none
Restricting PowerShell Remoting to One Server RRS feed

  • Question

  • I am basically trying to enable remoting on all domain devices, but restrict them from only listening to one "script server." We are trying to keep remoting secure across the company and only allow it on domain devices and only from one server. I found a similar question and answer here: https://superuser.com/questions/1156138/allow-powershell-remoting-only-from-one-address. However, this does not appear to be working. After running the following command, I am able to remote to the computer from my script server:

    Enable-PSRemoting -confirm:$false

    I am running the following commands to restrict listening to only my script server IP address via the following:

    Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}
    
    New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.23.23.33";Transport="http"}
    
    Restart-Service winrm -Force

    However, when I now run a command against the remote computer, I receive the following error:

    [COMPUTERNAME] Connecting to remote server COMPUTERNAME failed with the following error message : The WinRM client sent a request to an HTTP server and got a response    
    saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the  
    about_Remote_Troubleshooting Help topic.                                                                                                                         

    Any suggestions? If there is a better way of restricting access so that only one server can run remote commands against any domain-connected machine?


    • Edited by ja0821 Thursday, January 4, 2018 6:15 PM
    • Moved by Bill_Stewart Monday, April 30, 2018 8:57 PM Abandoned
    Thursday, January 4, 2018 5:42 PM

All replies

  • When set up by group policy this is the default.  All servers enabled can only authenticate via the domain. 

    What is a "script server"?  There is no such thing.

    You can set the list of hosts for both client and server connections in GP.

    Post in GP forum to learn how to configure the Windows Remoting system for your domain.


    \_(ツ)_/

    Thursday, January 4, 2018 6:19 PM
  • I know how to enable PS remoting for ALL devices. however, I don't want to do that. I want to be able to enable PS remoting ONLY from my single server (my script server) and remote to ALL domain devices. I didn't think I needed to use the TrustedHosts list since I am only using HTTP within the domain. If I am trying to keep the domain as secure as possible and only use kerberos, what do I need to do so that I can use PS remoting on all domain-joined machines, but only from my server ?
    Thursday, January 4, 2018 6:28 PM
  • In ordere to use remoting to any device remoting (server) must be enabled on that client.  "TrustedHosts" will deteremine which "clients" can connect tot the "server" on the PC/Server.

    This is normally always done with GP. 

    What is a "script server" ?  Do you mean a remote client and you only want your PC to be the remote client. 

    You can also use certificates to validate the client to the server and restrict all connections to only  one client certificate.

    In all cases you must enable remoting on all systems.

    Please study the following carefully until you understand what WinRM is and how it works.  Follow all links.  Don't just read the first page.

    https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx


    \_(ツ)_/

    Thursday, January 4, 2018 7:28 PM