Windows remote management что это

From Wikipedia, the free encyclopedia

WinRM (Windows Remote Management)

Developer(s)	Microsoft
Operating system	Microsoft Windows
Type	Application programming interface
License	Proprietary commercial software
Website	docs.microsoft.com/en-us/windows/win32/winrm/portal

WinRM (Windows Remote Management) is Microsoft’s implementation of WS-Management in Windows which allows systems to access or exchange management information across a common network. Utilizing scripting objects or the built-in command-line tool, WinRM can be used with any remote computers that may have baseboard management controllers (BMCs) to acquire data. On Windows-based computers including WinRM, certain data supplied by Windows Management Instrumentation (WMI) can also be obtained.^[1]

Components[edit]

winrs

Developer(s)	Microsoft
Operating system	Microsoft Windows
Type	Command
License	Proprietary commercial software
Website	docs.microsoft.com/en-us/windows-server/administration/windows-commands/winrs

• WinRM Scripting API
  • Provides an Application programming interface enabling scripts to remotely acquire data from computers that perform WS-Management operations.
• winrm.cmd
  • Built-in systems management command line tool allowing a machine operator to configure WinRM. Implementation consists of a Visual Basic Scripting (VBS) Edition file (Winrm.vbs) which is written using the aforementioned WinRM scripting API.
• winrs.exe
  • Another command line tool allowing the remote execution of most Cmd.exe commands. This tool utilizes the WS-Management protocol.
• Intelligent Platform Management Interface (IPMI) driver
  • Provides hardware management and facilitates control of remote server hardware through BMCs. IPMI is most useful when the operating system is not running or deployed as it allows for continued remote operations of the bare metal hardware/software.
• WMI plug-in
  • Allows WMI data to be made available to WinRM clients.^[2]
• WMI service
  • Leverages the WMI plug-in to provide requested data or control and can also be used to acquire data from most WMI classes. Examples include the Win32_Process, in addition to any IPMI-supplied data.
• WS-Management protocol
  • Web Services Management is a DMTF open standard defining a SOAP-based protocol for the management of servers, devices, applications and various Web services. WS-Management provides a common way for systems to access and exchange management information across the IT infrastructure.^[3]

• Ports
  • By default WinRM HTTPS used 5986 port, and HTTP uses 5985 port. By default, port 5985 is in listening mode, but port 5986 has to be enabled.

Common uses[edit]

Ansible communicates with Windows servers over WinRM using the Python pywinrm package and can remotely run PowerShell scripts and commands.^[4]

Thycotic’s Secret Server also leverages WinRM to enable PowerShell remoting.^[5]

SolarWinds Server and Application Monitoring software (SAM) utilizes a WinRM server on monitored servers for its PowerShell integration.^[6]

CloudBolt leverages WinRM as part of Blueprints, Server Actions, and CB Plugins to execute remote scripts on Windows servers using the python pywinrm module.^[7]

Security[edit]

WinRM uses Kerberos for initial authentication by default. This ensures that actual credentials are never sent in client-server communications, instead relying on features such as hashing and tickets to connect.^[8] Although WinRM listeners can be configured to encrypt all communications using HTTPS, with the use of Kerberos, even if unencrypted HTTP is used, all communication is still encrypted using a symmetric 256-bit key after the authentication phase completes. Using HTTPS with WinRM allows for additional security by ensuring server identity via SSL/TLS certificates thereby preventing an attacker from impersonating it.^[9]

References[edit]

External links[edit]

• Windows Remote Management — Windows applications | Microsoft Docs

Прочитано:
10 172

Я опишу процесс, каким образом можно централизованно активировать и настроить службу Windows Remote Management (WinRM) на всех целевых компьютерах с помощью Group Security Policy. Windows Remote Management – это специальный сервис, позволяющий администраторам получить возможность удаленного доступа и управления клиентскими и серверными ОС Windows.

Возьмем обычный ПК с  Windows 7, который включен в домен, и на котором не активирована функция Windows Remote Management. В командной строке введем следующую команду:

Запустим командную строку с правами администратора.

WinRM enumerate winrm/config/listener

, должно появиться следующее сообщение об ошибке, свидетельствующее о том, что WRM не установлен:

WSMan Fault. The client cannot connect to the destination specified in the request. Error number: – 2144108526 0?80338012

Если нужно настроить  WinRM  вручную на отдельной системе, достаточно набрать команду:

winrm quickconfig

Это я рассмотрел вариант установки на единичную рабочую станцию.

