Configure the WinRM service on a Windows host to allow authentication and remoting from non-administrator user accounts

This how-to article is intended to give a pretty basic method of configuring a Windows Server 2012->2019 host to authenticate via NTLM as user or service accounts within an active directory domain that are not administrator users.

The following steps should assist in achieving the desired result(normal user or svc account can connect via winrm), with accompanying examples of any relevant configuration(s).

Lets get started:

  1. Log into the host we are wanting to enable the WinRM service on for remote execution, and drop a command prompt or PS.

  2. Check and see if winrm has been configured already, by running:

winrm get winrm/config

Which should output something similar to the following if it is configured:

image

  1. If the service is not configured, run the following command:

winrm qc

  1. Running quickconfig should result with an online/operational winrm service with accompanying listener for http by default, you can see this in the listener section or run:

winrm e winrm/config/listener

(Note: Custom SSL configuration is out of scope, so we will focus on using http/plaintext as an example, but would not recommend this in production).

image

  1. At this point you will need to have created the user in active directory that you intend to use(non-admin) for WinRM on the remote host, as well as adding this user to the “Remote Management Users” group in Active Directory.

image

  1. If the user exists, proceed with opening a cmd prompt and executing::

winrm configsddl default

After you do, you should get a dialog box similar to the one below for security configuration of the default sddl:

image

**Note: You may also add the user directly here and apply the same permissions vs. adding the group containing the user, from my testing this works equally well so long as the proper permissions are granted.

  1. If using the user group, add and/or highlight the ‘Remote Management Users’ group from active directory, and then check only the top(Full Control) box(see above image).

  2. Now we will need to verify that on the remote winrm host, Negotiation mode is enabled for Authentication, this should be enabled by default, but best to check service configuration:

winrm get winrm/config/service

If ‘Negotiate = false’ then run:

winrm set winrm/config/service "@{Negotiation=“true”}'

Since we are using HTTP only in this example, we need to allow unencrypted text over the http port(5985/tcp):

winrm set winrm/config/service "@{AllowUnencrypted=”true”}’

image

There is also a client side setting in the winrm configuration that will need to be run on all hosts intending to connect via http:

winrm set winrm/config/client "@{AllowUnencrypted=”true”}’

image

If you are running a legacy Windows OS(eg; Windows 7, 8.x) with restrictive UAC, you will need to likely execute the following on your local machine to add this registry entry:

cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system** ** /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

You should now have the remote host and client(s) capable of communication with via winrm/wmi. You can test this in harness via “Secrets Management->WinRM Connection Attributes->WinRM Connectivity Test”

**These document does not apply to versions of Windows Server <=Windows 2008 Server R2

Please note that this document does not cover any authentication method besides NTLM.

2 Likes