Scott W. Sander
Guest
Summary:
Does setting the following group policy setting to Disabled break Windows Event Forwarding (WEF) in a source-initiated Windows Event Collector (WEC) subscription setup? Assume that I'm not applying the setting to the WEC itself.
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM
Details:
I am working on a Windows Event Collector (WEC) + Windows Event Forwarding (WEF) setup. I am using source-initiated collection. I understand that you need to have WinRM running on both the WEC as well as any Windows computers doing WEF.
While I was doing this, since it requires some group policy settings to be pushed out (a bunch, if you include the various auditing settings), I was also looking at security hardening by following the CIS Benchmarks. One of the CIS Benchmark items (18.9.97.2.2 in the CIS Benchmark for Windows 10 1803 v1.5.0) has you disable the following setting:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM
Note that this setting is about the WinRM Service, not the WinRM Client. I am pretty sure setting that to Disabled would break WEC/WEF in a collector-initiated setup, but from my understanding of how source-initiated WEF works, the WinRM Service on the endpoints isn't required, just the Client.
Is that right? Or will enabling that setting recommended by CIS break WEF even in a source-initiated setup?
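One way to test this empirically on a pilot endpoint, as an added example that is not part of the original post: the script below reports the WinRM service state, the listener policy value, any configured listeners, the subscription manager targets, and recent forwarder events. The function name `Get-WefSourceState` is hypothetical; the registry paths and log name are assumed to be the standard policy and event-log locations, and the script is meant to run from an elevated PowerShell session.

```powershell
# Added example: endpoint-side snapshot for a source-initiated WEF client.
# Run elevated on a pilot machine before and after the GPO change and compare.
function Get-WefSourceState {
    # Policy key written by "Allow remote server management through WinRM"
    $svcPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    # Policy key written by "Configure target Subscription Manager"
    $subPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    # Source-side forwarding log
    $fwdLog = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'

    $winrm = Get-Service -Name WinRM

    # AllowAutoConfig: 0 = policy Disabled, 1 = Enabled, absent = Not Configured
    $autoConfig = (Get-ItemProperty -Path $svcPol -Name AllowAutoConfig `
                    -ErrorAction SilentlyContinue).AllowAutoConfig

    # The WSMan: drive only answers while the WinRM service is running
    $listeners = @()
    if ($winrm.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener `
                        -ErrorAction SilentlyContinue)
    }

    # Each value under the key is one "Server=...,Refresh=..." target string
    $managers = @()
    if (Test-Path -Path $subPol) {
        $key = Get-Item -Path $subPol
        $managers = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    # Most recent forwarder activity (connection, subscription, error events)
    $events = @(Get-WinEvent -LogName $fwdLog -MaxEvents 20 `
                 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        WinRMServiceStatus     = $winrm.Status
        AllowAutoConfig        = if ($null -eq $autoConfig) { 'NotConfigured' } else { $autoConfig }
        ListenerCount          = $listeners.Count
        SubscriptionManagers   = $managers
        RecentForwardingEvents = $events |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

Get-WefSourceState | Format-List
```

Comparing the output before and after the policy applies, together with the subscription's source status on the collector, shows whether forwarding continues once the endpoint has no WinRM listener.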