diff --git a/ConfigWinRM.ps1 b/ConfigWinRM.ps1
deleted file mode 100644
index 00f007e..0000000
--- a/ConfigWinRM.ps1
+++ /dev/null
@@ -1,1165 +0,0 @@ -#Requires -Version 3.0 -##Requires -Version 5.1 - -<#PSScriptInfo - -.VERSION 1.01 - -.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa - -.AUTHOR Martin Hudak - mhudak@totalservice.cz - -.COMPANYNAME TOTAL Service a.s. - -.COPYRIGHT - -.TAGS - -.LICENSEURI - -.PROJECTURI - -.ICONURI - -.EXTERNALMODULEDEPENDENCIES - -.REQUIREDSCRIPTS - -.EXTERNALSCRIPTDEPENDENCIES - Configuration file - ConfigWinRM.xml - -.RELEASENOTES - Version 1.00 - Initial version based on script - Written by Trond Hindenes - Updated by Chris Church - Updated by Michael Crilly - Updated by Anton Ouzounov - Updated by Nicolas Simond - Updated by Dag Wieërs - Updated by Jordan Borean - Updated by Erwan Quélin - Updated by David Norman - Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store - Updated by Michal Horák -#> - -<# -.SYNOPSIS - ConfigWinRM - -.DESCRIPTION - This script enable, configure and secure WinRM service on server - -.NOTES - Version 1.00 - Initial version based on script - Written by Trond Hindenes - Updated by Chris Church - Updated by Michael Crilly - Updated by Anton Ouzounov - Updated by Nicolas Simond - Updated by Dag Wieërs - Updated by Jordan Borean - Updated by Erwan Quélin - Updated by David Norman -#> - -$AppName = "ConfigWinRM" -$AppVersion = "1.00" -$AppDate = "2022-11-16" - -$Path = "C:\WinRM\" - -$Hostname = $env:COMPUTERNAME.ToUpper() -$ConfigFile = $Path + $AppName +".xml" -$LogPath = $Path +"Logs\" -$LogFile = $LogPath + $Hostname +"_"+ $AppName + "_"+ (Get-Date -Format yyyyMMdd) +".log" -$LogRetention = 90 - -if(Test-Path -Path ($LogPath)) -{ -} else -{ - New-Item -Path ($LogPath) -ItemType directory -} -Get-ChildItem ($LogPath) -Include ("*"+$AppName +"_*.log") -Recurse | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays((-1 * $LogRetention))} | Remove-Item - -$Error.Clear() -$MyERROR = $false -$CFGFound = $false -$RunningConfig = @{} 
-#--------------------------------------------------------------------------------------------------------------------- -#--------------------------------------------------------------------------------------------------------------------- -Function Write-MyLog -{ - param ( - [Parameter()] - [string] $LOGSeverity, # START, STOP, END, WARN, ERROR, OUT, INFO, LINE - [string] $LOGMessage - ) - $now = Get-Date -UFormat "%Y-%m-%d %T %Z" - if ($LOGSeverity -eq "LINE") { $LOGMessage = '----------------------------------------------------------------------------------------------------' } - $_message = $now+ ' '+ ('['+ $LOGSeverity + ']').PadRight(7) +' ' +$LOGMessage - write-host $_message - try - { - $_message | Out-File -Encoding UTF8 -Append -FilePath $LogFile - } Catch - { - $ErrorMessage = $_.Exception.Message - $FailedItem = $_.Exception.ItemName - Write-Host $ErrorMessage - Write-Host $FailedItem - Break - } -} -#--------------------------------------------------------------------------------------------------------------------- -#--------------------------------------------------------------------------------------------------------------------- -Function New-LegacySelfSignedCert -{ - Param ( - [string]$SubjectName, - [int]$ValidDays = 1095 - ) - $hostnonFQDN = $env:computerName - $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname - $SignatureAlgorithm = "SHA256" - - $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" - $name.Encode("CN=$SubjectName", 0) - - $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" - $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" - $key.KeySpec = 1 - $key.Length = 4096 - $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" - $key.MachineContext = 1 - $key.Create() - - $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1" - $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") - $ekuoids = New-Object -COM 
"X509Enrollment.CObjectIds.1" - $ekuoids.Add($serverauthoid) - $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" - $ekuext.InitializeEncode($ekuoids) - - $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" - $cert.InitializeFromPrivateKey(2, $key, "") - $cert.Subject = $name - $cert.Issuer = $cert.Subject - $cert.NotBefore = (Get-Date).AddDays(-1) - $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) - - $SigOID = New-Object -ComObject X509Enrollment.CObjectId - $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) - - [string[]] $AlternativeName += $hostnonFQDN - $AlternativeName += $hostFQDN - $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames - foreach ($AN in $AlternativeName) - { - $AltName = New-Object -ComObject X509Enrollment.CAlternativeName - $AltName.InitializeFromString(0x3, $AN) - $IAlternativeNames.Add($AltName) - } - $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames - $SubjectAlternativeName.InitializeEncode($IAlternativeNames) - - [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") - $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage - $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) - $KeyUsageObj.Critical = $true - - $cert.X509Extensions.Add($KeyUsageObj) - $cert.X509Extensions.Add($ekuext) - $cert.SignatureInformation.HashAlgorithm = $SigOID - $cert.X509Extensions.Add($SubjectAlternativeName) - $cert.Encode() - - $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" - $enrollment.InitializeFromRequest($cert) - $certdata = $enrollment.CreateRequest(0) - $enrollment.InstallResponse(2, $certdata, 0, "") - - # extract/return the thumbprint from the generated cert - $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 - 
$parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) - - return $parsed_cert.Thumbprint -} -#--------------------------------------------------------------------------------------------------------------------- -#--------------------------------------------------------------------------------------------------------------------- -Function Run -{ - Write-MyLog -LOGSeverity "START" -LOGMessage ("Application : "+ $AppName +", Version : "+ $AppVersion + ", date : "+ $AppDate) - $StopWatch = [system.diagnostics.stopwatch]::StartNew() - $Config = New-Object -TypeName XML - try - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Loading configuration : "+ $ConfigFile) - $Config.Load($ConfigFile) - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't load config file !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if (-not $MyError) - { - $CFG = $Config.ConfigWinRM.Options - if ($CFG ) - { - $CFGFound = $true - } - } - if($CFGFound -and (-not $MyError)) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Using configuration for computer Hostname : <"+ $Hostname +">.") - Write-MyLog -LOGSeverity "LINE" - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTP : [ " + $CFG.WinRMHTTP +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTPs : [ " + $CFG.WinRMHTTPS +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTP : [ " + $CFG.FWWinRMHTTP +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTPS : [ " + $CFG.FWWinRMHTTPS +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-TrustedHosts : [ " + $CFG.FWWinRMTrustedHosts +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Force : [ " + $CFG.SelfCertForce +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Validity : [ " + $CFG.SelfCertValidity +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("BasicAuth : [ " + $CFG.BasicAuth +" ].") - Write-MyLog 
-LOGSeverity "INFO" -LOGMessage ("KerberosAuth : [ " + $CFG.KerberosAuth +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CredSSPAuth : [ " + $CFG.CredSSPAuth +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("DigestAuth : [ " + $CFG.DigestAuth +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("NegotiateAuth : [ " + $CFG.NegotiateAuth +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CertificateAuth : [ " + $CFG.CertificateAuth +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy : [ "+ $CFG.LocalAccountTokenFilterPolicy +" ].") - } - else - { - $MyError = $true - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - $dotNET = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -name Version, Release -EA 0 | Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} | Sort-Object -Property Version | Select-Object @{name = "dotNET"; expression = {$_.PSChildName}}, Version) - Write-MyLog -LOGSeverity "LINE" - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Name : '+ $env:UserName) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Domain : '+ $env:UserDomain) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Hostname : '+ $env:computername) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('IP Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').IPAddress) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('MAC Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').MACAddress) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Manufacturer : '+ (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Model : '+ (Get-WmiObject -Class Win32_ComputerSystem).Model) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Serial Number : '+ (Get-WmiObject -Class Win32_Bios).SerialNumber) 
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Name : '+ (Get-WmiObject -class Win32_OperatingSystem).Caption) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Version : '+ (Get-WMIObject win32_operatingsystem).Version) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS ServicePack : '+ (Get-WMIObject win32_operatingsystem).CSDVersion) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Build : '+ (Get-WmiObject -class Win32_OperatingSystem).BuildNumber) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Architecture : '+ (Get-WmiObject Win32_OperatingSystem).OSArchitecture) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Install date : '+ [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)).ToString("yyyy-MM-dd HH:mm:ss")) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('RAM Size (MB) : '+ (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Disk free (GB) : '+ (Get-PSDrive C).Free /1GB) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell version : '+ $PSVersionTable.PSversion.ToString()) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell CLR : '+ $PSVersionTable.CLRVersion.ToString()) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Verze .NET : ') - foreach ($verze in $dotNET) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ((' : '+ $verze.Version + $Tab +'-'+ $Tab + $verze.dotNET)) - } - Write-MyLog -LOGSeverity "LINE" - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - # Get the ID and security principal of the current user account - $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() - $myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Script running as user : [ "+ $myWindowsID.name +" 
].") - # Get the security principal for the Administrator role - $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator - # Check to see if we are currently running "as Administrator" - if (-Not $myWindowsPrincipal.IsInRole($adminRole)) - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("You need elevated Administrator privileges in order to run this script. Start Windows PowerShell by using the Run as Administrator.") - $MyError = $true - } else { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Current user have appropriate rights to run this script.") - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Detecting Powershell version : [ "+ $PSVersionTable.PSVersion +" ].") - If ($PSVersionTable.PSVersion.Major -lt 3) - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Powershell version is not supported :-( !!!") - $MyError = $true - } else { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Powershell version is supported.") - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") - try - { - $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if (-not $MyError -and $RunningConfig.svcWinRM.StartType -ne "Automatic") - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be configured to Automatic startup..") - try - { - Write-MyLog -LOGSeverity "INFO" 
