Manage Workgroup Workstation

Manage Workgroup Workstation

Manage Workgroup Workstation

How to manage machines in a workgroup

If you have machines in a domain, it is easy to execute remote administration (through gpo, script,…). Regarding the positions in workgroup, the task turns out to be more complex. Indeed, the latter only contain their own GPOs and their account base.
Thus it is possible to use winrm to perform remote administration. In order to secure the communications betweens the two computers (or computer and server) it is possible to encrypt exchanges using the ssl Protocol.

Active Directory Certificates Services

So we will see below how to set-up winrm with SSL. For this we will use a domain controller AD as well as two workstations with Windows 7 and 8. The server will have also the DNS server and CA roles.

During the installation of the CA (Active Directory certificates services), it is necessary to select the role services registration of CA via the web.

Manage Workgroup Workstation Add certification authority

After installation, we will proceed to the configuration of IIS. During the installation of registration of CA via the web, a new web site has been added. It contains a folder named Cert Enroll. In the IIS console, expand the web site, and then select the folder Cert Enroll. In the Center Panel double click Exploration of directory.

Manage Workgroup Workstation Configure IIS

Select the opportunity to explore the directory by clicking on activate.

Manage Workgroup Workstation Configure IIS

Select the site and then in the central window double click request filtering.

Configure IIS

Click allow a file name extension.

Manage Workgroup Workstation

Enter crl in the dialog that appears.

Manage Workgroup Workstation Enter CRL

The extension is correctly added.


Run the IISreset command to proceed with the restart of the IIS services.

Run IIS Reset

The IIS part is now configured, Let’s proceed to the configuration of the CA. From the certification authority console, right-click certificate templates and then click Manage. Right-click on the computer model, and then on the shortcut menu, select duplicate model.

Manage Workgroup Workstation Manage certificate

A new window appears, select into the Compatibility tab the operating system desired drop down lists CA and destination of the certificate.

Manage Workgroup Workstation Configure properties of certificate

Into the General tab, enter the desired name for the model and publish into Active Directory.

Manage Workgroup Workstation Configure WinRM

Select Security tab and add enroll permission for authentified user.

On the application tab and check allow exporting of the key.

Manage Workgroup Workstation Allow export key

On the subject name tab, select the provide radio button in the application.

Manage Workgroup Workstation

The certificate templates console can now be closed. In the Certificates management console, right-click certificate template, and then select new – model of certificates to be issued. Select the previously created template, and then click Next.

Manage Workgroup Workstation

It is necessary to change the extensions so that the http link is the first. These extensions allow the stations and servers to retrieve the revocation list. In the certification authority console, right-click the server and select Properties. Select Extension Tab and copy. You need delete and create the first two line. Therefore please note the content (path, variable,…) as well as the configured options. Next delete the line and click add to create the line.

Configure extension

Check the boxes

  • Include in CRL lists in order to search the delta certificate revocation lists
  • Include in issued certificates CDP extension
Manage Workgroup Workstation Configure extension

The two extension has been recreated. Click OK and Yes for validate modification and restart Services.

Manage Workgroup Workstation

The CA is now configured, it is now possible to proceed to the configuration of the stations and servers.

Configure workstation

We will now be able to configure the workstations and servers. On the collector open an mmc console and then add the Certificates snap-in. In the wizard select computer account.

Access to certificate store

Right-click on Personnal, and then in the menu select all tasks / request a new certificate. In the wizard click Next twice, and then check the previously created model.

Select certificate template

Click on the hyperlink below to be able to configure the name of server, computer,… In the subject name field, select common name and enter the FQDN of the server. Click on Add.

Select DNS in another name then enter the FQDN name then click Add. Once again, DNS and enter the Netbios name.

Manage Workgroup Workstation Configure certificate

click OK and Enroll. The certificate appear into the mmc console.

Manage Workgroup Workstation Certificate has been issued

Repeat the same operation for the workstations in workgroup. Only the common name (name of the subject) is used. It is necessary to enter the NetBIOS name (example: cl7, Workstation2,…). Export certificates for desktops can now be performed. To do this, right-click on the desired certificate and select all tasks – export. A Wizard starts, select Yes, export the private key.

Manage Workgroup Workstation Export key

Enter the desired password, then save the pfx file to the place where you want to. Repeat the same operation for the certificates of other machines. It is also necessary to export the certificate root certification authority. It is present in CAs roots of trust (not export private key).

Manage Workgroup Workstation

Operation to perform for Windows XP

Change the Dword forceguest present in HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa key so that it has the value of 0. Restart the computer later.

Modify Registry key

Install the .net Framework 2.0 SP1, WinRM 2.0 and WS-Management.
.Net Framework 2.0

Configure WinRM

Go to the machine in workgroup and then retrieve the certificate files from the server as well as the root certificate (file previously exported).

Certificate has issued

Open an mmc console and then add the Certificate snap-in. In the wizard select computer account. Right-click on Personnal and in the menu select all tasks – import. Select the certificate with the private key (pfx format).

Import certificate

Enter the password, and then start the import. The certificate is present in the store. Do the same for the root certificate (import into CAs roots of trust).

Certificate has been issued

The next operation should be performed only on the computer/server source running Windows 7/2008 R2 or later.
Select the Certificates folder in Personnal and then right-click on the previously imported certificate.

Certificate has issued

In the pop-up menu, click all tasks – manage private keys.
Grant the read right to the network service account, and then click OK.

Configure ACL

For Windows XP, it is necessary to give the right to read on the folder (c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto) RSA network service account.

Configure crypto
Configure listener

In order to configure WinRM over SSL, it is necessary to retrieve the thumbprint of the certificate. This value is present in the certificate properties. Since the MMC on the workstation, open the certificate, and then go to the Details tab. Select the thumbprint line, then copy the value.

Access to certificate properties

Run command :

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="FQDN or Netbios";CertificateThumbprint="Thumbprint Value"}

Enter the name of the workstation in workgroup (NetBIOS name) or server (FQDN) in Hostname, the thumbprint value must be entered in CertificateThumbprint.

Configure listeners

Enable the exception in the Windows Firewall by running the following command.

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" protocol=TCP dir=in localport=5986 action=allow
Configure firewall

Repeat the same operation on servers and computer. You can use this KB if you have error messages when you cretate https listener.
KB Listerner error

When the configuration is complete, it’s possible to connect via powerhsell to the remote machine. To do this, run the following command:

Enter-PSSession - ComputerName myHost - UseSSL - Credential (Get-Credential)

Replace MyHost by the computer name. The instruction (Get-Credential) allows you to specify the username and password to use to connect.

If during the attempt to connect, an error appears indicating that it is not possible to validate the revocation list, run the following step:

  • Publish revocation list (right click on the folder certicate revoked in the certification authority console then all tasks publish)
certutil -urlcache crl delete
shutdown -r -t 0
WinRM work

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.