PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Threat Intel: Attack Vector: Disable WinRM (Windows Remote Management)

1c1e3c39-98a3-41cb-8bf1-1a5f36a6c950

There are known vulnerabilities based on WinRM and it's best practice to disable WinRM.

https://attack.mitre.org/techniques/T1028/

Remediation

At registry key path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service
Set registry key "AllowAutoConfig" to 0. Create it if does not exist.

Registry key information: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsRemoteManagement::AllowAutoConfig

Or if remote management is not needed, stop and disable service "Windows Remote Management (WS-Management)"

https://4sysops.com/wiki/disable-powershell-remoting-disable-psremoting-winrm-listener-firewall-and-localaccounttokenfilterpolicy/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/disable-psremoting?view=powershell-7

https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#to-enable-server-manager-remote-management-by-using-the-command-line



Tags

server desktop bestpractice-server bestpractice-desktop threat-intel-desktop threat-intel-server

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.