Enable WSMan HTTPS Listener with PowerShell

Document created by matt.piekunka on Apr 20, 2016. Last modified by fran.schwarzmann on Aug 15, 2016. Version 2.

WSMan has replaced WMI for Hyper-V and Microsoft APM configurations in VMTurbo 5.4 and above.  The previous setup instructions (Enable/Disable WinRM on remote hosts & WSMan service configuration using domain GPO) configured WinRM to allow unencrypted traffic with basic authentication, which allows sensitive information (including credentials!) to be easily compromised.  See Compromising Yourself with WinRM's "AllowUnencrypted = True" for a fuller explanation and demonstration of this.  The following instructions walk you through configuring an HTTPS listener using PowerShell on your Hyper-V and Microsoft APM targets so that you can configure secure communication with VMTurbo.  All instructions require PowerShell 4+.  You will also need a certificate that is trusted by both the target and the VMTurbo appliance.  For the purposes of this document, we assume that you have a publicly signed certificate (with private key) and that PowerShell Remoting is already enabled on the target.

On the Hyper-V or Microsoft APM Target:

1. Import the .pfx certificate into the LocalMachine\My certificate store (you may not need the password if your certificate was not secured with one)

$password = ConvertTo-SecureString -String "<cert password>" -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath "<path to certificate>" -CertStoreLocation Cert:\LocalMachine\My -Password $password


2. Create the WSMan HTTPS listener using the certificate you just imported

New-Item -Path WSMan:\Localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $cert.Thumbprint


3. Create a firewall rule to allow WinRM HTTPS traffic in

New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "WinRM HTTPS-In" -Profile Any -LocalPort 5986 -Protocol TCP


4. You can verify that the HTTPS listener is working by entering a remote PowerShell session on the target via HTTPS

Enter-PSSession -ComputerName <target> -Credential (Get-Credential) -UseSSL


5. [Optional] Remove HTTP listeners to prevent insecure connections

Warning: This will remove all configured HTTP listeners and will prevent the use of some commands, such as Invoke-Command, without the "-UseSSL" switch.  Only do this if you fully understand the risks of removing all HTTP listeners.

Get-ChildItem WSMan:\Localhost\Listener | Where-Object -Property Keys -eq "Transport=HTTP" | Remove-Item -Recurse


6. [Optional] Set WinRM service to deny unencrypted connections

winrm set winrm/config/service @{AllowUnencrypted="false"}
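Once steps 1 to 6 are done, the following read-only audit function (added here as an example; it is not part of the original article or of VMTurbo) checks that the target actually ended up in the intended state: an HTTPS listener bound to a trusted, unexpired, correctly named certificate with a private key, no HTTP listener left behind, AllowUnencrypted set to false, and the firewall rule from step 3 enabled. Run it on the target in an elevated PowerShell 4+ session; the default for $ExpectedHostName (the machine's DNS host entry) and the rule name "WinRM HTTPS-In" are assumptions.

```powershell
# Added audit example (not from the original article). Assumes the firewall rule name
# from step 3 and that the appliance connects to this host by its DNS host name.
function Test-WSManHttpsConfig {
    param(
        # Name the VMTurbo appliance will connect to; must appear in the certificate's SAN or CN.
        [string]$ExpectedHostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Rule name created in step 3 above.
        [string]$FirewallRuleName = 'WinRM HTTPS-In'
    )
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $https = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })
    $http  = @($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })

    $cert = $null
    if ($https.Count -gt 0) {
        # WSMan may store the thumbprint with spaces between byte pairs; strip them before matching.
        $thumb = (Get-Item "WSMan:\localhost\Listener\$($https[0].Name)\CertificateThumbprint").Value -replace '\s', ''
        $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    }
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $nameMatches = $cert -and (($cert.DnsNameList.Unicode -contains $ExpectedHostName) -or
                               ($cert.Subject -match "CN=$([regex]::Escape($ExpectedHostName))(?:,|\z)"))
    $rule = Get-NetFirewallRule -Name $FirewallRuleName -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        HttpsListenerPresent = $https.Count -gt 0
        HttpListenerPresent  = $http.Count -gt 0                          # $false once step 5 is done
        CertFoundInStore     = $null -ne $cert
        CertHasPrivateKey    = [bool]($cert -and $cert.HasPrivateKey)
        CertNotExpired       = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
        CertChainTrusted     = [bool]($cert -and $cert.Verify())          # chain builds to a trusted root
        CertMatchesHostName  = [bool]$nameMatches
        CertServerAuthEku    = [bool]($cert -and ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid))
        AllowUnencrypted     = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value   # 'false' after step 6
        FirewallRuleEnabled  = [bool]($rule -and $rule.Enabled -eq 'True')
    }
    # Overall verdict: HTTPS only, with a usable, trusted, correctly named certificate.
    $secure = $result.HttpsListenerPresent -and -not $result.HttpListenerPresent -and
              $result.CertFoundInStore -and $result.CertHasPrivateKey -and $result.CertNotExpired -and
              $result.CertChainTrusted -and $result.CertMatchesHostName -and $result.CertServerAuthEku -and
              $result.AllowUnencrypted -eq 'false' -and $result.FirewallRuleEnabled
    $result | Add-Member -NotePropertyName SecureForVMTurbo -NotePropertyValue $secure -PassThru
}

Test-WSManHttpsConfig | Format-List
```

Any $false in the output points at the step to revisit; CertChainTrusted is evaluated on the target, so also confirm the VMTurbo appliance trusts the same issuing CA.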


In VMTurbo:

When you add a target in VMTurbo, make sure to check the "Secure connection" checkbox.

[Image: VMTurbo-SecureHypervTarget.png, the target configuration dialog with "Secure connection" checked]
