WinRM Config - Soverance/Exodus GitHub Wiki

Create and apply a WinRM Group Policy to the Domain

Exodus Data Service requires that WinRM be enabled on all machines that will interact with the Exodus service. The preferred method is to do this via Group Policy within an Active Directory domain. Enabling WinRM requires three major configurations: setting the WinRM service to auto-start, allowing the WinRM service through the firewall, and finally whitelisting IP addresses allowed to connect to the WinRM service. All three of these configurations can be placed into the same GPO, and it is recommended to do just that.

Configure WinRM service to auto-start

  • Computer Configuration -> Preferences -> Control Panel Settings -> Services

Add a new service to the GPO, targeting the Windows Remote Management (WinRM) service with the Action type "Start service". You can leave the other settings at default (which should be "No Change").

Configure WinRM inbound firewall rule

  • Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Defender Firewall with Advanced Security -> Inbound Rules

Add a new inbound rule targeting the Windows Remote Management service, which runs over TCP port 5985. You should select the predefined ruleset available for this service. Allow the WinRM service on the Domain firewall profile (do not allow this service on Public or Private profiles). Leave all other settings at default.

Whitelist WinRM connection addresses

  • Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> Allow remote server management through WinRM

Set the policy to Enabled, and apply either an IPv4 or IPv6 filter as necessary. To enhance security, Soverance recommends using a limited IP range within your network.
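
Once the GPO has applied, the three settings can be verified on a target machine. The following read-only check is an added example, not part of the Exodus project; it assumes an elevated PowerShell session on a domain-joined machine, and the New-Result helper is a hypothetical name introduced here.

```powershell
# Added example: read-only audit of the three WinRM settings configured by the GPO above.
# Run elevated on a target machine after the policy has applied (gpupdate /force).

function New-Result($Check, $Detail, $Pass) {   # hypothetical helper for uniform output
    [pscustomobject]@{ Check = $Check; Detail = $Detail; Pass = [bool]$Pass }
}

# 1. Service: should be set to start automatically and be running.
$svc = Get-Service -Name WinRM
New-Result 'Service' "StartType=$($svc.StartType); Status=$($svc.Status)" `
    ($svc.StartType -eq 'Automatic' -and $svc.Status -eq 'Running')

# 2. Firewall: every enabled inbound allow rule for TCP 5985 in the effective
#    (local + GPO) rule set should be scoped to the Domain profile only.
#    Rules that allow all ports ("Any") are not matched by this filter.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '5985'
    }
if (-not $rules) {
    New-Result 'Firewall' 'No enabled inbound allow rule for TCP 5985' $false
}
foreach ($r in $rules) {
    # Profile is a flags enum; anything other than exactly Domain (Any, Private,
    # Public, or a combination) exposes WinRM beyond the domain profile.
    New-Result 'Firewall' "$($r.DisplayName) [Profile=$($r.Profile)]" ($r.Profile -eq 'Domain')
}

# 3. Policy: "Allow remote server management through WinRM" writes these values.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $pol -or $pol.AllowAutoConfig -ne 1) {
    New-Result 'Policy' 'Policy not enabled (AllowAutoConfig is not 1)' $false
} else {
    foreach ($name in 'IPv4Filter', 'IPv6Filter') {
        $value = $pol.$name
        if ([string]::IsNullOrEmpty($value)) {
            New-Result $name 'Empty (no addresses for this protocol)' $true
        } else {
            # A filter of * places no restriction; flag it so it can be narrowed.
            New-Result $name "Filter=$value" ($value -ne '*')
        }
    }
}
```

A Pass value of False on a Firewall or filter row identifies the setting to tighten in the GPO rather than on the individual machine.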