Winrm служба удаленного управления windows ws management

From Wikipedia, the free encyclopedia

WinRM (Windows Remote Management) is Microsoft’s implementation of WS-Management in Windows which allows systems to access or exchange management information across a common network. Utilizing scripting objects or the built-in command-line tool, WinRM can be used with any remote computers that may have baseboard management controllers (BMCs) to acquire data. Windows-based computers including WinRM certain data supplied by Windows Management Instrumentation (WMI) can also be obtained.^[1]

Components[edit]

• WinRM Scripting API
  • Provides an Application programming interface enabling scripts to remotely acquire data from computers that perform WS-Management operations.
• winrm.cmd
  • Built-in systems management command line tool allowing a machine operator to configure WinRM. Implementation consists of a Visual Basic Scripting (VBS) Edition file (Winrm.vbs) which is written using the aforementioned WinRM scripting API.
• winrs.exe
  • Another command line tool allowing the remote execution of most Cmd.exe commands. This tool utilizes the WS-Management protocol.
• Intelligent Platform Management Interface (IPMI) driver
  • Provides hardware management and facilitates control of remote server hardware through BMCs. IPMI is most useful when the operating system is not running or deployed as it allows for continued remote operations of the bare metal hardware/software.
• WMI plug-in
  • Allows WMI data to be made available to WinRM clients.^[2]
• WMI service
  • Leverages the WMI plug-in to provide requested data or control and can also be used to acquire data from most WMI classes. Examples include the Win32_Process, in addition to any IPMI-supplied data.
• WS-Management protocol
  • Web Services Management is a DMTF open standard defining a SOAP-based protocol for the management of servers, devices, applications and various Web services. WS-Management provides a common way for systems to access and exchange management information across the IT infrastructure.^[3]

• Ports
  • By default WinRM HTTPS used 5986 port, and HTTP uses 5985 port. By default, port 5985 is in listening mode, but port 5986 has to be enabled.

Common uses[edit]

Ansible communicates with Windows servers over WinRM using the Python pywinrm package and can remotely run PowerShell scripts and commands.^[4]

Thycotic’s Secret Server also leverages WinRM to enable PowerShell remoting.^[5]

SolarWinds Server and Application Monitoring software (SAM) utilizes a WinRM server on monitored servers for its PowerShell integration.^[6]

CloudBolt leverages WinRM as part of Blueprints, Server Actions, and CB Plugins to execute remote scripts on Windows servers using the python pywinrm module.^[7]

Security[edit]

WinRM uses Kerberos for initial authentication by default. This ensures that actual credentials are never sent in client-server communications, instead relying on features such as hashing and tickets to connect.^[8] Although WinRM listeners can be configured to encrypt all communications using HTTPS, with the use of Kerberos, even if unencrypted HTTP is used, all communication is still encrypted using a symmetric 256-bit key after the authentication phase completes. Using HTTPS with WinRM allows for additional security by ensuring server identity via SSL/TLS certificates thereby preventing an attacker from impersonating it.^[9]

References[edit]

External links[edit]

• Windows Remote Management — Windows applications | Microsoft Docs

From Wikipedia, the free encyclopedia

WinRM (Windows Remote Management) is Microsoft’s implementation of WS-Management in Windows which allows systems to access or exchange management information across a common network. Utilizing scripting objects or the built-in command-line tool, WinRM can be used with any remote computers that may have baseboard management controllers (BMCs) to acquire data. Windows-based computers including WinRM certain data supplied by Windows Management Instrumentation (WMI) can also be obtained.^[1]

Components[edit]

• WinRM Scripting API
  • Provides an Application programming interface enabling scripts to remotely acquire data from computers that perform WS-Management operations.
• winrm.cmd
  • Built-in systems management command line tool allowing a machine operator to configure WinRM. Implementation consists of a Visual Basic Scripting (VBS) Edition file (Winrm.vbs) which is written using the aforementioned WinRM scripting API.
• winrs.exe
  • Another command line tool allowing the remote execution of most Cmd.exe commands. This tool utilizes the WS-Management protocol.
• Intelligent Platform Management Interface (IPMI) driver
  • Provides hardware management and facilitates control of remote server hardware through BMCs. IPMI is most useful when the operating system is not running or deployed as it allows for continued remote operations of the bare metal hardware/software.
• WMI plug-in
  • Allows WMI data to be made available to WinRM clients.^[2]
• WMI service
  • Leverages the WMI plug-in to provide requested data or control and can also be used to acquire data from most WMI classes. Examples include the Win32_Process, in addition to any IPMI-supplied data.
• WS-Management protocol
  • Web Services Management is a DMTF open standard defining a SOAP-based protocol for the management of servers, devices, applications and various Web services. WS-Management provides a common way for systems to access and exchange management information across the IT infrastructure.^[3]

• Ports
  • By default WinRM HTTPS used 5986 port, and HTTP uses 5985 port. By default, port 5985 is in listening mode, but port 5986 has to be enabled.

