5

I am trying to set up remote management on a few machines. I can successfully execute commands on the remote machine from my computer, but I don't want anyone to be able to do so.

I have tried setting the trusted hosts on the remote computer, and restarted the service but it doesn't seem to be doing anything.

For example, on the remote machine:

 winrm set winrm/config/client '@{TrustedHosts="someIncorrectName"}'

I then restart the winrm service.

How come I can still run the remote commands from my laptop? Shouldn't it prevent the command from being executed?

I'm running the command the following way: 

Invoke-Command -cn remoteMachine -Credential $cred -scriptblock {get-process}

Where $cred was generated using get-credential domain/username.

I have read a few things about TrustedHosts, and they seem to give conflicting reports as to what it does. Some people seem to say that it prevents commands from being executed on computers not listed in the Trusted Hosts list. Others say it's a list of computers that can run commands on that machine.

MSDN says: "Specifies the list of remote computers that are trusted." That seems to imply that it is the second option (a list of computers that can execute commands on the machine).

What am I doing wrong?

Thanks

navalhawkeye
  • 259
  • 3
  • 4
  • 13

1 Answers1

6

TrustedHosts doesn't do what you think it does. Unlike Unix .rhosts, this setting is for the PowerShell client, not the remote server endpoint. This is why it's found at:

WSMan:\localhost\Client

If it was relevant to the listener, it would be under the Service node.

As the other answer touches on, this is typically used in non-domain or mixed environments to prevent your client from sending an NTLM challenge-response or basic authentication attempt to an untrusted remote machine. Why? Because a remote rogue server may capture this information and use it to compromise your network. When you're in a mixed environment, the only protection available is SSL and many may opt to disable this through AllowUnencrypted = $false, again in the Client node of the WSMAN drive.

So, how do you limit incoming connections? You should have made the connection by now and started to look under the WSMAN:\localhost\Service node on the remote server. If you do this, you'll see:

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service

Type            Name                           SourceOfValue   Value                                                                       
----            ----                           -------------   -----                                                                       
System.String   RootSDDL                                       ...    
System.String   MaxConcurrentOperations                        4294967295                                                                  
System.String   MaxConcurrentOperationsPerUser                 1500                                                                        
System.String   EnumerationTimeoutms                           240000                                                                      
System.String   MaxConnections                                 300                                                                         
System.String   MaxPacketRetrievalTimeSeconds                  120                                                                         
System.String   AllowUnencrypted                               false                                                                       
Container       Auth                                                                                                                       
Container       DefaultPorts                                                                                                               
System.String   IPv4Filter                                     *                                                                           
System.String   IPv6Filter                                     *                                                                           
System.String   EnableCompatibilityHttpList...                 false                                                                       
System.String   EnableCompatibilityHttpsLis...                 false                                                                       
System.String   CertificateThumbprint                                                                                                      
System.String   AllowRemoteAccess                              true

Now, looking down this list, you'll see some pertinently named properties like IPv4Filter and IPv6Filter. Guess what these do ;-)

x0n
  • 51,312
  • 7
  • 89
  • 111