KBI 311998 Why PowerShell Remoting Causes Multiple Security Problems




Tuesday, 21 June 2022


This article describes why PowerShell Remoting causes multiple Security problems.

Technical Background

1.PowerShell Remoting use WinRM port 5985 and 5986

Remoting creates openings for an attacker to exploit

Leaving the ports open mean any user can remote in and do more than just copying file

2.PowerShell Remoting needs WinRM (Windows Remote Management) service

It allows user to remotely run Windows management scripts

3.No built-it logging for file copy process

Unlike “Robocopy” or “XCopy”, “Copy-Item” command does not have proper logging

4.File integrity issue

If network issue occurs while copying file, it won’t resume thus file will be corrupted

Windows tools like “Robocopy” or “XCopy” can resume once connection is reestablished

5.For HTTPS option, need to create SSL Certificate on every Virtual machine and install on Local machine