Saturday, 29 June 2019

networking - Allow PowerShell remote access only from one address


I must manage a school network of about 60 Windows computers that are setup as workgroup computers and not in a domain. To ease configuration I am going to enable PowerShell remoting on all computers. (I know about Enable-PSRemoting and how to set this up in general) To limit security risks as far as possible, remoting to these computers should only be possible from my administration PC with a certain IP address.


So consider this example:


Computer 1: only accepts remoting connection from admin, not from computer 2
Computer 2: only accepts remoting connection from admin, not from computer 1
Admin computer: can remote on all computers

I'm not sure how to set up the Windows firewall on the computers to allow traffic of the WinRM protocol only from one IP address. The whole network is set to 'private'.


Can somebody help me out with enabling the correct firewall rules?



Answer



Like explained in this article: Enabling PowerShell remoting for only a specified set of IP addresses.


(for each client pc1/pc2/pc...) you have to:


enable-psremoting

next: remove the winrm-listener that was created by enable-psremoting


Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}

now the machine listens to nobody, so you have to create a new listener for the admin-client


New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.11.12.13";Transport="http"}

now restart the winrm service


spsv winrm -pass | sasv -pass |gsv   #*

(you have to run PowerShell as admin)


\*
*spsv = stop-service // sasv = start-service // gsv = get-service // -pass = -passThrough*

No comments:

Post a Comment

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...