Allow PowerShell remote access only from one address


Solution 1

As explained in this article: Enabling PowerShell remoting for only a specified set of IP addresses.

(for each client pc1/pc2/pc...) you have to:

enable-psremoting

next: remove the winrm-listener that was created by enable-psremoting

Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}

now the machine listens to nobody, so you have to create a new listener for the admin-client

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.11.12.13";Transport="http"}

now restart the winrm service

spsv winrm -pass | sasv -pass | gsv   #*

(you have to run PowerShell as admin)

\*
*spsv = stop-service // sasv = start-service // gsv = get-service // -pass = -passThrough*
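The listener's Address selector above binds the local IP that WinRM listens on, and the question also asks for a firewall rule that accepts WinRM only from the admin PC. The following is an added example, not code from either answer, using the Windows Firewall NetSecurity cmdlets (Windows 8 / Server 2012 and later); the admin address 10.11.12.13 is an assumed placeholder reused from the answer.

```powershell
# Added example, not code from either answer on this page: on each managed PC,
# scope the inbound WinRM firewall rules to one administrative client so that the
# Windows Firewall drops WinRM traffic from every other host before WinRM sees it.
# Run in an elevated PowerShell. $AdminIp is an assumed placeholder value.
$AdminIp = '10.11.12.13'

# Enable remoting (safe to re-run). -SkipNetworkProfileCheck only matters when an
# adapter is on a Public profile; the question's network is Private.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Enable-PSRemoting creates the built-in "Windows Remote Management (HTTP-In)" rules
# (one for Domain/Private, one for Public) with RemoteAddress = Any. Narrow them.
$rules = Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'
if (-not $rules) { throw 'WinRM firewall rules not found; did Enable-PSRemoting succeed?' }
$rules | Set-NetFirewallRule -RemoteAddress $AdminIp

# Verify: every rule's address filter should now list only $AdminIp, and the
# listener should still exist (its Address binds the local side, not the remote).
foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    '{0,-25} Enabled={1,-6} Profile={2,-15} RemoteAddress={3}' -f `
        $rule.Name, $rule.Enabled, $rule.Profile, ($filter.RemoteAddress -join ',')
}
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

From the admin PC, `Test-WSMan -ComputerName <managed pc>` should succeed, while the same call from any other workgroup host should fail at the firewall.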

Solution 2

Maybe the PowerShell "trustedhosts" list is what you want?
You can't remote into a machine if you are not on the trustedhosts list.

Start the PowerShell console as administrator

run this command:

get-item wsman:\localhost\client\trustedhosts

The "value" has to be the IP address or name of the admin client. To set this value run:

set-item wsman:\localhost\client\trustedhosts 192.168.1.2

(If there is already one value, or if you have two admin clients:

set-item wsman:\localhost\client\trustedhosts -concatenate admin02pcName

) Of course, wildcards are allowed.
You can abbreviate get-item with gi, set-item with si and -concatenate with -concat.



Author: SebastianR

Updated on September 18, 2022

Comments

  • SebastianR
    SebastianR over 1 year

    I must manage a school network of about 60 Windows computers that are set up as workgroup computers and not in a domain. To ease configuration I am going to enable PowerShell remoting on all computers. (I know about Enable-PSRemoting and how to set this up in general.) To limit security risks as far as possible, remoting to these computers should only be possible from my administration PC with a certain IP address.

    So consider this example:

    Computer 1: only accepts remoting connection from admin, not from computer 2
    Computer 2: only accepts remoting connection from admin, not from computer 1
    Admin computer: can remote on all computers
    

    I'm not sure how to set up the Windows firewall on the computers to allow traffic of the WinRM protocol only from one IP address. The whole network is set to 'private'.

    Can somebody help me out with enabling the correct firewall rules?

  • SebastianR
    SebastianR over 7 years
    Thanks for your answer, but I want to restrict connections at the other end: the computer that is being connected to should only allow those from a certain IP. Your solution allows the computer initiating the connection to connect.
  • MacMartin
    MacMartin over 7 years
    Sorry, now I understand. So I think you have to configure the remoting listener (WinRM) somehow. Maybe this article: link ...
    > Now, to re-create the http listener on a specified IP address
    >
    > New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:192.168.100.2";Transport="http"}
    >
    > Once this listener is created successfully, you need to restart the WinRM service ...
  • SebastianR
    SebastianR over 7 years
    Excellent! Thank you for your competent answer!
  • durette
    durette almost 6 years
    This controls which local IP is listening, not which remote IPs are accepted by the listener.