WinRM Remote Server Management Disabled

💼 Management Summary

WinRM (Windows Remote Management) must be disabled on workstations to reduce the attack surface, unless remote PowerShell management is a business requirement.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk Score: 7/10
Implementation: 6h (tech: 4h)
Applies to: Windows 10, Windows 11, Workstations

WinRM attack surface: WinRM is the Windows implementation of the WS-Management protocol for remote management.

Risks:

  1. Remote code execution capability via PowerShell remoting
  2. Lateral movement vector (attackers use WinRM to spread)
  3. Credential theft risk (Basic authentication over HTTP is plaintext)
  4. Open network port (5985 HTTP, 5986 HTTPS)

Attack scenario: an attacker compromises one account → uses WinRM to execute commands on other machines → lateral movement across the network → domain-wide compromise.

Legitimate use: IT admins need WinRM for the Intune management agent (which uses HTTPS), PowerShell remoting for scripting, and SCCM/remote management.

Workstation vs server:

  1. Workstations: rarely need INBOUND WinRM (users do not manage other machines); can be disabled safely (Intune uses alternative channels).
  2. Servers: often need WinRM for management (especially domain controllers); cannot be disabled without careful planning.

Recommended approach: disable on workstations; enable only on servers that need remote management; use HTTPS instead of HTTP (port 5986 instead of 5985); restrict via firewall to authorized admin workstations only.
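For servers that must keep WinRM, the recommended approach above (HTTPS only, no plaintext credentials, firewall restricted to admin workstations) can be applied as follows. This is an added example, not part of the baseline's script; the admin subnet 10.0.100.0/24 is a constructed placeholder, and an HTTPS listener with a valid certificate is assumed to exist already.

```powershell
#Requires -RunAsAdministrator
# Added example: harden WinRM on a server that must keep remote management.
# Assumes an HTTPS listener already exists; 10.0.100.0/24 is a constructed placeholder
# for the authorized admin-workstation subnet.
param(
    [string]$AdminSubnet = '10.0.100.0/24'
)

# 1. Remove every HTTP (port 5985) listener so only the HTTPS listener on 5986 remains.
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }

# 2. Refuse unencrypted traffic and Basic authentication at the service level, so
#    credentials never cross the wire in plaintext even if an HTTP listener is re-added.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false

# 3. Firewall: allow 5986 only from the admin subnet and block 5985 from everywhere.
#    Block rules win over allow rules, so a still-enabled built-in HTTP-In rule is overridden.
New-NetFirewallRule -DisplayName 'WinRM HTTPS - admin subnet only' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $AdminSubnet -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'WinRM HTTP - blocked' -Direction Inbound `
    -Protocol TCP -LocalPort 5985 -Action Block

# 4. Report what is left listening so the change can be verified and audited.
Get-ChildItem -Path WSMan:\localhost\Listener | Select-Object Name, Keys
Get-NetFirewallRule -DisplayName 'WinRM *' | Select-Object DisplayName, Enabled, Action
```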

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry / Service
Required Modules:

Implementation

Disable WinRM automatic configuration via the registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowAutoConfig = 0.

Alternative: disable the WinRM service entirely: Set-Service WinRM -StartupType Disabled.

Effect:

  1. Inbound PowerShell remoting is blocked
  2. Other machines cannot connect to this machine via WinRM
  3. Local PowerShell still works (no remoting)
  4. Intune management is NOT affected (uses alternative protocols)

Important: this disables only INBOUND WinRM. The machine can still connect OUTBOUND to other WinRM endpoints (for admin tasks).

Requirements

  1. Windows 10/11 workstations
  2. Verify: no business processes depend on inbound WinRM to workstations
  3. Intune management: uses alternative protocols (not affected)
  4. Alternative: cloud-based management (Intune) instead of on-prem WinRM

Implementation

Use the PowerShell script allow-remote-server-management-through-winrm-is-set-to-disabled.ps1 (function Invoke-Remediation) – disable WinRM auto-config.

Intune: Settings catalog → WinRM Service AutoConfig = Disabled. Apply to workstations ONLY.

Monitoring

Use the PowerShell script allow-remote-server-management-through-winrm-is-set-to-disabled.ps1 (function Invoke-Monitoring) – verify WinRM is disabled on workstations.

Monitor: WinRM service status and network connections on ports 5985/5986 (should be zero on workstations).
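The monitoring signals above (service state, the AllowAutoConfig policy, configured listeners, and sockets on 5985/5986) collected in one read-only function. This is an added example and not the baseline's script; it assumes Windows 10/11 with the NetTCPIP module (Get-NetTCPConnection) available.

```powershell
# Added example: read-only exposure check for a workstation. Returns one object per host
# so results can be collected centrally; nothing here changes configuration.
function Get-WinRmExposure {
    $svc    = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' `
                               -Name AllowAutoConfig -ErrorAction SilentlyContinue

    # The WSMan: drive only answers while the service runs; a stopped service means no listeners.
    $listeners = @()
    if ($svc -and $svc.Status -eq 'Running') {
        try   { $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction Stop | ForEach-Object { $_.Keys -join ';' }) }
        catch { $listeners = @("error: $($_.Exception.Message)") }
    }

    # Listening sockets prove exposure regardless of what the configuration claims;
    # established connections on these ports are what the baseline says should be zero.
    $sockets     = Get-NetTCPConnection -LocalPort 5985, 5986 -ErrorAction SilentlyContinue
    $listening   = @($sockets | Where-Object State -eq 'Listen')
    $established = @($sockets | Where-Object State -eq 'Established')

    $findings = @()
    if ($svc -and $svc.StartType -ne 'Disabled')    { $findings += "WinRM service start type is $($svc.StartType)" }
    if (-not $policy)                                { $findings += 'AllowAutoConfig not configured by policy (default in effect)' }
    elseif ($policy.AllowAutoConfig -ne 0)           { $findings += "AllowAutoConfig policy is $($policy.AllowAutoConfig)" }
    if ($listeners.Count -gt 0)                      { $findings += "WinRM listeners: $($listeners -join ', ')" }
    if ($listening.Count -gt 0)                      { $findings += "Listening on: $(($listening.LocalPort | Sort-Object -Unique) -join ', ')" }
    foreach ($c in $established) {
        $findings += "Established $($c.LocalPort) from $($c.RemoteAddress):$($c.RemotePort)"
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        ServiceState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
        Exposed      = ($listening.Count -gt 0 -or $listeners.Count -gt 0)
        Findings     = $findings
    }
}

Get-WinRmExposure | Format-List
```

A workstation that complies with this control reports Exposed = False and no established connections; any listener or socket on 5985/5986 is a finding to investigate.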

Compliance and Auditing

  1. CIS Windows Benchmark - Minimize attack surface
  2. BIO 12.06 - Vulnerability management
  3. ISO 27001 A.12.6.1

Remediation

Use the PowerShell script allow-remote-server-management-through-winrm-is-set-to-disabled.ps1 (function Invoke-Remediation) – remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Intune Security Options: Remote Server Management WinRM Disabled
.DESCRIPTION
    CIS - Remote server management via WinRM must be disabled (unless needed).
.NOTES
    Filename: winrm-remote-mgmt.ps1 | Author: Nederlandse Baseline voor Veilige Cloud | Service: WinRM | Expected: Disabled or Controlled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
# Policy value behind "Allow remote server management through WinRM"; 0 = auto-config disabled
$RegPath       = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"
$RegName       = "AllowAutoConfig"
$ExpectedValue = 0

function Connect-RequiredServices {
    # Writing under HKLM\SOFTWARE\Policies requires an elevated session
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "winrm-remote-mgmt.ps1"
        PolicyName    = "WinRM Remote Mgmt"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Disabled"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "WinRM auto-config disabled"
            } else {
                $r.Details += "WinRM auto-config enabled"
            }
        } else {
            # Policy key absent: auto-config is not forced on by policy (client default)
            $r.IsCompliant = $true
            $r.Details += "Default"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "WinRM auto-config disabled" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r      = Test-Compliance
    $status = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color  = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $status" -ForegroundColor $color
    return $r
}

function Invoke-Revert {
    # Removes the policy value so the system returns to its unconfigured state
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) {
        Write-Error "Run this script from an elevated PowerShell session."
        exit 1
    }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
        else { Write-Host "WhatIf: would set $RegPath\$RegName = $ExpectedValue" }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

High: WinRM enabled on workstations is a lateral movement vector for attackers. Disabling it significantly reduces the attack surface. Intune management is NOT affected.

Management Summary

Disable WinRM on workstations (not servers). This prevents lateral movement attacks. Intune still works (alternative protocols). Apply to workstations only. Implementation: 4-6 hours.