
Technical information on agentless connections for Windows systems

Agentless connections to Windows systems use the WinRM remote management protocol, so WinRM must be enabled on every asset that Cyberwatch is to monitor.

By default, WinRM over HTTP uses port 5985 and WinRM over HTTPS uses port 5986.

Getting a Windows agentless connection to work may require the configuration steps described below.

Prerequisites for using Agentless connections

The use of a local Administrator account is mandatory, because the analysis scripts call privileged methods:

  • use of DISM (Deployment Image Servicing and Management) to retrieve the versions of installed KBs;
  • use of the WUA API (Windows Update Agent) to delete, download and manage .cab files, manage the WUA services and deploy updates;
  • access to privileged directories, such as the %APPDATA% of every user, to get the versions of installed applications;
  • privileges potentially needed to run Compliance scan scripts.

It is therefore necessary to create a Cyberwatch user that is a member of the local Administrators group, for example with the following commands:

$UserPassword = Read-Host -AsSecureString   # When prompted, enter the password for the Cyberwatch user
New-LocalUser "Cyberwatch" -Password $UserPassword
Add-LocalGroupMember -Group 'Administrators' -Member Cyberwatch -Verbose

/!\ Members of the Protected Users or gMSA groups cannot use the WinRM service, so the new Cyberwatch user must not belong to these groups.

Enable WinRM

The PowerShell command below enables the WinRM service if it is disabled, and configures the Windows firewall accordingly:

Enable-PSRemoting -Force

In some cases, enabling WinRM alone is not enough: local administrator accounts may additionally need to be allowed to connect over WinRM, otherwise Cyberwatch raises the WinRM::WinRMAuthorizationError error when initializing the agentless connection.

To avoid this issue, add the following key to the Windows registry:

New-ItemProperty -Name LocalAccountTokenFilterPolicy -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -PropertyType DWord -Value 1

The following command checks that the WinRM service is started, and starts it if it is not:

winrm quickconfig

Optional - Manually disable the firewall for WinRM

Manually disabling the Windows firewall for WinRM is sometimes necessary, mainly on AWS EC2 hosts. When this is the case, Cyberwatch raises the Connection expired error.

The command below, run from PowerShell, adds a firewall rule that allows incoming TCP connections on port 5985:

netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow
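To confirm that the steps above took effect before registering the asset in Cyberwatch, the following PowerShell script, added here as an example and not part of the Cyberwatch documentation, runs each prerequisite check once and reports the result. It assumes the account is named Cyberwatch, that WinRM HTTP listens on the default port 5985, and that it runs in an elevated PowerShell session on the target host.

```powershell
# Added example, not part of the Cyberwatch documentation: checks that the
# prerequisites above are in place. Assumes the account is named "Cyberwatch"
# and that WinRM HTTP listens on the default port 5985. Run as Administrator.
$UserName = 'Cyberwatch'
$Port     = 5985
$checks   = @()

# 1. The account is a member of the local Administrators group.
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -like "*\$UserName" })
$checks += [pscustomobject]@{ Check = "$UserName in local Administrators"; OK = $isAdmin }

# 2. The WinRM service is running (Enable-PSRemoting / winrm quickconfig).
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$checks += [pscustomobject]@{ Check = 'WinRM service running'; OK = [bool]($svc -and $svc.Status -eq 'Running') }

# 3. An HTTP listener exists on the expected port.
$listener = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
            Where-Object { $_.Keys -contains 'Transport=HTTP' } | Select-Object -First 1
$listenerPort = $null
if ($listener) {
    $listenerPort = (Get-ChildItem -Path "WSMan:\localhost\Listener\$($listener.Name)" |
                     Where-Object { $_.Name -eq 'Port' }).Value
}
$checks += [pscustomobject]@{ Check = "WinRM HTTP listener on port $Port"; OK = ($listenerPort -eq "$Port") }

# 4. LocalAccountTokenFilterPolicy = 1, so local admin accounts keep their
#    admin token over WinRM (the WinRMAuthorizationError case above).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy  = (Get-ItemProperty -Path $regPath -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$checks += [pscustomobject]@{ Check = 'LocalAccountTokenFilterPolicy = 1'; OK = ($policy -eq 1) }

# 5. An enabled inbound firewall rule allows TCP on the WinRM port.
$fwOk = $false
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains "$Port")) {
        $fwOk = $true; break
    }
}
$checks += [pscustomobject]@{ Check = "Inbound TCP $Port allowed by firewall"; OK = $fwOk }

# Print the table and return a non-zero exit code if any check failed.
$checks | Format-Table -AutoSize
if ($checks.OK -contains $false) { exit 1 }
```

Membership of the Protected Users group is a domain property and is not covered by this local check.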