В том случае, если нужно настроить WinRM на группе компьютеров, то можно воспользоваться специальными параметрами групповой политики.  Создадим групповую политику на контейнер где располагаются рабочие станции. Конфигурация компьютера  — Политики — Административные шаблоны -> Компоненты Windows – Удаленное управление Windows.  Активируем следующие параметры:

•    Клиент службы удаленного управления Windows.

•    Служба удаленного управления Windows

В разделе IPv4 filter укажем *, что означает, что компьютер может принимать подключения (а значит и управляющие команды) откуда угодно.

Далее в разделе Конфигурация компьютера – Политики — Административные шаблоны – Компоненты Windows – Удаленная оболочка Windows

Активируем пункт:

Разрешить доступ к удаленной оболочке – Включена

Управлять способом запуска служб можно из следующего раздела групповых политик: Конфигурация компьютера – Политики —  Конфигурация Windows — Параметры безопасности — Системные службы.

Открыть службу «Служба удаленного управления Windows (WM-Management) и произвести настройки ниже, см. скриншот.

Все готово. Перезагружаем рабочую станцию и после активации WinRM с помощью групповой политики, на клиентской системе проверим статус службы с помощью знакомой команды:

WinRM enumerate winrm/config/listener

Удостоверимся, что тип запуска службы WinRM  задан в автоматический . Хотя по факту тип запуска «автоматический с задержкой», т.к. по умолчанию для службы WinRM  задана задержка запуска (параметр  DelayedAutoStart=1 в ветке HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRM ).

После применения групповой политики, данной системой можно управлять удаленно с помощью команд WinRS. Следующая команда откроет командную строку, запущенную на удаленной системе:

winrs –r:<имя_компьютера> cmd

После появления окна командной строки вы можете выполнять и видеть результат выполнения любых команд на удаленном компьютере, как будто бы вы работаете за ним локально. Отметим, что на вашем управляющем компьютере WinRM также должна быть активирована.

В моем случаем тестовая машина называется alektest4

winrs -r:alektest4 cmd

Windows Remote Management, or WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications.

WinRM is a command-line tool that is used for the following tasks:

• Remotely communicate and interface with hosts through readily available channels/ports within your network, including workstations, servers and any operating system that supports it.
• Execute commands remotely on systems that you are not local to you but are network accessible
• Monitor, manage and configure servers, operating systems and client machines from a remote location.

History of WinRM

The earlier release, versions 1.1, was found in Windows Vista and Windows Server 2008, though could later be installed manually for Windows XP and Windows 2003.

A newer version, 2.0, can be found in Windows 7 and Windows Server 2008 R2, and the latest version of the software, 3.0, comes pre-installed out of the box in Windows 8 and Windows 2012 Server.

As for the latest windows installment, Windows 10, you’ll need to enable it as it does not come enabled by default.

It does require a little bit of setup and configuration, as it is not usually enabled and configured by default, but as it comes pre-installed and ready to go it’s a pretty simple process – do note that simple doesn’t always mean easy, unfortunately.

Configuring WinRM can sometimes be a breeze though it can sometimes be a bit of a hassle to get all the errors out of the way and get it sorted out just right.

Thankfully a great number of resources exist to aid in this part of the process and even several tools to help automate it!

Check out this great Tool below from Solarwinds that allows your to Remotely Enable WinRM on any PC or Server within your Network from your workstation.

A sort of sister process, Windows Remote Shell or WinRS, is the counterpart to WinRM. WinRS acts as the clients to WinRMs server component, providing the actual functionality and method of enacting commands and processes.

Most actual remote commands will be run via WinRS to a remote system with WinRM configured on it.

WinRM has several noteworthy benefits and strengths. As mentioned above, it’s built into the operating system, making installation and compatibility less of an issue.

It utilizes SOAP (Simple Object Access Protocol) requests in XML format, making it quite simple to work with.

Ports and Compatibility

WinRM Port is 5985 and 5986 (HTTPS)

In previous versions of WinRM, though, communications used to be done over port 80/443.

But since many server administrators take extra pre-cautions when locking down servers and desktop machines, blocking incoming traffic on Ports 80 and 443 was a given.

This was a problem for Powershell and WS-Management users as to why their connections where getting blocked and/or dropped while trying to manage systems remotely – thus leading Microsoft to change the default ports to the ones specified above, HTTP Port 5985 and HTTPS Port 5986 for WinRM connectivity.