-LOGMessage ("Setting service WinRM startup type Automatic.") - Set-Service -Name "WinRM" -StartupType Automatic - $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't change WinRM service startup type. !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } - if (-not $MyError -and $RunningConfig.svcWinRM.Status -ne "Started") - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be running..") - try - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting service WinRM...") - $StartTimeout = 0 - Start-Service -Name "WinRM" -ErrorAction Stop - while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 ) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...") - Start-Sleep -Seconds 1 - $StartTimeout ++ - } - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. 
!!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") - try - { - $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - If ($RunningConfig.svcWinRM.Status -ne "Running") - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!") - $MyError = $true - } - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading WinRM service configuration") - try - { - $RunningConfig.WinRMauth = (Get-WSManInstance -ResourceURI winrm/config/service/auth) - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Authentication methods") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Basic : [ "+ $RunningConfig.WinRMauth.Basic +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Negotiate : [ "+ $RunningConfig.WinRMauth.Negotiate +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Certificate : [ "+ $RunningConfig.WinRMauth.Certificate +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Kerberos : [ "+ $RunningConfig.WinRMauth.Kerberos +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CredSSP : [ "+ $RunningConfig.WinRMauth.CredSSP +" ]") - } - catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM authentication configuration !!!") - $MyError = $true - } - try - { - $RunningConfig.WinRMListeners = (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate) - 
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Listener(s)") - foreach ($lncfg in $RunningConfig.WinRMListeners) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Transport : [ "+ $lncfg.Transport +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Port : [ "+ $lncfg.Port +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $lncfg.Enabled +" ].") - if ($lncfg.Hostname) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Hostname : [ "+ $lncfg.Hostname +" ].") } - if ($lncfg.Addresss) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Address : [ "+ $lncfg.Addresss +" ].") } - if ($lncfg.CertificateThumbprint) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertThumbprint: [ "+ $lncfg.CertificateThumbprint +" ].") - $RunningConfig.WinRMHTTPSCert = (Get-ChildItem -path ("Cert:\*"+ $lncfg.CertificateThumbprint) -Recurse | Select-Object -Unique) - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertSubject : [ "+ $RunningConfig.WinRMHTTPSCert.Subject +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertDnsName : [ "+ $RunningConfig.WinRMHTTPSCert.DnsNameList +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" FriendlyName : [ "+ $RunningConfig.WinRMHTTPSCert.FriendlyName +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotBefore : [ "+ $RunningConfig.WinRMHTTPSCert.NotBefore +" ].") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotAfter : [ "+ $RunningConfig.WinRMHTTPSCert.NotAfter +" ].") - } - } - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM listeners configuration !!!") - $MyError = $true - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of Windows Firewall service..") - try - { - $RunningConfig.MPSsvc = Get-Service "MpsSvc" -ErrorAction Stop - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("MPSsvc service status is [ "+ 
$RunningConfig.MPSsvc.Status +" ] and startup type is [ "+ $RunningConfig.MPSsvc.StartType +" ].") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service MPSsvc status !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading local FireWall configuration.") - try - { - $RunningConfig.FWprofile = Get-NetFirewallProfile - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Windows Firewall profile(s): ") - foreach ($prof in $RunningConfig.FWprofile) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ($prof.profile +" : [ "+ $prof.enabled +" ].") - } - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall profiles !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } -#-------------------------------------------------------------------------------------------------- -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding Firewall rules for WinRM ports.") - $RunningConfig.FWHTTPRules = @() - $RunningConfig.FWHTTPPortFilter = @() - $RunningConfig.FWHTTPAddressFilter = @() - $RunningConfig.FWHTTPSRules = @() - $RunningConfig.FWHTTPSPortFilter = @() - $RunningConfig.FWHTTPSAddressFilter = @() - try - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTP - TCP 5985") - $RunningConfig.FWHTTPPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5985 } - foreach ($PortFilter in $RunningConfig.FWHTTPPortFilter) - { - $RunningConfig.FWHTTPRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } - } - foreach ($rule in 
$RunningConfig.FWHTTPRules) - { - $RunningConfig.FWHTTPAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) - } - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if ($RunningConfig.FWHTTPRules) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTP rule") - foreach ($rule in $RunningConfig.FWHTTPRules) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") - $tmp = ($RunningConfig.FWHTTPPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") - $tmp = ( $RunningConfig.FWHTTPAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") - } - } else - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTP FireWall rule.") 
