Product Name: CIS-CAT Pro Assessor v4

Product Version: all

Problem


How can I do a CIS-CAT Pro Assessor remote assessment of a Windows target using WinRM?

Solution

  • These steps should only be run on a test or development system, to help understand the requirements for a CIS-CAT remote assessment.

  • To simplify the process, the steps assume an unencrypted connection, and the firewall may need to be disabled. In the CIS-CAT \config\sessions.properties file, ensure the port is set to 5985.

  • Once you have used these steps to troubleshoot the connection, adjust the WinRM security settings for your environment.

  1. Read the CIS-CAT Documentation section;

  2. Start WinRM on the target system;

    • PS > winrm quickconfig

  3. Test the WinRM connection from the server to the target;

    • PS > Test-WSMan -computername <target_ip> -credential <name> -Authentication Negotiate


Warning

If the Test-WSMan connection fails with an error try the following commands in turn and then re-run Test-WSMan until you get a successful connection;

  1. Ensure that UAC remote restrictions have been disabled on the target machine. This command should return a value of 1. If it does not, see this section of the CIS-CAT Documentation;

    • PS > Get-ItemPropertyValue HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy

  2. Add the target IP to the winrm trusted hosts on the server;

    • PS > Set-Item WSMan:\localhost\Client\TrustedHosts -Value <target_ip>

  3. Allow unencrypted connections on the target machine;

    • CMD > winrm set winrm/config/service @{AllowUnencrypted="true"}

  4. Ensure that allow remote shell access is enabled on the target machine;

    • PS > Get-Item WSMan:\localhost\Shell\AllowRemoteShellAccess

  5. Turn off the firewall on the target machine;

    • CMD > netsh advfirewall set currentprofile state off
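The following PowerShell is an added example, not part of the CIS-CAT documentation or the Assessor's own tooling. It turns the checks from steps 2 and 3 above and the five troubleshooting items into two functions that report each prerequisite as true or false rather than changing anything: `Test-CisCatWinRmTarget` runs in an elevated PowerShell on the Windows target, and `Test-CisCatWinRmServer` runs on the assessor host and also confirms that TCP 5985 (the port set in sessions.properties) and TCP 445 (SMB) are reachable. The function names, the "Windows Remote Management" firewall rule group name (English Windows) and the 192.0.2.10 address in the usage comment are assumptions; the registry value, WSMan paths and ports are the ones from this article.

```powershell
# Added example (not CIS-CAT's own code): read-only prerequisite checks for a
# CIS-CAT Pro Assessor v4 WinRM remote assessment. Nothing here changes a
# setting; it reports what the troubleshooting steps above would change, so
# that lab-only weakenings (AllowUnencrypted, firewall off) are easy to spot
# and revert afterwards.

function Test-CisCatWinRmTarget {
    # Run in an elevated PowerShell on the target Windows system.
    $results = [ordered]@{}

    # Step 2: the WinRM service must be running (winrm quickconfig starts it).
    $results['WinRM service running'] = ((Get-Service -Name WinRM).Status -eq 'Running')

    # Troubleshooting 1: LocalAccountTokenFilterPolicy must be 1. An absent value
    # means UAC remote restrictions still apply, so it is treated as a failure.
    try {
        $policy = Get-ItemPropertyValue `
            -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -Name LocalAccountTokenFilterPolicy -ErrorAction Stop
    } catch {
        $policy = $null
    }
    $results['LocalAccountTokenFilterPolicy = 1'] = ($policy -eq 1)

    # Troubleshooting 3 and 4: WSMan service settings (WSMan: drive needs elevation).
    $results['AllowUnencrypted (test systems only)'] =
        ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true')
    $results['AllowRemoteShellAccess'] =
        ((Get-Item WSMan:\localhost\Shell\AllowRemoteShellAccess).Value -eq 'true')

    # Troubleshooting 5: report the firewall state per profile instead of turning
    # it off. Outside a lab, the fix is an enabled inbound WinRM rule, not a
    # disabled firewall, so that rule is reported too (rule group name assumed).
    foreach ($profile in Get-NetFirewallProfile) {
        $results["Firewall profile $($profile.Name) enabled"] = ($profile.Enabled -eq 'True')
    }
    $winrmRules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
    $results['WinRM inbound firewall rule enabled'] =
        [bool]($winrmRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    [pscustomobject]$results
}

function Test-CisCatWinRmServer {
    # Run on the assessor host (the system that has CIS-CAT installed).
    param(
        [Parameter(Mandatory)] [string]       $TargetIp,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $results = [ordered]@{}

    # Troubleshooting 2: the target must be in the WinRM client's TrustedHosts
    # (or TrustedHosts must be the wildcard '*').
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $trustedList = $trusted -split ',' | ForEach-Object { $_.Trim() }
    $results['Target in TrustedHosts'] = (($trustedList -contains $TargetIp) -or ($trusted -eq '*'))

    # Port reachability: 5985 for WinRM over HTTP (sessions.properties) and
    # 445 for the SMB access the assessment also needs.
    foreach ($port in 5985, 445) {
        $tcp = Test-NetConnection -ComputerName $TargetIp -Port $port -WarningAction SilentlyContinue
        $results["TCP $port reachable"] = [bool]$tcp.TcpTestSucceeded
    }

    # Step 3: the article's Test-WSMan check. It throws on failure, so the
    # error text is captured alongside the false result.
    try {
        $null = Test-WSMan -ComputerName $TargetIp -Credential $Credential `
                           -Authentication Negotiate -ErrorAction Stop
        $results['Test-WSMan (Negotiate)'] = $true
    } catch {
        $results['Test-WSMan (Negotiate)'] = $false
        $results['Test-WSMan error']       = $_.Exception.Message
    }

    [pscustomobject]$results
}

# Usage on the target (elevated):
#   Test-CisCatWinRmTarget
# Usage on the assessor host (192.0.2.10 is a constructed example address;
# Get-Credential prompts for the account that sessions.properties will use):
#   Test-CisCatWinRmServer -TargetIp 192.0.2.10 -Credential (Get-Credential)
```

Any row that reports false maps back to the numbered troubleshooting step with the same name, so the steps can be applied one at a time and Test-WSMan re-run, as the Warning panel describes. Once the assessment works, re-running `Test-CisCatWinRmTarget` shows which lab-only settings (AllowUnencrypted true, a firewall profile disabled) are still in place and need to be reverted.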

Tip

When the Test-WSMan command succeeds, and the credentials in sessions.properties match, a CIS-CAT remote assessment should run.

You can check WinRM connectivity with the command Assessor-CLI.bat --test

NOTE that SMB is also required, so you will need to allow connections to the target host over SMB on port 445.

Additional Information;

Understanding and troubleshooting WinRM connection and authentication

WinRM survival guide


Copyright © 2020

Center for Internet Security®
