Agentless connections on Windows systems use the WinRM remote connection protocol. WinRM therefore needs to be activated on the assets that Cyberwatch is to monitor.
WinRM over HTTP uses port 5985 by default, and WinRM over HTTPS uses port 5986.
Getting the Windows agentless connection to work may require the configuration steps described below.
The use of a local Administrator account is mandatory, as the analysis scripts rely on privileged operations:
- use of DISM (Deployment Image Servicing and Management) to retrieve the versions of installed KBs;
- use of the WUA API (Windows Update Agent) to delete, download and manage .cab files, to manage the WUA services, and to deploy updates;
- access to privileged directories (the %APPDATA% of all users, to get the versions of installed applications);
- privileges potentially needed to run Compliance scan scripts.
It is therefore necessary to create a Cyberwatch user that is a member of the local Administrators group, for example with the following commands:
$UserPassword = Read-Host -AsSecureString
# Once the command above is validated, enter a password for the Cyberwatch user
New-LocalUser "Cyberwatch" -Password $UserPassword
Add-LocalGroupMember -Group 'Administrators' -Member Cyberwatch -Verbose
/!\ Members of the Protected Users or gMSA groups cannot use the WinRM service, so the new Cyberwatch user must not belong to these groups.
The PowerShell command below enables the WinRM service if it is disabled, and configures the Windows firewall accordingly:
In some cases, enabling WinRM alone may not be enough. It may also be necessary to allow local administrator accounts to connect over the WinRM protocol; otherwise Cyberwatch raises the WinRM::WinRMAuthorizationError error when initializing the agentless connection.
To avoid this issue, add the following value to the Windows registry:
New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1
The following command is used to check that the WinRM service is started, and starts it if it is not:
Manually configuring the Windows firewall may sometimes be necessary, mainly on AWS EC2 hosts. If the firewall blocks the connection, Cyberwatch raises the Connection expired error.
The command below, run from an elevated PowerShell prompt, configures the firewall to allow incoming TCP connections on port 5985:
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow
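As an added check, not part of the Cyberwatch documentation, the following PowerShell script verifies on the asset the prerequisites described above: the WinRM service and its HTTP listener, the LocalAccountTokenFilterPolicy value, the firewall rule, and the account's local Administrators membership. It assumes the account name Cyberwatch and the firewall rule name WinRM-HTTP used in the commands above.

```powershell
# Added verification script (not Cyberwatch's own code). Run in an elevated
# PowerShell session on the monitored asset. Assumes the account name
# "Cyberwatch" and the firewall rule name "WinRM-HTTP" used earlier on this page.
$UserName = 'Cyberwatch'
$RuleName = 'WinRM-HTTP'
$Results  = [System.Collections.Generic.List[object]]::new()

function Add-Check($Name, [bool]$Ok, $Detail) {
    $Results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. The WinRM service must be running.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
Add-Check 'WinRM service running' ($svc -and $svc.Status -eq 'Running') ("Status: " + $svc.Status)

# 2. A WinRM listener must exist on the default HTTP port (5985).
$listeners = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate -ErrorAction SilentlyContinue
$http = $listeners | Where-Object { $_.Port -eq '5985' }
$summary = ($listeners | ForEach-Object { "$($_.Transport):$($_.Port)" }) -join ', '
Add-Check 'WinRM HTTP listener on 5985' ([bool]$http) ("Listeners: " + $summary)

# 3. LocalAccountTokenFilterPolicy must be 1 to avoid WinRMAuthorizationError.
#    Caveat: this setting applies to every local administrator account on the
#    host, not only to the Cyberwatch user, so keep that account set tightly.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy  = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
Add-Check 'LocalAccountTokenFilterPolicy = 1' ($policy -eq 1) ("Value: " + $policy)

# 4. An enabled inbound Allow rule for TCP 5985 (netsh "name" maps to DisplayName).
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$port = if ($rule) { $rule | Get-NetFirewallPortFilter } else { $null }
$ruleOk = $rule -and $rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' `
          -and $rule.Action -eq 'Allow' -and $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '5985'
Add-Check "Firewall rule '$RuleName' allows TCP 5985 inbound" ([bool]$ruleOk) ("Rule found: " + [bool]$rule)

# 5. The scan account must exist, be enabled and be a local Administrator.
#    Protected Users is a domain group: check that membership in Active Directory.
$user    = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
$admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$isAdmin = $admins | Where-Object { $_.Name -eq $UserName -or $_.Name -like "*\$UserName" }
Add-Check "User '$UserName' exists and is enabled" ($user -and $user.Enabled) ("Enabled: " + $user.Enabled)
Add-Check "User '$UserName' in local Administrators" ([bool]$isAdmin) ("Members: " + $admins.Count)

$Results | Format-Table -AutoSize
```

Any row with OK = False points at the corresponding step above; the firewall check only covers the default HTTP port, so adapt it if WinRM HTTPS on 5986 is used instead.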