- } - try - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTPS - TCP 5986") - $RunningConfig.FWHTTPSPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 } - foreach ($PortFilter in $RunningConfig.FWHTTPSPortFilter) - { - $RunningConfig.FWHTTPSRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } - } - foreach ($rule in $RunningConfig.FWHTTPSRules) - { - $RunningConfig.FWHTTPSAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) - } - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if ($RunningConfig.FWHTTPSRules) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTPS rule") - foreach ($rule in $RunningConfig.FWHTTPSRules) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") - $tmp = ($RunningConfig.FWHTTPSPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") - $tmp = ( $RunningConfig.FWHTTPSAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) - Write-MyLog -LOGSeverity "INFO" 
-LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") - Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") - } - } else - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS FireWall rule.") - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Checking LocalAccountTokenFilterPolicy") - $RunningConfig.LocalAccountTokenFilterPolicy = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\").LocalAccountTokenFilterPolicy - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy have Value : [ "+ $RunningConfig.LocalAccountTokenFilterPolicy +" ]") - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError) - { - Write-MyLog -LOGSeverity "LINE" - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting WinRM config modifications.") - Write-MyLog -LOGSeverity "LINE" - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 0 ) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 1.") - try - { - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 1 - } - catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. 
!!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "disable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 1 ) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 0.") - try - { - Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 0 - } - catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -ne 0 -and -not $RunningConfig.LocalAccountTokenFilterPolicy ) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating registry key LocalAccountTokenFilterPolicy with Value 1.") - try - { - New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -PropertyType DWORD -Name "LocalAccountTokenFilterPolicy" -Value 1 | out-null - } - catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create reguistry key. 
!!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } elseif (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.") - } -#-------------------------------------------------------------------------------------------------- -# Get WinRM HTTPS listener thumbprint - -$winrmOutput = winrm e winrm/config/listener -$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', '' - - -# Get local self-signed certificate thumbprint (adjust subject name as needed) -$DN = $env:COMPUTERNAME -$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { - $_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject -} -$localThumbprint = $cert.Thumbprint - -# Compare the thumbprints - if ($localThumbprint -contains $winrmThumbprint) - { - $certisinwinrm = "yes" - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.") - } - else - {$certisinwinrm = "no" - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.") - } - -if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" ) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.") - try - { - $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issuen new Self-Signed certificate. 
!!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if (-not $MyError) - { - $ValueSet = @{ - CertificateThumbprint = $SelfCertThumbprint - Hostname = ($env:COMPUTERNAME) - } - $selectorset = @{ - Transport = "HTTPS" - Address = "*" - } - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener") - try - { - Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } - if (-not $MyError) - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new listener with new Self-Signed SSL certificate.") - try - { - $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. 
!!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - } - } -#-------------------------------------------------------------------------------------------------- - if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable") - { - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.") - try - { - $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issue new Self-Signed certificate. !!!") - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) - $MyError = $true - } - if (-not $MyError) - { - $ValueSet = @{ - CertificateThumbprint = $SelfCertThumbprint - Hostname = ($env:COMPUTERNAME) - } - $selectorset = @{ - Transport = "HTTPS" - Address = "*" - } - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener with new Self-Signed SSL certificate.") - try - { - $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset - Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.") - } catch - { - Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError -and $RunningConfig.WinRMListeners)
- {
- if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "disable")
- {
- $selectorset = @{
- Transport = "HTTPS"
- Address = "*"
- }
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
- try
- {
- Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener removed.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTP" }) -and $CFG.WINRMHTTP.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP listener.")
