Windows Remote Management (WinRM)

Owned by Miguel Lauriano
Last updated: Jun 11, 2024 by Aparna Rr
16 min read

About the Device

RRAS provides a remote user with access to an internal network via a secured virtual private network (VPN) connection. This connectivity can be deployed using typical IP-based VPN over the Internet. Or, like an Internet service provider (ISP), it can be deployed through dial-up services by allowing remote users to connect with the organizational network after authentication

The Routing and Remote Access service (RRAS) in Windows Server supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections. 

Device Information

 Entity

Particulars

 Entity

Particulars

Vendor Name

Microsoft

Product Name

Windows Remote Management

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log collection method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log collection method

Windows Event

WINEVTLOG

API-Pull

CyberHub

Device Configuration

To Configure WinRM

To Add the domain root certificate to the keystore

To use encryption for WinRM service, the HTTPS connection protocol should be defined. The default port for HTTP protocol is 5985 and for HTTPS protocol the default port is 5986.

If you do not use the HTTPS protocol, you do not need a certificate.

Every computer that has its logs read should have an SSL certificate. The Domain Certificate Server provides the certificate which should be signed with a domain root certificate. Machine collector read events should be included in the domain and should have domain user access. Both the domain computer and target computer should not be in the 169.XXX.XXX.XXX network.

The domain root certificate should be imported to the Cyberhub certificate keystore.

To add the domain root certificate to the keystore

  1. Copy the certificate file to the C:\Program Files\Symantec\Event Agent\jre\bin directory.

  2. At a command prompt, type the following: 

    keytool -importcert -trustcacerts -alias Symc-CA -file Symc-CA.cer -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass changeit.

Symc-CA is an alias for the domain root certificate Symc-CA.cer is a file with the domain root certificate. C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts is the path to the default Java certificate keystore. The default password for the certificate keystore is changeit

Adding a security descriptor

For the collector to access event logs through WinRM, a security descriptor must be added to the monitored Windows Vista, Windows 2003, Windows 2003 R2, or Windows 2008 system. The security descriptor was added as a component of Windows Vista SP1. A security descriptor needs to be modified to read the Security Event Log.

To add a security descriptor on the Windows 2008 or Windows 2008 R2 system:

  • Update the Windows Registry.

For a user that does not have administrative privileges, you can create a new user and add the record to the Event Log Readers group. To do this, first run the

wevtutil

command to get information about access rights. For example, to get settings for the security log, you can run the command: 

wevtutil gl security

This command will provide the following output:

  • name: security

  • enabled: true

  • type: Admin

  • owningPublisher:

  • isolation: Custom

  • channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

  • logging:

  • logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

  • retention: false

  • autoBackup: false

  • maxSize: 20971520

  • publishing:

Make a note of channnelAccess which returns the SDDL string that is set for the Security Log. In the example above, the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group. The ACE string of RootSDDL grants read access to the Event Log Readers: (A;;GR;;;ER).

If cutomsd.reg was imported, or you had set the CustomSD in the registry, you can access the Registry and delete the CustomSD key. This restores the default setting. To be able to collect the Security log from a Windows 2008 machine via WinRM  (access to the Security log is restricted to only a few users). 

To be able to read the Security log via WinRM, the Network Service account must be given read access to the Security log. The Network Service is the default account which the WinRM service uses to run. There are two ways to give the Network Service account the right permission: 

  • Add the account to the Event Log Readers group from which you want to collect the Security log: From the Administrator's command prompt, type the following: 

  • Provide the Network Service account read access to the Security log by changing the channel access: 

Windows Server 2003/2003 R2 or Windows Server 2008/2008 R2 with domain level 2003 does not have the EventLogreaders group. You must manually add permissions to the registry. 

For Windows Server 2003 client computers, set the registry key CustomerSD as follows: 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;0x01;;;NS) 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/System as O:BAG:SYD:(A;;0x01;;;NS) 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Application as O:BAG:SYD:(A;;0x01;;;NS)

Windows Server 2003 does not have the wevtutil command, the changes must be done through regedit.

