Windows Server Setup
(Note: most of the details here were culled from https://github.com/xebialabs/overthere/#cifs_host_setup)

(If the remote host is running Windows Server 2003 R2, you will need to enable WinRM. As the Administrator user, go to the Add/Remove System Components feature in the Control Panel and add WinRM under the section Management and Monitoring Tools.)

You can use "winrm quickconfig" to set this up, or follow the instructions on Richard Downer's blog; he also has a PowerShell script that does it all in one step.

This command will set up an HTTPS listener for WinRM connections:

```
winrm qc -transport:https
```

TODO: after this, is it still necessary to set AllowUnencrypted, Basic auth, etc.?
- On the remote host, as the Administrator user, open PowerShell ISE as Administrator and follow the steps below.

- Configure WinRM to allow basic authentication:

```
winrm set winrm/config/service/Auth '@{Basic="true"}'
```

- Configure WinRM to allow unencrypted SOAP messages. This is only needed if clients will connect over plain HTTP (port 5985); with an HTTPS listener the traffic is already protected by TLS, and leaving it at false keeps Basic-auth credentials from crossing the wire in clear text:

```
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
```

- Configure WinRM to provide enough memory to the commands that you are going to run, e.g. 1024 MB:

```
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'
```
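The same three service settings can be applied from PowerShell through the WSMan: drive instead of the winrm.cmd syntax above. The script below is an added example and is not part of this wiki or of the overthere project; it assumes Windows PowerShell 2.0 or later running elevated with the WinRM service started, and the two parameters ($MaxMemoryPerShellMB, $AllowUnencrypted) are names chosen for this script, not WinRM names. It defaults AllowUnencrypted to false and warns if you turn it on while an HTTPS listener already exists.

```powershell
# Added example (not from the wiki): apply the three WinRM service settings
# above via the WSMan: provider, then read the effective values back.
# Assumes an elevated Windows PowerShell session and a running WinRM service.
param(
    # Memory cap per remote shell, as on the wiki (1024 MB).
    [int]$MaxMemoryPerShellMB = 1024,
    # The wiki sets this to true. Leave it $false when clients connect over
    # HTTPS: TLS already protects the SOAP payload and the Basic credentials.
    [bool]$AllowUnencrypted = $false
)

$ErrorActionPreference = 'Stop'

# 1. Basic authentication on the service side (required by the overthere client).
Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $true

# 2. Unencrypted SOAP messages: only matters for plain-HTTP (port 5985) clients.
$hasHttps = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($AllowUnencrypted -and $hasHttps) {
    Write-Warning 'An HTTPS listener exists; AllowUnencrypted=true is unnecessary and weakens the host.'
}
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $AllowUnencrypted

# 3. Memory available to each remote shell (the winrm/config/winrs setting).
Set-Item -Path WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value $MaxMemoryPerShellMB

# Read the effective values back so the change is visible in the session log.
'Service\Auth\Basic', 'Service\AllowUnencrypted', 'Shell\MaxMemoryPerShellMB' |
    ForEach-Object {
        $item = Get-Item -Path "WSMan:\localhost\$_"
        '{0,-30} = {1}' -f $_, $item.Value
    }
```

Run it as `.\Set-RundeckWinRM.ps1` (any file name works) to get the wiki's settings with AllowUnencrypted left off, or add `-AllowUnencrypted $true` to reproduce the wiki exactly.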
To use the WINRM_HTTPS connection type, follow the steps below:
- (optional) Create a self-signed certificate for the remote host by installing selfssl.exe from the IIS 6 Resource Kit and running the command below, or by following the instructions in this blog post by Hans Olav:

```
C:\Program Files\IIS Resources\SelfSSL>selfssl.exe /T /N:cn=HOSTNAME /V:3650
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?Y
The self signed certificate was successfully assigned to site 1.
```

(nb: Got an error, but the certificate is shown when searched for. Perhaps due to IIS not being installed?)

(lwt: If you get a "You must provide a value expression on the right-hand side of the" error in PowerShell, run the command in the MS-DOS command prompt app.)
- Open a PowerShell window and enter the command below to find the thumbprint of the certificate for the remote host:

```
PS C:\Windows\system32> Get-ChildItem cert:\LocalMachine\Root\ | Select-String -pattern HOSTNAME

[Subject]
  CN=HOSTNAME

[Issuer]
  CN=HOSTNAME

[Serial Number]
  527E7AF9142D96AD49A10469A264E766

[Not Before]
  5/23/2011 10:23:33 AM

[Not After]
  5/20/2021 10:23:33 AM

[Thumbprint]
  5C36B638BC31F505EF7F693D9A60C01551DD486F
```
- Create an HTTPS WinRM listener for the remote host using the certificate you've just found:

```
winrm create winrm/config/Listener?Address=*+Transport=HTTPS '@{Hostname="HOSTNAME"; CertificateThumbprint="THUMBPRINT"}'
```

(The single quotes around the @{...} hashtable are required in PowerShell, as in the winrm set commands above; drop them if you run this from cmd.exe.)

If you get an access denied error, you are probably hitting this issue: http://www.symantec.com/business/support/index?page=content&id=TECH200047
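The certificate lookup, listener creation and firewall rule above can be done in one elevated PowerShell session without copying the thumbprint by hand. The script below is an added example, not part of this wiki or of the overthere project. It assumes the certificate was issued with CN=<hostname> (for example by selfssl as above) and has its private key in the LocalMachine\My store, that selfssl's /T option has also placed it in the Trusted Root store so that the final Test-WSMan call can validate it, and that the firewall is the built-in Windows Firewall managed by netsh advfirewall (Windows Server 2008 or later). $HostName is a parameter of this script.

```powershell
# Added example (not from the wiki): locate the host certificate by subject,
# (re)create the HTTPS WinRM listener, open TCP 5986 and verify the listener.
param(
    [string]$HostName = [System.Net.Dns]::GetHostName()
)
$ErrorActionPreference = 'Stop'

# Find the certificate by subject instead of pasting a thumbprint. Assumes it
# lives in LocalMachine\My with a private key; prefer the longest-lived match.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -ieq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject CN=$HostName and a private key in LocalMachine\My"
}
"Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Remove any existing HTTPS listener, then create one bound to this certificate
# (the WSMan: provider equivalent of the 'winrm create ...' command above).
Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }
New-Item -Path WSMan:\localhost\Listener -Address * -Transport HTTPS `
    -HostName $HostName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Open inbound TCP 5986 only; 5985 (plain HTTP) stays closed so Basic-auth
# credentials never travel without TLS.
netsh advfirewall firewall add rule name=WinRM-HTTPS-5986 dir=in action=allow protocol=TCP localport=5986 | Out-Null

# Verify: Test-WSMan performs an unauthenticated Identify request over TLS and
# fails if the listener is missing or the certificate is not trusted locally.
Test-WSMan -ComputerName $HostName -UseSSL -Port 5986
```

If Test-WSMan fails with a certificate error, the self-signed certificate is not in the machine's Trusted Root store; that is the same trust problem a remote client will hit, so fix it here rather than disabling certificate checks on the client.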
Full config after these steps, as produced by winrm g winrm/config:

```
C:\Users\Administrator>winrm g winrm/config
Config
    MaxEnvelopeSizekb = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 15
        EnumerationTimeoutms = 60000
        MaxConnections = 25
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 180000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 15
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 5
```
Check the configured listeners with:

```
PS C:\Windows\system32> winrm enumerate winrm/config/listener
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = rundeck.rundeck.org
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ListeningOn = 10.1.2.3, 127.0.0.1
```
- Set up user accounts. Add any users needed, add them to the Administrators group, and configure passwords.
- Open the firewall. If you used

```
winrm qc -transport:https
```

then it should have opened the firewall for you. Otherwise, go to Server Manager and add a new rule to allow inbound TCP access on port 5986.
- Create a local, non-domain account, named something like "rundeck". The overthere library doesn't support using domain accounts.
- As Administrator, run

```
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
```

This disables the UAC remote restrictions on local accounts, so a local administrator such as the rundeck account receives a full administrator token over WinRM instead of a filtered one. Note that it applies to every local administrator account on the host, not only the one used by Rundeck.
- Reboot the machine.
- Rerun

```
winrm quickconfig
```

For some reason, even if you do the config the long way, a quickconfig is needed to clean something up.
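Once the host is back up, the following script audits it against the end state this page describes and flags the settings that widen exposure (the HTTP listener, AllowUnencrypted, and LocalAccountTokenFilterPolicy). It is an added example and is not part of this wiki or of the overthere project; it assumes an elevated Windows PowerShell session on the server, the WSMan: drive, and the built-in Windows Firewall queried through netsh advfirewall. The PASS/WARN/FAIL labels and the Add-Finding helper are inventions of this script.

```powershell
# Added example (not from the wiki): post-reboot audit of the WinRM host.
# Prints one PASS/WARN/FAIL/INFO line per check; nothing is changed.
$ErrorActionPreference = 'Stop'
$report = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Level, [string]$Text) {
    $report.Add(('{0,-4} {1}' -f $Level, $Text))
}

# Listeners: the wiki wants HTTPS on 5986. An HTTP listener on 5985 is what
# makes AllowUnencrypted dangerous, so call it out.
$listeners = Get-ChildItem -Path WSMan:\localhost\Listener
$https = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
$http  = $listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' }
if ($https) { Add-Finding 'PASS' 'HTTPS listener present' } else { Add-Finding 'FAIL' 'no HTTPS listener' }
if ($http)  { Add-Finding 'WARN' 'HTTP listener (5985) is also enabled' }

# Service authentication settings from the steps above.
$basic = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
$unenc = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
if ($basic -eq 'true') { Add-Finding 'PASS' 'Service Basic auth enabled (needed by the overthere client)' }
else { Add-Finding 'FAIL' 'Service Basic auth disabled' }
if ($unenc -eq 'true') {
    # Clear-text Basic credentials are only reachable if an HTTP listener exists.
    $level = if ($http) { 'FAIL' } else { 'WARN' }
    Add-Finding $level 'AllowUnencrypted=true: Basic credentials may cross the wire in clear text over HTTP'
} else { Add-Finding 'PASS' 'AllowUnencrypted=false' }

# LocalAccountTokenFilterPolicy: required by the wiki for the local rundeck
# account, but it lifts UAC remote restrictions for every local administrator.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($policy -eq 1) { Add-Finding 'WARN' 'LocalAccountTokenFilterPolicy=1: all local administrators get a full token remotely' }
else { Add-Finding 'FAIL' 'LocalAccountTokenFilterPolicy not set: the local rundeck account will get a filtered token' }

# Local administrators: list them so the rundeck account and any leftovers are visible.
$admins = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
Add-Finding 'INFO' ('Local Administrators: ' + ($admins -join ', '))

# Firewall: some inbound rule must mention TCP 5986 (heuristic over netsh output).
$rule = netsh advfirewall firewall show rule name=all |
    Select-String -SimpleMatch 'LocalPort:' |
    Where-Object { $_ -match '\b5986\b' }
if ($rule) { Add-Finding 'PASS' 'firewall rule for port 5986 found' }
else { Add-Finding 'FAIL' 'no firewall rule mentions port 5986' }

$report
```

Run it after the final quickconfig; a WARN for LocalAccountTokenFilterPolicy is expected with this setup, while a FAIL for AllowUnencrypted means plain-HTTP Basic auth is reachable and the HTTP listener should be removed or AllowUnencrypted set back to false.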