Requirements

Implementation Steps

Check and if necessary configure firewall rules to allow for incoming WinRM (TCP 5985) and SMB (TCP 445) from your CIS-CAT Server system.

Allow and confirm remote access to the machine for management with the command;

winrm quickconfig

Within PowerShell add the assessment target IP address to WinRM trusted hosts with this command;

Set-Item WSMan:\localhost\Client\TrustedHosts -Value 192.168.41.165

Run the CIS-CAT Pro Assessor GUI

Select Advanced > Add remote or local target system

Fill out the Information to the required fields;

Select the correct Benchmark and Profile for the Target system and click Add

Click Save

Click Test connection(s) to Targets and you should see output with a line saying Test Successful

Click on Next > Select a Report Output option > Next > Start Assessment

Check to make sure WinRM is enabled and running on port 5985;

winrm enumerate winrm/config/listener

Check that SMB2 is running;

Get-SmbServerConfiguration | Select EnableSMB2Protocol

Check that the target system IP is in Trusted Hosts;

Get-Item WSMan:\localhost\Client\TrustedHosts

Check to see you can connect to the target host IP on ports 5985 and 445;

Test-NetConnection -ComputerName 192.168.41.165 -Port 5985 -InformationLevel Detailed

Test-NetConnection -ComputerName 192.168.41.165 -Port 445 -InformationLevel Detailed

Check to see you can connect to the target host IP on the WinRM service;

Test-WSMan -computername 192.168.41.165 -credential Administrator -Authentication negotiate