Technical information on agentless connections for Windows systems
Agentless connections on Windows systems use the remote connection protocol WinRM. WinRM therefore needs to be activated on the assets to be monitored by Cyberwatch.
WinRM HTTP uses port 5985 by default, and WinRM HTTPS port 5986.
Getting a Windows agentless connection to work may require the configuration steps described below.
Prerequisites for using Agentless connections
The use of a local Administrator account is mandatory as the analysis scripts contain privileged methods:
- use of DISM (Deployment Imaging and Servicing Management): recovery of the versions of installed KBs
- use of the WUA API (Windows Update Agent): deletion, download and management of .cab files, WUA service management, deployment of updates
- access to privileged directories: the %APPDATA% of every user, to get the versions of installed applications
- privileges potentially needed for running Compliance scan scripts
It is therefore necessary to create a Cyberwatch user that is a member of the local Administrators group, for example with the following commands:
$UserPassword = Read-Host -AsSecureString # Once the command is validated enter a password for the Cyberwatch user
New-LocalUser "Cyberwatch" -Password $UserPassword
Add-LocalGroupMember -Group 'Administrators' -Member Cyberwatch -Verbose
The name of the Administrators group varies depending on the system's language.
Members of the Protected Users or gMSA groups cannot use the WinRM service. Make sure the Cyberwatch user does not belong to either of these groups.
Enable WinRM
The PowerShell command below enables the WinRM service if it is disabled, and configures the Windows firewall accordingly:
Enable-PSRemoting -Force
In some cases, activating WinRM alone may not be enough. It may be necessary to allow local administrator accounts to connect via the WinRM protocol, otherwise Cyberwatch will raise the WinRM::WinRMAuthorizationError error when initializing the agentless connection.
To avoid this issue, add the following key to the Windows registry:
New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1
The following command is used to check that the WinRM service is started, and starts it if it is not:
winrm quickconfig
Optional - Manually disable the firewall for WinRM
Manually disabling the Windows firewall may sometimes be necessary, mainly with AWS EC2 hosts. In this case Cyberwatch will raise the Connection expired error.
The command below configures the firewall to allow incoming TCP connections on port 5985:
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow
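The check script below is an added example, not part of Cyberwatch's documentation: run on the monitored host from an elevated PowerShell 5.1 session, it verifies each setting from the sections above (WinRM service and listener, LocalAccountTokenFilterPolicy, the WinRM-HTTP firewall rule, and the scan account's group membership) before the first agentless scan. It assumes the account is named Cyberwatch, the firewall rule is named WinRM-HTTP as in the netsh command, and only the HTTP listener on 5985 is in use.

```powershell
# Added example: verify the WinRM prerequisites described above on the monitored host.
# Assumptions: scan account "Cyberwatch", firewall rule "WinRM-HTTP", HTTP listener on 5985.
$results = [ordered]@{}

# 1. WinRM service running and answering locally (Enable-PSRemoting / winrm quickconfig)
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$results['WinRM service running']      = [bool]($svc -and $svc.Status -eq 'Running')
$results['WinRM answers on localhost'] = [bool](Test-WSMan -ComputerName localhost -ErrorAction SilentlyContinue)
$results['Listener on TCP 5985']       = [bool](Get-NetTCPConnection -LocalPort 5985 -State Listen -ErrorAction SilentlyContinue)

# 2. LocalAccountTokenFilterPolicy = 1, otherwise a local admin gets WinRM::WinRMAuthorizationError
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
$results['LocalAccountTokenFilterPolicy = 1'] = [bool]($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1)

# 3. Inbound allow rule for WinRM over HTTP (rule name from the netsh command above)
$rule = Get-NetFirewallRule -DisplayName 'WinRM-HTTP' -ErrorAction SilentlyContinue
$results['Firewall rule WinRM-HTTP allows inbound'] =
    [bool]($rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Allow')

# 4. Scan account exists and is a member of the local Administrators group.
#    S-1-5-32-544 is the well-known SID of Administrators, so this works whatever the system language.
$user = Get-LocalUser -Name 'Cyberwatch' -ErrorAction SilentlyContinue
$results['Cyberwatch user exists'] = [bool]$user
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
$results['Cyberwatch in Administrators'] = [bool]($members | Where-Object { $_.Name -like '*\Cyberwatch' })

# Report: every line must read OK before Cyberwatch can open the agentless connection.
$results.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Membership of Protected Users or gMSA groups is a domain-side property and is not checked here; confirm it in Active Directory for domain accounts.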
Optional - Using WinRM-Kerberos
Kerberos is an authentication protocol that relies on a trusted third party. It uses a Key Distribution Center (KDC) that distributes tickets allowing a user to access and use network resources, in a way similar to SSO authentication systems.
The Kerberos authentication process is as follows:
- The client initiates an authentication request against the KDC
- If the KDC validates the authentication, it issues a ticket-granting ticket (TGT)
- The client then presents the TGT to a service it wants to access
- The service sends back the TGT to the KDC for validation
- Once validated, the KDC issues a final ticket that allows the client to authenticate against the service
For this authentication process to be possible, the information below must be provided:
- Realm: logical group in which Kerberos resources are centralized. For WinRM authentication, this is the domain of your Active Directory.
- KDC: trusted third-party server responsible for issuing tickets. In an Active Directory domain, it corresponds to the FQDN of the domain controller.
- Administration server: trusted third-party server responsible for issuing service tickets to clients. In an Active Directory domain, it corresponds to the FQDN of the domain controller.
It is then required to provide the username and password of an account allowed to authenticate against the Active Directory domain provided above.
Prerequisites for using WinRM-Kerberos
The Cyberwatch server must be able to resolve the domain names of:
- the KDC (Key Distribution Center)
- the administration server
- each asset to be monitored