= Can PSRemoting be locked down using WinRM trusted hosts list =

My manager has asked for PSRemoting to be limited to only come from the "Mngmt Servers", which is a group of about 4 servers. Remoting from any other server to another svr on the domain that is not one of the "management" svr should be blocked.


You don't use trusted hosts, that is only for outgoing connections

~~In the "Allow remote server management through winrm" gpo you can set the IPs or IP Ranges that computers will accept connections from. Set that to cover only your management subnets. A gpupdate should be enough to update the settings on the computers~~ e: Use firewalls instead!

What firewall configuration would I use? Everything I have read is telling me to open remote management and use the IP listener in WinRM. I did previously try setting the accept list at firewall level but it never seemed to work. "Tried adding Host_names to the authorized computers" list
This is the answer. Just block access to WinRM ports at the network level with a Windows Firewall GPO

You need to limit admin and remote management users. And block windows remote management in host firewall, allowing only the authorized management hosts

Host firewall is key

We used firewalls to handle it, it is a giant pain in thecompared to being on a domain

GPO would be the easiest depending on how large the network is

You could also put an ACL on the routing interface (if there are only a few) to allow management server IPs on WinRM ports to access those devices

Two rules you would need

Allow the management IPs on those ports
Block all other IPs on those ports

It just depends on how you want to manage access and how you want that access documented

Getting different results on different machines in same test GPO. When I add and remove Server A's IP from the IP4 listening field it turns the listening on ports 5985 & 5986 off, but when I do the same with server B there is no difference. It can connect no matter what. Not sure if it is GPO settings.

How do I add an individual IP address to the IPV4 filter? I'm only ever seeing ranges being discussed.
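
The host-firewall approach recommended in the replies above, as an added PowerShell example that is not code from any poster in the thread. The four addresses are constructed placeholders, the rule name `WinRM-In-MgmtOnly` is hypothetical, and the Domain firewall profile is assumed.

```powershell
# Added example. Addresses are constructed (TEST-NET-1); substitute the real management servers.
$MgmtServers = '192.0.2.10', '192.0.2.11', '192.0.2.12', '192.0.2.13'
$WinRmPorts  = '5985', '5986'          # WinRM HTTP / HTTPS, the ports named in the thread
$RuleName    = 'WinRM-In-MgmtOnly'     # hypothetical rule name

# 1. An allow-list only works if unmatched inbound traffic is dropped.
#    DefaultInboundAction should read Block (NotConfigured falls back to Block).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 2. Create the scoped allow rule first, so a remote session from a management
#    server keeps working when the broad rules are disabled in step 3.
#    RemoteAddress accepts individual IPs as well as ranges and subnets.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $RuleName -DisplayName 'WinRM inbound (management servers only)' `
        -Direction Inbound -Protocol TCP -LocalPort $WinRmPorts `
        -RemoteAddress $MgmtServers -Action Allow -Profile Domain | Out-Null
}

# 3. Disable the built-in local WinRM rules that Enable-PSRemoting turns on;
#    they are not limited to the management servers and would defeat step 2.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Do NOT add a "block all other IPs" rule for these ports on the host: in
# Windows Firewall a matching block rule overrides allow rules, so it would
# also block the management servers. Default inbound Block covers the rest.

# 4. Audit the effective policy (local + GPO): list every enabled inbound allow
#    rule that still reaches the WinRM ports. A RemoteAddress of 'Any' is a gap.
#    (Port ranges such as '5000-6000' are not expanded by this check.)
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf  = $_ | Get-NetFirewallPortFilter
        $hit = @($pf.LocalPort) | Where-Object { $_ -in $WinRmPorts -or $_ -eq 'Any' }
        if ($hit -and $pf.Protocol -in 'TCP', 'Any') {
            [pscustomobject]@{
                Rule          = $_.Name
                Source        = $_.PolicyStoreSourceType   # Local vs GroupPolicy
                LocalPort     = @($pf.LocalPort) -join ','
                RemoteAddress = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
            }
        }
    } | Format-Table -AutoSize
```

To deliver the rule by GPO instead of locally, the same `New-NetFirewallRule` call accepts `-PolicyStore` with a `domain\GPO name` value. Running step 4 on two servers that behave differently shows which rule, and from which source, is admitting the connection.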
