WinRM HTTP

Critical Risk

TCP — Remote Access

Port Overview

Port Number 5985

Service Name WinRM HTTP

Transport Protocol TCP

Category Remote Access

Security Risk Critical

Port Range Registered (1024-49151)

What is Port 5985?

Port 5985 is used by Windows Remote Management (WinRM) for HTTP-based remote PowerShell and management connections. WinRM implements the WS-Management protocol for remote Windows administration and is used by tools like Ansible and PowerShell remoting. Exposure of this port allows remote command execution on Windows systems.

TCP Remote Access Commonly Used

Security Considerations

Port 5985 (WinRM HTTP) is classified as critical risk. This port should not be exposed to the public internet. The service transmits data without encryption, making it vulnerable to eavesdropping, credential theft, and man-in-the-middle attacks.

Recommendation: Block this port at the firewall. Use encrypted alternatives (SSH, SFTP, HTTPS) instead.

Related Ports — Remote Access

22 SSH 23 Telnet 89 SU/MIT Telnet Gateway 95 SUPDUP 107 Remote Telnet 177 XDMCP 259 ESRO 311 macOS Server Admin