In controlled environments, it’s useful to know when outbound connectivity is not restricted to a predefined list of required hosts, as many standards like PCI require. Here’s a helpful one-liner that will query your Active Directory instance for computer accounts that are enabled, and then for each of them try to connect to a site from that machine, as orchestrated by WinRM. If you use this script, just know that you will probably see a sea of errors for machines that connect be reached from your source host via WinRM. My go-to site for testing non-secure HTTP is asdf.com, but you could use anything target and port you desire based on what should not be allowed in your environment. I have changed the snippet below to example.com (which will not work) so I don’t spam the poor soul who runs asdf.com, but you should replace that with google.com or whatever host to which you wish to verify connectivity.
Invoke-Command -ComputerName (Get-ADComputer -Filter {Enabled -eq "True"} -Property Name,Enabled | foreach { $_.Name }) -ScriptBlock { Test-NetConnection -Port 80 "example.com" | Select TcpTestSucceeded }
The output will be dropped into look something like this:
TcpTestSucceeded PSComputerName RunspaceId ---------------- -------------- ---------- True YOUR-HOST-1 d5fd044c-c268-460e-a274-d3253adc8ce2 True YOUR-HOST-2 98206f71-80c1-4e7e-a467-fec489c542ee False YOUR-HOST-3 d0b6cf57-e833-44a6-a7bb-aebd4d854b5c True YOUR-HOST-4 14af618b-1ca7-4c1f-bb56-ce58dbd4af94
It’s a great sanity check before an audit or after major changes to your network architecture or security controls. Enjoy!