Disabling Windows Remote Management (WinRM) / Mass deployment over network using Admin Assistant

Article ID: 436
Category: Security
Applies to: Admin Assistant
Updated: 2020-09-13

This guide shows how to completely disable WinRM and how to deploy that change over the network using the free tool EventSentry Admin Assistant.

  1. Disabling WinRM
  2. Network deployment using EventSentry Admin Assistant

Disabling WinRM

The Windows Remote Management (WinRM) service is Microsoft's implementation of the WS-Management (WS-Man) protocol, which allows systems to access or exchange management information across a common network.

Since there are known vulnerabilities in Windows Remote Management (WinRM), it is recommended and best practice to disable it if your environment does not utilize or need WinRM.

The script below disables all the insecure aspects of WinRM (such as Basic authentication and unencrypted communication), removes the HTTP listener, and then stops and disables the service (both scripts are attached at the end of this article).

@echo off
REM Turn off Basic authentication and unencrypted traffic on the WinRM service
Powershell.exe Set-Item WSMan:\localhost\Service\Auth\Basic -Value $False
Powershell.exe Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $False
REM Remove the HTTP listener
Powershell.exe winrm delete winrm/config/listener?address=*+transport=HTTP
REM Stop the service and prevent it from starting again
Powershell.exe Stop-Service -force winrm
Powershell.exe Set-Service -Name winrm -StartupType Disabled

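The script below re-enables WinRM. Note that it also turns Basic authentication and unencrypted communication back on, reversing the hardening applied by the first script: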

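REM Start the WinRM service, set it to start automatically and recreate the listener
Powershell.exe Set-WSManQuickConfig -Force
REM Re-allow Basic authentication and unencrypted traffic
Powershell.exe Set-Item WSMan:\localhost\Service\Auth\Basic -Value $True
Powershell.exe Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $True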

Network deployment using EventSentry Admin Assistant

The disabling script (or any script or program) can be deployed to multiple computers using the EventSentry Admin Assistant.

Download and install the EventSentry Admin Assistant (see the download link under Attachments and Resources).

In the main window of the EventSentry Admin Assistant, select "File Management" from the drop-down menu. Click the add file menu (1) and select the script file. Ensure that Copy Files is selected and Mirror local directory structure is unchecked. For this example, the C:\users\public\scripts folder will be used (2). Select the computers on the network to which a copy of the script should be deployed (3). Check Create directory if it does not exist and then click the Update button (4).

Deploying script copy over network

At this point a copy of the script should be available on all computers, so it can now be executed. In the EventSentry Admin Assistant main window, select "Execute Processes" from the drop-down menu. Under "Executable", enter the same path the file was pushed to, in this example c:\users\public\scripts\disable_winrm.bat (1). Be sure that Execute process on remote host is checked and condense output is unchecked (2). Select the computers from the list (3) and click the "Start" button (4).

The script will be executed on all computers and disable WinRM on them.

Executing script
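
To confirm the result on a host after the disabling script has run, a local check along the following lines can be used. This is an added example, not part of the original article or of EventSentry; the function name Test-WinRMDisabled is hypothetical, and it assumes Windows PowerShell 5.1 or later and the default WinRM ports 5985 (HTTP) and 5986 (HTTPS).

```powershell
# Added example (not from the original article): local check that WinRM is off.
# Run in Windows PowerShell 5.1+ on the host being checked.

function Test-WinRMDisabled {    # hypothetical helper name
    [CmdletBinding()]
    param(
        # Default WinRM ports: 5985 (HTTP) and 5986 (HTTPS). Assumed unchanged.
        [uint16[]]$Ports = @(5985, 5986)
    )

    $svc = Get-Service -Name WinRM -ErrorAction Stop

    # Get-NetTCPConnection raises an error when nothing matches, so silence it
    # and treat "no objects" as "nothing listening".
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort $Ports -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Collect every deviation from the state the disabling script should leave.
    $problems = @()
    if ($svc.Status -ne 'Stopped')     { $problems += "service is $($svc.Status)" }
    if ($svc.StartType -ne 'Disabled') { $problems += "startup type is $($svc.StartType)" }
    if ($listening.Count -gt 0)        { $problems += "listening on port(s) $($listening -join ', ')" }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
        Listening = $listening -join ','
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems -join '; '
    }
}

$result = Test-WinRMDisabled
$result | Format-List
# A non-zero exit code lets a deployment tool or scheduled task flag the host.
if (-not $result.Compliant) { exit 1 }
```

A host is reported as compliant only when the service is stopped, its startup type is Disabled, and nothing is listening on the checked ports.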

Attachments and Resources

EventSentry Admin Assistant Download