Configuring PowerShell Secure Remoting

These are the steps to configure a Windows Server to allow Pliant to connect via PowerShell Remoting over HTTPS

The following commands should be run inside a PowerShell session started with Administrator credentials

1. Enable PowerShell Remoting


2. Create a self-signed HTTPS certificate to secure the encrypted connection

$CertThumb = $(New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My).Thumbprint

3. Enable HTTPS for the WinRM listener using the certificate we just created

"winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=`"${env:COMPUTERNAME}`"; CertificateThumbprint=`"$CertThumb`"}" | cmd

4. Permit PowerShell over HTTPS on the Windows Firewall

New-NetFirewallRule -DisplayName "Allow inbound PowerShell SSL TCP 5986" -Direction inbound -LocalPort 5986 -Protocol TCP -Action Allow

Pliant will use the NTLM / Negotiate authentication mechanism for WinRM connections over HTTPS

Allowing non-admin users to connect over PowerShell remoting

By default, users that are not Administrators or Domain Admins cannot connect over remote PowerShell sessions. The PowerShell block will fail with an “Access is denied.” message even though all authKey components are correct.

  1. Add the non-admin user to the “Remote Management Users” builtin group

  2. Add the “Remote Management Users” group to the default SDDL

    1. Run this command from an Administrator PowerShell prompt:

      winrm configSDDL default
    2. Add the “Remote Management Users” group and give it Full Control permission

  3. Add the “Remote Management Users” group to the root of the WMI control tree

    1. Run the “Computer Management” control panel

    2. Go to Services and Applications

    3. Right click on WMI Control and choose Properties

    4. Go to the Security Tab

    5. Click on Root and then click on the Security button

    6. Add the “Remote Management Users” group, then add “Execute Methods” and “Remote Enable” permissions for it

  4. Give the “Remote Management Users” group the following file system permissions to the C:\Windows\TEMP directory