pywinrm with basic authentication and AllowUnencrypted="false" #79

Closed
bvenkysubbu opened this issue Nov 17, 2015 · 10 comments
Comments

@bvenkysubbu

After reading this article, our windows admin is convinced that the credentials are just being donated to "man in the middle". Can we make pywinrm more secure? I am ready to help in this endeavour.

@pdunnigan
Contributor

You can set up winrm to accept connections via https. That is one way to get around this issue while still using basic auth. Kerberos is supported as well. Would either of these be acceptable?

@rahulcoode90

Can we set up winrm to accept connections via https and at the same time use kerberos?

@trevrobwhite

Did you manage to get this working over https?

@rahulcoode90

Yes. Create a self-signed certificate. Import that certificate and create the winrm listener using that certificate. In the python code, set the endpoint as "https://:5986/wsman".

@trevrobwhite

Many thanks worked a treat.

@trevrobwhite

Out of interest has anyone managed to get this working on Windows 2012?
The connection doesn't seem to error but the command does; this works fine on 2008. I've even tried just running a hostname or echo command in case it's a permissions thing, but all fail.

r = s.run_cmd(command, [args])
  File "/usr/local/lib/python2.7/dist-packages/winrm/__init__.py", line 29, in run_cmd
    shell_id = self.protocol.open_shell()
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 118, in open_shell
    rs = self.send_message(xmltodict.unparse(rq))
  File "/usr/local/lib/python2.7/dist-packages/winrm/protocol.py", line 190, in send_message
    return self.transport.send_message(message)
  File "/usr/local/lib/python2.7/dist-packages/winrm/transport.py", line 112, in send_message
    raise WinRMTransportError('http', ex.reason)
winrm.exceptions.WinRMTransportError: 500 WinRMTransport. [Errno 104] Connection reset by peer

@trevrobwhite

I found out the cause and wanted to share the knowledge: I set the configuration authentication to Basic before creating the listener. In Windows 2008 this isn't an issue, as I assume the listener defaults are more relaxed, but the config has to be set after creating the listener.

For anyone else out there here are the steps:

  1. Get Makecert version 6.1.7600 (if you want RSA256); it's inside the Windows 7 SDK: https://www.microsoft.com/en-us/download/details.aspx?id=8279
  2. Open an elevated command prompt and create the certificate, replacing <HOSTNAME> and <COMPANY> with the hostname of the machine and your company name. The certificate will be put in your personal store; it's ok for it to stay there.
    makecert.exe -r -pe -n "CN=<HOSTNAME>,O=<COMPANY>" -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -len 2048 -a sha1 winrm.cer
  3. Open the software firewall port:
    netsh advfirewall firewall add rule name="winrm ssl" dir=in action=allow protocol=TCP localport=5986
  4. Delete the HTTP listener if you don't need it:
    winrm delete winrm/config/listener?Address=*+Transport=HTTP
  5. List the thumbprint of the installed certificate:
    Powershell dir cert:\LocalMachine\My
    Make a note of the Thumbprint for the Certificate with the Subject "CN=Hostname"; typically this will be the last one in the list.
  6. Create the listener by running the command below, replacing <THUMBPRINT> with the thumbprint copied earlier.
    winrm create winrm/config/listener?Address=*+Transport=HTTPS @{ CertificateThumbprint="<THUMBPRINT>";Port="5986"}
  7. Enable Windows RM Basic authentication over SSL, and set WinRM to auto startup:
    winrm set winrm/config/client/auth @{Basic="true"}
    winrm set winrm/config/service/auth @{Basic="true"}
    winrm set winrm/config/service @{AllowUnencrypted="false"}
    powershell set-service WinRM -startuptype Automatic
  8. Restart WindowsRM:
    net stop winrm
    net start winrm
  9. The system is now ready to accept Windows RM requests; you can test this by running:
    winrs -r:https://HOSTNAME:5986 -u:user_name -p:password hostname

To check your configuration run:

WinRM enumerate winrm/config/listener
winrm get winrm/config

Some useful guides that helped me:
http://www.hurryupandwait.io/blog/understanding-and-troubleshooting-winrm-connection-and-authentication-a-thrill-seekers-guide-to-adventure

https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
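An added client-side counterpart to the steps above (example code, not from this thread or the pywinrm project): it assumes the winrm.cer created in step 2 has been exported to the client and that the thumbprint noted in step 5 is at hand. The helpers confirm the exported file really is the listener's certificate (Windows shows the SHA-1 of the DER encoding as the Thumbprint) and then open the pywinrm Session with that file as the only trusted certificate via ca_trust_path, so Basic auth over HTTPS keeps certificate validation on instead of setting server_cert_validation='ignore'; open_pinned_session is a hypothetical helper name.

```python
import base64
import hashlib

WINRM_HTTPS_PORT = 5986
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def cert_to_der(data: bytes) -> bytes:
    """Accept the exported certificate as PEM (Base64 between the BEGIN/END
    lines) or as raw DER, and return the DER bytes."""
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data


def normalize_thumbprint(thumbprint: str) -> str:
    """Uppercase hex without spaces or colons, however it was copied from
    'dir cert:\\LocalMachine\\My' or from the listener configuration."""
    return "".join(ch for ch in thumbprint if ch.isalnum()).upper()


def thumbprint_of_der(der: bytes) -> str:
    """The Windows 'Thumbprint' field is the SHA-1 of the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_matches(cert_data: bytes, expected: str) -> bool:
    """True when the exported certificate is the one the HTTPS listener was created with."""
    return thumbprint_of_der(cert_to_der(cert_data)) == normalize_thumbprint(expected)


def open_pinned_session(host: str, username: str, password: str,
                        cer_path: str, expected_thumbprint: str):
    """Hypothetical helper: open a pywinrm Session with Basic auth over HTTPS,
    trusting only the exported listener certificate instead of ignoring validation."""
    with open(cer_path, "rb") as fh:
        cert_data = fh.read()
    if not thumbprint_matches(cert_data, expected_thumbprint):
        raise ValueError("%s is not the listener certificate (thumbprint %s)"
                         % (cer_path, thumbprint_of_der(cert_to_der(cert_data))))
    import winrm  # pywinrm, imported here so the checks above run without it installed
    return winrm.Session(
        "https://%s:%d/wsman" % (host, WINRM_HTTPS_PORT),
        auth=(username, password),
        transport="basic",
        server_cert_validation="validate",  # keep validation on ...
        ca_trust_path=cer_path,             # ... against this certificate only
    )
```

The certificate's subject must match the hostname used in the endpoint URL for validation to pass, which is why step 2 puts the machine's hostname in the CN.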

@durnote

durnote commented Jul 19, 2016

Had this issue; there is one hint that could save someone's time. If you're running this from powershell on Win2012 you need single quotes also:

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="false"}'

@bielawb

bielawb commented Nov 11, 2016

Alternatively, just use PowerShell wsman provider:

Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

You can just ls there to verify that settings are correct:

pushd WSMan:\localhost\Service
ls
ls Auth

@jborean93
Collaborator

There's no need to use Basic auth as well as setting AllowUnencrypted to $true. Pywinrm has supported message encryption for ntlm, kerberos, and credssp since 0.3.0, which encrypts the data being sent to the server.