If for some reason using the new port assignments are going to be a problem for your environment, and you would like configure systems to accept traffic on HTTP Port 80 and HTTPS Port 443, then this is where “Compatibility Listeners” come into play.

Compatibility Listeners cant be directly addressed, as other listeners are, but you can however allow traffic on these ports by either running a special command that configures the WinRM service to enable traffic on either port 80 or 443 like this:

winrm set winrm/config/service @{EnableCompatibilityHttpListener=”true”}

winrm set winrm/config/service @{EnableCompatibilityHttpsListener=”true”}

or applying a New Group Policy settings within this string:

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service

and then set either of these keys to “YES”

“Turn On Compatibility HTTP Listener” (if you would like to allow WinRM over HTTP port 80)

“Turn On Compatibility HTTPS Listener” (if you would like to allow WinRM over HTTPS port 443)

You can find more info about compatilibity settings on the MSDN Blog post here

It is worth pointing out that WinRM/WinRS can be a little finnicky when it comes to user accounts and permissions – any long time Windows environment tech won’t be too surprised by this.

When dealing with remote management in a situation like this you have to be pretty sure your accounts and permissions are properly configured, and there’s several ways that you can set things up so that it works perfectly with WinRM.

It does introduce on potential flaw, but only in the case of particularly bad password and user account etiquette.

Generally speaking, though, the usual nuances apply here like with most Windows workgroup accounts and permissions.

If I am logged into an ‘Administrator’ account with a certain password and hit up WinRM on another system which has the exact same username and password combination, then I’m in with full permissions.

But with the basics of what WinRM is out of the way, it begs the obvious next question – what can it do? As the name intuitively implies it’s all about remote management.

Part of it’s strength lies in its ability to do far more than just manage workstations, though – WinRM can provide remote management to a range of devices, physical and soft, including applications, a wide range of different vendors’ hardware, operating systems (not just Windows!), and more.

Almost any range of commands can be performed remotely once setup and configured properly, which does become especially useful in the realm of managing workstations and servers on any Windows-based environment, as you can effortlessly start and stop processes, check configurations and system status, perform maintenance, install or remove services.. just about anything!

If there’s a command line process that you can run on a Windows system then it’s a sure bet you can use it via WinRM for remote management. There’s a lot of options for remote system management, but sometimes it’s best to just go with what’s built in and already more or less ready to go.

A little configuration and setup is all it takes and you’ll be well on your way to easy native remote management, as long as the initial configuration woes don’t get in the way.

WinRM FAQs

Discover what WinRM protocol is all about and gain insight on how you can use it to manage your network

Windows Remote Management (WinRM) is the Microsoft implementation of Web Services-Management (WS-Management) protocol that provides a common way for systems (hardware and operating systems) from different vendors, to interact to access and exchange management information across an IT infrastructure.

WinRM is an important and useful protocol, especially for Network Administrators managing large windows network infrastructure.

Microsoft started implementing the WS-Management standard when it released WinRM 1.1, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This was followed by WinRM 2.0 found in Windows 7 and Windows Server 2008 R2, which allows PowerShell 2.0 scripts and cmdlets to be invoked on a remote machine or a large set of remote machines. The latest version of Windows Remote Management—WinRM 3.0 was released in 2012 and comes pre-installed out of the box in Windows 8 and Windows Server 2012.

Why is the WinRM protocol important?

Why is the WinRM protocol important and why do we need it? With WinRM protocol, the connection between computers or servers can be easily established, so that remote operations can be performed. You can obtain data or manage resources on remote computers as well as the local computer. Connecting to a remote computer in a Windows Remote Management script is very similar to making a local connection. The WinRM protocol is intended to improve hardware management in a network environment with various devices running a variety of operating systems.

As a command-line tool, WinRM is built into Windows operating systems and based on .NET and PowerShell, which allows scripts and remote PowerShell commands to be invoked on Windows-based machines or a large set of remote machines without RDP or log into the remote machine. This method makes it easier for Windows Administrators to manage multiple machines using scripts and cmdlet, and perform tasks such as:

• Monitor, manage and configure servers, operating systems, and client machines from a remote location.
• Remotely communicate and interface with hosts through readily available channels/ports within your network, including workstations, servers, and any operating system that supports it.
• Execute commands remotely on systems that you are not local to you but are network accessible

The Windows Remote Shell (WinRS) command-line tool relies on WinRM to execute remote commands. It leverages WinRM to let you launch processes on remote machines. WinRM is the server component of this remote management application and WinRS is the client component for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, both computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.

