least privilege account for WinRM remote calls on Windows 2008 Server

Posted by aldrin on Server Fault See other posts from Server Fault or by aldrin
Published on 2010-03-18T18:04:56Z Indexed on 2010/03/18 18:11 UTC
Read the original article Hit count: 1349

Filed under:

windows-server-2008

|

winrs

|

user-management

|

security

ServerFault Windows experts: please consider the following use case:

I have 2 Windows 2008 Server SP2 boxes let’s call them – SOURCE, CLIENT.
On SOURCE: I create a new user called 'normal'. Just a plain user - no special privileges.
On CLIENT: I run the following from a command prompt winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:normal -p:NormalPassword
I get an output containing WSManFault: Message = Access is denied.
On CLIENT: I repeat step 3 with the administrator identity, i.e. winrm get wmi/root/cimv2/Win32_UTCTime -r:SOURCE -u:Administrator -p:AdminPassword
I get the current UTC time at SOURCE.

The question is, what are the least privileges I need to assign to the user 'normal' to ensure that Step 3 behaves like Step 5. In other words, what's the least privilege to enable WinRM access for a non-Admin account?

© Server Fault or respective owner

Related posts about windows-server-2008

Password policy problem windows server 2008

as seen on Server Fault - Search for 'Server Fault'
Hi, I'm creating a domain and I need to make users that can have an empty password but administrators have to comply with password complexity how to I solve this problem? Thanks in advance >>> More
SAP DCOM Connector on Windows Server 2008

as seen on Stack Overflow - Search for 'Stack Overflow'
Does anybody know, if it is possible to use the "old" SAP DCOM Connector on a Windows Server 2008 ? I want to migrate a old ASP Web Solution with DCOM Connection to SAP from Windows 2000 Server to Windows 2008 Server. When I try to install the DCOM Connector I get the Error Message: "Setup could… >>> More
Windows Server 2008 R2: AD Module for Windows PowerShell

as seen on Internet.com - Search for 'Internet.com'
Windows Server 2008 R2 includes a new Active Directory module for Windows PowerShell, a consolidated group of 76 cmdlets that can perform a host of tasks against Active Directory's various services. >>> More
Windows Server 2008 Directory Services, Group Policy Preferences - More Control Panel Settings

as seen on Internet.com - Search for 'Internet.com'
In Windows Server 2008, Group Policy Preferences makes it possible to reap the chief benefits of an Active Directory environment by simplifying client management. Control Panel Settings nodes in the Group Policy Management Editor makes this possible. >>> More
Windows Server 2008 R2: Introducing the AD Administrative Center

as seen on Internet.com - Search for 'Internet.com'
The Active Directory Administrative Center in Windows Server 2008 R2 is a significant improvement over its predecessor. Although not without limitations, it offers beefed-up management of AD objects, new navigation capabilities, better task-based management options, and improvements to the properties… >>> More

Related posts about winrs

wuinstall doesn't work with winrs

as seen on Server Fault - Search for 'Server Fault'
I've been having issues with psexec so I've been migrating to use winrs (part of the winrm system). It's a very nice remoting tool which is proving to be more reliable then psexec. Wuinstall is used to install available windows updates. The two however don't play well together. I'm working on a verity… >>> More
least privilege account for WinRM remote calls on Windows 2008 Server

as seen on Server Fault - Search for 'Server Fault'
ServerFault Windows experts: please consider the following use case: I have 2 Windows 2008 Server SP2 boxes let’s call them – SOURCE, CLIENT. On SOURCE: I create a new user called 'normal'. Just a plain user - no special privileges. On CLIENT: I run the following from a command prompt winrm get… >>> More
Increase number of concurrent shells in PowerShell V2

as seen on Server Fault - Search for 'Server Fault'
I'd like to increase number of concurrent shells in PowerShell V2.I tried using the following command ,but I got no luck.The error I got is" Error: Invalid use of command line. Type "winrm -?" for help." Can someone shine some light? winrm set winrm/config/winrs @{MaxShellsPerUser="50"} >>> More
Increase number of concurrent shells in PowerShell V2

as seen on Stack Overflow - Search for 'Stack Overflow'
I'd like to increase number of concurrent shells in PowerShell V2.I tried using the following command ,but I got no luck.The error I got is" Error: Invalid use of command line. Type "winrm -?" for help." Can someone shine some light? winrm set winrm/config/winrs @{MaxShellsPerUser="50"} >>> More