Status: DRAFT
On Windows, WinRM is roughly the equivalent of SSH. It enables remote shells and remote command execution. Microsoft is also working on SSH for Windows, but it has not been released yet.
Unfortunately, WinRM is a lot more work to set up than SSH, and you have to get all of the details right, because there are strict requirements for the certificates used for authentication.
One of the major drawbacks of WinRM is that it does not verify the identity of the server by default. If a server responds to the hostname you entered, the client will happily make a connection. If you use Basic or Negotiate authentication (which are both enabled by default), and the server forces the use of one of these methods, sensitive information that can be used to impersonate you will be sent to the server:
Basic: Your username and password are sent to the server. This allows the server to impersonate you indefinitely.
Negotiate: If you are not in a domain, NTLM will be used. In that case, the encrypted challenge will be sent to the server as your response. Using this response, the server can impersonate you for a single session.
This manual contains steps to switch to public key infrastructure (PKI) authentication exclusively. This ensures that neither the client nor the server blindly allows connections to unknown hosts, and that no secrets are sent to the other machine.
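To see where a machine stands before making that switch, the following check lists every WinRM authentication method and flags the ones this introduction warns about. It is an added example, not part of the original manual; the function name Get-WinRMAuthAudit and the wording of the findings are hypothetical, and it assumes an elevated PowerShell session with the WinRM service running.

```powershell
# Added example: report which WinRM authentication methods are enabled locally.
# Reads the live configuration through the WSMan: drive and changes nothing.
function Get-WinRMAuthAudit {
    param(
        # 'Client' covers outgoing connections, 'Service' covers the local listener.
        [ValidateSet('Client', 'Service')]
        [string]$Role = 'Client'
    )

    # Methods that hand reusable secrets to whichever server answers.
    $risky = 'Basic', 'Negotiate'

    Get-ChildItem -Path "WSMan:\localhost\$Role\Auth" |
        # Keep only boolean settings; Service\Auth also holds CbtHardeningLevel.
        Where-Object { $_.Value -in 'true', 'false' } |
        ForEach-Object {
            $enabled = [System.Convert]::ToBoolean($_.Value)

            $finding = if ($_.Name -eq 'Certificate') {
                if ($enabled) { 'OK' } else { 'Certificate authentication is disabled' }
            }
            elseif ($enabled -and $_.Name -in $risky) {
                'Enabled: sends credential material to the server'
            }
            elseif ($enabled) {
                'Enabled: not needed for certificate-only authentication'
            }
            else {
                'OK'
            }

            [pscustomobject]@{
                Role    = $Role
                Method  = $_.Name
                Enabled = $enabled
                Finding = $finding
            }
        }
}

# Audit both directions and show anything that deviates from certificate-only.
'Client', 'Service' |
    ForEach-Object { Get-WinRMAuthAudit -Role $_ } |
    Where-Object { $_.Finding -ne 'OK' } |
    Format-Table -AutoSize
```

An empty table means only certificate authentication is enabled for both the client and the service.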
A certificate authority to generate the client or server certificates is not needed. Self-signed certificates are used for both.
Instructions are available for both Windows (whether part of a domain or not) and Linux clients, so you will be able to access the Windows server from the operating system of your choice.
This manual can also be read offline. Download an archive of the source from GitHub (press the green button).