To Disable the Remote Shell Access 

You may want to disable the Remote Shell Access, particularly if your company's policy states that Remote Shell Access is not allowed. After running winrm quickconfig, the Remote Shell Access is enabled.

To disable the Remote Shell Access for WinRM, run the following command:

To Configure Windows Firewall

If Windows Firewall is enabled on the server, you must configure the Windows Firewall to allow the Cyberhub to read events. 

  1. On the collector computer, from the Start menu, navigate to Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. In the left pane, click Windows Firewall with Advanced Security, and then, to expand the Configuration options, click the down arrow next to Windows Firewall with Advanced Security.

  3. In the left pane, under Windows Firewall with Advanced Security, click Inbound Rules.

  4. In the right pane, click New Rule

  5. On Windows 2008 Server R2, in the New Inbound Rule Wizard, complete the following steps:​

  • For the Rule Type, click Port, and then click Next

  • In the Protocol, select TCP

  • In the Local port, select Specific ports, and then specify the port values based on whether WinRM 1.1 or WinRM 2.0 is being used. 

    • WinRM 1.1 uses port 80 for HTTP and port 443 for HTTPS by default. 

    • WinRM 2.0 uses port 5985 for HTTP and port 5986 for HTTPS by default. 

  • Click Next.

  • In Action, click Allow the connection, and then click Next

  • In Profile, click all check boxes, and then click Next

  • In Name, specify a rule name, and then click Next.

To Configure WinRM to work with the Cyberhub

If Windows Remote Management is not installed and configured, WinRM scripts do not run. The WinRM command-line tool cannot perform data operations. On Windows Vista, start the WinRM service manually. By default, no WinRM listener is configured. You can use the WinRM command to locate listeners and addresses.

A certificate must be installed before you use the HTTPS protocol. To configure a Vista computer, you must log on as the local administrator. You can either select Run As Administrator from the Start menu or use the RunAs command at a command prompt.

You should execute Adding the domain root certificate to the keystore only if you use a local account for monitored host name. Vista should be included in a domain before you configure WinRM.

Type the following command at a command prompt to run WinRM with HTTP: 

The command performs the following operations: 

  • Starts the WinRM service and sets the service startup type to auto-start.

  • Configures a listener for the ports that send and receive MS-Management protocol messages using either the HTTP protocol or HTTPS protocol.

  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports.

When the tool appears, Make these changes: type: y

  1. At the prompt, type: winrm set winrm/config/service @{AllowUnencrypted="true"} ​

  2. At the prompt, type: winrm set winrm/config/service/Auth @{Basic="true"}​

  3. The winrm quickconfig command enables the Remote Shell access by default. When you run winrm set winrm/config, the following message appears:

AllowRemoteShell Access=true.

For security, Accenture recommends that you disable the Remote Shell access.

 To delete an HTTP listener 

  • ​Type the following at the command prompt:

For example, if your listener has the IP Address 192.168.2.1, type the following command to remove it: 

To delete an HTTPS listener 

  • Type the following at the command prompt: 

For example, if your listener has the IP Address 192.168.2.1, type the following command to remove it:

 To list all WinRM listeners​

  • ​Type the following at a command prompt: 

To set access rights for WinRM 

For WinRM 1.1:

  • Use the following command to grant read access for WinRM to a user: 

  • Replace with the SID of the user to whom you want to grant read access. To retrieve the SID of a user, consult the Microsoft documentation. 

For WinRM 2.0:

 A window appears that lets you add users and set the permissions.

image-20240528-043436.png

The collector can be installed remotely and uses Kerberos authentication when read from Windows 2012 R2 Domain Controllers. 

To configure Kerberos:

  1. Create a user for events reading.

  2. Add this user to the Event Log Reader group.

  3. Open User properties and in the Account tab, select Algorythms for this user.

image-20240528-043359.png

  1. Edit the Domain controller policy to enable additional algorithms.

To Configure the collector to collect events using HTTP transport with domain accounts 

  1. Create a domain user account in the Windows Active Directory Domain that hosts the systems from which you will be collecting events.

