5

I must manage a school network of about 60 Windows computers that are setup as workgroup computers and not in a domain. To ease configuration I am going to enable PowerShell remoting on all computers. (I know about Enable-PSRemoting and how to set this up in general) To limit security risks as far as possible, remoting to these computers should only be possible from my administration PC with a certain IP address.

So consider this example:

Computer 1: only accepts remoting connection from admin, not from computer 2
Computer 2: only accepts remoting connection from admin, not from computer 1
Admin computer: can remote on all computers

I'm not sure how to set up the Windows firewall on the computers to allow traffic of the WinRM protocol only from one IP address. The whole network is set to 'private'.

Can somebody help me out with enabling the correct firewall rules?

kenorb
  • 24,736
  • 27
  • 129
  • 199
SebastianR
  • 185
  • 1
  • 1
  • 6
  • 2
    [How to block all traffic but one IP in Windows Firewall?](http://superuser.com/questions/268902/how-to-block-all-traffic-but-one-ip-in-windows-firewall). Before you dismiss the suggestion, read the answer, the answer can be used in this situation. – Ramhound Dec 13 '16 at 15:20
  • @SimonS Isn't this command supposed to configure what remote hosts the admin computer accepts? Or can it also be used to restrict access who can access a host? – SebastianR Dec 13 '16 at 15:24
  • @Ramhound Thank, I've read the answer, and I think I could adapt the IPSec approach (#2). However, I don't want to block all other traffic, but I could probably adapt the solution to block all traffic on the WinRM ports except from my admin computer. However, changing local group policies with MMC isn't going to scale well for 60 computers spread around the building. So, any chances of a command line solution? – SebastianR Dec 13 '16 at 15:33
  • @Ramhound this is pretty cool! SebastianR you're absolutely right. sorry for the confusion – SimonS Dec 13 '16 at 15:35
  • You don't have to create a explict deny rule. You only need to create a explict allow rule. A implict deny rule already exists in most default configurations. Remember the general deny all rule should be the very last rule, and you should only allow, what you need. – Ramhound Dec 13 '16 at 15:39
  • @Ramhound thanks, I'll give this a try at work tomorrow. I think I must prevent Enable-PsRemoting from opening the firewall for all computers, though, when I first call it, so that the allow rule is enough. – SebastianR Dec 13 '16 at 15:45

2 Answers2

9

Like explained in this article: Enabling PowerShell remoting for only a specified set of IP addresses.

(for each client pc1/pc2/pc...) you have to:

enable-psremoting

next: remove the winrm-listener that was created by enable-psremoting

Remove-WSManInstance winrm/config/Listener -SelectorSet @{Address="*";Transport="http"}

now the machine listens to nobody, so you have to create a new listener for the admin-client

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:10.11.12.13";Transport="http"}

now restart the winrm service

spsv winrm -pass | sasv -pass |gsv   #*

(you have to run PowerShell as admin)

\*
*spsv = stop-service // sasv = start-service // gsv = get-service // -pass = -passThrough*
kenorb
  • 24,736
  • 27
  • 129
  • 199
MacMartin
  • 883
  • 9
  • 12
1

Maybe the Powershell "trustedhosts" list is you want?
You cant remote into a machine if you are not on the trustedhosts-list

Start the Powershell console as administrator

run this command:

get-item wsman:\localhost\client\trustedhosts

The "value" hast to be that IP adress or name of the admin client. To set this value run:

set-item wsman:\localhost\client\trustedhosts 192.168.1.2

(if there is already one value or if you have to admin-clients:

set-item wsman:\localhost\client\trustedhosts -concatenate admin02pcName

) Of course, wildcards are allowed
You can abbreviate get-item with gi and set-item with si and -concatenate with -concat

MacMartin
  • 883
  • 9
  • 12
  • Thanks for your answer, but I want to restrict connections at the other end: the computer that is being connected to should only allow those from a certain ip. Your solution allows the computer initiating the connection to connect. – SebastianR Dec 15 '16 at 16:58
  • sorry, now I understand. So I think you have to configure the remoting listener (WinRM) somehow. Maybe this article: [link](http://www.ravichaganti.com/blog/enabling-powershell-remoting-for-only-a-specified-set-of-ip-addresses/) ... >Now, to re-create the http listener on a specified IP address > >New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:192.168.100.2";Transport="http"} > >Once this listener is created successfully, you need to restart the >WinRM service ... – MacMartin Dec 16 '16 at 07:53