💼 Management Samenvatting
Remote shell access (WinRM/PowerShell Remoting) moet worden uitgeschakeld op workstations om lateral movement attacks te voorkomen.
Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
7/10
Implementatie
2u (tech: 1u)
Van toepassing op:
✓ Windows 10
✓ Windows 11
✓ Windows 11
REMOTE SHELL is LATERAL MOVEMENT VECTOR: Attackers gebruik WinRM/PowerShell Remoting voor: Executing commands op compromised machines, Spreading malware over network, credential harvesting via remote sessies. WORKSTATIONS DON'T NEED INBOUND SHELL: Users don't remotely beheren each other's machines, Intune gebruikt alternative protocols. Disabling is aanvalsoppervlak reduction.
PowerShell Modules Vereist
Primary API: Intune / groep beleid
Connection:
Required Modules:
Connection:
ServiceRequired Modules:
Implementatie
Schakel uit WinRM service op workstations: Set-Service WinRM -StartupType Disabled. Local PowerShell blijft werken.
Vereisten
- Windows 10/11 workstations
- Verify: No inbound remoting needed
Implementatie
Gebruik PowerShell-script allow-remote-shell-access-is-set-to-disabled.ps1 (functie Invoke-Remediation) – Schakel uit WinRM service.
Schakel uit WinRM service via Intune of GPO. toepassen to workstations only.
Monitoring
Gebruik PowerShell-script allow-remote-shell-access-is-set-to-disabled.ps1 (functie Invoke-Monitoring) – Verifieer WinRM disabled.
Compliance en Auditing
- CIS Windows - aanvalsoppervlak reduction
- BIO 12.06
Remediatie
Gebruik PowerShell-script allow-remote-shell-access-is-set-to-disabled.ps1 (functie Invoke-Remediation) – Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows Hardening (L1) - WinRM disabled
- BIO: 12.06.01 - aanvalsoppervlak reduction
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Security Options: Remote Shell Access Disabled
.DESCRIPTION
CIS - Remote shell (WinRS) access disabled.
.NOTES
Filename: winrs-disabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowRemoteShellAccess|Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service"; $RegName = "AllowRemoteShellAccess"; $ExpectedValue = 0
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "winrs.ps1"; PolicyName = "Remote Shell"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Disabled"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Remote shell disabled" }else { $r.Details += "Remote shell enabled" } }else { $r.IsCompliant = $true; $r.Details += "Default" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Remote shell disabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
High: Hoog risico: WinRM ingeschakeld is lateral movement vector. Schakel uit op workstations.
Management Samenvatting
Schakel uit WinRM/remote shell op workstations. voorkomt lateral movement. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.02 FTE