Common uses[edit]

Ansible communicates with Windows servers over WinRM using the Python pywinrm package and can remotely run PowerShell scripts and commands.^[4]

Thycotic’s Secret Server also leverages WinRM to enable PowerShell remoting.^[5]

SolarWinds Server and Application Monitoring software (SAM) utilizes a WinRM server on monitored servers for its PowerShell integration.^[6]

CloudBolt leverages WinRM as part of Blueprints, Server Actions, and CB Plugins to execute remote scripts on Windows servers using the python pywinrm module.^[7]

Security[edit]

WinRM uses Kerberos for initial authentication by default. This ensures that actual credentials are never sent in client-server communications, instead relying on features such as hashing and tickets to connect.^[8] Although WinRM listeners can be configured to encrypt all communications using HTTPS, with the use of Kerberos, even if unencrypted HTTP is used, all communication is still encrypted using a symmetric 256-bit key after the authentication phase completes. Using HTTPS with WinRM allows for additional security by ensuring server identity via SSL/TLS certificates thereby preventing an attacker from impersonating it.^[9]

References[edit]

External links[edit]

• Windows Remote Management — Windows applications | Microsoft Docs

Discover what WinRM protocol is all about and gain insight on how you can use it to manage your network

Windows Remote Management (WinRM) is the Microsoft implementation of Web Services-Management (WS-Management) protocol that provides a common way for systems (hardware and operating systems) from different vendors, to interact to access and exchange management information across an IT infrastructure.

WinRM is an important and useful protocol, especially for Network Administrators managing large windows network infrastructure.

Microsoft started implementing the WS-Management standard when it released WinRM 1.1, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This was followed by WinRM 2.0 found in Windows 7 and Windows Server 2008 R2, which allows PowerShell 2.0 scripts and cmdlets to be invoked on a remote machine or a large set of remote machines. The latest version of Windows Remote Management—WinRM 3.0 was released in 2012 and comes pre-installed out of the box in Windows 8 and Windows Server 2012.

Why is the WinRM protocol important?

Why is the WinRM protocol important and why do we need it? With WinRM protocol, the connection between computers or servers can be easily established, so that remote operations can be performed. You can obtain data or manage resources on remote computers as well as the local computer. Connecting to a remote computer in a Windows Remote Management script is very similar to making a local connection. The WinRM protocol is intended to improve hardware management in a network environment with various devices running a variety of operating systems.

As a command-line tool, WinRM is built into Windows operating systems and based on .NET and PowerShell, which allows scripts and remote PowerShell commands to be invoked on Windows-based machines or a large set of remote machines without RDP or log into the remote machine. This method makes it easier for Windows Administrators to manage multiple machines using scripts and cmdlet, and perform tasks such as:

• Monitor, manage and configure servers, operating systems, and client machines from a remote location.
• Remotely communicate and interface with hosts through readily available channels/ports within your network, including workstations, servers, and any operating system that supports it.
• Execute commands remotely on systems that you are not local to you but are network accessible

The Windows Remote Shell (WinRS) command-line tool relies on WinRM to execute remote commands. It leverages WinRM to let you launch processes on remote machines. WinRM is the server component of this remote management application and WinRS is the client component for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, both computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.

WinRM architecture and components 

The WinRM architecture consists of components on the client and server computers. The diagram in Figure 1.0 below shows the components on both the requesting client and responding server computers, and how they interact with each other, including the protocol that is used to communicate between them.

Table 1.0  below is a breakdown of the various WinRM components and where they reside.

Table 1.0 | WinRM components and description

WinRM configuration and commands

For the WinRM command-line tool and scripts to run, and perform data operations effectively, Windows Remote Management (WinRM) must be installed and configured. However, the good news is that WinRM is automatically installed with all currently-supported versions of the Windows operating system, including IPMI (Intelligent Platform Management Interface) WMI (Windows Management Instrumentation) provider components.

By default, WinRM is enabled on Windows Server OS since Windows Server 2012, but not on Windows 10 operating system. This means that you need to enable it on Windows 10 machines. To enable WinRM on a Windows 10 machine, open PowerShell and run the following cmdlet:

Enable-PSRemoting -force

If you have a single Windows 10 machine that is not part of an Active Directory domain network,  you may need to add the machine you are going to connect from to the trusted host of the Windows 10 machine. The reason we need to add trusted hosts is to be able to connect to a Windows machine using WinRM.

