How safe is it to enable WinRM / PSRemoting on an internet-facing machine?

Generally speaking, you should never open anything from the Internet to a production server, unless it is a service that you want the public to use. If the machine is a webserver, then only port 80 should be open to it. If no other ports are open through the firewall to it, then there is no way for an attacker to get in.

A VPN would be the best solution, requiring users to authenticate and then access the production systems only from the inside. A VPN is far more flexible and secure than any other method.


A couple of things that might help:

  1. Add your clients to the TrustedHosts list.

    Set-Item wsman:\localhost\Client\TrustedHosts -Value Server01.Domain01.Fabrikam.com
    
  2. Create a log scanning script that pulls bad IPs from your logs and creates firewall rules to block those IPs. (Excuse my PS writing technique :-) )

    Get the contents of a file which has the bad IPs listed in the activity log. I created a script which scanned my proprietary web log file and found clients probing my web server, so I dropped their IPs into the badips.txt file.

    $ips = get-content c:\powershell\utilities\badips.txt
    

    Now I create a firewall rule to block the bad IP address.

    foreach ($i in $ips){
    [string]$rulename = "disallow-" + $i
    [string]$remoteip = $i + "/32"
    [string]$description = $i
    

    Getting the list of bad IPs that already have a blocking rule

    $processed = get-content c:\powershell\utilities\processedips.txt
    

    Checking against the list to see if the IP is already blocked

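    # Exact comparison: Select-String treats the IP as a regex, so 1.2.3.4 would also match 11.2.3.45
    $count = @($processed | Where-Object { $_.Trim() -eq $i }).Count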
    

    If this is a new IP address, create a firewall rule and add IP to the processed list text file

    if ($count -lt 1){
    # Call netsh directly with separate arguments instead of building a string for Invoke-Expression
    netsh advfirewall firewall add rule "name=$rulename" action=block enable=yes localip=any dir=in profile=public "remoteip=$remoteip" "description=$description"
    $i|add-content c:\powershell\utilities\processedips.txt
    }}
    

This doesn't really answer your question about how protected your server will be but gives you two more items to limit potential threats.
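
The following is an added example and not part of the answer above: a hardened variant of the block-list script that validates each entry before it reaches the firewall, since the list is derived from attacker-influenced log data. It swaps netsh for the `New-NetFirewallRule` cmdlet (NetSecurity module, Windows Server 2012 and later); the function names `Test-BlockableIPv4` and `Add-BlockRule` and the `$AllowList` address are assumptions made for illustration.

```powershell
# Added example: hardened variant of the block-list script (not the answerer's code).
# The $AllowList entry is a constructed sample; replace it with your own admin addresses.
$BadIpFile = 'C:\powershell\utilities\badips.txt'
$AllowList = @('203.0.113.10')   # addresses that must never be blocked

function Test-BlockableIPv4 {
    param([string]$Candidate, [string[]]$Allow)
    $addr = $null
    # Reject anything that is not a literal address (log-derived input is attacker-influenced)
    if (-not [System.Net.IPAddress]::TryParse($Candidate, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    # TryParse accepts short forms such as "1.2"; require the canonical dotted quad
    if ($addr.ToString() -ne $Candidate) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($addr)) { return $false }
    # Never block an address you administer from, even if it shows up in the log
    if ($Allow -contains $Candidate) { return $false }
    return $true
}

function Add-BlockRule {
    param([string]$Ip)
    $name = "disallow-$Ip"
    # The firewall itself is the record of what is blocked; no second text file to drift
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $name -Description $Ip -Direction Inbound `
        -Action Block -Profile Public -RemoteAddress $Ip | Out-Null
}

if (Test-Path $BadIpFile) {
    Get-Content $BadIpFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Sort-Object -Unique |
        ForEach-Object {
            if (Test-BlockableIPv4 -Candidate $_ -Allow $AllowList) {
                Add-BlockRule -Ip $_
            } else {
                Write-Warning "Skipping entry that is not a blockable IPv4 address: $_"
            }
        }
}
```

Run it from an elevated session; skipped entries are reported with `Write-Warning` so malformed or allow-listed lines in badips.txt are visible rather than silently dropped.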