  2. On each system from which you will be collecting events, add the domain user account created in the previous step to the local Administrators group.

  3. On each system from which you will be collecting events, open an administrator-level command prompt by right-clicking the command prompt shortcut in the Start menu (located in All Programs > Accessories), and selecting Run as administrator.

  4. In the command prompt window, run the following commands:

  1. Answer “y” when asked “Make these changes [y/n]?”

  2. In Information Manager, in your WS Management Event Collector configuration, create a sensor definition for each system from which you will be collecting events, as follows:

  • Monitored Host Name = Fully Qualified Domain Name of system

  • Monitored Host Realm = Domain Name of Active Directory Domain

  • Connection Port = default for HTTP transport is port 80 for WinRM 1.1 and port 5985 for WinRM 2.0

  • Connection Protocol = HTTP

  • Monitored Host Account Name = Domain user account created in step 1

  • Account Password = Password for Domain user account created in step 1

  • Event Logs to Audit = Event logs from which you would like to collect events

  • Start Reading From = BEGINNING or END​

To Configure the collector to collect events using HTTP transport with a standalone server account

  1. Create a local user account in the Windows Active Directory Domain that hosts the systems from which you will be collecting events.

  2. On each system from which you will be collecting events, add the local user account created in the previous step to the local Administrators group.

  3. On each system from which you will be collecting events, open an administrator-level command prompt by right-clicking the Command Prompt shortcut on the Start menu (located in All Programs > Accessories), and selecting Run as administrator.

  4. In the command prompt window, run the following commands: 

  1. Answer “y” when asked “Make these changes [y/n]?” 

  2. In Information Manager, in your WS Management Event Collector configuration, create a sensor definition for each system from which you will be collecting events as follows:

  • Monitored Host Name = Fully Qualified Domain Name of system

  • Connection Port = default for HTTP transport is port 80 for WinRM 1.1 and port 5985 for WinRM 2.0

  • Connection Protocol = HTTP

  • Monitored Host Account Name = MACHINE/username for the local user account created in step 1

  • Account Password = Password for local user account created in Step 1

  • Event Logs to Audit = Event logs from which you would like to collect events

To Set up the collector without SSL 

If you are not collecting from other Windows hosts, your traffic will be sent from the agent encrypted, so there is no need to encrypt it on the same host twice. But if you wish to send logs from other windows hosts, you should consider using https and follow the procedures described below.

You must complete WinRM configuration on Windows Vista or Windows 2008 before you can install and configure the Information Manager Windows Vista/2008 collector. Review Microsoft documentation or contact Microsoft for detailed information.

To Add a Security Descriptor (SD) to the registry 

Access to the Event Logs requires that a Custom SD be used to allow access to that log. The Information Manager Windows Vista/2008 collector must have the ability to access the Windows Event Log, for this you must add an SD. To do this, you need to update your registry by exporting the customsd.reg provided with the collector or by adding the SD to the Event Logs manually. For Windows Server 2003, import customsd.reg for the local administrator account or add customsd. See "To add a Security Descriptor (SD) to the registry". 

To add a Security Descriptor (SD) to the registry: 

If you are not on a Domain, use the provided registry file to add the security descriptor for the Administrator account. The customsd.reg file is located under the utils subdirectory of the installation directory or inside the collector zipfile.

If you use a Domain, you need to configure a custom Security Descriptor. When using a domain user account, you need to configure the SD to allow access for that user.

To Set up the WinRM 

WinRM 2.x now uses the following ports for its default WinRM configuration: Ports HTTP = 5985 and HTTPS = 5986. See

WinRM must be installed and configured or WinRM scripts do not run and the WinRM command-line tool cannot perform data operations.

On Windows Vista, the WinRM service must be started manually. By default, no WinRM listener is configured. You can use the WinRM command to locate listeners and addresses. 

