
Sep 04

Manage Workgroup Workstation

How to manage machines in a workgroup

If your machines are in a domain, remote administration is easy (through GPOs, scripts, etc.). For workstations in a workgroup the task is more complex: each machine only holds its own local policies and its own account database.
It is nevertheless possible to use WinRM to perform remote administration. To secure the communications between the two computers (or between a computer and a server), the exchanges can be encrypted with the SSL protocol.

Active Directory Certificate Services

So we will see below how to set up WinRM with SSL. For this we will use an Active Directory domain controller as well as two workstations running Windows 7 and Windows 8. The server will also host the DNS server and CA roles.

During the installation of the CA (Active Directory Certificate Services), it is necessary to select the Certification Authority Web Enrollment role service.

After installation, we configure IIS. The Web Enrollment installation added a new web site; it contains a folder named CertEnroll, from which clients download the CRL. In the IIS console, expand the web site and select the CertEnroll folder. In the center pane, double-click Directory Browsing.

Enable directory browsing by clicking Enable in the Actions pane.

Select the site, then in the center pane double-click Request Filtering.

Click Allow File Name Extension.

Enter crl in the dialog that appears.

The crl extension is now allowed, so the revocation list files can be served.

Run the iisreset command to restart the IIS services.

The IIS part is now configured; let's proceed to the configuration of the CA. From the Certification Authority console, right-click Certificate Templates and then click Manage. Right-click the Computer template and, on the shortcut menu, select Duplicate Template.

A new window appears. On the Compatibility tab, select the desired operating systems in the Certification Authority and Certificate recipient drop-down lists.

On the General tab, enter the desired name for the template and check Publish certificate in Active Directory.

On the Security tab, add the Enroll permission for Authenticated Users.

On the Request Handling tab, check Allow private key to be exported (needed later to move the workstation certificates as PFX files).

On the Subject Name tab, select the Supply in the request radio button.

The Certificate Templates console can now be closed. In the Certification Authority console, right-click Certificate Templates, then select New – Certificate Template to Issue.

Select the previously created template, and then click Next.

It is necessary to reorder the extensions so that the HTTP link comes first. These extensions allow the workstations and servers to retrieve the revocation list (workgroup machines cannot use the LDAP location). In the Certification Authority console, right-click the server and select Properties, then select the Extensions tab. You need to delete and recreate the first two lines.
So first note their content (path, variables, etc.) as well as the configured options. Then delete the line and click Add to recreate it.

Check the boxes:

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates

The two extensions have been recreated. Click OK, then Yes to validate the modification and restart the service.

The CA is now configured; it is now possible to proceed to the configuration of the workstations and servers.

Configure workstation

We can now configure the workstations and servers. On the collector, open an MMC console and add the Certificates snap-in. In the wizard, select Computer account.

Right-click Personal, then in the menu select All Tasks / Request New Certificate. In the wizard click Next twice, then check the previously created template.

Click the hyperlink below the template to configure the name of the server or computer. In the Subject name field, select Common name, enter the FQDN of the server and click Add.
Under Alternative name, select DNS, enter the FQDN and click Add. Once again select DNS and enter the NetBIOS name, so that the certificate is valid for both names.

Click OK and then Enroll. The certificate appears in the MMC console.

Repeat the same operation for the workgroup workstations. Only the common name (subject name) is used; enter the NetBIOS name (for example cl7, Workstation2, etc.). The workstation certificates can now be exported. To do this, right-click the desired certificate and select All Tasks – Export. A wizard starts; select Yes, export the private key.

Enter the desired password, then save the PFX file wherever you want. Repeat the same operation for the certificates of the other machines. It is also necessary to export the root certification authority certificate. It is present in Trusted Root Certification Authorities (do not export the private key).

Operations to perform for Windows XP

Change the forceguest DWORD in the HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa key so that it has the value 0. Restart the computer afterwards.

Install the .NET Framework 2.0 SP1, WinRM 2.0 and WS-Management.

Configure WinRM

Go to the workgroup machine and retrieve the certificate files from the server as well as the root certificate (the files exported earlier).

Open an MMC console and add the Certificates snap-in. In the wizard, select Computer account. Right-click Personal and in the menu select All Tasks – Import. Select the certificate with the private key (PFX format).

Enter the password and start the import. The certificate is now present in the store. Do the same for the root certificate (import it into Trusted Root Certification Authorities).

The next operation should be performed only on the source computer/server running Windows 7/2008 R2 or later.
Select the Certificates folder under Personal and right-click the previously imported certificate.

In the pop-up menu, click All Tasks – Manage Private Keys.
Grant the Read right to the NETWORK SERVICE account (the account the WinRM service runs as), then click OK.
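The import and private-key permission steps above can also be scripted. The following is an added example, not code from the original post: it imports the workstation's PFX and the CA root certificate, checks that the chain validates, and grants NETWORK SERVICE read access to the private key file. It assumes Windows 8 / Server 2012 or later (Import-PfxCertificate and Import-Certificate come from the PKI module), a key generated by a legacy RSA CSP (as the post's Crypto\RSA folder implies), and placeholder file paths.

```powershell
# Added example (not from the original post). Assumptions: PKI module available
# (Windows 8 / Server 2012+), legacy RSA CSP key, placeholder paths below.
$PfxPath  = 'C:\Certs\cl7.pfx'        # placeholder: workstation certificate with private key
$RootPath = 'C:\Certs\ca-root.cer'    # placeholder: exported CA root certificate (no key)
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Import the machine certificate. Without -Exportable the key stays non-exportable
#    in the store, which is the safer choice on a workstation.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword

# 2. Import the CA root into Trusted Root Certification Authorities so the chain validates.
Import-Certificate -FilePath $RootPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Verify the chain builds before touching WinRM ($false if the root is missing).
if (-not $cert.Verify()) {
    throw "Certificate chain for $($cert.Subject) does not validate; check the root import"
}

# 4. Grant NETWORK SERVICE read access to the private key file. This is the scripted
#    equivalent of 'Manage Private Keys' in the MMC: WinRM runs as NETWORK SERVICE
#    and cannot use the key for TLS without it.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }
icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null

# 5. Show the result; the thumbprint is what the HTTPS listener will reference.
$cert | Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey
```

If the certificate was issued with a CNG key provider rather than a legacy CSP, $cert.PrivateKey is empty and the key lives under Crypto\Keys instead of Crypto\RSA\MachineKeys; in that case the MMC Manage Private Keys dialog remains the simplest route.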

For Windows XP, it is necessary to grant the NETWORK SERVICE account Read access to the folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA.

On the workstation, open a command prompt as administrator and run the command winrm qc.

To configure WinRM over SSL, you need the thumbprint of the certificate. This value is in the certificate properties: from the MMC on the workstation, open the certificate, go to the Details tab, select the Thumbprint line and copy the value.

Run the command winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="FQDN or NetBIOS";CertificateThumbprint="Thumbprint Value"}

Enter the name of the workgroup workstation (NetBIOS name) or of the server (FQDN) in Hostname; it must match the subject or alternative name in the certificate. The thumbprint value goes in CertificateThumbprint; paste it without spaces, and retype it if the MMC copy included an invisible leading character, which is a common cause of the listener creation failing.

Enable the exception in the Windows Firewall by running the following command:

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" protocol=TCP dir=in localport=5986 action=allow
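The listener and firewall steps above, as an added PowerShell example that is not part of the original post. It selects the certificate from the machine store instead of pasting the thumbprint by hand, and checks the properties WinRM requires (private key, validity, Server Authentication EKU, matching name) before creating the listener. It assumes Windows 8 / Server 2012 or later for New-NetFirewallRule (on Windows 7 use the netsh command above instead) and a placeholder host name.

```powershell
# Added example (not from the original post). Assumptions: WSMan provider present,
# New-NetFirewallRule available (Windows 8 / 2012+), $HostName is a placeholder.
$HostName = 'cl7'   # placeholder: NetBIOS name (workgroup client) or FQDN (server)

# 1. Pick a machine certificate whose subject or SAN matches the host name, that has a
#    private key, is within its validity period, and carries the Server Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.1). WinRM refuses certificates that fail any of these.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -match "CN=$HostName(,|$)" -or $_.DnsNameList.Unicode -contains $HostName) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable Server Authentication certificate for $HostName in LocalMachine\My"
}

# 2. Make sure the WinRM service itself is configured (equivalent of 'winrm qc').
Set-WSManQuickConfig -Force

# 3. Create the HTTPS listener; this is the PowerShell form of the post's 'winrm create'.
New-Item -Path 'WSMan:\localhost\Listener' -Transport HTTPS -Address * `
    -HostName $HostName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# 4. Open only the HTTPS port (5986); the plain HTTP listener port 5985 stays closed.
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null

# 5. Verify: the HTTPS listener should show the expected host name and thumbprint.
Get-ChildItem 'WSMan:\localhost\Listener' |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" } |
    Where-Object { $_.Name -in 'Hostname', 'CertificateThumbprint', 'Port' }
```

Set-WSManQuickConfig fails when the active network profile is Public; on a workgroup machine, set the connection profile to Private first.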

Repeat the same operation on the servers and computers. You can use this KB if you get error messages when you create the HTTPS listener:
KB Listener error

When the configuration is complete, it is possible to connect via PowerShell to the remote machine. To do this, run the following command:

Enter-PSSession -ComputerName myHost -UseSSL -Credential (Get-Credential)

Replace myHost with the computer name; it must be the name present in the certificate, otherwise the TLS name check fails. The (Get-Credential) instruction lets you specify the username and password to use for the connection.

If during the connection attempt an error appears indicating that the revocation list cannot be validated, run the following commands:

  • Publish the revocation list (right-click the Revoked Certificates folder in the Certification Authority console, then All Tasks – Publish)
  • certutil -urlcache crl delete
  • shutdown -r -t 0
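The connection step and the revocation troubleshooting above, as an added client-side example that is not part of the original post. It connects over WinRM HTTPS with full certificate validation, runs a small remote inventory in a scripted session, and, if the connection is refused, retrieves the remote certificate and asks certutil to build the chain while fetching the CRL, which shows whether the HTTP CDP configured earlier is reachable. It assumes a placeholder host name and that the CA root has already been imported on this client.

```powershell
# Added example (not from the original post). Assumptions: $RemoteHost is a
# placeholder, CA root already trusted on this client, PowerShell 3 or later.
$RemoteHost = 'cl7'   # placeholder: NetBIOS name (workgroup client) or FQDN (server)
$Credential = Get-Credential -Message "Local administrator on $RemoteHost"

try {
    # Test-WSMan -UseSSL performs the full TLS validation (name, chain, revocation)
    # before any remoting traffic; Negotiate falls back to NTLM in a workgroup.
    Test-WSMan -ComputerName $RemoteHost -UseSSL -Credential $Credential `
        -Authentication Negotiate | Out-Null

    # Use a session rather than Enter-PSSession so the work can be scripted.
    $session = New-PSSession -ComputerName $RemoteHost -UseSSL -Credential $Credential
    try {
        Invoke-Command -Session $session -ScriptBlock {
            # Small inventory: which listeners the remote host exposes and its last boot.
            [pscustomobject]@{
                Host      = $env:COMPUTERNAME
                Listeners = (Get-ChildItem WSMan:\localhost\Listener).Keys -join ';'
                LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
            }
        }
    }
    finally {
        Remove-PSSession $session
    }
}
catch {
    Write-Warning "WinRM over HTTPS to $RemoteHost failed: $($_.Exception.Message)"

    # Diagnostics for the revocation error described in the post: fetch the remote
    # certificate (validation is deliberately skipped here only to obtain the bytes
    # for inspection) and let certutil build the chain while downloading CDP/AIA URLs.
    $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient($RemoteHost, 5986)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($RemoteHost)
        $remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    $tmp = Join-Path $env:TEMP "$RemoteHost.cer"
    [IO.File]::WriteAllBytes($tmp, $remoteCert.Export('Cert'))
    # -urlfetch downloads the CRL from the http:// CDP set on the CA; a failure here means
    # the client cannot reach the CRL URL or the CRL has expired and must be republished.
    certutil -verify -urlfetch $tmp | Select-String 'CRL|Revocation|Verified|Error'
}
```

On the CA, certutil -crl is the command-line equivalent of the Publish step in the first bullet above; the certutil -urlcache crl delete on the client then forces a fresh download rather than reusing the cached, expired CRL.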
