Windows Remote Management Protocols

Windows servers can be managed locally or remotely using several built-in services and protocols. Remote management is enabled by default on Windows Server 2016 and newer. It provides administrators the ability to control, monitor, and configure systems through secure and sometimes GUI-based interfaces. This section covers the main protocols and methods used for remote management of Windows systems.


📡 RDP (Remote Desktop Protocol)

RDP is a Microsoft-developed protocol for GUI-based remote access to Windows systems. It typically uses TCP port 3389 (and optionally UDP 3389) and allows the user to control a system as if they were sitting in front of it.

🔐 Security

  • Supports TLS/SSL encryption.

  • Uses Network Level Authentication (NLA) by default on recent systems.

  • Often uses a self-signed certificate that clients cannot validate, leaving the session open to MITM attacks.

⚙️ Default Configuration

  • Installed and enabled on Windows Servers.

  • NLA required by default.

🔎 Footprinting

sudo nmap -sV -sC <IP CIBLE> -p3389 --script rdp*

Useful scripts:

  • rdp-enum-encryption: lists supported encryption layers.

  • rdp-ntlm-info: retrieves hostname, domain, and version.

🛠️ Security Checks

To manually inspect RDP handshakes:

git clone https://github.com/CiscoCXSecurity/rdp-sec-check.git
cd rdp-sec-check
./rdp-sec-check.pl <IP CIBLE>

🖥️ Connecting to RDP (Linux Example)

xfreerdp /u:<utilisateur> /p:<motdepasse> /v:<IP CIBLE>

🛑 Beware of self-signed certificate mismatches, which can trigger warnings or cause the connection to be refused.


🧩 WinRM (Windows Remote Management)

WinRM is Microsoft's implementation of the WS-Management protocol: a SOAP-based remote management service, typically driven from the command line, reachable over TCP ports 5985 (HTTP) and 5986 (HTTPS).

🧾 Features

  • Supports remote PowerShell commands.

  • Powers WinRS and Invoke-Command.

🔎 Footprinting

nmap -sV -sC <IP CIBLE> -p5985,5986

🛠️ Connect via Evil-WinRM (Linux)

evil-winrm -i <IP CIBLE> -u <utilisateur> -p <motdepasse>

🧠 WMI (Windows Management Instrumentation)

WMI provides read/write access to a wide range of system components. It is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) standard.

🛠️ Access via Impacket

/usr/share/doc/python3-impacket/examples/wmiexec.py <utilisateur>:<motdepasse>@<IP CIBLE> "hostname"

📡 Ports

  • TCP 135 (RPC endpoint mapper) for the initial DCOM connection.

  • Subsequent communication moves to a dynamically assigned high port.


🛡️ Recommendations

  • Disable RDP if it is not needed, or restrict it with ACLs.

  • Use valid certificates and strong authentication (NLA, MFA).

  • Monitor access to WinRM and WMI, and restrict it to authorised administrators only.
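As an added example (not part of these notes), a PowerShell audit run locally on the server that checks the settings the recommendations and the RDP/WinRM sections refer to: whether RDP is enabled, whether NLA and the TLS security layer are enforced, whether the RDP certificate is self-signed, and whether WinRM exposes an HTTP-only listener. It uses only built-in cmdlets, the Win32_TSGeneralSetting WMI class and the WSMan: drive; the function name is my own.

```powershell
# Added example: local audit of the remote-management surface (RDP, WinRM, WMI).
# Run from an elevated PowerShell session on the server being audited.
function Get-RemoteManagementAudit {
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- RDP enabled? fDenyTSConnections = 1 means Remote Desktop is disabled ---
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -eq 0) {
        $findings.Add('RDP is enabled; confirm it is needed and restricted by firewall/ACL.')
    }

    # --- RDP NLA and security layer, read via WMI (what rdp-ntlm-info / rdp-enum-encryption see remotely) ---
    $rdpTcp = Get-CimInstance -Namespace 'root/cimv2/terminalservices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if ($rdpTcp.UserAuthenticationRequired -ne 1) { $findings.Add('NLA is not required on RDP-Tcp.') }
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
    if ($rdpTcp.SecurityLayer -lt 2) {
        $findings.Add("RDP SecurityLayer is $($rdpTcp.SecurityLayer); TLS only (2) is recommended.")
    }

    # --- RDP certificate: self-signed when Subject equals Issuer ---
    $thumb = $rdpTcp.SSLCertificateSHA1Hash
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if ($null -eq $cert) {
        $findings.Add("RDP certificate $thumb not found in the local machine stores.")
    } elseif ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("RDP certificate is self-signed ($($cert.Subject)); clients cannot validate it.")
    }

    # --- WinRM listeners: HTTP (5985) without HTTPS (5986) is a finding ---
    if ((Get-Service -Name WinRM).Status -eq 'Running') {
        $transports = foreach ($l in Get-ChildItem 'WSMan:\localhost\Listener' -ErrorAction SilentlyContinue) {
            (Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)" | Where-Object Name -eq 'Transport').Value
        }
        if ($transports -contains 'HTTP' -and $transports -notcontains 'HTTPS') {
            $findings.Add('WinRM listens on HTTP only (5985); add an HTTPS listener with a valid certificate.')
        }
    }

    # --- WMI/DCOM: inbound WMI firewall rules open TCP 135 plus dynamic ports; scope them to admin hosts ---
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
        -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    if ($wmiRules) {
        $findings.Add("$(@($wmiRules).Count) inbound WMI firewall rule(s) enabled; restrict RemoteAddress to admin hosts.")
    }
    return $findings
}

Get-RemoteManagementAudit | ForEach-Object { Write-Output "[!] $_" }
```

An empty result means none of the checked settings deviates from the recommendations above; each finding maps to one of them.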


📚 Useful resources
