mitchricker/SecureWinRM
SecureWinRM

SecureWinRM is a PowerShell module that enforces a hardened Windows Remote Management configuration.

This module exists because many tools and workflows require WinRM to be enabled, but very few specify how it should be secured.

The module configures WinRM to use HTTPS only and disables weak or legacy authentication paths. It is designed to be safe to re-run, and to make any return to an insecure configuration an obvious, deliberate action rather than an accidental default.


What this module enforces

SecureWinRM configures WinRM with the following security guarantees:

  • HTTPS-only listeners
  • TLS-encrypted transport
  • Kerberos authentication for domain environments
  • Certificate-based authentication support
  • Basic authentication disabled
  • Unencrypted WinRM disabled
  • HTTP WinRM listeners removed

This module intentionally breaks legacy or insecure remoting setups.
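The guarantees above can be verified independently of the module. The following read-only audit script is an added example, not code from the SecureWinRM module; it reads the WSMan provider drive that ships with Windows PowerShell and reports each setting as PASS or FAIL without changing anything. The property paths it reads (WSMan:\localhost\Service\AllowUnencrypted, WSMan:\localhost\Service\Auth\*, and the per-listener Transport item) are the standard WinRM provider items; the function name Test-SecureWinRMBaseline is this example's own.

```powershell
# Added example (not part of SecureWinRM): audit the WinRM service configuration
# against the hardening goals listed above. Run elevated; nothing is modified.
function Test-SecureWinRMBaseline {
    [CmdletBinding()]
    param()

    $results = @()

    # Helper: read one WSMan provider value and compare it with the expected value.
    function Add-Check {
        param([string]$Name, [string]$Path, [string]$Expected)
        $actual = (Get-Item -Path $Path -ErrorAction Stop).Value
        $script:results += [pscustomobject]@{
            Check    = $Name
            Expected = $Expected
            Actual   = $actual
            Status   = if ("$actual" -eq $Expected) { 'PASS' } else { 'FAIL' }
        }
    }

    # Service-level settings: no cleartext transport, no Basic, Kerberos and certificate on.
    Add-Check 'Unencrypted traffic disabled' 'WSMan:\localhost\Service\AllowUnencrypted' 'false'
    Add-Check 'Basic auth disabled'          'WSMan:\localhost\Service\Auth\Basic'        'false'
    Add-Check 'Kerberos auth enabled'        'WSMan:\localhost\Service\Auth\Kerberos'     'true'
    Add-Check 'Certificate auth enabled'     'WSMan:\localhost\Service\Auth\Certificate'  'true'

    # Listener check: every listener must be HTTPS; any HTTP listener is a failure.
    $listeners = Get-ChildItem -Path 'WSMan:\localhost\Listener'
    $httpListeners  = @()
    $httpsListeners = @()
    foreach ($listener in $listeners) {
        $props     = Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)"
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        if ($transport -eq 'HTTPS') { $httpsListeners += $listener.Name }
        elseif ($transport -eq 'HTTP') { $httpListeners += $listener.Name }
    }
    $results += [pscustomobject]@{
        Check    = 'No HTTP listeners'
        Expected = '0'
        Actual   = "$($httpListeners.Count)"
        Status   = if ($httpListeners.Count -eq 0) { 'PASS' } else { 'FAIL' }
    }
    $results += [pscustomobject]@{
        Check    = 'At least one HTTPS listener'
        Expected = '>=1'
        Actual   = "$($httpsListeners.Count)"
        Status   = if ($httpsListeners.Count -ge 1) { 'PASS' } else { 'FAIL' }
    }

    # Return the table; callers can pipe to Format-Table or test for any FAIL rows.
    return $results
}

# Usage: print the report and exit non-zero if anything failed (useful in a build pipeline).
$report = Test-SecureWinRMBaseline
$report | Format-Table -AutoSize
if ($report | Where-Object Status -eq 'FAIL') { exit 1 }
```

Running this before and after Enable-SecureWinRM shows exactly which settings the module changed, and running it periodically (for example from a scheduled task or a configuration-baseline job) catches drift such as an HTTP listener re-created by another tool.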


Intended audience

Primary:

  • Active Directory administrators
  • Enterprise Windows administrators

Also suitable for:

  • Homelab environments
  • Compliance- and audit-driven environments
  • Golden image and baseline builds

Requirements

  • Windows PowerShell 5.1 or later
  • Administrator privileges
  • WinRM service available
  • For certificate authentication, client certificate mapping must be configured separately

Installation

Clone the repository and import the module:

Import-Module .\SecureWinRM\SecureWinRM.psd1

Optionally place the module in a standard PowerShell module path.

Usage

Enable-SecureWinRM

By default, the module will create a self-signed certificate for the local computer if no suitable certificate is found.

To specify a DNS name for the certificate:

Enable-SecureWinRM -DnsName server01.contoso.com

To preview changes without applying them:

Enable-SecureWinRM -WhatIf

Safety and idempotency

  • Existing HTTPS listeners are reused when possible
  • HTTP listeners are removed if present
  • Settings are applied in a repeatable manner
  • Supports WhatIf and Confirm for change control workflows

Certificate authentication note

Enabling certificate authentication allows WinRM to accept certificate-based logons, but it does not configure client certificate mappings.

You must configure one of the following yourself:

  • Local certificate-to-user mappings
  • Active Directory certificate mappings

This is by design, to keep policy decisions explicit.
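As an added illustration of the local mapping option (this is not part of the SecureWinRM module), the script below creates a mapping in the WSMan provider's ClientCertificate store so that a client presenting a certificate with the given subject, issued by the given CA, is logged on as a specific local account. The subject, the issuer thumbprint and the account name are constructed placeholders; replace them with values from your own PKI and host. The mapping ties a certificate to a local account, so the credential supplied must be that account's, and WSMan rejects the mapping if the CA certificate is not already trusted on the host.

```powershell
# Added example (not part of SecureWinRM): map one client certificate to a local account.
# Placeholder values; substitute your own certificate subject, CA thumbprint and account.
$subject     = 'ops-automation@contoso.com'               # CN / UPN in the client certificate
$issuerThumb = '<THUMBPRINT-OF-ISSUING-CA-CERT>'          # SHA-1 thumbprint of the issuing CA
$account     = "$env:COMPUTERNAME\winrm-ops"              # local account the certificate logs on as

# Prompt for the password of the local account the certificate will map to.
$cred = Get-Credential -UserName $account -Message 'Password for the mapped local account'

# Refuse to proceed if the issuing CA is not in the machine's trusted root store;
# WSMan will not accept a mapping for an untrusted issuer, and silently failing here is worse.
$ca = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $issuerThumb
if (-not $ca) { throw "Issuing CA $issuerThumb is not trusted by this machine; import it first." }

# Create the mapping. -URI * applies it to all WinRM resource URIs on this host.
New-Item -Path 'WSMan:\localhost\ClientCertificate' `
         -Subject $subject `
         -URI '*' `
         -Issuer $issuerThumb `
         -Credential $cred `
         -Force | Out-Null

# Show the resulting mappings so the change is visible and reviewable.
Get-ChildItem -Path 'WSMan:\localhost\ClientCertificate' |
    ForEach-Object {
        Get-ChildItem -Path "WSMan:\localhost\ClientCertificate\$($_.Name)" |
            Select-Object @{n='Mapping';e={$_.PSParentPath.Split('\')[-1]}}, Name, Value
    } | Format-Table -AutoSize
```

Each mapping is a policy decision: it names exactly which certificate subjects, from which issuer, become which account. Keep the mapped account's rights minimal, review the ClientCertificate store alongside the listener configuration, and remove mappings when the corresponding certificate is retired.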

Non goals

  • Supporting NTLM, Basic authentication, or unencrypted WinRM
  • Automatically mapping certificates to users
  • Backwards compatibility with legacy tooling