WinRM architecture and components 

The WinRM architecture consists of components on the client and server computers. The diagram in Figure 1.0 below shows the components on both the requesting client and responding server computers, and how they interact with each other, including the protocol that is used to communicate between them.

Table 1.0  below is a breakdown of the various WinRM components and where they reside.

Table 1.0 | WinRM components and description

WinRM configuration and commands

For the WinRM command-line tool and scripts to run, and perform data operations effectively, Windows Remote Management (WinRM) must be installed and configured. However, the good news is that WinRM is automatically installed with all currently-supported versions of the Windows operating system, including IPMI (Intelligent Platform Management Interface) WMI (Windows Management Instrumentation) provider components.

By default, WinRM is enabled on Windows Server OS since Windows Server 2012, but not on Windows 10 operating system. This means that you need to enable it on Windows 10 machines. To enable WinRM on a Windows 10 machine, open PowerShell and run the following cmdlet:

Enable-PSRemoting -force

If you have a single Windows 10 machine that is not part of an Active Directory domain network,  you may need to add the machine you are going to connect from to the trusted host of the Windows 10 machine. The reason we need to add trusted hosts is to be able to connect to a Windows machine using WinRM.

However, in situations where you have 100+ Windows 10 machines in an Active Directory domain network, you may need to use a Group Policy (GPO) to get it working with minimal effort. To use a GPO, create a new one or edit an existing one and modify the following settings and set WinRM to “Enabled”:

• Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM

Remember to apply the GPO to the Organizational Units (OU) that have all your Windows 10 machines. Within a few minutes after applying the GPO to the OU, all your hosts will get the policy update. In this case, there is no need to modify the trusted hosts’ list.

The table below is a collection of some WinRM commands you can use to execute remote operations. Please note that these commands work best when you are on an Active Directory domain network. For workgroup machines, the WinRM service may require additional configuration such as modifying the trusted hosts’ list.

Table 2.0 | Common WinRM commands and description

WinRM security

By default, WinRM uses Kerberos for authentication. This means that Windows never sends the actual credentials to the system requesting validation instead of relying on features such as hashing and tickets to connect.

WinRM listens on TCP port 80 (HTTP) by default, it doesn’t mean traffic is unencrypted. Traffic by default is only accepted by WinRM when it is encrypted using the Negotiate or Kerberos SSP. WinRM also includes helper code that lets the WinRM listener share port 80 with the Microsoft IIS  web server or any other application that may need to use that port. Although WinRM listeners can be configured to encrypt all communications using HTTPS, with the use of Kerberos, even if unencrypted HTTP is used, all communication is still encrypted using a symmetric 256-bit key after the authentication phase completes.

You can manually configure WinRM to use HTTPS. The purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the network. This allows for additional security by ensuring server identity via SSL/TLS certificates thereby preventing an attacker from impersonating it. To configure WinRM to use HTTPS, a local computer Server Authentication certificate with a CNAME matching the hostname is required to be installed. To install certificates for the local computer, follow the steps below:

• Select Start and then select Run (or using keyboard combination press Windows key+R)
• Type MMC and then press Enter
• Select File from menu options and then select Add or Remove Snap-ins
• Select Certificates and select Add
• Go through the wizard selecting the Computer account
• Install or view the certificates under Certificates (Local computer) >> Personal >> Certificates.

Once the certificate is successfully installed, use the following command to configure WRM to listen on HTTPS: winrm quickconfig -transport:https

Notable applications of WinRM

• SolarWinds Server & Application Monitor software (SAM) enables remote access for PowerShell with WinRM. It utilizes a WinRM server on monitored servers for its PowerShell integration.
• Thycotic Secret Server—privileged access management (PAM) solution, relies on WinRM components to run PowerShell scripts.
• Ansible—an agentless open-source software provisioning and deployment tool, leverages WinRM to communicate with Windows servers and run PowerShell scripts and commands. Ansible is agentless because of its ability to remotely connect via WinRM, thereby allowing remote PowerShell execution to do its tasks.
• CloudBolt—a hybrid cloud management platform, leverages WinRM as part of Blueprints, Server Actions, and CB Plugins to execute remote scripts on Windows servers using the python pywinrm module.

Windows Remote Management FAQs