I must manage a school network of about 60 Windows computers that are set up as workgroup computers and not in a domain. To ease configuration I am going to enable PowerShell remoting on all computers. (I know about Enable-PSRemoting and how to set this up in general.) To limit security risks as far as possible, remoting to these computers should only be possible from my administration PC with a certain IP address.
So consider this example:
Computer 1: only accepts remoting connections from admin, not from computer 2
Computer 2: only accepts remoting connections from admin, not from computer 1
Admin computer: can remote on all computers
I'm not sure how to set up the Windows firewall on the computers to allow traffic of the WinRM protocol only from one IP address. The whole network is set to 'private'.
Can somebody help me out with enabling the correct firewall rules?
Answer
As explained in this article: Enabling PowerShell remoting for only a specified set of IP addresses.
(For each client pc1/pc2/pc...) you have to:
Enable-PSRemoting
Next, remove the WinRM listener that was created by Enable-PSRemoting:
Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
Now the machine listens to nobody, so you have to create a new listener for the admin client:
New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.11.12.13";Transport="http"}
Now restart the WinRM service:
spsv winrm -pass | sasv -pass |gsv #*
(You have to run PowerShell as admin.)
* spsv = Stop-Service // sasv = Start-Service // gsv = Get-Service // -pass = -PassThru
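The firewall scoping the question asks about, as an added example (not part of the original question or answer): it restricts every enabled inbound allow rule for the WinRM ports to a single remote address. The default address reuses the answer's sample IP as a placeholder, and ports 5985/5986 are the WinRM defaults, assumed unchanged on this network.

```powershell
#Requires -RunAsAdministrator
# Added example. $AdminIp is a placeholder (the sample address used in the answer).
param(
    [string]$AdminIp = '10.11.12.13'
)

# Reject a mistyped address before touching any rule.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($AdminIp, [ref]$parsed)) {
    throw "Not a valid IP address: $AdminIp"
}

# Find rules by port instead of by display name, so this also works on
# localized Windows and catches any extra allow rule that exposes WinRM.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort -contains '5985' -or $pf.LocalPort -contains '5986')
    }

if (-not $rules) {
    throw 'No enabled inbound allow rule for TCP 5985/5986 found. Run Enable-PSRemoting first.'
}

# RemoteAddress matches the source IP of the incoming connection
# (a listener's Address selector, by contrast, is a local address the service binds to).
foreach ($rule in $rules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AdminIp
}

# Show the resulting scope of each rule for verification.
$rules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.Name
        Profile       = $_.Profile
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
}
```

To check the result, run Test-WSMan against a client from the admin PC and again from another workstation; only the first should get a response.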