Quick Start Guide: WinRM
Requirements
A default installation of Windows Server 2019 Desktop as a target system
The target system is not managed in a Domain / GPO
Local Administrator access to the target and CIS-CAT server
All of the commands listed below should be run in PowerShell as Administrator
Implementation Steps
On the assessment target system (192.168.41.165)
Check and, if necessary, configure firewall rules to allow incoming WinRM (TCP 5985) and SMB (TCP 445) from your CIS-CAT Server system.
Allow and confirm remote access to the machine for management with the command:
winrm quickconfig
On CIS-CAT Server system
Within PowerShell, add the assessment target IP address to WinRM trusted hosts with this command:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.41.165
Run the CIS-CAT Pro Assessor GUI
Select Advanced > Add remote or local target system
Fill out the information in the required fields.
Select the correct Benchmark and Profile for the Target system and click Add
Click Save
Click Test connection(s) to Targets; the output should include a line saying Test Successful
Click on Next > Select a Report Output option > Next > Start Assessment
Troubleshooting Steps
On the Target system
Check that WinRM is enabled and listening on port 5985:
winrm enumerate winrm/config/listener
Check that SMB2 is enabled:
Get-SmbServerConfiguration | Select EnableSMB2Protocol
On the CIS-CAT Server system
Check that the target system IP is in Trusted Hosts:
Get-Item WSMan:\localhost\Client\TrustedHosts
Check that you can connect to the target host IP on ports 5985 and 445:
Test-NetConnection -ComputerName 192.168.41.165 -Port 5985 -InformationLevel Detailed
Test-NetConnection -ComputerName 192.168.41.165 -Port 445 -InformationLevel Detailed
Check that you can connect to the WinRM service on the target host IP:
Test-WSMan -ComputerName 192.168.41.165 -Credential Administrator -Authentication Negotiate
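The CIS-CAT Server checks above, combined into one function as an added example (not part of the original guide and not CIS tooling). The function name Test-AssessmentTarget and its output property names are made up for illustration.

```powershell
# Added example (not CIS code). Run as Administrator on the CIS-CAT Server.
function Test-AssessmentTarget {
    param(
        [Parameter(Mandatory)] [string] $Target,            # target IP, as in this guide
        [Parameter(Mandatory)] [pscredential] $Credential   # local Administrator on the target
    )

    # TrustedHosts is one comma-separated string and entries may contain '*'.
    # Split it and list every entry that covers the target, so an overly broad
    # entry such as '*' is visible instead of silently passing the check.
    $raw     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $covers  = @($entries | Where-Object { $Target -like $_ })

    # TCP reachability for WinRM (5985) and SMB (445).
    $open = @{}
    foreach ($port in 5985, 445) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        $open[$port] = [bool]$r.TcpTestSucceeded
    }

    # Authenticated WinRM check, attempted only when 5985 answered.
    $wsmanOk = $false
    $wsmanError = $null
    if ($open[5985]) {
        try {
            Test-WSMan -ComputerName $Target -Credential $Credential `
                -Authentication Negotiate -ErrorAction Stop | Out-Null
            $wsmanOk = $true
        } catch {
            $wsmanError = $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Target              = $Target
        TrustedHostsEntries = $covers -join ', '
        InTrustedHosts      = $covers.Count -gt 0
        Port5985Open        = $open[5985]
        Port445Open         = $open[445]
        WSManOk             = $wsmanOk
        WSManError          = $wsmanError
    }
}

$cred = Get-Credential -UserName Administrator -Message 'Local Administrator on the target'
Test-AssessmentTarget -Target 192.168.41.165 -Credential $cred
```

Because Set-Item with -Value replaces the whole TrustedHosts string rather than appending to it, review TrustedHostsEntries after any change to confirm the list still contains exactly the hosts you intend.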
Copyright © 2024 Center for Internet Security®