Securing WinRM over HTTPS [Windows Server 2019]


    I (tobor), cover how to configure WinRM over HTTPS in an Windows environment using Group Policy on Windows Server 2019 domain environment consisting of a Domain Controller and a Certificate Authority.

    0:00 Intro Summary
    0:52 BTPS SecPack policy settings that will be covered
    1:00 Create a group policy
    1:21 Assign Group Policy to OU
    1:30 Edit Group Policy settings
    1:47 Security Filtering permissions on GPO policy
    2:05 Delegation permission on GPO Policy
    2:18 Policy Setting Services WinRM
    3:00 Permissions required to start a service using “Log on as service”
    3:41 Recovery Tab on Services
    3:54 Policy Setting Create Registry Value
    5:22 Policy Setting Network Connections for WMI (optional)
    6:04 Policy Setting Allow inbound remote administration exception (optional)
    6:24 Policy Setting Allow ICMP Exceptions (optional)
    6:41 Policy Setting Credential Delegation
    6:52 CredSSP Summary Example Windows Admin Center
    7:23 Policy Setting Encryption Oracle Remediation
    7:52 Policy Setting Allow Delegate Fresh Credentials
    9:08 Policy Setting Allow Delegate Fresh Credentials using NTLM-only Server Authentication
    9:30 Windows Components Remote Management
    9:58 Policy Setting WinRM Client
    12:30 Policy Setting Trusted Hosts
    13:07 Policy Setting WinRM Service
    13:21 Policy Setting Allow Remote Server Management with WinRM
    15:17 Policy Setting Disallow WinRM from storing runas credentials
    15:51 Turn on Compatibility HTTP/HTTPS Listener
    16:35 Create WinRM SSL Certificate Template
    17:02 Duplicate Web Server Cert Template
    17:10 Compatability Tab
    17:25: General Tab
    17:40 Request Handling Tab
    18:12 Cryptography Tab
    18:27 Security Tab
    19:09 Subject Name Tab
    20:11 DC Replication to access new template quicker
    20:41 Sites and Services
    20:52 Force Replication
    21:10 Local Computer Cert Manager
    21:19 Request New Certificate for WinRM
    21:51 Enumerate WinRM cert used with port 5986
    22:07 Change Listener Certificate for WinRM
    22:20 Delete current certificate associated with port 5986
    22:45 Assign certificate to WinRM over HTTPS
    24:00 Verify cert assigned to port
    24:20 BTPS Secpack command reference
    24:39 If incorrect CN name on cert is set, this happens
    25:32 Loopback listener is not configured for WinRM service to attach to on my instance
    26:00 Invoke-Command Example using WinRM over HTTPS
    26:25 WinRM port 5985 is disabled in my instance

    View my Verified Certifications!

    Follow us on GitHub!

    Read our blogs!

    Give Respect on HackTheBox!

    Like us on Facebook!

    View PS Gallery Modules!


    Previous articleHow to make 5 people install League of Legends
    Next articleGroovy Tutorial For Beginners