Windows
Description
The Windows connector connects to a Windows server via WinRM (Windows Remote Management) and uses PowerShell to discover local user accounts, local groups, group memberships, Windows services, and scheduled tasks. It supports both HTTP and HTTPS transport.
System Type Classification
| Field | Value |
|---|---|
| System Type | Server |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | Yes |
| Pro | Yes |
| Enterprise | Yes |
Windows scanning is available in all editions.
Supported Protocols
| Protocol | Port | Encryption | Recommendation |
|---|---|---|---|
| WinRM HTTP | 5985 TCP | None | Development / testing only |
| WinRM HTTPS | 5986 TCP | TLS | Recommended for production |
What OrbisID Discovers
| Data | Source |
|---|---|
| Local user accounts | Get-LocalUser / Win32_UserAccount WMI |
| Local groups | Get-LocalGroup / Win32_Group WMI |
| Group memberships | Get-LocalGroupMember |
| Domain members in local groups | Get-LocalGroupMember (external members tracked for cross-system resolution) |
| Account status (enabled/disabled) | Enabled property |
| Last logon timestamp | LastLogon property |
| Windows services | Get-CimInstance Win32_Service |
| Scheduled tasks | Get-ScheduledTask (non-Microsoft tasks only) |
Privileged Groups
The following group names are automatically classified as privileged when they are discovered:
Administrators, Backup Operators, Server Operators, Account Operators, Print Operators, Remote Management Users, Power Users, Schema Admins, Enterprise Admins, Domain Admins, Replicator
Note that Schema Admins, Enterprise Admins and Domain Admins are domain groups rather than local groups; on a domain-joined server they show up as domain members of a local group (typically Administrators), which is how the scanner sees them.
Connection Requirements
Enabling WinRM on the Target Host
Run from an elevated (Administrator) command prompt on the target host:
winrm quickconfig
This sets the WinRM service to start automatically and starts it, creates an HTTP listener on port 5985, and enables the Windows Firewall exception for it. On Windows 8 / Server 2012 and later the command refuses to open the firewall while any network connection is on the Public profile; switch that connection to Private or Domain first, or run Enable-PSRemoting -SkipNetworkProfileCheck from an elevated PowerShell, which performs the same steps and also registers the PowerShell session endpoints the scanner uses.
For HTTPS (recommended for production), configure a WinRM HTTPS listener with a valid certificate:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="<fqdn>"; CertificateThumbprint="<thumbprint>"}
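The same HTTPS listener set up end to end from PowerShell, as an added example that is not part of OrbisID's documentation or tooling: it selects a server-authentication certificate already present in the machine store, creates the listener, opens port 5986 (which winrm quickconfig does not do), and refuses unencrypted payloads and Basic authentication. The host name is derived from DNS; the firewall rule name is an assumed label. Run it in an elevated Windows PowerShell on the target host.

```powershell
# Added example (not OrbisID's own code). Run elevated on the target host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a non-expired Server Authentication certificate with a private key whose
# subject matches the host. A CA-issued certificate is required for the scanner
# to validate the server; a self-signed one only works with CA checks disabled.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Subject -like "*CN=$fqdn*" -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $fqdn in Cert:\LocalMachine\My" }

# Create the HTTPS listener; equivalent to the 'winrm create' command above.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -HostName $fqdn -Force | Out-Null

# Open TCP 5986. 'winrm quickconfig' only opens the HTTP port (5985).
# The rule name below is an assumed label.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS-In' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow -Profile Domain, Private | Out-Null
}

# Harden the service: reject unencrypted message bodies and Basic auth, which
# would otherwise send the scanning account's password in the clear over HTTP.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Once OrbisID is configured for 5986, the plaintext listener can be removed:
# Get-ChildItem WSMan:\localhost\Listener |
#     Where-Object Keys -contains 'Transport=HTTP' | Remove-Item -Recurse

# Verify the listener from the host itself. This fails if the certificate's
# chain is not trusted, which is exactly what the scanner will also hit.
Test-WSMan -ComputerName $fqdn -Port 5986 -UseSSL
```

If a domain GPO manages WinRM service settings, the two Set-Item calls are overridden at the next policy refresh; set the same values in the GPO instead.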
Credential Requirements
The scanning credential must be a local or domain account with WinRM access. The account must be a member of one of the following:
- Local Administrators group (full access), or
- Remote Management Users group + WMI namespace read access granted
For least-privilege deployments, grant the service account access to the WMI namespaces it queries. Namespace permissions are held in a security descriptor exposed through the __SystemSecurity class of each namespace; GetSD returns it in binary form, which is useful for auditing what is currently granted:
# Read the current root\cimv2 namespace security descriptor (binary form)
$sd = Get-WmiObject -Namespace root\cimv2 -Class __SystemSecurity
$binarySD = $sd.GetSD().SD
# To change it, use wmimgmt.msc (WMI Control > Properties > Security) or a GPO
# to add the account with "Enable Account" and "Remote Enable" on root\cimv2
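The same grant done from a script, as an added example rather than OrbisID's own procedure: it appends an allow ACE for the scanning account to the root\cimv2 DACL with exactly the Enable Account and Remote Enable bits, inheriting to child namespaces, and is idempotent. The account name is an assumed placeholder. It uses the WMI (not CIM) cmdlets, so run it in an elevated Windows PowerShell 5.1 on the target host.

```powershell
# Added example (not OrbisID's own code). Run elevated on the target host.
$Namespace = 'root\cimv2'
$Account   = 'CORP\svc-orbisid'   # assumed placeholder

# WMI namespace access-mask bits (WbemCli.h) and ACE constants
$WBEM_ENABLE             = 0x00001   # "Enable Account"
$WBEM_REMOTE_ACCESS      = 0x00020   # "Remote Enable"
$CONTAINER_INHERIT_ACE   = 0x2       # propagate to child namespaces
$ACCESS_ALLOWED_ACE_TYPE = 0x0
$Required = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

# Resolve the account to a SID; Translate throws if the account does not exist.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Read the current descriptor via the namespace's __SystemSecurity singleton.
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
$descriptor = $result.Descriptor

# Idempotency: stop if an allow ACE for this SID already carries both bits.
$already = $descriptor.DACL | Where-Object {
    $_.Trustee.SIDString -eq $sid -and
    $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
    (($_.AccessMask -band $Required) -eq $Required)
}
if ($already) { Write-Output "$Account already has Enable + Remote Enable on $Namespace"; return }

# Build the trustee and the ACE.
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.SIDString = $sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $Required
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the ACE and write the descriptor back.
$descriptor.DACL += $ace.PSObject.ImmediateBaseObject
$result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
    -Name SetSecurityDescriptor -ArgumentList $descriptor.PSObject.ImmediateBaseObject
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
Write-Output "Granted Enable + Remote Enable on $Namespace to $Account"
```

Keep the grant to the read-only bits shown; Method Execute, Full Write and the security-edit bits are not needed for the queries the connector runs. The account still needs to be in Remote Management Users for the WinRM endpoint itself.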
Domain Credentials
Domain accounts can be supplied as DOMAIN\username in the credential — the scanner automatically splits the domain prefix before constructing the WinRM connection.
Network Requirements
| Requirement | Detail |
|---|---|
| WinRM enabled | Run winrm quickconfig on the target |
| Port 5985 or 5986 | Must be accessible from OrbisID or the On-Premise Agent |
| PowerShell Remoting | Enabled by default on Windows Server 2012 and later; otherwise run Enable-PSRemoting, which performs the winrm quickconfig steps and registers the PowerShell session endpoints |
| Windows Firewall | Allow inbound WinRM (TCP 5985/5986) |
Configuration Steps
- Navigate to Systems in the sidebar
- Click Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., dc-prod-01) |
| Hostname / IP | WinRM-accessible hostname or IP |
| Port | 5985 (HTTP) or 5986 (HTTPS) |
| OS Type | Windows |
| System Type | Server |
| Credential | Windows account with WinRM access (DOMAIN\user or local account) |
- Click Test Connection: this runs a lightweight PowerShell Write-Output command to verify WinRM connectivity and authentication
- Click Save
Use WinRM HTTPS (port 5986) in production. Over plain HTTP, Negotiate (Kerberos/NTLM) still encrypts the message bodies, but the server is never authenticated, NTLM is exposed to relay, and Basic authentication would send the scanning account's password in the clear; TLS closes all of that and lets the scanner validate the target's certificate. Prefer an FQDN over an IP address in the Hostname field, since Kerberos needs the host's SPN and an IP address typically forces NTLM. For environments where HTTPS is not practical, consider using an On-Premise Agent deployed within the same network segment to reduce exposure.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Connection test fails: Connection refused | WinRM not enabled or port blocked | Run winrm quickconfig on the target; check firewall rules |
| Connection test fails: Access denied | Insufficient account permissions | Verify the account is in Administrators or Remote Management Users |
| Connection test fails: AuthenticationError | Incorrect credential | Verify username (include domain prefix if required) and password |
| No service or task data | PowerShell execution policy blocks script execution (it does not affect individual cmdlets) | Check the execution policy: Get-ExecutionPolicy -List; set to RemoteSigned if restricted |
| Domain group members missing | Get-LocalGroupMember unavailable (older OS) | Windows Server 2012 R2 and older do not have Get-LocalGroupMember; scanner falls back to WMI for users and groups but membership enumeration may be limited |
| Scan succeeds but no accounts | Account lacks WMI namespace access | Grant root\cimv2 namespace read access to the scanning account |
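A pre-flight script that reproduces the Test Connection step from the configuration procedure above and then exercises each discovery query from the troubleshooting table under the scanning account, as an added example that is not OrbisID's own code. It tells you, before the first scan, which data source a least-privilege account cannot read and whether the target lacks Get-LocalGroupMember. The host name and credential prompt are assumed placeholders; run it from a Windows machine that can reach the target.

```powershell
# Added example (not OrbisID's own code). Run from a client that can reach the target.
param(
    [string]$ComputerName = 'srv-app-01.corp.example',   # assumed placeholder
    [int]$Port = 5986,
    [switch]$NoSSL,                                      # only for lab checks over 5985
    [pscredential]$Credential = (Get-Credential -Message 'Scanning account (DOMAIN\user or local)')
)

# Negotiate is used for both Kerberos (FQDN) and NTLM (IP address). On HTTPS,
# TLS also authenticates the server; on HTTP only the message body is encrypted.
$sessionOpts = @{
    ComputerName   = $ComputerName
    Port           = $Port
    Credential     = $Credential
    Authentication = 'Negotiate'
    UseSSL         = (-not $NoSSL)
}

# 1. Transport + authentication check: the same thing "Test Connection" does.
try {
    $session = New-PSSession @sessionOpts -ErrorAction Stop
    $hello = Invoke-Command -Session $session -ScriptBlock {
        Write-Output "ok from $env:COMPUTERNAME as $env:USERDOMAIN\$env:USERNAME"
    }
    Write-Output "Test Connection: $hello"
} catch {
    # "Connection refused": no listener / firewall. "Access is denied": account not in
    # Administrators or Remote Management Users. Logon failure: wrong password or domain.
    throw "Test Connection failed: $($_.Exception.Message)"
}

# 2. One probe per data source the connector reads; each runs inside the session.
$checks = [ordered]@{
    'Local users (Get-LocalUser)'                 = { @(Get-LocalUser).Count }
    'Local users via WMI (Win32_UserAccount)'     = { @(Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True').Count }
    'Local groups (Get-LocalGroup)'               = { @(Get-LocalGroup).Count }
    'Administrators members (Get-LocalGroupMember)' = { @(Get-LocalGroupMember -Group Administrators).Count }
    'Administrators members via ADSI (2012 R2 fallback)' = {
        $g = [ADSI]'WinNT://./Administrators,group'
        @($g.Invoke('Members')).Count
    }
    'Services (Win32_Service)'                    = { @(Get-CimInstance Win32_Service).Count }
    'Non-Microsoft scheduled tasks'               = { @(Get-ScheduledTask | Where-Object TaskPath -notlike '\Microsoft\*').Count }
}

$report = foreach ($name in $checks.Keys) {
    try {
        $n = Invoke-Command -Session $session -ScriptBlock $checks[$name] -ErrorAction Stop
        [pscustomobject]@{ Check = $name; Result = "$n item(s)" }
    } catch {
        # A WMI probe failing with "Access denied" while Get-LocalUser works means the
        # root\cimv2 namespace grant is missing; a "not recognized" cmdlet means old OS.
        [pscustomobject]@{ Check = $name; Result = "FAILED: $($_.Exception.Message)" }
    }
}
Remove-PSSession $session
$report | Format-Table -AutoSize
```

If New-PSSession fails over HTTPS with a certificate error, fix the trust chain rather than adding -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck): skipping the checks gives you an encrypted connection to whoever answers on port 5986, which is the exposure HTTPS is meant to remove.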