However, in situations where you have 100+ Windows 10 machines in an Active Directory domain network, you may need to use a Group Policy (GPO) to get it working with minimal effort. To use a GPO, create a new one or edit an existing one and modify the following settings and set WinRM to “Enabled”:

• Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

Remember to apply the GPO to the Organizational Units (OU) that have all your Windows 10 machines. Within a few minutes after applying the GPO to the OU, all your hosts will get the policy update. In this case, there is no need to modify the trusted hosts’ list.

The table below is a collection of some WinRM commands you can use to execute remote operations. Please note that these commands work best when you are on an Active Directory domain network. For workgroup machines, the WinRM service may require additional configuration such as modifying the trusted hosts’ list.

Table 2.0 | Common WinRM commands and description

WinRM security

By default, WinRM uses Kerberos for authentication. This means that Windows never sends the actual credentials to the system requesting validation instead of relying on features such as hashing and tickets to connect.

WinRM listens on TCP port 80 (HTTP) by default, it doesn’t mean traffic is unencrypted. Traffic by default is only accepted by WinRM when it is encrypted using the Negotiate or Kerberos SSP. WinRM also includes helper code that lets the WinRM listener share port 80 with the Microsoft IIS  web server or any other application that may need to use that port. Although WinRM listeners can be configured to encrypt all communications using HTTPS, with the use of Kerberos, even if unencrypted HTTP is used, all communication is still encrypted using a symmetric 256-bit key after the authentication phase completes.

You can manually configure WinRM to use HTTPS. The purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the network. This allows for additional security by ensuring server identity via SSL/TLS certificates thereby preventing an attacker from impersonating it. To configure WinRM to use HTTPS, a local computer Server Authentication certificate with a CNAME matching the hostname is required to be installed. To install certificates for the local computer, follow the steps below:

• Select Start and then select Run (or using keyboard combination press Windows key+R)
• Type MMC and then press Enter
• Select File from menu options and then select Add or Remove Snap-ins
• Select Certificates and select Add
• Go through the wizard selecting the Computer account
• Install or view the certificates under Certificates (Local computer) >> Personal >> Certificates.

Once the certificate is successfully installed, use the following command to configure WRM to listen on HTTPS: winrm quickconfig -transport:https

Notable applications of WinRM

• SolarWinds Server & Application Monitor software (SAM) enables remote access for PowerShell with WinRM. It utilizes a WinRM server on monitored servers for its PowerShell integration.
• Thycotic Secret Server—privileged access management (PAM) solution, relies on WinRM components to run PowerShell scripts.
• Ansible—an agentless open-source software provisioning and deployment tool, leverages WinRM to communicate with Windows servers and run PowerShell scripts and commands. Ansible is agentless because of its ability to remotely connect via WinRM, thereby allowing remote PowerShell execution to do its tasks.
• CloudBolt—a hybrid cloud management platform, leverages WinRM as part of Blueprints, Server Actions, and CB Plugins to execute remote scripts on Windows servers using the python pywinrm module.

Windows Remote Management FAQs

В этой статье мы рассмотрим, как централизованно включить и настроить службу удаленного управления Windows Remote Management (WinRM) на компьютерах домена с помощью групповых политик. Напомню, что Windows Remote Management это реализация протокола WS-Management Protocol для удаленного управления клиентскими и серверными ОС Windows. WinRM позволяет удаленно управлять компьютерами через:

• Server Manager (Windows Server);
• PowerShell Remoting (PSSession);
• Windows Admin Center.

Как включить WinRM в Windows вручную?

Служба WinRM установлена во всех современных версиях Windows. В Windows Server она включена по умолчанию, и отключена в десктопных редакциях Windows 11/10/8.1). По умолчанию слушатель службы WinRM listener не принимает подключения. Чтобы проверить это, выполните на клиенте команду:

WinRM enumerate winrm/config/listener

Появится ошибка, которая говорит, что служба WinRM не настроена:

WSManFault Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number: -2144108526 0x80338012

Чтобы включить и настроить службу WinRM в Windows, достаточно выполнить команду:

winrm quickconfig

или

Enable-PSRemoting –Force

WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.

Данная команда изменит тип запуска службы WinRM на автоматический, задаст стандартные настройки WinRM и добавить исключения для WinRM портов (5985 и 5986) в список исключений Windows Defender Firewall.