To set up WinRM

  1. To configure a Vista computer, you must login as the local administrator. You can either select Run As Administrator from the Start menu or use the RunAs command at the command prompt.

  2. To configure WinRM to work with the collector for standard http enter the following: To create WinRM listener with HTTP port 80, run the following command to create this listener: 

The command performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start.

  • Configures a listener for the port that sends and receives MS-Management protocol messages using the HTTP protocol.

  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports. 

  1. Modify some of the default settings: 

  1. To verify these settings, type the following:

  1. To remove a WinRM listener type the following at a command prompt: 

  1. Follow the remaining steps in the WS Management Event Collector Guide for Installation and Sensor Configuration.

To Create a WinRM listener with a custom port 

You need to create a WinRM listener with a custom port when you want to collect Windows logs and enable the WinRM listener. It uses the ports that are already in use.

WinRM 1.1 and its earlier versions use default HTTP port 80 and default HTTPS port 443 while Internet Information Services commonly use these ports.

WinRM 2.x uses default HTTP port 5985 and default HTTPS port 5986. Windows 2008 R2 uses a new version of WinRM, by default its HTTP port is 5985 and HTTPS port is 5986.

To create a WinRM listener with a custom HTTP port 8888

  • Run the command: 

You may choose any unused port.

To create WinRM listener with a custom HTTPS port 8888

  • Run the command: 

Port 8888 is given as an example. You may choose any unused port.

To change the port to a created WinRM listener:

  • Run the command: 

 Port 8888 is given as an example. You may choose any unused port.

To Create a Group Policy Object (GPO) for auto-configuration through Active Directory for the WS Management collector

​​For automatic configuration of WinRM through Active Directory, refer to the following URL:

To Create a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

One of the components that the WS Management collector uses is WinRM. You need to create certificates for every server to use HTTPS as a communication protocol for WinRM.

To automate this task, you can create a Group Policy Object (GPO) which instructs the servers to enroll for a certificate automatically. 

 

To create a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

  1. On the Start menu, navigate to Programs > Administrative Tools > Group Policy Management.

  2. Create a new GPO.

  3. Right-click the new GPO and click Edit.

  4. In Group Policy Management Editor, expand the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies folders.

  5. Create a new automatic certificate request policy.

  6. In the Welcome to the Automatic Certificate Request Settings Wizard panel, click Next.

  7. In the Certificate Template panel, select the Computer template, and click Next. If you create a policy for domain controllers, select the Domain Controller template.

  8. Click Finish.

  9. In the Group Policy Management Editor, navigate to Public Key Policies folder, in the right, enable Certificate Client Services - Auto-Enrollment (right-click Properties).

  10. To the right, in Group Policy Management Editor, in the Object Type section, right-click Certificate Client Services - Auto-Enrollment and select Properties.

  11. In the Configuration Model list, click Enabled.

  12. Check the two boxes available, click Apply and then click OK.

To check that the permissions for the Computer template on your certificate authority (CA) are set correctly: 

  1. On your CA, on the Start menu, click Run, and type the following command: mmc

  2. In the Management console, on the File menu, click Add/Remove Snap-in...

  3. In the Available snap-ins list, click Certificate Templates, click Add, and then click OK.

  4. In the Template Display Name list, right-click Computer template, and then click Properties.

  5. On the Security tab, for the domain computers group, check the Allow box to enroll permissions for domain computers.

You can now link the GPO to your domain and assign it to the computers that use WinRM for the WS Management collector.

To Specifying manually what certificate the WinRM listener uses

If in the collector log there are messages about "untrusted server certificate chain", a certificate either has not been set up, or winrm is set up with the wrong certificate file.

You must specify the certificate for Winrm because it does not use the correct one with the quickconfig tab.

You can manually set which certificate winrm uses by specifying the Certificate Thumbprint when you create the listener.

