-
Notifications
You must be signed in to change notification settings - Fork 2
/
index.html
67 lines (55 loc) · 3.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<!DOCTYPE html>
<html>
<head>
<title>Secure WinRM - Introduction</title>
<meta name="viewport" content="width=device-width">
<link rel="stylesheet" type="text/css" href="css/manual.css">
<script language="JavaScript" src="scripts/TextSelection.js"></script>
</head>
<body>
<p>Status: <strong>DRAFT</strong></p>
<h1>Introduction</h1>
<p>On Windows WinRM is sort of the equivalent of SSH. It enables remote shells and remote command execution. Microsoft
is also working on <a href="https://github.com/PowerShell/Win32-OpenSSH">SSH for Windows</a>, but it has not been
released yet.</p>
<p>Unfortunately WinRM is a lot more work to set up than SSH. And you have to get all of the details right, because
there are strict requirements for the certificates used for authentication.</p>
<p>One of the major drawbacks of WinRM is that it does not verify the identity of the server by default. If a server
responds to the hostname you entered, the client will happily make a connection. If you use Basic or Negotiate
authentication (<a href="https://msdn.microsoft.com/en-us/library/aa384372(v=vs.85).aspx">which are both enabled by
default</a>), and the server forces the use of one of these methods, sensitive information that can be used to
impersonate you will be sent to the server:</p>
<ul>
<li>
<p>
<a href="https://msdn.microsoft.com/en-us/library/aa384465(v=vs.85).aspx#winrm.gloss_basic_authentication">Basic</a>:
Your username and password are sent to the server. This allows the server to impersonate you indefinitely. </p>
</li>
<li>
<p>
<a href="https://msdn.microsoft.com/en-us/library/aa384465(v=vs.85).aspx#winrm.gloss_negotiate_authentication">Negotiate</a>:
If you are not in a domain, NTLM will be used. In that case, <a
href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx">the encrypted challenge
will be sent to the server</a>. Using this response the server can impersonate you for a single session.</p>
</li>
</ul>
<p>This manual contains steps to switch to public key infrastructure (PKI) authentication exclusively. This ensures that
neither the client nor the server blindly allows connections to unknown hosts, and that no secrets are sent to the
other machine.</p>
<p>A certificate authority to generate the client or server certificates is not needed. Self-signed certificates are
used for both.</p>
<p>Instructions are available for both Windows (whether part of a domain or not) and Linux clients, so you will be able
to access the Windows server from the operating system of your choice.</p>
<p>This manual can also be read offline. <a href="https://github.com/jstuyts/Secure-WinRM-Manual">Download an archive of
the source from GitHub</a> (press the green button).</p>
<h2>Table of contents</h2>
<ul>
<li><a href="trust.html">Trust</a></li>
<li><a href="feedback.html">Feedback</a></li>
<li><a href="conventions.html">Conventions</a></li>
<li><a href="server-configuration.html">Server configuration</a></li>
<li><a href="windows-client-configuration.html">Windows client configuration</a></li>
<li><a href="linux-client-configuration.html">Linux client configuration</a></li>
</ul>
</body>
</html>