How to enable Remote PowerShell for Oracle Java scanning on Windows
Goal
This article explains how to enable Remote PowerShell on Windows machines, setting "localhost" as the only trusted host. This configuration is necessary to safely scan computers running Windows for Oracle Java executables. The machine configuration can be accomplished through a Group Policy.
For additional details, please refer to Microsoft online help about Enable-PSRemoting.
Enable Remote Management
Create GPO to enable Remote PowerShell
- Open Group Policy Management: On a domain controller or a computer with the Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC).
- Create a Group Policy Object (GPO): Create a new GPO that applies to the computers where you want to enable remote PowerShell and set localhost as a trusted host.
- Edit this new Group Policy Object:
- Right-click on the GPO and choose "Edit".
- Navigate to
Computer Configuration
\ Policies
\ Administrative Templates
\ Windows Components
\ Windows Remote Management (WinRM)
\ WinRM Service
- Enable WinRM: Enable setting "Allow remote server management through WinRM". This allows WinRM to automatically configure listeners on the system and provide IP filter.
Make sure that Windows service "Windows Remote Management (WS-Management)" is running on all target machines.
Define Trusted Hosts
To set "localhost" as a trusted host, you need to define the TrustedHosts list. This setting is not available directly in Group Policy, but you can use Group Policy Preferences to modify the registry:
- Navigate to
Computer Configuration
\ Preferences
\ Windows Settings
\ Registry - Right-click on "Registry" and select "New => Registry Item".
- Configure the following settings:
Action: Update Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client Value name: TrustedHosts Value type: REG_SZ Value data: localhost
Go to "Common" tabulator, heck the "Apply once and do not reapply" option and save your change:
Activate and Check GPO
Force Group Policy Update: After making these changes, you need to ensure that Group Policy is applied to the target computers. You can do this by running `gpupdate /force` on the target computers or waiting for the Group Policy to update automatically according to the refresh interval.
PowerShell Execution Policy
Please ensure that execution policy for PowerShell scripts on all Windows target machines is set to a suitable level.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Authorize User Account
Open Active Directory User and Group Management console, create a domain account for the user that is configured to run the Java executable and add this user to the "Remote Management Users" group in AD:
Make sure that this membership is pushed to all relevant target machines through a group policy. This user must be in this group on all machines that will be scanned.