PowerShell WinRM Trusted Hosts not working
TrustedHosts doesn't do what you think it does. Unlike Unix .rhosts, this setting is for the PowerShell client, not the remote server endpoint. This is why it's found at:
WSMan:\localhost\Client
If it was relevant to the listener, it would be under the Service node.
As the other answer touches on, this is typically used in non-domain or mixed environments to prevent your client from sending an NTLM challenge-response or basic authentication attempt to an untrusted remote machine. Why? Because a remote rogue server may capture this information and use it to compromise your network. When you're in a mixed environment, the only protection available is SSL and many may opt to disable this through AllowUnencrypted = $false, again in the Client node of the WSMAN drive.
So, how do you limit incoming connections? You should have made the connection by now and started to look under the WSMAN:\localhost\Service node on the remote server. If you do this, you'll see:
   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Service

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   RootSDDL                                       ...
System.String   MaxConcurrentOperations                        4294967295
System.String   MaxConcurrentOperationsPerUser                 1500
System.String   EnumerationTimeoutms                           240000
System.String   MaxConnections                                 300
System.String   MaxPacketRetrievalTimeSeconds                  120
System.String   AllowUnencrypted                               false
Container       Auth
Container       DefaultPorts
System.String   IPv4Filter                                     *
System.String   IPv6Filter                                     *
System.String   EnableCompatibilityHttpList...                 false
System.String   EnableCompatibilityHttpsLis...                 false
System.String   CertificateThumbprint
System.String   AllowRemoteAccess                              true
Now, looking down this list, you'll see some pertinently named properties like IPv4Filter and IPv6Filter. Guess what these do ;-)
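
The following audit script is an added example, not part of the original answer: it reads the Client and Service nodes discussed above from one machine and reports the settings that leave either side wide open. The function name Get-WinRMExposure and the commented sample values are assumptions made for illustration; Microsoft's WinRM documentation describes IPv4Filter and IPv6Filter as the addresses the listeners can use, written as ranges of the form IP1-IP2.

```powershell
# Added example: run in an elevated session on Windows with the WinRM service running.
# Get-WinRMExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-WinRMExposure {
    # Each leaf under the WSMan: drive exposes its setting as a string in .Value
    $read = { param($path) (Get-Item -Path $path).Value }

    $settings = [ordered]@{
        ClientTrustedHosts      = & $read 'WSMan:\localhost\Client\TrustedHosts'
        ClientAllowUnencrypted  = & $read 'WSMan:\localhost\Client\AllowUnencrypted'
        ServiceAllowUnencrypted = & $read 'WSMan:\localhost\Service\AllowUnencrypted'
        ServiceIPv4Filter       = & $read 'WSMan:\localhost\Service\IPv4Filter'
        ServiceIPv6Filter       = & $read 'WSMan:\localhost\Service\IPv6Filter'
    }

    $findings = @()
    # Client side: which remote hosts this machine will send NTLM/basic auth to.
    if ($settings.ClientTrustedHosts -eq '*') {
        $findings += 'Client: TrustedHosts is *, credentials may be sent to any host.'
    }
    if ($settings.ClientAllowUnencrypted -eq 'true') {
        $findings += 'Client: AllowUnencrypted is true, traffic may leave in clear text.'
    }
    # Service side: settings that govern the listener on this machine.
    if ($settings.ServiceAllowUnencrypted -eq 'true') {
        $findings += 'Service: AllowUnencrypted is true, listener accepts clear text.'
    }
    if ($settings.ServiceIPv4Filter -eq '*') {
        $findings += 'Service: IPv4Filter is *, no IPv4 address restriction on listeners.'
    }
    if ($settings.ServiceIPv6Filter -eq '*') {
        $findings += 'Service: IPv6Filter is *, no IPv6 address restriction on listeners.'
    }

    [pscustomobject]@{
        Settings = [pscustomobject]$settings
        Findings = $findings
    }
}

$report = Get-WinRMExposure
$report.Settings | Format-List
$report.Findings

# Tightening each side (constructed sample values, replace with your own):
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'server01.example.test' -Force
# Set-Item WSMan:\localhost\Service\IPv4Filter  -Value '192.0.2.10-192.0.2.20'
```

Settings enforced through Group Policy cannot be changed with Set-Item; check the SourceOfValue column in the listing above before editing.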