account that is not a member of the local administrators group. There are four requirements for configuring non-admin user access, each of which is explained below:
- User must be a member of required groups.
- User must have access to WinRM resources.
- User must have access to WMI namespace.
- User must have query service manager permissions.
1. To add the user to the required groups:
- At the elevated command prompt, execute the following commands:
net localgroup "Remote Management Users" /add <domain>\<user>
net localgroup "Performance Monitor Users" /add <domain>\<user>
2. To give the user access to WinRM resources:
- At the elevated command prompt, execute the following command:
winrm configSDDL default
- This command will open the Permissions for Default dialog.
- In the Group or user names section, add <domain>\<user> to the list.
- Select the <domain>\<user> you have just added, and in the Permissions section beneath, check 'Allow' for Read(Get,Enumerate,Subscribe) and Execute(Invoke).
- Click OK to confirm your changes.
3. To give the user access to WMI namespace:
- In the elevated command prompt, type winmgmt.msc
- This will open the WmiMgmt console. Right click on WMIControl (Local), and from the context menu click Properties.
- This will open the WMI Control (Local) Properties dialog. Under the Security tab, select Root and then click Security at the bottom of the window.
- This will open the Security for Root dialog. In the Group or user names section, add 'Remote Management Users' group.
- Select the newly added 'Remote Management Users' group from the list and click Advanced at the bottom of the window.
- This will open the Advanced Security Settings for Root dialog. Select the 'Remote Management Users' group and click Edit.
- This will open the Permission Entry for Root dialog. In the Applies to dropdown field, select 'This namespace and subnamespaces'.
- In the Permissions section, tick the following boxes:
  - Execute Methods
  - Enable Account
  - Remote Enable
- Click OK to save your changes.
4. To allow the user service control manager queries:
- Open a command prompt in Administrator mode.
- Obtain and take note of the SID of the user by using 'wmic useraccount where name="<username>" get name,sid'.
- Output the existing SDDL, which you will need to adjust, by using 'sc sdshow scmanager'. The output will be similar to the below (note the 'S:' in the SDDL; you will be adding new text immediately before it):
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;<user SID>)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Create a new SDDL snippet that is to be inserted into the original SDDL obtained from 'sc sdshow scmanager' above. The content of the snippet is:
(A;;CCLCRPWPRC;;;<SID of User>)
- Replace <SID of User> with the SID obtained from wmic above. After replacement, the snippet will look similar to the following:
(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)
- Place the above snippet immediately before 'S:' of the original SDDL. The result will look similar to the following:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPWPRC;;;S-1-0-10-200000-30000000000-4000000000-500)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
- Update the service manager SDDL with the combined string from the previous step:
sc sdset scmanager <combined SDDL>
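As an added example, not part of the Device42 article or its tooling, the following PowerShell script carries out the service control manager step in one pass: it resolves the account's SID, reads the current scmanager SDDL, inserts the ACE from the article immediately before 'S:', previews the result, and only writes it back when run with -Apply. It assumes an elevated PowerShell prompt, sc.exe on PATH, and an account name passed as a parameter (the name in the comment is a constructed placeholder).

```powershell
# Added example (not Device42's own code): preview, then optionally apply, the
# scmanager SDDL change for the discovery account.
param(
    [Parameter(Mandatory)] [string] $Account,   # e.g. 'CONTOSO\d42svc' (placeholder)
    [switch] $Apply                             # without -Apply the script only previews
)

# Resolve the SID from the account name rather than copying it from wmic output.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Current SCM security descriptor (same as 'sc sdshow scmanager' in the article).
# 'sc.exe' is used explicitly because 'sc' is a PowerShell alias for Set-Content.
$current = & sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $current) { throw 'Could not read the scmanager SDDL; run from an elevated prompt.' }
$current = $current.Trim()

# The ACE from the article, granting the account query access to the SCM.
$ace = "(A;;CCLCRPWPRC;;;$sid)"

if ($current.Contains($ace)) {
    Write-Host "ACE for $Account ($sid) is already present; nothing to do."
    return
}

# Insert the ACE immediately before the SACL marker 'S:', as the article instructs.
$marker = $current.IndexOf('S:')
if ($marker -lt 0) { throw "Unexpected SDDL without an 'S:' section: $current" }
$updated = $current.Insert($marker, $ace)

Write-Host "Current: $current"
Write-Host "Updated: $updated"

if ($Apply) {
    & sc.exe sdset scmanager $updated
    # Read the descriptor back and confirm the ACE is now present.
    $after = (& sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' } | Select-Object -First 1).Trim()
    if (-not $after.Contains($ace)) { throw 'sdset did not take effect; check the output above.' }
    Write-Host "scmanager SDDL updated for $Account."
}
```

Run it once without -Apply to compare the two descriptors, then again with -Apply; the read-back check fails loudly if sc.exe rejected the new SDDL.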