There are a lot of articles online about how to set up or configure remote PowerShell, and I have found that none of them are complete. The information is there, but it is scattered across different posts, out of order and often missing steps.
You need remote PowerShell to administer Windows servers, and these days you can do everything and anything with PowerShell, so remote PowerShell is a must.
Remote PowerShell is a little hard to set up and comes in two flavours: HTTP (port 5985) and HTTPS (port 5986). In the theme of security, this post focuses on the most secure way of setting up remote PowerShell, HTTPS with SSL on port 5986. I am also not covering domain-joined machines; I am focusing on stock standard machines that are not connected to a domain, aka ‘workgroup’ servers.
There are two scripts below: one assumes you already have a trusted certificate set up, the other assumes you want to create a brand new self-signed certificate. Both scripts take delegated authentication into consideration, to set the stage for using CredSSP if you want to.
If you’re a cheapskate, you can have PowerShell create a brand new self-signed certificate for you, which you can use.
Now, if you don’t want to buy a trusted certificate online but still want to use the first method (an existing certificate), you can pretty much make your own certificate.
First things first, you need to make a server signing certificate with a private key. The easiest and cheapest (free) way is to get a copy of makecert and pvk2pfx, available from here: https://1drv.ms/f/s!ArtfJd5lMp6hg-YBwF-ezB_IJFDMMA.
Once you have these tools, run:
makecert -sky exchange -r -n "CN=*.yourdomain.com" -pe -a sha1 -eku 1.3.6.1.5.5.7.3.1 -len 2048 -ss My -sr localmachine "MyCert.cer"
Use your best judgement here and change things around as you see fit; this is an example only. The -eku value is the standard Server Authentication OID, which is what an SSL listener certificate needs.
From here you import this certificate into the local machine store and export the private key to a *.pfx file. Note that the command above should already add the certificate (with its private key) to the local computer certificate store for you. You will then need to add the root certificate authority certificate, MyCert.cer (the one you just created), to the computer-level Trusted Root store of the machine you are connecting from. I won’t go into the certificate details too deeply here; you should know most of this already.
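The following is an added example and is not one of the two scripts from this post. It pulls the steps above together in PowerShell: it reuses the makecert certificate from the local computer store if it is there, otherwise falls back to the self-signed option mentioned earlier, exports the .cer and .pfx files, binds a WinRM HTTPS listener on 5986 to the certificate with the CredSSP server role enabled, and on the workgroup client imports MyCert.cer into the computer Trusted Root store and checks the listener. The function names, the server name srv01.yourdomain.com, the export folder and the firewall rule name are my assumptions, not anything from the post; it needs an elevated prompt and the PKI module (Windows Server 2012 / Windows 8 or later).

```powershell
# Added example (not the post's own scripts). Assumed values: server FQDN
# "srv01.yourdomain.com", certificate subject "CN=*.yourdomain.com" from the
# makecert step, export folder C:\WinRmCert, firewall rule name "WinRM HTTPS".

# ---- Server side ------------------------------------------------------------
function Install-WinRmHttpsListener {
    param(
        [Parameter(Mandatory)][string]$HostName,        # FQDN the clients will use
        [string]$CertSubject = "CN=*.yourdomain.com",   # subject used with makecert
        [string]$ExportDir   = "C:\WinRmCert"           # where .cer / .pfx land
    )

    # Prefer the makecert certificate already in LocalMachine\My; if it is not
    # there, take the "cheapskate" route and let PowerShell self-sign one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $HostName `
            -CertStoreLocation Cert:\LocalMachine\My
    }

    # Public part goes to the client's Trusted Root store; the PFX (private key)
    # is the backup/reuse copy. The password is prompted, never hard-coded.
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    Export-Certificate -Cert $cert -FilePath (Join-Path $ExportDir "MyCert.cer") | Out-Null
    $pfxPassword = Read-Host -AsSecureString -Prompt "PFX export password"
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $ExportDir "MyCert.pfx") `
        -Password $pfxPassword | Out-Null

    # Registers the session configurations and starts WinRM. Note this also
    # creates the plain HTTP listener on 5985; remove it afterwards if only the
    # encrypted path should be exposed.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

    # Drop any old HTTPS listener so the bound thumbprint is always the current one.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains "Transport=HTTPS" } |
        Remove-Item -Recurse -Force

    # HostName must match what clients type and what the certificate CN covers.
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $HostName -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # Inbound 5986 only.
    if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "WinRM HTTPS" -Direction Inbound `
            -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
    }

    # Delegated authentication, to set the stage for CredSSP as the post's scripts do.
    Enable-WSManCredSSP -Role Server -Force | Out-Null

    return $cert.Thumbprint
}

# ---- Client side (the workgroup machine you connect from) -------------------
function Install-WinRmHttpsTrust {
    param(
        [Parameter(Mandatory)][string]$CerPath,    # MyCert.cer copied from the server
        [Parameter(Mandatory)][string]$HostName    # same name as the listener HostName
    )
    # Computer-level Trusted Root store, exactly as the post requires.
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # Client half of CredSSP: only delegate credentials to this one server.
    Enable-WSManCredSSP -Role Client -DelegateComputer $HostName -Force | Out-Null

    # Over HTTPS the certificate proves the server identity, so no TrustedHosts
    # entry is needed; this fails if the chain or the CN does not check out.
    Test-WSMan -ComputerName $HostName -UseSSL -Port 5986
}

# Usage (run each half on the corresponding machine):
#   Install-WinRmHttpsListener -HostName "srv01.yourdomain.com"
#   Install-WinRmHttpsTrust -CerPath "C:\MyCert.cer" -HostName "srv01.yourdomain.com"
#   Enter-PSSession -ComputerName "srv01.yourdomain.com" -UseSSL -Credential (Get-Credential)
```

The client check is deliberately strict: Test-WSMan is run without any session option that skips CA or CN validation, so a name mismatch between the certificate subject and the host name you connect with shows up here rather than later in an Enter-PSSession error.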