Windows Remote Management
To manage the UWF on a remote computer via UWF Dashboard, WinRM is required.
CMD-based configuration
You configure WinRM with default settings by executing the winrm qc command on a console (cmd) with elevated rights (admin). This automatically configures the computer with the required Windows Remote Management (WS-Management) service and the firewall settings for WinRM access. Nothing more needs to be done when using winrm qc.
Image: winrm quickconfig command
Group policy based configuration (recommended)
A GPO-based configuration is particularly recommended for domain-connected computers, as all settings are made via centrally specified rules.
In addition, remote access can be handled restrictively here by specifying the IP address from which access is permitted. This increases IT security without requiring a great deal of effort.
The following group policies must be applied to the affected computer systems:
Note: Only GPOs for the computer configuration section are required. User configuration policies can be disabled for performance reasons.
| # | Path under Computer Configuration | Name | Setting | Comment |
|---|---|---|---|---|
| 1 | /../Policies/Windows Settings/Security Settings/System Services | Windows Remote Management (WS-Management) | Select service startup mode: Automatic | - |
| 2 | /../Policies/Windows Settings/Security Settings/Windows Firewall with Advanced Security/../Inbound Rules | Windows Remote Management (HTTP-in) | Enabled (profile: domain) | Predefined rule for WinRM via the WS-Management system service (TCP 5985) |
| 3 | /../Policies/Administrative Templates/../Windows Components/Windows Remote Management (WinRM)/WinRM Service | Allow remote server management through WinRM | Enabled | Define here the IP address (or IP address range) from which the remote computers may be accessed via WinRM (recommended). |
Security aspects
Important
Please read the following notes carefully.
Allowed IP addresses
You should restrict access to remote computers by specifying one or more allowed IP addresses. You can do this both in the firewall GPO (#2) and in the WinRM GPO (#3).
Firewall Scope
In the firewall GPO (#2), you should also limit the scope of the rule to the domain profile only.
Jump System
Likewise, consider using a dedicated jump computer that is the only system from which access to the remote computers is allowed.
Dedicated access
In combination with a jump system, access to the jump computer should be possible only for a defined Active Directory user group. Not every system administrator in your domain needs the right to remote access (WinRM).
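The GPO table and the notes above describe a target state but give no way to check that it actually arrived on a managed computer. The following PowerShell function is an added verification example and is not code from the original page or from the UWF Dashboard; it checks items 1 to 3 of the table and the IP restriction and domain-profile scope recommended under Security aspects. It assumes the registry value names the WinRM policy writes (AllowAutoConfig, IPv4Filter, IPv6Filter under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service), the firewall display group "Windows Remote Management", and a hypothetical jump host address passed as -ExpectedFilter.

```powershell
# Added verification example (not part of the original page): reads the local WinRM
# state that GPOs #1-#3 and the hardening notes are meant to produce.
# Assumptions: policy value names under the WinRM service policy key and the
# firewall rule display group match current Windows versions.

function Test-WinRmHardening {
    [CmdletBinding()]
    param(
        # Addresses or ranges that are expected in IPv4Filter (e.g. the jump host)
        [string[]]$ExpectedFilter = @()
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # (1) Service startup mode: the GPO sets Windows Remote Management to Automatic
    $svc = Get-Service -Name WinRM
    if ($svc.StartType -ne 'Automatic') {
        $findings.Add("WinRM service start type is '$($svc.StartType)', expected 'Automatic'")
    }
    if ($svc.Status -ne 'Running') {
        $findings.Add("WinRM service is '$($svc.Status)', expected 'Running'")
    }

    # (2) Firewall rule: the predefined WinRM HTTP rule (TCP 5985) must be enabled,
    #     scoped to the Domain profile only, and not open to every remote address
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' }
    if (-not $rules) {
        $findings.Add('No enabled inbound firewall rule in group "Windows Remote Management"')
    }
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if (@($port.LocalPort) -notcontains '5985') { continue }   # only the HTTP-in rule
        if ("$($rule.Profile)" -ne 'Domain') {
            $findings.Add("Rule '$($rule.Name)' applies to profile '$($rule.Profile)', expected 'Domain'")
        }
        $addr = $rule | Get-NetFirewallAddressFilter
        if (@($addr.RemoteAddress) -contains 'Any') {
            $findings.Add("Rule '$($rule.Name)' allows remote address 'Any'; restrict it to the jump host")
        }
    }

    # (3) WinRM service policy: AllowAutoConfig plus the IPv4/IPv6 filter strings.
    #     A filter of '*' means the listener accepts connections from every address.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $pol -or $pol.AllowAutoConfig -ne 1) {
        $findings.Add('GPO "Allow remote server management through WinRM" is not applied')
    }
    else {
        foreach ($name in 'IPv4Filter', 'IPv6Filter') {
            if ($pol.$name -eq '*') {
                $findings.Add("$name is '*': WinRM accepts connections from every address")
            }
        }
        if ($ExpectedFilter.Count -gt 0) {
            $configured = @($pol.IPv4Filter -split ',') | ForEach-Object { $_.Trim() }
            foreach ($entry in $ExpectedFilter) {
                if ($configured -notcontains $entry) {
                    $findings.Add("IPv4Filter does not contain expected entry '$entry'")
                }
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: run elevated on the managed computer, or via Invoke-Command from the jump host.
# The address below is a hypothetical jump host, not a value from the original page.
Test-WinRmHardening -ExpectedFilter '10.0.0.10'
```

Run it after a gpupdate /force on a test computer: a Compliant value of $false together with the Findings list tells you which of the three policies did not land or which restriction (profile scope, remote address, IP filter) is still wider than intended. Because the function only reads service, firewall and registry state, it can be executed from the jump host against every UWF-managed computer with Invoke-Command once WinRM itself is reachable.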