How safe is it to enable WinRM / PSRemoting on an internet-facing machine?


Solution 1

Generally speaking, you should never open anything from the Internet to a production server, unless it is a service that you want the public to use. If the machine is a webserver, then only port 80 should be open to it. If no other ports are open through the firewall to it, then there is no way for an attacker to get in.

A VPN would be the best solution, requiring users to authenticate and then access the production systems only from the inside. A VPN is far more flexible and secure than any other method.

Solution 2

A couple of things that might help:

  1. Add your clients to the TrustedHosts list.

    Set-Item wsman:\localhost\Client\TrustedHosts -Value Server01.Domain01.Fabrikam.com
    
  2. Create a log scanning script that pulls bad IPs from your logs and creates firewall rules to block those IPs. (Excuse my PS writing technique :-) )

    Get the contents of a file which has bad IP's listed in activity log. I created a script which scanned my proprietary web log file and found clients probing my web server so I dropped their IP's into the badips.txt file.

    $ips = Get-Content c:\powershell\utilities\badips.txt

    # Now I create a firewall rule to block the bad IP address
    foreach ($i in $ips) {
        [string]$rulename    = "disallow-" + $i
        [string]$remoteip    = $i + "/32"
        [string]$description = $i

        # Getting list of bad IP's who already have a blocking rule
        # (-ErrorAction SilentlyContinue: the file does not exist until the first IP has been processed)
        $processed = Get-Content c:\powershell\utilities\processedips.txt -ErrorAction SilentlyContinue

        # Checking against the list to see if the IP is already blocked
        # (-SimpleMatch so the dots in the address are not treated as regex wildcards)
        $count = ($processed | Select-String -SimpleMatch $i).Count

        # If this is a new IP address, create a firewall rule and add IP to the processed list text file
        if ($count -lt 1) {
            netsh advfirewall firewall add rule name="$rulename" dir=in action=block enable=yes `
                profile=public localip=any remoteip=$remoteip description="$description"
            $i | Add-Content c:\powershell\utilities\processedips.txt
        }
    }


This doesn't really answer your question about how protected your server will be but gives you two more items to limit potential threats.


Author: Leon Bouquiet

Updated on September 18, 2022

Comments

  • Leon Bouquiet
    Leon Bouquiet over 1 year

    How safe is it to make the Remote PowerShell (aka PSRemoting) endpoint of a production server accessible from the internet?
    We're not a bank or anything, but the server does hold sensitive corporate data.

    I intend to secure it by:

    • Using IP filtering to only accept connections from our own public IP range, so that we can manage it from another part of our network.
    • Having the endpoint accept only SSL connections
    • Only allowing connections from a limited set of users with a complex password (~150 bits entropy)
    • Using a PSSessionConfiguration that has the LanguageMode set to NoLanguage, so that only scripts can be executed
    • Requiring that all Powershell scripts that are executed this way are signed (Set-ExecutionPolicy RemoteSigned)

    On the other hand:

    • The remote scripts will be executed under a local admin account, with no restrictions on the Cmdlets/Modules it can invoke.
    • I suspect that the WinRM service (that makes PSRemoting possible) is safe enough to be exposed to the internet (Azure VMs have this by default), but I have no evidence of this.

    So, I guess my question is: is this 'safe', or are there attack vectors that I'm missing here?

    By the way, I have most of my information from the free eBook Secrets of Powershell remoting.

  • Leon Bouquiet
    Leon Bouquiet about 9 years
    A word of caution about the TrustedHosts lists from "Secrets of PowerShell Remoting": "Adding the remote machine's name (..) to your local computer's WinRM TrustedHosts list basically disables mutual authentication. (..) Set up the remote machine to accept HTTPS (..) this enables the SSL certificate to provide the mutual authentication WinRM is after."
  • Leon Bouquiet
    Leon Bouquiet about 9 years
    I discussed it with one of the networking guys, and we're probably going to use a VPN. Thanks for your response.