WinRM and managing the Windows fleet
A fleet of on-premises Windows servers needs remote management without logging into each machine separately. The standard is WinRM (Windows Remote Management), and it is through WinRM that ZEUS reads the state of Windows hosts.
What WinRM is
WinRM is Microsoft's implementation of the WS-Management protocol: management over HTTP(S) with a SOAP payload. It is the transport on which PowerShell Remoting runs (Invoke-Command, Enter-PSSession). Two ports:
| Port | Protocol | Note |
|---|---|---|
| 5985 | HTTP | no TLS; only the Kerberos/NTLM message-level encryption protects the payload, and Basic auth goes in cleartext. Avoid |
| 5986 | HTTPS | TLS on the transport, and the client can validate the server certificate. Recommended |
```powershell
# Enable WinRM (on the target machine). This also creates the default
# HTTP listener on 5985, which is removed below once HTTPS is in place.
Enable-PSRemoting -Force
# Configure an HTTPS listener with a certificate
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS `
    -Address * -CertificateThumbPrint <cert-thumbprint>
# Remove the HTTP listener so only 5986 stays open
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object Keys -contains 'Transport=HTTP' | Remove-Item -Recurse
```
Authentication
WinRM supports several authentication mechanisms. In an AD domain the right choice is Kerberos: no password is transmitted, and the client authenticates the server as well. For machines outside the domain or reached over a tunnel you fall back to NTLM or CredSSP. NTLM gives no server authentication and the exchange can be relayed; CredSSP hands the user's cleartext credentials to the remote host, so it is only acceptable where that host is fully trusted. Basic authentication sends the password itself and should stay disabled.
```powershell
# Query the patch state of a group of servers remotely.
# -UseSSL forces the 5986/HTTPS listener instead of the HTTP default.
$cred = Get-Credential
Invoke-Command -ComputerName srv01,srv02 -Credential $cred -UseSSL -ScriptBlock {
    Get-HotFix | Select-Object HotFixID, InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 5
}
```
Tip: always HTTPS (5986) and Kerberos in the domain. WinRM over HTTP with NTLM is an interception risk: the client cannot verify which host it is talking to, and the NTLM exchange can be relayed or cracked offline. ZEUS flags hosts with a WinRM listener on HTTP as a finding.
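The check behind that finding, as an added example (not ZEUS's code): it reads the local WinRM listeners and service-side authentication settings from the WSMan: drive and reports the configurations discussed above. It assumes it runs elevated on the target host; the finding texts are chosen for this example.

```powershell
# Added example, not from the original lesson or ZEUS. Audits the local WinRM
# configuration: HTTP listeners, HTTPS listeners without a certificate, and
# the service-side auth switches (Basic, CredSSP, AllowUnencrypted, Kerberos).
function Get-WinRmExposureFindings {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # Each listener is a container under WSMan:\localhost\Listener whose
    # child items are its properties (Transport, Address, Port, ...).
    foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
        $props = @{}
        Get-ChildItem $listener.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
        if ($props.Transport -eq 'HTTP') {
            $findings.Add("HTTP listener on $($props.Address):$($props.Port) (no TLS)")
        }
        elseif ($props.Transport -eq 'HTTPS' -and -not $props.CertificateThumbprint) {
            $findings.Add("HTTPS listener on $($props.Address):$($props.Port) has no certificate bound")
        }
    }

    # Service-side settings. Values are the strings 'true'/'false'.
    $svc = 'WSMan:\localhost\Service'
    if ((Get-Item "$svc\AllowUnencrypted").Value -eq 'true') {
        $findings.Add('AllowUnencrypted=true: message-level encryption disabled on HTTP')
    }
    if ((Get-Item "$svc\Auth\Basic").Value -eq 'true') {
        $findings.Add('Basic authentication enabled (cleartext password)')
    }
    if ((Get-Item "$svc\Auth\CredSSP").Value -eq 'true') {
        $findings.Add('CredSSP enabled (credential delegation to this host)')
    }
    if ((Get-Item "$svc\Auth\Kerberos").Value -ne 'true') {
        $findings.Add('Kerberos authentication disabled')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Findings     = $findings
        Compliant    = ($findings.Count -eq 0)
    }
}

Get-WinRmExposureFindings | Format-List
```

Wrapped in `Invoke-Command -UseSSL`, the same function runs fleet-wide; a host that only answers on 5985 cannot be reached that way, which is itself the finding.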
What we query for security
Through WinRM (read-only: only Get-* cmdlets) we collect the host's state:
- the patch level (`Get-HotFix`) and missing critical updates,
- local administrators (`Get-LocalGroupMember Administrators`),
- services and the accounts they run as (`Get-Service`, `Get-WmiObject Win32_Service`; on current hosts `Get-CimInstance Win32_Service`, since `Get-WmiObject` is absent from PowerShell 7),
- the firewall state (`Get-NetFirewallProfile`),
- the OS version and its support status (`Get-CimInstance Win32_OperatingSystem`).
```powershell
Invoke-Command -ComputerName srv01 -Credential $cred -ScriptBlock {
    Get-LocalGroupMember -Group "Administrators" |
        Select-Object Name, PrincipalSource
}
```
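The whole collection in one pass, as an added example (not the ZEUS connector's code): the five items above are gathered over WinRM/HTTPS from several hosts using only Get-* cmdlets and turned into per-host findings on the collector side. The 90-day patch-age threshold, the built-in service account list and the finding texts are assumptions made for this example.

```powershell
# Added example, not from the original lesson or ZEUS. Collects the read-only
# posture items over WinRM/HTTPS and derives findings on the collector side.
function Get-WindowsPosture {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $MaxPatchAgeDays = 90   # assumed threshold for this example
    )

    # Runs on each host and emits flat Kind/Name/Value records. Scalar fields
    # survive remoting deserialization; nested objects would be flattened to text.
    $collector = {
        $os = Get-CimInstance Win32_OperatingSystem
        [pscustomobject]@{ Kind = 'OS'; Name = $os.Caption; Value = $os.BuildNumber }

        $latest = Get-HotFix | Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending | Select-Object -First 1
        [pscustomobject]@{ Kind = 'LastHotFix'; Name = $latest.HotFixID; Value = $latest.InstalledOn }

        foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
            [pscustomobject]@{ Kind = 'LocalAdmin'; Name = $m.Name
                               Value = "$($m.PrincipalSource)/$($m.ObjectClass)/$($m.SID.Value)" }
        }

        # Services running as something other than the built-in or virtual service accounts.
        $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
        Get-CimInstance Win32_Service |
            Where-Object { $_.StartName -and $_.StartName -notin $builtin -and
                           $_.StartName -notlike 'NT SERVICE\*' } |
            ForEach-Object { [pscustomobject]@{ Kind = 'ServiceAccount'; Name = $_.Name; Value = $_.StartName } }

        foreach ($p in Get-NetFirewallProfile) {
            [pscustomobject]@{ Kind = 'Firewall'; Name = $p.Name; Value = ("$($p.Enabled)" -eq 'True') }
        }
    }

    $facts = Invoke-Command -ComputerName $ComputerName -Credential $Credential -UseSSL -ScriptBlock $collector

    # Invoke-Command stamps every record with PSComputerName; group on it.
    foreach ($grp in $facts | Group-Object PSComputerName) {
        $f = $grp.Group
        $findings = @()

        $patch = $f | Where-Object Kind -eq 'LastHotFix' | Select-Object -First 1
        if (-not $patch.Value -or $patch.Value -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
            $findings += "no hotfix installed in the last $MaxPatchAgeDays days"
        }
        foreach ($fw in $f | Where-Object { $_.Kind -eq 'Firewall' -and -not $_.Value }) {
            $findings += "firewall profile $($fw.Name) disabled"
        }
        # Local user accounts in Administrators other than the built-in Administrator (RID 500).
        foreach ($a in $f | Where-Object { $_.Kind -eq 'LocalAdmin' -and
                                           $_.Value -like 'Local/User/*' -and $_.Value -notlike '*-500' }) {
            $findings += "extra local admin account $($a.Name)"
        }
        foreach ($s in $f | Where-Object Kind -eq 'ServiceAccount') {
            $findings += "service $($s.Name) runs as named account $($s.Value)"
        }

        $os = $f | Where-Object Kind -eq 'OS' | Select-Object -First 1
        [pscustomobject]@{
            ComputerName = $grp.Name
            OS           = "$($os.Name) (build $($os.Value))"
            Findings     = $findings
        }
    }
}

# Usage:
# $cred = Get-Credential
# Get-WindowsPosture -ComputerName srv01, srv02 -Credential $cred | Format-List
```

The host side only reads and returns facts; every judgement (what counts as stale, which admin is unexpected) stays with the collector, so the same raw state can be re-evaluated when a threshold changes without touching the hosts again.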
How ZEUS sees it
The ZEUS on-prem connector connects to Windows hosts through WinRM (HTTPS), using a domain account with read-only permissions: exclusively Get-* commands, no modifications. Note that the Get-* verb is a naming convention, not a permission boundary; the allowlist is only enforced if the host side exposes a constrained endpoint (JEA) that offers that account nothing else. The connector reads the patch level, local administrators, service configuration and the firewall. This data makes up the endpoint posture of the Windows fleet and feeds the same view as cloud resources. The connection goes through a reverse-SSH tunnel; details in lesson 06.
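How to make the "Get-* only" promise enforceable on the target host, as an added example (not ZEUS's own configuration): a JEA endpoint whose role capability exposes exactly the cmdlets the posture collection needs, with the widening parameters pinned. The module name, endpoint name, AD group and transcript path are assumptions for the example, and it must run elevated on the target host.

```powershell
# Added example, not from the original lesson or ZEUS. Registers a JEA
# endpoint that exposes only the read-only cmdlets to the reader account.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ZeusReadOnly'  # assumed name
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'ZeusReadOnly.psd1')

# Role capability: exactly the cmdlets the collector needs. Group and CIM class
# are pinned so the account cannot enumerate other groups or arbitrary WMI classes.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'ZeusReadOnly.psrc') -VisibleCmdlets @(
    'Get-HotFix',
    'Get-Service',
    'Get-NetFirewallProfile',
    'Sort-Object',
    @{ Name = 'Get-LocalGroupMember'
       Parameters = @{ Name = 'Group'; ValidateSet = 'Administrators' } },
    @{ Name = 'Get-CimInstance'
       Parameters = @{ Name = 'ClassName'; ValidateSet = 'Win32_OperatingSystem', 'Win32_Service' } }
)

# Session configuration: restricted NoLanguage endpoint, commands run under a
# transient virtual account, full transcripts kept on the host. The group name
# and transcript directory are assumptions.
$pssc = Join-Path $env:TEMP 'ZeusReadOnly.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\ZEUS-Readers' = @{ RoleCapabilities = 'ZeusReadOnly' } }
Test-PSSessionConfigurationFile -Path $pssc
Register-PSSessionConfiguration -Name 'ZeusReadOnly' -Path $pssc -Force

# From the collector, name the endpoint. Anything outside the allowlist is not
# merely forbidden; it does not exist in the session.
# $cred = Get-Credential
# Invoke-Command -ComputerName srv01 -UseSSL -Credential $cred -ConfigurationName ZeusReadOnly `
#     -ScriptBlock { Get-LocalGroupMember -Group Administrators }   # allowed
# Invoke-Command -ComputerName srv01 -UseSSL -Credential $cred -ConfigurationName ZeusReadOnly `
#     -ScriptBlock { Stop-Service Spooler }                          # CommandNotFoundException
```

Because a JEA session runs in NoLanguage mode, filtering and comparison logic has to live on the collector side; the host returns raw Get-* output and nothing else. The reader account itself needs no local admin rights, since the cmdlets execute under the endpoint's virtual account.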
In the next lesson: on-prem networking, VPN and tunneling.