I want to enable WinRM on all domain PCs, but I want to use the Windows Firewall to make it more secure. I created an IPsec rule on two computers with the following commands:

$KerbComputer = New-NetIPsecAuthProposal -Kerberos -Machine
$KerbUser = New-NetIPsecAuthProposal -Kerberos -User
$Phase1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Computer kerb Auth" -Proposal $KerbComputer
$Phase2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Kerb Auth" -Proposal $KerbUser
New-NetIPsecRule -DisplayName "Test" -Profile Any -Enabled True -Mode Transport -InboundSecurity Require -OutboundSecurity Require -Protocol TCP -LocalPort 5985 -Phase1AuthSet $Phase1Auth.Name -Phase2AuthSet $Phase2Auth.Name
It works fine. Now, in the Windows Firewall WinRM rules, I want to add a filter on my domain user name with the following commands:

$user = New-Object -TypeName System.Security.Principal.NTAccount ("kpl\eveld")
$SIDUser = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$SecureUserSDDL = "D:(A;;CC;;;$SIDUser)"
Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -Profile Domain -Enabled True -Authentication Required -RemoteUser $SecureUserSDDL
Set-NetFirewallRule -DisplayName "Windows Remote Management - Compatibility Mode (HTTP-In)" -Profile Domain -Enabled True -Authentication Required -RemoteUser $SecureUserSDDL
This also works fine (see screenshot). Now I want to add the remote computer to the firewall rule as well (if possible). I tried using the domain computer SID, but it does not work...
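An added example, not the poster's code, that applies the same pattern with domain security groups instead of individual accounts and sets both the -RemoteUser and -RemoteMachine filters, then reads the security filter back to verify. The group names kpl\WinRM-Admins and kpl\WinRM-Clients and the computer kpl\PC01 are assumptions; the SDDL is built without any embedded whitespace.

```powershell
# Added example: restrict the WinRM firewall rules to an authorised user group
# and an authorised computer group, then read the security filter back.
# Group and computer names below are assumptions, not taken from the post.

function ConvertTo-FirewallSddl {
    # Build a DACL with one allow ACE per account; an SDDL string must not
    # contain spaces, so the ACEs are concatenated directly.
    param([Parameter(Mandatory)][string[]]$Account)
    $aces = foreach ($name in $Account) {
        $nt  = New-Object System.Security.Principal.NTAccount($name)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    return "D:" + ($aces -join "")
}

# Users allowed to connect (hypothetical group).
$userSddl = ConvertTo-FirewallSddl -Account 'kpl\WinRM-Admins'

# Computers allowed to connect (hypothetical group plus one computer account).
# A computer account's SAM account name carries a trailing '$'.
$machineSddl = ConvertTo-FirewallSddl -Account 'kpl\WinRM-Clients', 'kpl\PC01$'

$rules = 'Windows Remote Management (HTTP-In)',
         'Windows Remote Management - Compatibility Mode (HTTP-In)'

foreach ($r in $rules) {
    # -Authentication Required means only IPsec-authenticated traffic matches,
    # which is what makes the user and machine identities checkable here.
    Set-NetFirewallRule -DisplayName $r -Profile Domain -Enabled True `
        -Authentication Required `
        -RemoteUser $userSddl -RemoteMachine $machineSddl
}

# Verify: both SDDL strings should be present; 'Any' would mean no restriction.
Get-NetFirewallRule -DisplayName $rules | ForEach-Object {
    $f = $_ | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule           = $_.DisplayName
        Authentication = $f.Authentication
        RemoteUser     = $f.RemoteUser
        RemoteMachine  = $f.RemoteMachine
    }
}
```

The -RemoteMachine filter is evaluated against the computer identity established by the IPsec rule's Phase 1 (machine Kerberos) authentication, so the IPsec rule from the post must stay in place for it to take effect.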