Настройка WinRM с помощью групповых политик

Вы можете автоматически включить и настроить WinRM на компьютерах домена с помощью групповых политик Windows.

1. Откройте консоль редактора Group Policy Management Console (gpmc.msc), выберите контейнер с компьютерами на которых вы хотите включить WinRM и создайте новую политику corpEnableWinRM;
2. Откройте политику на редактирование;
3. Перейдите в раздел Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services. Найдите службу Windows Remote Service (WS-Management) и настройте ее на автоматический запуск;
4. Теперь перейдите в раздел Computer Policies -> Preferences -> Control Panel Settings -> Services и выберите New -> Service. Укажите имя службы WinRM и на вкладке Recovery задайте действие Restart the Service;
5. Перейдите в раздел Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service. Включите параметр Allow remote server management through WinRM. В поле фильтр IPv4/IPv6 можно указать IP адреса или подсети, на которых нужно слушать удаленные подключения через WinRM. Если вы хотите разрешать принимать WinRM подключения на всех IP адресах, оставьте здесь *;
6. Откройте в Windows Defender Firewall правила, разрешающие подключаться к WinRM по стандартным портам 5985 и 5986. Перейдите в Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules. Выберите predefined rule Windows Remote Management;
7. Перейдите в раздел Computer Configuration -> Policies -> Windows Components -> Windows Remote Shell и включите параметр Allow Remote Shell Access.

Обновите настройки GPO на клиентах и проверьте, что служба WinRM настроилась автоматически. Для диагностики применения групповой политики на клиенте можно использовать утилиту gpresult.

Проверка настроек WinRM

Чтобы проверить, что настройки WinRM на компьютере заданы через групповые политики, выполните команду:

winrm e winrm/config/listener

Команда выведет текущие настройки WinRM листенера. Обратите внимание на строку
Listener [Source="GPO"]
. Она означает, что настройки получены через групповые политики.

Полную конфигурацию службы WinRM можно вывести с помощью команды:

winrm get winrm/config

Теперь нужно попробовать удаленно подключиться к компьютеру через WinRM. Запустите на удаленном компьютере консоль PowerShell с учетной записью с правами администратора на обоих компьютерах и выполните команду:

Test-WsMan YourCompName1

Если WinRM включен, появится такой ответ:

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

Теперь можно попробовать выполнить интерактивное подключение к удаленному компьютеру через PSRemoting с помощью командлета Enter-PSSession:

Enter-PSSession CompNameHere1

В данном случае подключение было успешно установлено и перед вами открылась консоль удаленного сервера.

По аналогии через PSRemoting на удаленном компьютере команду можно выполнить произвольную команду с помощью Invoke-Command:

Invoke-Command -ComputerName YourCompName1 -ScriptBlock {ipconfig /all}

Если соединение работает, вы увидите на экране вывод команды
ipconfig
.

Также можно выполнить команду на удаленном хосте так:

winrs -r:wsk-w10BO1 dir

В некоторых случаях при подключении через PSSession может появится ошибка:

Enter-PSSession : Connecting to remote server wsk-w10BO1 failed with the following error message : Access is denied.
CategoryInfo : InvalidArgument: (wsk-w10BO1:String) [Enter-PSSession], PSRemotingTransportException FullyQualifiedErrorId : CreateRemoteRunspaceFailed

В этом случае проверьте настройки разрешения для подключения к WinRM на удаленном компьютере:

Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell

Убедитесь, что ваша учетная запись входит в группу Administrators или Remote Management Users (см. статью об удаленном доступе через WinRM без прав администратора) и им предоставлены права FullControl. Также проверьте, нет ли Deny правил.

Для настройки WinRM и PSRemoting в рабочей группе (без домена AD) рекомендуем использовать эту инструкцию.

Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix.

This service also exists in Windows 7, 8 and Vista.

Startup Type

Default Properties

Default Behavior

The Windows Remote Management (WS-Management) service is running as NT AUTHORITYNetworkService in a shared process of svchost.exe. Other services might run in the same process. If Windows Remote Management (WS-Management) fails to start, the error is logged. Windows 10 startup proceeds, but a message box is displayed informing you that the WinRM service has failed to start.

Dependencies

Windows Remote Management (WS-Management) is unable to start, if at least one of the following services is stopped or disabled:

• HTTP Service
• Remote Procedure Call (RPC)

Restore Default Startup Type of Windows Remote Management (WS-Management)

Automated Restore

1. Select your Windows 10 edition and release, and then click on the Download button below.

2. Save the RestoreWindowsRemoteManagementWSManagementWindows10.bat file to any folder on your hard drive.

3. Right-click the downloaded batch file and select Run as administrator.

4. Restart the computer to save changes.

Note. Make sure that the WsmSvc.dll file exists in the %WinDir%system32 folder. If this file is missing you can try to restore it from your Windows 10 installation media.

