WindowsBox.WinRM.psm1

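<#
.Synopsis
    Enables WinRM insecurely over http (use only for localhost connections)
.Description
    This cmdlet enables the WinRM endpoint using http and basic auth. This should
    only be used via localhost since username and password are sent unencrypted
    over the network.

    "winrm set" is a native command, so its failures do not surface as PowerShell
    errors; each call's exit code is checked and a non-zero code throws rather
    than leaving the endpoint half-configured.
#>

function Enable-InsecureWinRM {
    # Ensure the Windows firewall allows WinRM http traffic over port 5985.
    # NOTE(review): this inbound rule exposes the unencrypted endpoint to other
    # hosts on the allowed profiles; the "localhost only" guidance above is a
    # rule for callers, nothing here enforces it.
    Enable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction Stop

    Enable-WinRMConfiguration

    # Enable insecure basic auth over http. Credentials sent with Basic auth on
    # this transport are readable on the wire.
    winrm set winrm/config/service '@{AllowUnencrypted="true"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/service failed (exit code $LASTEXITCODE)" }

    winrm set winrm/config/service/auth '@{Basic="true"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/service/auth failed (exit code $LASTEXITCODE)" }
}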

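<#
.Synopsis
    Enables WinRM over https
.Description
    This cmdlet enables the WinRM endpoint using https and basic auth. This creates
    a self signed cert so you'll need to ensure your client ignores cert validation
    errors.

    Firewall rules are only created when no rule of the same name exists, so the
    cmdlet can be re-run. "winrm set" is a native command whose failures do not
    surface as PowerShell errors, so each exit code is checked explicitly.
#>

function Enable-WinRM {
    # Ensure the Windows firewall allows WinRM https traffic over port 5986.
    # The two rules differ only in name and network profile.
    $ruleCommon = @{
        DisplayName = 'Windows Remote Management (HTTPS-In)'
        Description = 'Inbound rule for Windows Remote Management via WS-Management. [TCP 5986]'
        Group       = 'Windows Remote Management'
        Program     = 'System'
        Protocol    = 'TCP'
        LocalPort   = '5986'
        Action      = 'Allow'
    }
    $rules = @(
        @{ Name = 'WINRM-HTTPS-In-TCP';        Profile = 'Domain', 'Private' }
        @{ Name = 'WINRM-HTTPS-In-TCP-PUBLIC'; Profile = 'Public' }
    )
    foreach ($rule in $rules) {
        # New-NetFirewallRule fails when the name is already taken; skip rules
        # that already exist so a second run does not error out here.
        if (Get-NetFirewallRule -Name $rule.Name -ErrorAction SilentlyContinue) {
            continue
        }
        New-NetFirewallRule @ruleCommon @rule -ErrorAction Stop
    }

    Enable-WinRMConfiguration

    # Create self signed cert for TLS connections to WinRM. The subject name is
    # "winrm", which will not match whatever address clients use, hence the
    # cert-validation caveat in the help above.
    $cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "winrm"
    if (-not $cert -or -not $cert.Thumbprint) {
        throw 'New-SelfSignedCertificate did not return a certificate with a thumbprint'
    }
    New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force

    # Enable basic auth over https and refuse unencrypted transports.
    # NOTE(review): Enable-PSRemoting (called from Enable-WinRMConfiguration)
    # presumably also leaves the default http listener on 5985 in place;
    # AllowUnencrypted="false" keeps Basic auth off that transport, but the
    # listener itself is not removed here — confirm this matches the intended exposure.
    winrm set winrm/config/service '@{AllowUnencrypted="false"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/service failed (exit code $LASTEXITCODE)" }

    winrm set winrm/config/service/auth '@{Basic="true"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/service/auth failed (exit code $LASTEXITCODE)" }

    # Re-assert port, hostname and thumbprint on the listener New-Item created above.
    winrm set 'winrm/config/listener?Address=*+Transport=HTTPS' "@{Port=`"5986`";Hostname=`"winrm`";CertificateThumbprint=`"$($cert.Thumbprint)`"}"
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/listener failed (exit code $LASTEXITCODE)" }
}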

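<#
.Synopsis
    Enables PowerShell remoting and lifts the default WinRM resource limits
.Description
    Shared by Enable-WinRM and Enable-InsecureWinRM. Runs Enable-PSRemoting with
    its defaults, then raises the WinRM timeout and removes the per-shell memory,
    process and per-user shell limits. "winrm set" is a native command whose
    failures do not surface as PowerShell errors, so each exit code is checked.
#>

function Enable-WinRMConfiguration {
    # Enable WinRM with defaults. -SkipNetworkProfileCheck lets this succeed even
    # when the machine's active network profile is Public.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck

    # Override defaults to allow unlimited shells/processes/memory.
    # NOTE(review): a value of "0" removes the limit entirely, so any
    # authenticated remote user can consume unbounded memory and processes on
    # this host; fine for a throwaway build box, confirm for anything longer-lived.
    winrm set winrm/config '@{MaxTimeoutms="7200000"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config MaxTimeoutms failed (exit code $LASTEXITCODE)" }

    winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="0"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/winrs MaxMemoryPerShellMB failed (exit code $LASTEXITCODE)" }

    winrm set winrm/config/winrs '@{MaxProcessesPerShell="0"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/winrs MaxProcessesPerShell failed (exit code $LASTEXITCODE)" }

    winrm set winrm/config/winrs '@{MaxShellsPerUser="0"}'
    if ($LASTEXITCODE -ne 0) { throw "winrm set winrm/config/winrs MaxShellsPerUser failed (exit code $LASTEXITCODE)" }
}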