WinRM Response Integration

Windows Remote Management (WinRM) is a protocol used for remote administration and command execution on Windows operating systems. Here is a summary of the important points about WinRM:

Purpose: WinRM allows managing remote computers over a network. System administrators can use this protocol to execute commands on remote computers, manage services, and gather various system information.

Protocol Basis: WinRM is based on the WS-Management protocol, a web services standard for exchanging management data between operating systems over a network in a uniform way.

Default Ports:

HTTP: WinRM uses TCP port 5985 for unsecured data transfer.
HTTPS: For secure communication, it uses TCP port 5986, with SSL/TLS encryption to protect the data.

Protocols:

HTTP/HTTPS: WinRM operates over the HTTP and HTTPS protocols, depending on the security requirements set during configuration.
Kerberos or NTLM: For authentication, WinRM often uses Kerberos or NTLM.

This guide will explain the integration with HTTP and Basic Auth.


In order to perform the operations, it is essential to enable the HTTP protocol, Basic Authentication, and port 5985 on the machine on which commands will be executed via WinRM. This guide illustrates the procedure using an administrator account, but these operations can also be carried out with a user account that has the basic permissions required.


1. winrm quickconfig

Explanation: This command configures WinRM quickly and enables the necessary components. First, it starts the WinRM service and sets it to start automatically. Next, it adds the required firewall rules to ensure that WinRM can be accessed over the network. If WinRM has not been configured previously, this step must be completed.


2. winrm create winrm/config/listener?Address=*+Transport=HTTP

Explanation: This command creates a WinRM listener that accepts connections from all IP addresses (Address=*) over the HTTP protocol. This listener is essential for allowing clients to connect via WinRM. Establishing this listener is a critical step for enabling communication between the WinRM service and clients.


3. winrm set winrm/config/service/auth '@{Basic="true"}'

Explanation: This command configures the authentication settings of the WinRM service to enable basic authentication. Basic authentication allows the transmission of usernames and passwords without encryption; therefore, it must be used with caution. For security purposes, such authentication is generally recommended only over more secure connections, such as VPNs.

4. Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.10.0.10"

Explanation: This command sets a specific machine (in this example, the machine with the IP address 10.10.0.10) as a trusted host for the WSMan client. By designating trusted hosts, it allows connections from this machine without requiring authentication. This facilitates management and automation tasks.

5. Get-Item WSMan:\localhost\Client\TrustedHosts

Explanation: This command retrieves the current trusted hosts of the WSMan client. This allows administrators to check which IP addresses have been designated as trusted, both before and after configuration. This assists system administrators in monitoring and managing security policies.

6. winrm set winrm/config/client '@{AllowUnencrypted="true"}'

Explanation: This command modifies the client configuration of WinRM to allow unencrypted communications. By setting this parameter to true, WinRM permits connections that do not use encryption (SSL/TLS). While this can simplify certain operational tasks, it significantly increases security risk, as data transmitted over the network will be in plaintext and open to interception. This setting is typically limited to tightly controlled environments or to troubleshooting; best practice strongly advises encrypted communication in production settings to protect data confidentiality and integrity.

Finally, check whether Windows Firewall already contains an inbound rule for WinRM. If there is none, create a rule for the port you are using (5985 for HTTP).
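To confirm the result of steps 1 to 6 and the firewall check, the following PowerShell script (an added example, not part of the Logsign article) reads each setting back and lists, next to it, the risk a defender should weigh; it assumes the Logsign address 10.10.0.10 from step 4 is the only host that should appear in TrustedHosts.

```powershell
# Added example, not from the original Logsign article: audit the settings that
# steps 1-6 and the firewall check above change, and report for each whether it
# is configured as the article describes plus the risk a defender should weigh.
# Run in an elevated PowerShell session on the configured Windows host.
function Get-WinRmAuditResult {
    param([string]$ClientAddress = "10.10.0.10")   # Logsign address from step 4 (assumed)
    $r = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Check, $Value, [bool]$Configured, [string]$Risk) {
        $r.Add([pscustomobject]@{ Check = $Check; Value = "$Value"; Configured = $Configured; Risk = $Risk })
    }
    # Step 1: service state set by 'winrm quickconfig'
    $svc = Get-Service -Name WinRM
    Add-Check "WinRM service running (step 1)" $svc.Status ($svc.Status -eq 'Running') ""
    Add-Check "WinRM start type Automatic (step 1)" $svc.StartType ($svc.StartType -eq 'Automatic') ""
    # Step 2: HTTP listener bound to every address (Address=*)
    try {
        $http = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }
    } catch { $http = $null }
    Add-Check "HTTP listener on all addresses (step 2)" ($http.Port -join ',') ([bool]$http) `
        "Plaintext transport on 5985; an HTTPS listener on 5986 is preferred in production"
    # Step 3: Basic authentication on the service side
    $basic = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
    Add-Check "Service Basic auth enabled (step 3)" $basic ($basic -eq 'true') `
        "Credentials cross the network only base64-encoded; confine to a trusted network or VPN"
    # Step 4: TrustedHosts should name the Logsign address, never a wildcard
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    Add-Check "TrustedHosts limited to Logsign (step 4)" $trusted `
        (($entries -contains $ClientAddress) -and ($entries -notcontains '*')) `
        "A '*' entry trusts every host; list only the Logsign address"
    # Step 6: client-side AllowUnencrypted
    $unenc = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
    Add-Check "Client AllowUnencrypted (step 6)" $unenc ($unenc -eq 'true') `
        "Command input and output travel in plaintext; restrict to controlled networks"
    # Final step: an enabled inbound firewall rule for TCP 5985
    $rule = Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '5985' } |
        Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    Add-Check "Inbound firewall rule for TCP 5985 (final step)" ($rule.DisplayName -join ', ') ([bool]$rule) `
        "Scope the rule's RemoteAddress to the Logsign host instead of Any"
    return $r
}

Get-WinRmAuditResult | Format-Table -AutoSize -Wrap
```

A row with Configured = False means that step has not taken effect yet; a row with Configured = True still carries the risk in its Risk column, which is the trade-off the article's explanations describe.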

For more information, please refer to: https://learn.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management.


Once the Logsign response is added, the integration is ready to execute commands or scripts.


You can test the integration by executing the ping command within the Logsign incident and reviewing the response to verify that the command has been executed.