Yea, though I walk through the valley of the shadow of death, I will fear no evil: for thou art with me; thy rod and thy staff they comfort me.

Собственно WinRM (или Windows Remote Management) и переводится как «удаленное управление Windows». WinRM – служба удаленного управления для операционных систем Windows. Она входит в состав операционных систем начиная с Vista и Server 2008, для Windows XP и Server 2003 ее нужно устанавливать отдельно отсюда. WinRM – серверная часть приложения удаленного управления, к которому возможно удаленное подключение с помощью клиента Windows Remote Shell (WinRS).

WinRM основан на службах Web Services for Management (WS-Management) и использует протокол HTTP (порт 80) или HTTPS (443) и запросы SOAP для выполнения работы. Независимо от используемого протокола весь трафик, передаваемый WinRM шифруется (если специально не отключить эту опцию). Для аутентификации по умолчанию используется протокол Kerberos.

 В Windows Server 2008 WinRM установлен, но (по соображениям безопасности) по умолчанию не включен. Чтобы проверить, запущен ли WinRM на нашей машине, набираем в командной строке winrm enumerate winrm/config/listener

Если ответа нет, значит WinRM не запущен. Для того, чтобы настроить WinRM на автоматический запуск и разрешить удаленное подключение к компьютеру, набираем команду winrm quickconfig  или winrm qc

Чтобы WinRM не спрашивал подтверждения, можно добавить к вызову ключ -quiet. Узнать информацию о более тонкой настройке можно посмотреть встроенную справку WinRM: winrm help config

Ну и отключить WinRM можно с помощью такой команды:
winrm delete winrm/config/listener?IPAdress=*+Transport=HTTP

 Также все необходимые настройки можно сделать с помощью групповых политик. Для этого нужно:

• Настроить службу WinRM на автоматический запуск
• Разрешить подключения на соответствующие порты (80 и 443) в брандмауэре Windows
• Настроить элемент групповой политики Конфигурация компьютераАдминистративные шаблоныКомпоненты WindowsУдаленное управление WindowsСлужба удаленного управления WindowsРазрешить автоматическую установку прослушивателей (Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Remote Management WinRM ServiceAllow automatic configuration of listeners). Тут нужно будет указать  IP-адреса, с которых разрешаются подключения.

 Теперь перейдем непосредственно к использованию. Для подключения к удаленному компьютеру используем утилиту WinRS. WinRS – аббревиатура для Windows Remote Shell (удаленная среда Windows). С WinRS мы можем делать удаленные запросы на компьютеры, на которых запущен WinRM. Однако имейте ввиду, что на вашей машине также необходимо запускать WinRM для работы с WinRS.

Основным способом использования WinRS является выполнение команд на удаленной машине. Имя компьютера задаётся ключом -r, а после него следует выполняемая команда, например winrs –r:SRV2 ipconfig /all запускает на удаленном компьютере SRV2 команду ipconfig /all

По умолчанию для коммуникаций используется протокол http, но можно использовать и https: winrs -r:https://SRV2 ipconfig /all

Также можно с помощью  WinRS открыть интерактивный сеанс на удалённом компьютере: winrs -r:SRV2 cmd.exe

 Эта функция аналогична подключению по telnet, но использование WinRS однозначно лучше с точки зрения безопасности.

 Для использования WinRM все компьютеры должны быть членами одного домена. Если в вашем случае это не так, то можно попробовать понизить уровень безопасности. Для этого на компьютере, к которому хотим получить доступ, вводим следующие команды:

WinRM set winrm/config/service/auth @{Basic=«true»}

WinRM set winrm/config/client @{TrustedHosts=«<local>»}

WinRM set winrm/config/client @{TrustedHosts=«ComputerName»}

где ComputerName  — удаленный компьютер, с которого будет производиться подключение.

На компьютере, с которого будем подключаться, вводим :

WinRM set winrm/config/service/auth @{Basic=«true»}

WinRM set winrm/config/client @{TrustedHosts=«<local>»}

WinRM set winrm/config/client @{TrustedHosts=«ComрuterName»}

где ComputerName — компьютер, которым будем управлять.

Затем устанавливаем соедининие с помощью команды:

winrs -r:«ComputerName»: –u:DomainUsername –p:Password cmd.exe

где DomainUsername —  учетная запись пользователя с административными правами на удаленном компьютере.