To create a new listener that specifies the Certificate Thumbprint:

  1. Open the certificate file, and click the Details tab.

  2. Scroll to the bottom and click Thumbprint.

  3. The bottom half of the window displays the hexadecimal value. This is what must be used in the Winrm command.

  4. When logged in as administrator, or an administrator, open a command window.

  5. Set the winrm configuration to use the correct thumbprint by entering the following command: 

  1. Set up the listener to use that same thumbprint by entering the following command: 

To Delete a WinRM listener created with the quickconfig command

You can delete WinRM listener that was created with the quickconfig command in Windows 2008 or Windows Vista.

To delete a WinRM listener created with the quickconfig command:

Do either of the following:

  • For an HTTP listener, run the following command:

  • For an HTTPS listener, run the following command:

Using the Event Log Readers group ​

Windows 2008/2008R2 standalone or domain level 2008 /2008R2 servers and Windows Vista grant read access to the event logs to the Event Log Readers group by default.

Therefore, do not import the customsd.reg and do not set any CustomSD manually. You might want to work under a user account that does not have administrative privileges when you use the collector.

In this case you need to create a user account and add it to the Event Log Readers group.

To get information about the access rights run wevtutil command. For example, to get settings for the Security log, run the following command: wevtutil gl security

The command gives you the following output:

  • name: security

  • enabled: true

  • type: Admin

  • owningPublisher:

  • isolation: Custom

  • channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY) (A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

  • logging:

  • logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

  • retention: false

  • autoBackup: false

  • maxSize: 20971520

  • publishing:

Look at the output for the channnelAccess that returns the SDDL string which is set for the Security Log. In this case the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group

0x1               Read

0x2               Write

0x3               Read/Write

0x4               Delete

For WinRM 1.1, the ACE string of the RootSDDL, which grants read access to the Event Log Readers looks as follows: (A;;GR;;;ER).

 If you imported the customsd.reg or set the CustomSD in the registry, you need to restore the default settings. 

 

To restore the default settings if you imported the customsd.reg or set CustomSD manually

  1. Navigate to the Registry.

  2. Delete the CustomSD key.

To Give the Network Service account the right permission ​

To collect Security log from a Windows 2008/2008R2 standalone or domain level 2008/2008R2 server via WinRM, the Network Service account must be given read access to the Security log.

The Network Service account is a default account that Windows Remote Management service uses to run.

To Give the Network Service account the right permission 

Use either of the following methods:

  • ​You can add the account to the Event Log Readers group on the Windows 2008 server from which you want to collect the Security log with the following command:

  • You can give the Network Service account read access to the Security log by changing the channel access with the following command:

The second option gives you the ability to use a Group Policy to set the channel access for the Security log in a domain environment.

If you are pulling from a Domain Controller, add the following string to the Custom SDDL for the Domain User to grant Network Service read access: (A;;0x1;;;NS). You need to use the second option for Windows 2008 Domain Controller as the Network Service is a Built-in Security Principal and local groups are not used in a Domain Controller.

Limiting the sensor to use only certain encryption types

The sensor uses the first encryption type that works for a connection. There is a way to limit the use of encryption types.

To limit the sensor to use only certain encryption types

  1. In a text editor, edit the config.xml file in the directory of the collector which uses the Windows Management Sensor. On Windows, this directory is normally available at C:\Program Files\Symantec\Event Agent\collectors\msvista. On Linux and Solaris, this is directory is normally available at: /opt/Symantec/sesa/Agent/collectors/msvista

  2. Under the tag, find the tag. 

  3. Insert the Encryption Types property between the and tags.

  4. Specify the desired value(s). The property accepts a single value as well as a comma-separated list of values. Full list of supported encryption types is available at http://download.oracle.com/javase/6/docs/technotes/guides/security/ jgss/jgss-features.html.

  5. Save and close the file.

  6. Restart the Event Agent. The following is a sample excerpt of a config.xml:

Creation of a subscription for reading events from a remote WinRm configured listener

In Windows Server 2008 and higher, a remote subscription can be configured.

  • For Setting up a Source Initiated Subscription: Refer to,

  • For Installation and Configuration for Windows Remote Management: Refer to,

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.