
Enabling PowerShell remoting for only a specified set of IP addresses

I’ve published a free book on PowerShell 2.0 remoting. You can download it at:

I wasn’t so sure about the post title. But read on to understand what I really meant. 🙂

When you enable remoting on a computer using the Enable-PSRemoting cmdlet, an HTTP listener is created that listens for remoting requests on all IP addresses on the local computer. This may not be a great security practice in an enterprise.

For example, suppose you have an Internet-facing server with two network connections: one, obviously, is the Internet connection, and the second connects to your internal network. You don’t need remoting to be enabled on the network adapter connected to the Internet. But since you used the Enable-PSRemoting cmdlet, remoting is enabled and there is a WinRM listener on the Internet-facing network too.

So, how do we disable remoting on the Internet facing adapter?

Enable-PSRemoting is a comprehensive cmdlet that does a lot of things for you in one shot. This is also the recommended way to enable remoting. So, if you need to disable remoting on a particular IP address, all you need to do is remove the WinRM listener created by the Enable-PSRemoting cmdlet and re-create your own listener for a specified IP address.

We use the Remove-WSManInstance and New-WSManInstance cmdlets to do this. You can also use the winrm command line to achieve this. It is just a preference.

To remove the HTTP listener created by Enable-PSRemoting,

This will remove the listener.

Now, to re-create the http listener on a specified IP address

Once this listener is created successfully, you need to restart the WinRM service using the Restart-Service cmdlet. From this point onwards, the system will listen for remoting requests only on the 192.168.100.2 IP address.
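The remove, re-create and restart steps described above, as one script. This is an added example, not the original post's code; it assumes an elevated local console on the server and uses the 192.168.100.2 address from the text, and the variable names are illustrative.

```powershell
# Added example. Run from an elevated local console: restarting WinRM drops
# any remoting session you are connected through.
$ListenAddress = '192.168.100.2'   # internal-facing address used in the text
$ListenerUri   = 'winrm/config/Listener'

# Refuse to continue if the address is not bound to a local adapter; otherwise
# the wildcard listener would be removed with nothing usable to replace it.
$localAddresses = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
    ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
    ForEach-Object { $_.Address.IPAddressToString }
if ($localAddresses -notcontains $ListenAddress) {
    throw "$ListenAddress is not assigned to any local network adapter."
}

# Record what is configured before changing anything.
Get-WSManInstance -ResourceURI $ListenerUri -Enumerate |
    Select-Object Address, Transport, Port, ListeningOn

# Remove the wildcard HTTP listener that Enable-PSRemoting created.
Remove-WSManInstance -ResourceURI $ListenerUri -SelectorSet @{ Address = '*'; Transport = 'HTTP' }

# Re-create the HTTP listener bound to the single internal address.
New-WSManInstance -ResourceURI $ListenerUri -SelectorSet @{ Address = "IP:$ListenAddress"; Transport = 'HTTP' }

# The post has you restart WinRM once the new listener exists.
Restart-Service -Name WinRM

# Verify: list the listeners again and warn if a wildcard HTTP listener remains.
$listeners = @(Get-WSManInstance -ResourceURI $ListenerUri -Enumerate)
$listeners | Select-Object Address, Transport, Port, ListeningOn
$wildcard = $listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }
if ($wildcard) {
    Write-Warning 'A wildcard HTTP listener is still present; remoting is not restricted.'
}
```

The ListeningOn column in the final output should show only the internal address for the HTTP listener.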

You can follow the same approach for the HTTPS transport too. However, you will have to specify the CertificateThumbPrint.

Disclaimer: This is just one workaround I found. From my experience – in PowerShell — there will be more than one way to do the same thing. There could be a better / simple way to achieve this. Do let me know if you have a better / simpler method. I will post it here.

Filed under: PowerShell, Remoting, Scripting

by

Ravikanth is a principal engineer and the lead architect for Microsoft and VMware virtualized and hybrid cloud solutions within the Infrastructure Solutions Group at Dell EMC. He is a multi-year recipient of Microsoft Most Valuable Professional (MVP) award in Windows PowerShell (CDM) and Microsoft Azure. Ravikanth is the author of Windows PowerShell Desired State Configuration Revealed (Apress) and leads Bangalore PowerShell and Bangalore IT Pro user groups. He can be seen speaking regularly at local user group events and conferences in India and abroad.

  • jribeauv

    Hi,

    I’m trying to get an instance from Hyper-V.
    I’m able to get it by using a PowerShell script such as:

    gwmi -namespace "root\virtualization" -class "Msvm_SystemBIOS" -computername "10.10.11.107"

    Now I want to do the same thing by using the WSMan interface:

    1) I’m able to get data from the root/cimv2 namespace:

    Get-WSManInstance -Enumerate wmicimv2/* -filter "select * from win32_BIOS" -computername "tutu"

    2) I’m not able to find what I must specify as the namespace after the Enumerate option to access the root\virtualization namespace.

    Did you already check this kind of thing?
    Any idea where to find info?

    Thx

    Regards,

    jribeauv

  • Dimashenkov

    How can I copy files between machines which are not in a domain? Do I need to use IPs like in the above example?

  • Yes, but for computers that are not in a domain, the remoting restrictions apply. Pls look at the configuring remoting for workgroups in my remoting ebook.

  • papali

    I have configured WS-Management with a GPO, but I did not find where to specify a single IP address. Can I do it?