WinRM: Allow Connections From Specific IP/Prefix

Hello,

My Goal:

On this test machine (non-domain), I want to restrict WinRM listener (itself) to only listen for specific client IP addresses or client IP address range. I don’t want to attempt to control WinRM traffic via GPO/FW, I want to control WinRM traffic via the listener itself.

My problem:

The command I used to create the listener is shown below (the IP I used in "IP:xxx.xxx.xxx.xxxx" is the IP of the public interface (front net)). The resulting listener configuration then contains the public IP as the listener Address as well as the ListenOn address. I'd appreciate it if someone can explain what the "Address" field and "ListenOn" field mean and how I can ensure that WinRM is listening on a specific interface on the target server and listening for specific client (requesting) IPs.

New-WSManInstance winrm/config/Listener -SelectorSet @{Address="IP:xxx.xxx.xxx.xxxx";Transport="HTTPS"} -ValueSet @{HostName='xxxxxxxxxxxx.xxxxxxxxxxx.xxxx';CertificateThumbprint='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'}

Check listener configuration:

PS C:\scripts> winrm e winrm/config/listener
Listener
Address = IP:xxx.xxx.xxx.xxxx
Transport = HTTPS
Port = xxxx
Hostname = xxxxxxxxxxxx.xxxxxxxxxxx.xxxx
Enabled = true
URLPrefix = wsman
CertificateThumbprint = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ListeningOn = xxx.xxx.xxx.xxxx

Thanks in advance!

Jason

That’s something you’d have to lock down in the firewall. Or, I suppose, with IP address restrictions at the IIS level. The WinRM configurations tell it which IP addresses to bind to, not which ones to accept connections from.

Sorry, scratch “IIS level;” I had a pull server in my head. This’d have to be done at the firewall.
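As an added example (not code from anyone in this thread), the following PowerShell script puts the two halves of the answer side by side: the listener's Address selector, which only decides which local interface WinRM binds to, and a Windows Firewall rule, which is where the set of permitted client addresses is actually enforced. Everything in it is assumed: the listener IP, host name, allowed client prefix and host are constructed sample values, the thumbprint is a placeholder, the rule name is arbitrary, and port 5986 is the standard WinRM HTTPS port substituted for the port the original post redacts.

```powershell
# Added example, not from the thread. Assumed values (replace with your own):
#   $ListenerIp     - the server's own interface IP the listener should bind to
#                     (the post's redacted xxx.xxx.xxx.xxxx)
#   $AllowedClients - client IPs/prefixes that may reach WinRM (constructed samples)
#   $Thumbprint     - thumbprint of the server certificate for the HTTPS listener
#   $Port           - 5986 is the standard WinRM HTTPS port; the post redacts its port
$ListenerIp     = '192.0.2.10'                        # constructed sample value
$HostName       = 'server.example.test'               # constructed sample value
$Thumbprint     = 'PLACEHOLDER_CERT_THUMBPRINT'       # placeholder, not a real thumbprint
$AllowedClients = @('198.51.100.0/24', '203.0.113.5') # constructed: one prefix, one host
$Port           = 5986

# 1. Listener: the Address selector tells WinRM which local interface IP to bind to.
#    It does not filter clients. ListeningOn in "winrm e winrm/config/listener"
#    simply echoes the bound address back.
$selector = @{ Address = "IP:$ListenerIp"; Transport = 'HTTPS' }
$existing = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
            Where-Object { $_.Address -eq "IP:$ListenerIp" -and $_.Transport -eq 'HTTPS' }
if (-not $existing) {
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector `
        -ValueSet @{ HostName = $HostName; CertificateThumbprint = $Thumbprint } | Out-Null
}

# 2. Firewall: the only place "which clients may connect" is enforced.
#    One inbound allow rule scoped to the listener IP and the allowed client set.
$ruleName = 'WinRM HTTPS - allowed clients only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $Port -LocalAddress $ListenerIp `
        -RemoteAddress $AllowedClients -Profile Any | Out-Null
}

# 3. Make sure no broader built-in WinRM rule reopens the port to every client.
#    (Disables the stock "Windows Remote Management" group; skip this if you
#    still rely on the HTTP listener it covers.)
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 4. Verify: the rule's address filter should list exactly the allowed clients,
#    and the listener should report the bound address.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Address, Transport, Port, ListeningOn
```

Run it in an elevated PowerShell session with the WinRM service running. The RemoteAddress parameter accepts single addresses, CIDR prefixes and ranges, so the "specific IP or range" requirement from the question lives entirely in the firewall rule, while the listener's Address selector answers only the "which interface" half.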