Remote management via WinRM


While working with Citrix Desktop Director we are setting up remote management for the helpdesk. This requires WinRM, which needs to be configured. WinRM works fine when you are an administrator; when you are not, there are challenges. Read more about WinRM and remote support in this blog.

Challenge

The challenge we faced was to allow the helpdesk users to use Desktop Director from Citrix without administrative rights. When a user is an administrator the task is simple and easy to configure; without administrative rights it gets more complex. With WinRM not configured correctly, or without administrative rights, you get no information at all, as shown below.

Diving into this, I decided it would be more fun, and make more sense, for administrators to be able to control the remote desktop. So next to troubleshooting the Citrix issue we faced, I enabled more functionality for the administrators. Later on I will set this up in a more manageable way, but for now the proof of the pudding was more important.

Components

  • Windows Remote Management service
  • Windows Remote shell command line tool
  • Windows Firewall

Alternatively you can do this via group policies, but for the sake of proving that this works I went for manual configuration. The first thing you need to do is enable your firewall. I know you have it disabled like all of us, but that was a bad idea in the first place. Enable the firewall and make sure it is configured with at least the basics.
After the firewall is started you can configure WinRM.
There are two sides to configure: the service side on the desktops you want to manage, and the client side from where you want to manage them.

Configure the service

Basic configuration is done with the command

  • WinRM qc (QuickConfig)
This starts the service and sets the options to their default values, which allows default access to the machine. With only this command executed you don't have enough rights to really manage the remote machine.
The output will either show that WinRM is already set up, or it will ask you whether you want to configure the firewall. If you get the question to configure the firewall, answer "Y" so that you can access the machine remotely, for that is the goal I presume.

The next command makes sure commands are accepted over an unencrypted channel, so HTTP is used instead of HTTPS. If you wonder whether this is safe enough, remember that you are LAN based and only computers inside the LAN can access that computer. Furthermore, only users with administrative rights on that computer are able to do remote management. I assume there is no need for HTTPS inside the LAN for your administrators; if you can't trust them, who can you trust.

  • WinRM Set WinRM/config/service @{AllowUnencrypted="true"}

And set authentication to basic:

  • WinRM Set WinRM/config/service/Auth @{Basic="true"}

If your firewall is switched off, disabled or otherwise not working, you'll get a nice error stating that the endpoint mapper can't map any endpoint, or something like that.

Configure the Client

On the client side you also need to configure WinRM to make sure you can access the remote machine.
First set authentication to basic. These steps are not needed when you only want extra information from Desktop Director; the settings below are needed when you need to access the machine from another machine, for example to remotely run scripts.

  • WinRM Set WinRM/Config/client/Auth @{Basic="true"}

And to allow unencrypted commands to travel there:

  • WinRM Set WinRM/Config/client @{AllowUnencrypted="true"}

Back to the service

To make sure remote commands can be transferred to the machine, enter the following command on the remote machine side:

  • WinRM Set WinRM/Config/Client/Auth @{CredSSP="true"}

After these commands, remote control of the machine is possible.

Remote control

If you want to make sure, execute the following command:

  • WinRM Identify -r:http://remotecomputername:5985 -auth:none

Communication seems to be fine; the next step is to really control the machine.
I forgot one command: to be able to take control of a machine you have to add the machine to TrustedHosts or connect over HTTPS. I used the first option, for it is much easier to set up.

With the following command you can add a Trusted host to your computer.

  • WinRM Set WinRM/config/client @{TrustedHosts="RemoteComputerIPAddress"}

For this we will use WinRS; use the following command to open a connection to the trusted machine.

  • WinRS -r:http://remotemachinename:5985 -u:Domain\username "cmd"

This starts a command box on the remote machine. The cmd command here is purely an example; you could run other things, but cmd might be the one command you really want, because from there you can open services.msc or whatever else you need.

In the screenshot below you can see that I opened a command prompt on another server, where I can start anything. This way it's possible to support users by taking over their desktop with remote assistance.
Of course any script or program that would impact WinRM or the firewall service can't be executed, for it would break the connection.
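As an added example (not part of the original post), here is a PowerShell script that audits, on the managing client, the exact WinRM settings this walkthrough turns on, counts the inbound firewall rules that QuickConfig enables, and repeats the identify test against a remote host. It assumes an elevated PowerShell session and uses `remotecomputername` as a placeholder host name.

```powershell
# Added audit script (not from the original post). Checks the WinRM settings the
# walkthrough above changes and runs the same identify test as 'winrm identify'.
# Assumption: run in an elevated PowerShell on the managing client; $Remote is a
# placeholder host name to replace.
param([string]$Remote = 'remotecomputername')

function Get-WsmanValue([string]$Path) {
    # The WSMan: drive mirrors the winrm/config tree that winrm.cmd edits
    try { (Get-Item -Path $Path -ErrorAction Stop).Value } catch { '<unavailable>' }
}

# Each entry: the setting, its WSMan path, and when to mark it (scriptblock on the value)
$checks = @(
    @{ Name = 'Service AllowUnencrypted'; Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Flag = { $args[0] -eq 'true' } }
    @{ Name = 'Service Auth\Basic';       Path = 'WSMan:\localhost\Service\Auth\Basic';       Flag = { $args[0] -eq 'true' } }
    @{ Name = 'Client AllowUnencrypted';  Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Flag = { $args[0] -eq 'true' } }
    @{ Name = 'Client Auth\Basic';        Path = 'WSMan:\localhost\Client\Auth\Basic';        Flag = { $args[0] -eq 'true' } }
    @{ Name = 'Client Auth\CredSSP';      Path = 'WSMan:\localhost\Client\Auth\CredSSP';      Flag = { $args[0] -eq 'true' } }
    @{ Name = 'Client TrustedHosts';      Path = 'WSMan:\localhost\Client\TrustedHosts';      Flag = { "$($args[0])" -ne '' } }
)

$svc = Get-Service -Name WinRM
"WinRM service: $($svc.Status)"

# 'winrm qc' enables the 'Windows Remote Management' inbound rule group; count the enabled rules.
# Get-NetFirewallRule only exists on Windows 8 / Server 2012 and later, so guard for it.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True
    "Enabled inbound WinRM firewall rules: $(@($fw).Count)"
}

foreach ($c in $checks) {
    $v = Get-WsmanValue $c.Path
    # Mark the values this walkthrough sets, so you can see at a glance which ones are still on
    $mark = if (& $c.Flag $v) { '  <-- set by this walkthrough' } else { '' }
    '{0,-26} {1}{2}' -f $c.Name, $v, $mark
}

# Equivalent of 'winrm identify -r:http://<host>:5985 -auth:none' from the post
try {
    $id = Test-WSMan -ComputerName $Remote -ErrorAction Stop
    "$Remote answers: $($id.ProductVendor) $($id.ProductVersion)"
} catch {
    "$Remote did not answer: $($_.Exception.Message)"
}
```

Run it again after the Citrix ConfigRemoteMgmt tool has been used, since the post notes that the tool reconfigures WinRM.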

Is it a security breach? Hell no. You still need to be an administrator to be able to do this.

Group policies

Of course all of this can be set by group policies; below are screenshots of the group policy settings you can use to set it domain wide instead.

Back to Citrix

So only administrators will see every aspect of Desktop Director and be able to use it. Users without administrative rights will only have power control over the desktops.
Citrix has a tool that should configure WinRM for certain users, to make it possible for non-administrative users to get the full benefit of Desktop Director.
The tool is called ConfigRemoteMgmt and is downloadable from Citrix.com.
If you configured WinRM like I did, I'm sorry to say it will break it all and do a reconfigure.
Start the tool with the following command and good things will happen:

  • ConfigRemoteMgmt.exe /configwinrmuser "Domain group name"

After this, users without administrative rights should be able to see the activity in Desktop Director.

Read more about this on Citrix Edocs: director-cfg-machine-permission

Reading the blogs, it appears that the tool is kind of buggy and the output isn't guaranteed. Read the article above, and if it doesn't work go for the manual setup.

If I find time soon I’ll write about that also.

For now I wanted to share with you how to take control of a remote machine in your network, and to share the Citrix tool that allows non-admin users to use the Desktop Director functionality.
