Depending on your environment, up to five steps are required you to completely disable PowerShell remoting on a Windows computer. These include blocking remote access to session configurations with Disable-PSRemoting, disabling the WinRM service, deleting the listener, disabling firewall exceptions, and setting the value of the LocalAccountTokenFilterPolicy to 0.
- OpenVPN IPv6 and IPv4 configuration - Mon, Mar 1 2021
- 4sysops author and member competition 2020 - Fri, Jan 1 2021
- Assign an IPv6 address to an EC2 instance (dual stack) - Tue, Dec 15 2020
Disabling remote access with Disable-PSRemoting ^
With the help of the Disable-PSRemoting cmdlet, you can block remote access to all session configurations on the local computer. This prevents remote users from creating PowerShell sessions (PSSessions) on the local computer.
To view the current access rights, you can run this command:
Get-PSSessionConfiguration | Format-Table -Property Name, Permission
To disable remote access to all PowerShell session configurations, you can execute Disable-PSRemoting from an elevated PowerShell console:
The -Force parameter suppresses the usual confirmation prompts.
If you check the rights configuration again now, you will notice that remote users no longer have access.
See Microsoft's documentation for more details about Disable-PSRemoting.
Note that running Disable-PSRemoting does not prevent local users from creating PowerShell sessions on the local computer or remote computers.
The warning messages you see after executing Disable-PSRemoting indicate you should take a few more steps to disable PowerShell remoting. However, these steps only add extra security. After running Disable-PSRemoting, it is no longer possible to establish remote PowerShell connections.
Stop and disable the WinRM service ^
The Windows Remote Management (WinRM) service is Microsoft's implementation of the WS-Management (WS-Man) protocol introduced in Windows before PowerShell. It allows remote management of hardware and operating systems.
In Windows, the service is not only necessary for PowerShell remoting but also for remote server management with Server Manager (since Windows Server 2012). In addition, third-party products might rely on the service. This is why Disable-PSRemoting can't simply disable the service. Note that most of the Remote Server Administration Tools (RSAT) use the Distributed Component Object Model (DCOM) protocol and therefore don't depend on the WinRM service.
On Windows servers, the WinRM service starts automatically by default. On Windows workstations, the service is usually set to start automatically when you enable PowerShell remoting.
If you want to stop and disable the service for security reasons, you can do so in the Services snap-in (type "services" in the Start menu), or you can use PowerShell:
Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled -PassThru
The -PassThru parameter lets us see the result of the command.
Delete the listener ^
The third recommendation that Disable-PSRemoting gives is to delete the listener that accepts requests on any IP address. For PowerShell remoting, you can have multiple listeners on different TCP ports that process the WS-Man requests. For instance, you can have a listener for HTTP (the default) or one for HTTPS.
If you disabled the WinRM service as explained above, this disables the listener as well. If you need a listener on another port for an application other than PowerShell, you have to keep the WinRM service running. You can delete just the HTTP listener to improve security (assuming you already blocked remote access to the PowerShell session configurations).
Also note that Server Manager uses the same listener for remote server management as PowerShell remoting. To display the available listeners you can run this command:
Once you know the name of the listener, you can remove it with the next PowerShell command.
Remove-Item -Path WSMan:\Localhost\listener\<Listener name>
To remove all listeners, you can use this command:
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
Another security benefit of removing the listener(s) is that if someone starts the WinRM service, this will also activate the listener. However, if you delete the listener before you disable the service, you have to add the listener again with the Enable-PSRemoting cmdlet.
Disable the firewall exceptions ^
The third recommendation of the Disable-PSRemoting cmdlet is to disable the firewall exceptions for WS-Management communications. The default TCP ports for the listener are 5985 (HTTP) and 5986 (HTTPS). A while back, Microsoft changed the ports from 80 and 443 to the new ports for security reasons and probably due to conflicts with web servers.
Enabling PowerShell remoting through Enable-PSRemoting automatically opens port 5895 in the Windows Firewall. To disable the firewall exceptions, you can use the Windows Firewall with Advanced Security MMC snap-in (type "firewall" in the Start menu) and search for Windows Remote Management (HTTP-In) rules. There is one rule for the network profile domain (private) and one for public ones. Click Inbound Rules, then right-click each rule and select Disable.
Alternatively, you can use PowerShell:
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled
This command disables both rules.
Note: If the language of your Windows installation is not English, you can use the Name parameter instead of DisplayName. See comment below.
LocalAccountTokenFilterPolicy token ^
The last point of the Disable-PSRemoting warning message is misleading:
Restore the value of the LocalAccountTokenFilterPolicy to 0, which restricts remote access to members of the Administrators group on the computer.
On computers that are not members of an Active Directory domain, Enable-PSRemoting adds the LocalAccountTokenFilterPolicy registry entry to the location below and sets the value to 1.
The purpose of this registry setting is to ensure users can't execute remote commands with an administrator access token without triggering a User Account Control (UAC) prompt that wouldn't display on the administrator's remote console. Setting LocalAccountTokenFilterPolicy to 0 prevents remote PowerShell sessions entirely.
This registry key does not affect computers that are members of an Active Directory domain. In this case, Enable-PSRemoting does not create the key, and you don't have to set it to 0 after disabling remoting with Disable-PSRemoting. If an administrator establishes a remote PowerShell session to a domain member, this will automatically elevate the remote commands on the remote machine.
You can use the PowerShell command below to change the setting on a standalone machine:
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0