How to manage machines in a workgroup

If you have machines in a domain, it is easy to execute remote administration (through gpo, script,…). Regarding the positions in workgroup, the task turns out to be more complex. Indeed, the latter only contain their own GPOs and their account base.
Thus it is possible to use winrm to perform remote administration. In order to secure the communications betweens the two computers (or computer and server) it is possible to encrypt exchanges using the ssl Protocol.

Active Directory Certificates Services

So we will see below how to set-up winrm with SSL. For this we will use a domain controller AD as well as two workstations with Windows 7 and 8. The server will have also the DNS server and CA roles.

During the installation of the CA (Active Directory certificates services), it is necessary to select the role services registration of CA via the web.

After installation, we will proceed to the configuration of IIS. During the installation of registration of CA via the web, a new web site has been added. It contains a folder named Cert Enroll. In the IIS console, expand the web site, and then select the folder Cert Enroll. In the Center Panel double click Exploration of directory.

Select the opportunity to explore the directory by clicking on activate.

Select the site and then in the central window double click request filtering.

Click allow a file name extension.

Enter crl in the dialog that appears.

The extension is correctly added.

Run the IISreset command to proceed with the restart of the IIS services.

The IIS part is now configured, Let’s proceed to the configuration of the CA. From the certification authority console, right-click certificate templates and then click Manage. Right-click on the computer model, and then on the shortcut menu, select duplicate model.

A new window appears, select into the Compatibility tab the operating system desired drop down lists CA and destination of the certificate.

Into the General tab, enter the desired name for the model and publish into Active Directory.

Select Security tab and add enroll permission for authentified user.

On the application tab and check allow exporting of the key.

On the subject name tab, select the provide radio button in the application.

The certificate templates console can now be closed. In the Certificates management console, right-click certificate template, and then select new – model of certificates to be issued. Select the previously created template, and then click Next.

It is necessary to change the extensions so that the http link is the first. These extensions allow the stations and servers to retrieve the revocation list. In the certification authority console, right-click the server and select Properties. Select Extension Tab and copy. You need delete and create the first two line. Therefore please note the content (path, variable,…) as well as the configured options. Next delete the line and click add to create the line.

Check the boxes

• Include in CRL lists in order to search the delta certificate revocation lists

• Include in issued certificates CDP extension

The two extension has been recreated. Click OK and Yes for validate modification and restart Services.

The CA is now configured, it is now possible to proceed to the configuration of the stations and servers.

Configure workstation

We will now be able to configure the workstations and servers. On the collector open an mmc console and then add the Certificates snap-in. In the wizard select computer account.

Right-click on Personnal, and then in the menu select all tasks / request a new certificate. In the wizard click Next twice, and then check the previously created model.

Click on the hyperlink below to be able to configure the name of server, computer,… In the subject name field, select common name and enter the FQDN of the server. Click on Add.

Select DNS in another name then enter the FQDN name then click Add. Once again, DNS and enter the Netbios name.

click OK and Enroll. The certificate appear into the mmc console.

Repeat the same operation for the workstations in workgroup. Only the common name (name of the subject) is used. It is necessary to enter the NetBIOS name (example: cl7, Workstation2,…). Export certificates for desktops can now be performed. To do this, right-click on the desired certificate and select all tasks – export. A Wizard starts, select Yes, export the private key.

Enter the desired password, then save the pfx file to the place where you want to. Repeat the same operation for the certificates of other machines. It is also necessary to export the certificate root certification authority. It is present in CAs roots of trust (not export private key).

Operation to perform for Windows XP

Change the Dword forceguest present in HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa key so that it has the value of 0. Restart the computer later.

Install the .net Framework 2.0 SP1, WinRM 2.0 and WS-Management.
.Net Framework 2.0
WinRM2.0
WS-Management

Configure WinRM

Go to the machine in workgroup and then retrieve the certificate files from the server as well as the root certificate (file previously exported).

Open an mmc console and then add the Certificate snap-in. In the wizard select computer account. Right-click on Personnal and in the menu select all tasks – import. Select the certificate with the private key (pfx format).

Enter the password, and then start the import. The certificate is present in the store. Do the same for the root certificate (import into CAs roots of trust).

The next operation should be performed only on the computer/server source running Windows 7/2008 R2 or later.
Select the Certificates folder in Personnal and then right-click on the previously imported certificate.

In the pop-up menu, click all tasks – manage private keys.
Grant the read right to the network service account, and then click OK.

For Windows XP, it is necessary to give the right to read on the folder (c:\Documents and Settings\All Users\Application Data\Microsoft\Crypto) RSA network service account.

In order to configure WinRM over SSL, it is necessary to retrieve the thumbprint of the certificate. This value is present in the certificate properties. Since the MMC on the workstation, open the certificate, and then go to the Details tab. Select the thumbprint line, then copy the value.

Run command :

winrm create winrm/config/Listener?Address=*+Transport=HTTPS  @{Hostname="FQDN or Netbios";CertificateThumbprint="Thumbprint Value"}

Enter the name of the workstation in workgroup (NetBIOS name) or server (FQDN) in Hostname, the thumbprint value must be entered in CertificateThumbprint.

Enable the exception in the Windows Firewall by running the following command.

netsh advfirewall firewall add rule name="Windows Remote Management (HTTPS-In)" protocol=TCP dir=in localport=5986 action=allow

Repeat the same operation on servers and computer. You can use this KB if you have error messages when you cretate https listener.
KB Listerner error

When the configuration is complete, it’s possible to connect via powerhsell to the remote machine. To do this, run the following command:

Enter-PSSession - ComputerName myHost - UseSSL - Credential (Get-Credential)

Replace MyHost by the computer name. The instruction (Get-Credential) allows you to specify the username and password to use to connect.

If during the attempt to connect, an error appears indicating that it is not possible to validate the revocation list, run the following step:

• Publish revocation list (right click on the folder certicate revoked in the certification authority console then all tasks publish)

certutil -urlcache crl delete

shutdown -r -t 0