2

I am looking for specific feedback on WinRM. There are ::still:: debates out there about whether or not making RDP publicly available without a VPN is a good idea--There are no debates on whether or not making SSH publicly available is a good idea, as long as it is set up correctly...

Where does WinRM fit in at this point: Use with a VPN, No VPN, etc?

Josh Brower

3 Answers

1

Not a Windows guy so I can't speak too much to WinRM specifics.

The bottom line, though, is that any remote-access service like SSH or WinRM has risks and benefits. From what I can tell they provide roughly analogous functionality. If they provide similar levels of AAA then you might treat them similarly in your security posture. E.g., if WinRM uses HTTPS certificates for authentication, but OpenSSH allows passwords sent over the wire (one possible config), WinRM's AAA is probably better.

Are the privileges of each service limited? E.g., on Linux you might run SELinux so that inbound SSH connections can only do certain operations.

You should also consider how much you trust the different vendors/implementations. Do you expect to see remotely exploitable bugs in OpenSSH & *nix more or less than in Windows? Trying to word this so as not to be a troll - it's obviously a loaded question. But the issue is very real.

As far as what that security posture specifically should be...some people put SSH out in the open on port 22, some people require a VPN before you can connect. Some use security through obscurity and put SSH on port 222 instead of port 22.

Some have a whitelist of what IPs are allowed to connect. You might do the whitelisting in sshd or in iptables. On Windows, in the Windows Firewall, or possibly in WinRM itself? There are lots of possibilities.

Dan Pritts
  • 1
    Thanks for the comments, but I am looking for specific feedback on WinRM. There are ::still:: debates out there about whether or not making RDP publicly available without a VPN is a good idea--There are no debates on whether or not making SSH publicly available is a good idea, as long as it is set up correctly... Which is why I am looking for feedback on WinRM in particular. – Josh Brower Mar 03 '15 at 19:22
  • I think this comment gets at the gist of your question, perhaps a little better than the way you originally stated it. – Dan Pritts Mar 05 '15 at 22:20
  • I rewrote the question.... Hopefully that will bring some clarity. – Josh Brower Mar 06 '15 at 10:39
1

I have used WinRM on some occasions to expose metrics - without using VPNs and such. But there are some security considerations:

  1. Try running `winrm get winrm/config` to see how things are configured currently.
  2. Make sure WinRM has a certificate installed for HTTPS purposes. This has to go into the Personal store on the Local Computer (yes - odd nomenclature).
  3. Enable HTTPS by doing `winrm quickconfig -transport:https`.

Once the transport is secured, you need to enable client certificate authentication and disable everything else:

  1. Disabling stuff is done like this: `winrm set winrm/config/client/auth @{Digest="false"}`.
  2. Disable Kerberos, Digest and whatever else is around.
  3. Enable certificate authentication by doing `winrm set winrm/config/client/auth @{Certificate="true"}`.
  4. I can't quite remember if you need `winrm set winrm/config/client/auth @{CredSSP="true"}` for things to work - it may be needed for credentials delegation.

This works well and if you trust the Windows HTTP transport, the Windows PKI infrastructure and you have a firewall in place that lets you filter out obvious nasties, it is an option that works out fine. It is quite nice if you need to collect things programmatically.

Now, the other thing is: will you be able to get all the info you want via WinRM? This is not as easy to answer. I find that a number of things are harder to get at than you might think. I want status on RAID controllers and such, but this is difficult at best. Using RDP over SSH (just to be sure) is still my favored way of doing this because of the added versatility you get.

In conclusion, yes - you can use WinRM without VPNs and such, but you should consider if it gets you what you want in the end.

EDIT: Comparing the use of WinRM with SSH is perhaps not entirely useful - at least from a feature package perspective. Using SSH, you can get anything if you are prepared to write something that collects the information you want. WinRM is less versatile in that sense. Securitywise, however, both are fine IMHO if you lock things down properly which is entirely possible.

MrMajestyk
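
As an added example (not part of the answer above and not code from any WinRM tooling), this script parses saved `winrm get winrm/config` output, the command from step 1, and reports where it departs from the certificate-only setup the answer describes. The sample output is constructed, and auditing the Service section and `AllowUnencrypted` alongside the Client auth settings is an assumption of this example.

```python
# Constructed sample of `winrm get winrm/config` output (not from a real host).
SAMPLE = """\
Config
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
            Kerberos = true
            Certificate = true
        TrustedHosts
    Service
        AllowUnencrypted = true
        Auth
            Basic = false [Source="GPO"]
            Kerberos = true
            Certificate = false
            CbtHardeningLevel = Relaxed
"""
MUST_BE_OFF = ("Basic", "Digest", "Kerberos", "Negotiate")  # per the answer

def parse_config(text):
    """Build nested dicts from the indentation-structured dump."""
    root = {}
    stack = [(-1, root)]  # (indent, container) pairs, innermost last
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if "=" in raw:
            key, value = raw.split("=", 1)
            parent[key.strip()] = value.strip()
        else:  # a line without "=" opens a nested section
            parent[raw.strip()] = child = {}
            stack.append((indent, child))
    return root

def is_on(value):  # drops a Group Policy suffix such as [Source="GPO"]
    return str(value).split(" ")[0].lower() == "true"

def audit(config, section):
    """Return policy findings for the 'Client' or 'Service' section."""
    sec = config["Config"][section]
    auth = sec.get("Auth", {})
    out = [f"{section}/Auth/{n} is enabled" for n in MUST_BE_OFF if is_on(auth.get(n))]
    if not is_on(auth.get("Certificate")):
        out.append(f"{section}/Auth/Certificate is disabled")
    if is_on(sec.get("AllowUnencrypted")):
        out.append(f"{section}/AllowUnencrypted is true")
    return out
```

The Service section holds the settings applied to inbound connections, so run `audit` on it as well as on Client when reviewing a host that will be reachable without a VPN.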
0

WinRM is capable of using HTTPS transport, and if your machines are in the domain and have your enterprise certificates on them already, it should Just Work.

Michael Hampton
  • I understand that it should Just Work...... I am looking for thoughts/guidance from a security perspective--Is WinRM to be treated like SSH, where we have LAMP + SSH publicly available on the Internet? Or is it a service that still needs to be put behind a VPN, etc? – Josh Brower Mar 02 '15 at 12:09
  • Really? Do you put HTTPS behind a VPN? – Michael Hampton Mar 02 '15 at 13:31
  • 1
    I am apparently not communicating well.. :) I am asking if people are treating WinRM like SSH in terms of making it publicly available across the Internet for remote access scenarios. – Josh Brower Mar 02 '15 at 15:23