Securing PSRemoting: A Critical Layer Beyond RDP Protection


While many IT admins focus on securing Remote Desktop Protocol (RDP) with Multi-Factor Authentication (MFA) and alerting, PowerShell Remoting (PSRemoting) often remains overlooked. Attackers can leverage PSRemoting for lateral movement, bypassing RDP restrictions. Here’s how to lock it down and detect malicious activity.

You Should Know:

1. Disable PSRemoting if Unnecessary

Disable-PSRemoting -Force

Verify the configuration:

Get-PSSessionConfiguration | Format-Table Name, Permission

2. Restrict PSRemoting Access

Allow only specific users or groups by registering a constrained session configuration. `-RunAsCredential` runs the endpoint under a fixed low-privilege account, `-ShowSecurityDescriptorUI` lets you choose which principals may connect, and JEA (Just Enough Administration) adds role-based command restrictions on top:

Register-PSSessionConfiguration -Name "Restricted" -RunAsCredential (Get-Credential "DOMAIN\LimitedUser") -ShowSecurityDescriptorUI

3. Enable Logging for PSRemoting Sessions

Configure PowerShell transcript logging (`Start-Transcript` only covers the current session; to capture every remote session, enable the "Turn on PowerShell Transcription" policy alongside Module Logging below):

Start-Transcript -Path "C:\Logs\PSRemoting_$(Get-Date -Format yyyyMMdd).txt" -Append

Enable Module Logging in Group Policy:

  • Navigate to:
    `Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell`

4. Monitor for Suspicious PSRemoting Activity

Check active sessions:

Get-PSSession

Audit Event Logs (Event ID 4103 for module logging and 4104 for script block logging):

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4103,4104} -MaxEvents 50
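As an added example that is not part of the original post, the following script turns the checks in sections 3 and 4 into a repeatable audit: it pulls recent 4103/4104 events, keeps those that ran inside a remote session host or contain patterns worth a second look, and counts inbound WinRM session creations. The `wsmprovhost` host-application match and WinRM event ID 91 are assumptions about current Windows builds; verify them on your own hosts.

```powershell
# Added example, not from the original post: summarise recent PSRemoting
# activity using the logs from sections 3 and 4. Assumes Module Logging and
# Script Block Logging are enabled and the script runs elevated on the host.
# Event IDs 4103/4104 come from the post; WinRM event 91 (inbound session
# creation in Microsoft-Windows-WinRM/Operational) is an assumption to verify
# on your Windows build.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# 4103 = module logging (pipeline execution), 4104 = script block logging.
$psEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    ID        = 4103, 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$flagged = foreach ($e in $psEvents) {
    if ($e.Id -eq 4103) {
        # Commands sent over PSRemoting execute inside wsmprovhost.exe, which the
        # ContextInfo block (Properties[0]) records as the Host Application.
        $ctx = $e.Properties[0].Value
        if ($ctx -match 'Host Application = .*wsmprovhost') {
            $user = if ($ctx -match 'Connected User = (\S+)') { $Matches[1] } else { "$($e.UserId)" }
            $cmd  = if ($ctx -match 'Command Name = (\S+)')   { $Matches[1] } else { '' }
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4103; User = $user; Detail = $cmd }
        }
    }
    elseif ($e.Id -eq 4104) {
        # Script block text is Properties[2]; surface obfuscation-style patterns
        # that are rarely seen in legitimate admin sessions.
        $sb = $e.Properties[2].Value
        if ($sb -match 'EncodedCommand|FromBase64String|DownloadString|Invoke-Expression') {
            $snippet = $sb.Substring(0, [Math]::Min(100, $sb.Length)) -replace '\s+', ' '
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4104; User = "$($e.UserId)"; Detail = $snippet }
        }
    }
}

# Inbound WSMan session creation requests as seen by the WinRM service itself.
$sessions = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; ID = 91; StartTime = $since
} -ErrorAction SilentlyContinue

"Flagged PowerShell events in the last $Hours h: $(@($flagged).Count)"
$flagged | Sort-Object Time | Format-Table -AutoSize
"WinRM session creations in the last $Hours h: $(@($sessions).Count)"
$sessions | Group-Object { "$($_.UserId)" } | Select-Object Name, Count | Format-Table -AutoSize
```

Run it on a schedule and forward the output (or the raw events) to your SIEM; a remote session from an account that never normally administers the host is the signal to chase.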

5. Network-Level Protections

  • Block WinRM (TCP 5985/5986) at the firewall unless required, or use IPsec to restrict which hosts may reach it. The rule below blocks WinRM entirely; scope it with `-RemoteAddress` if management hosts still need access:
    New-NetFirewallRule -DisplayName "Block WinRM" -Direction Inbound -LocalPort 5985,5986 -Protocol TCP -Action Block

6. Alternative: SSH for Secure Remote Management

Configure OpenSSH for Windows:

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Start-Service sshd

What Undercode Says

PSRemoting is a powerful tool for admins but equally dangerous if left unsecured. Combine these measures with SIEM alerts for `WinRM` and `PowerShell` anomalies. Regularly audit:

Get-ChildItem -Path "C:\Logs\PSRemoting_*.txt" | Select-Object Name, LastWriteTime, Length

For Linux admins, ensure `sshd_config` restricts root access:

PermitRootLogin no

And monitor SSH logs:

tail -f /var/log/auth.log | grep "sshd"

Expected Output:

  • Disabled or restricted PSRemoting.
  • Enabled PowerShell logging.
  • Firewall rules blocking unnecessary WinRM ports.
  • Regular audits of remote sessions.

References:

Reported By: Spenceralessi It – Hackers Feeds
Extra Hub: Undercode MoN