Remote management via WinRM
Working with the Desktop Director we are setting up remote management for the helpdesk. For this WinRM is needed and needs to be configured. WinRM works fine when you're an administrator; when you're not, there are challenges. Read more about WinRM and remote support in this blog.
Challenge
The challenge we faced was to allow the helpdesk users to use the Desktop Director from Citrix without administrative rights. When a user is an administrator the task is simple and easy to configure; without administrative rights it gets more complex. With WinRM not configured correctly, or without administrative rights, you get no info, as shown below.
Components
- Windows Remote Management service
- Windows Remote shell command line tool
- Windows Firewall
Configure the service
- WinRM quickconfig (or the short form: WinRM qc)
The next command makes sure commands are accepted over an unencrypted channel, so HTTP is used instead of HTTPS. If you wonder whether this is safe enough, remember that you are LAN based and only computers inside the LAN can reach that computer. Furthermore, only users with administrative rights on that computer are able to do remote management. I assume there is no need for HTTPS inside the LAN for your administrators; if you can't trust them, who can you trust?
- WinRM Set WinRM/config/service @{AllowUnencrypted="true"}
And set authentication to Basic:
- WinRM Set WinRM/config/service/Auth @{Basic="true"}
If your firewall is switched off, disabled or otherwise not working, you'll get a nice error stating that the endpoint mapper can't map any endpoint, or something like that.
Configure the Client
On the client side you also need to configure WinRM to make sure you can access the remote machine.
First set authentication to Basic. These steps are not needed when you only need the extra information in the Desktop Director; the settings below are needed when you need to access the machine from another machine, for example to run scripts remotely.
- WinRM Set WinRM/Config/client/Auth @{Basic="true"}
And to allow unencrypted commands to travel there:
- WinRM Set WinRM/Config/client @{AllowUnencrypted="true"}
Back to the service
To make sure remote commands can be transferred to the machine, you have to enter the following command on the remote machine side:
- WinRM Set WinRM/Config/Client/Auth @{CredSSP="true"}
After these commands, remote control of the machine is possible.
Remote control
If you want to make sure, execute the following command:
- WinRM Identify -r:http://remotecomputername:5985 -auth:none
Communication seems to be fine; the next step is to really control the machine...
I forgot one command: to be able to take control of a machine you have to add the machine to TrustedHosts or connect over HTTPS. I've used the first option, for that is much easier to set up.
With the following command you can add a trusted host on your computer:
- WinRM Set WinRM/config/client @{TrustedHosts="RemoteComputerIPAddress"}
For this we will use WinRS; use the following command to open a connection to the trusted machine:
- WinRS -r:http://remotemachinename:5985 -u:Domain\username "cmd"
This starts a command box on the remote machine. The CMD command here is purely an example; you could do other things, but CMD might be the one command you really want, for from there you can open services.msc or whatever.
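As an added example (not part of the original post), the following PowerShell script audits the settings changed in the steps above on the machine you are sitting on, flags the ones that weaken the transport (unencrypted traffic, Basic auth, CredSSP, a wildcard TrustedHosts), and then runs the same Identify request as "WinRM Identify" against the remote computer. The host name $RemoteHost is a placeholder you must replace.

```powershell
# Added example, not from the original post: audit the WinRM settings this post
# changes, using the built-in WSMan: drive. Run in an elevated PowerShell.
$RemoteHost = 'remotecomputername'   # placeholder, replace with your own host

function Get-WinRMSetting {
    param([string]$Path)
    # Returns the value of one WSMan: item, or 'n/a' when the path is absent
    try { (Get-Item -Path $Path -ErrorAction Stop).Value } catch { 'n/a' }
}

# Each entry: the setting, its WSMan: path and the value that weakens security
$checks = @(
    @{ Name = 'Service AllowUnencrypted'; Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true' },
    @{ Name = 'Service Basic auth';       Path = 'WSMan:\localhost\Service\Auth\Basic';       Weak = 'true' },
    @{ Name = 'Client AllowUnencrypted';  Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Weak = 'true' },
    @{ Name = 'Client Basic auth';        Path = 'WSMan:\localhost\Client\Auth\Basic';        Weak = 'true' },
    @{ Name = 'Client CredSSP';           Path = 'WSMan:\localhost\Client\Auth\CredSSP';      Weak = 'true' },
    @{ Name = 'Client TrustedHosts';      Path = 'WSMan:\localhost\Client\TrustedHosts';      Weak = '*' }
)

foreach ($c in $checks) {
    $value = Get-WinRMSetting -Path $c.Path
    # String compare; WSMan: reports booleans as the strings 'true' / 'false'
    $flag = if ("$value" -eq $c.Weak) { 'WEAK' } else { 'ok' }
    '{0,-26} {1,-22} {2}' -f $c.Name, $value, $flag
}

# Reachability: Test-WSMan sends the same Identify request as "WinRM Identify",
# here over plain HTTP on port 5985 as used throughout this post.
try {
    $id = Test-WSMan -ComputerName $RemoteHost -Port 5985 -ErrorAction Stop
    "Identify OK: $($id.ProductVendor) $($id.ProductVersion)"
} catch {
    # Typical causes: WinRM service not configured, or the firewall rule missing
    "Identify failed: $($_.Exception.Message)"
}
```

A WEAK line shows a setting that the steps above deliberately enable; the report makes it easy to see on which machines they are still in place once the helpdesk setup is done.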
In the screenshot below you can see I opened a command prompt on another server, where I can start anything. This way it's possible to support users by taking over their desktop with remote assistance.
Of course any script or program that would affect WinRM or the firewall service can't be executed this way, for it would break the connection.
Is it a security breach? Hell no. You still need to be an administrator to be able to do this.
Group policies
Back to Citrix
- ConfigRemoteMgmt.exe /configwinrmuser "Domain group name"
After this, users with no administrative rights should be able to see the activity in the Desktop Director.
Read more about this on Citrix Edocs: director-cfg-machine-permission
Reading the blogs, it shows that the tool is kind of buggy and the output isn't guaranteed... read the article above, and if it doesn't work go for the manual setup.
If I find time soon I’ll write about that also.
For now I wanted to share with you how to take control of a remote machine in your network and share the Citrix tool that allows non-admin users to use the Desktop Director functionality.