WS-Man (Web Services for Management) 1.2 Published

  • Article

The DMTF recently published the Web Services for Management (WS-Man) standard version 1.2. This release of the WS-Man specification clarifies support for the latest encryption protocols, which has been required by organizations and governmental agencies such as the US Government NIST program.

WS-Man is a SOAP-based protocol that can be used with any transport, although it is primarily used with HTTP and HTTPS.  The older versions of the WS-Man specification made specific references to older versions of TLS (Transport Layer Security) that have proven to be insufficient.  The updated version more clearly decouples the protocol and the transport to ensure that interoperability is not dependent on specific versions of encryption algorithms, including TLS.  There is no functional change with the updated WS-Man 1.2 specification.  

Microsoft, an active member of the DMTF, contributed and edited the updated WS-Man specification. The Microsoft implementation of WS-Man is known as Windows Remote Management (WinRM), and has been a part of Windows since Windows 7 / Windows Server 2008 R2.  The WinRM implementation of WS-Man conforms with the latest NIST requirements described in NIST Special Publication 800 -52r1 . WinRM leverages HTTP.SYS, which implements and enables configuration of the most recent and industry-standard secure transport protocol layer, as described in these two articles:

· Configuring WINRM for HTTPS

· The Configuring WinRM to Use HTTPS section of Configuration and Security

Note that if HTTPS is not used, WinRM still encrypts the payload over HTTP by default unless explicitly set to not use encryption.

WinRM has been, and should continue to be relied on in secure environments that are configured to meet the government and industry recommended cryptographic algorithms. Due to the lack of clarity in the previous releases of the WS-Man specification, some users were confused about whether or not WS-Man and WinRM supported recent and more secure implementations of the Transport-Layer Security (TLS), which it does. While this has not been an issue for the Microsoft implementation in WinRM, the WS-Man version 1.2 specification update has addressed that, and removed the confusing elements.

Steve Lee
Principal Engineering Manager
Windows Server

Keith Bankston
Senior Program Manager
Windows Server

Comments

  • Anonymous
    November 24, 2014
    Hi I have install a windows service The service embeds a power shell cmdlts to invoke it on remote computer I get access denied exception At the same time if i run same cmdlts from cmd console it runs successful ly I have logged in as administrator It seems the policies for local service and administrator are different Please Help Regards

  • Anonymous
    November 25, 2014
    The comment has been removed