- $selectorset = @{
- Transport = "HTTP"
- Address = "*"
- }
- try
- {
- $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener created.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTP listener. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError -and $RunningConfig.WinRMListeners)
- {
- if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTP" } ) -and $CFG.WINRMHTTP.ToLower() -eq "disable")
- {
- $selectorset = @{
- Transport = "HTTP"
- Address = "*"
- }
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTP listener")
- try
- {
- Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener removed.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTP listener. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.Basic -eq "false" -and $CFG.BasicAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM basic auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM basic auth. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.Basic -eq "true" -and $CFG.BasicAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM basic auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM basic auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.CredSSP -eq "false" -and $CFG.CredSSPAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM CredSSP auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM CredSSP auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.CredSSP -eq "true" -and $CFG.CredSSPAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM CredSSP auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM CredSSP auth. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.Kerberos -eq "false" -and $CFG.KerberosAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Kerberos auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Kerberos auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.Kerberos -eq "true" -and $CFG.KerberosAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Kerberos auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Kerberos auth. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.Digest -eq "false" -and $CFG.DigestAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Digest auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Digest auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.Digest -eq "true" -and $CFG.DigestAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Digest auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Digest auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.Negotiate -eq "false" -and $CFG.NegotiateAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Negotiate auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Negotiate auth. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.Negotiate -eq "true" -and $CFG.NegotiateAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Negotiate auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Negotiate auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.WinRMauth.Certificate -eq "false" -and $CFG.CertificateAuth.ToLower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Certificate auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $true
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support enabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Certificate auth. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($RunningConfig.WinRMauth.Certificate -eq "true" -and $CFG.CertificateAuth.ToLower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Certificate auth support.")
- try
- {
- Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $false
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support disabled.")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Certificate auth. 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Configuration changes finished, restarting WinRM service.")
- try
- {
- $StartTimeout = 0
- Restart-Service -Name "WinRM" -ErrorAction Stop -Force
- while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 )
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...")
- Start-Sleep -Seconds 1
- $StartTimeout ++
- }
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
- try
- {
- $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
- } catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- If ($RunningConfig.svcWinRM.Status -ne "Running")
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!")
- $MyError = $true
- }
- }
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- if ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
- {
- foreach($AddressFilter in ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
- {
- foreach ($FirewallRule in 
($RunningConfig.FWHTTPRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
- {
- if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTP.Tolower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
- try
- {
- $FirewallRule | Set-NetFirewallRule -Enabled True
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTP.Tolower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
- try
- {
- $FirewallRule | Set-NetFirewallRule -Enabled False
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
- }
- } elseif ($CFG.FWWinRMHTTP.Tolower() -eq "enable" -and $CFG.WinRMHTTP.tolower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP FireWall rule.")
- try
- {
- New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTP)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTP)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5985 -Description "Allowing Ansible WinRM (In-HTTP) access to system." 
-Group "Windows Remote Management" -ErrorAction Stop | Out-Null
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTP FireWall rule created.")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
-#--------------------------------------------------------------------------------------------------
-#--------------------------------------------------------------------------------------------------
-if (-not $MyError)
-{
- if ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
- {
- foreach($AddressFilter in ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
- {
- foreach ($FirewallRule in ($RunningConfig.FWHTTPSRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
- {
- if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTPS.Tolower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
- try
- {
- $FirewallRule | Set-NetFirewallRule -Enabled True
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTPS.Tolower() -eq "disable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
- try
- {
- $FirewallRule | Set-NetFirewallRule -Enabled False
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule 
!!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
- }
- }
- } elseif ($CFG.FWWinRMHTTPS.Tolower() -eq "enable" -and $CFG.WinRMHTTPS.tolower() -eq "enable")
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS FireWall rule.")
- try
- {
- New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTPS)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTPS)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5986 -Description "Allowing Ansible WinRM (In-HTTPS) access to system." -Group "Windows Remote Management" -ErrorAction Stop | Out-Null
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTPS FireWall rule created.")
- }
- catch
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
- $MyError = $true
- }
- }
-}
-#--------------------------------------------------------------------------------------------------
-#--------------------------------------------------------------------------------------------------
- if (-not $MyError)
- {
- # Test a remoting connection to localhost, which should work. 
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Testing WinRM connection.")
- $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
- $httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -ErrorVariable httpError -ErrorAction SilentlyContinue
- $httpsResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -UseSSL -SessionOption $httpsOptions -ErrorVariable httpError -ErrorAction SilentlyContinue
-
- if ($httpResult -and $httpsResult)
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Enabled")
- }
- ElseIf ($httpsResult -and !$httpResult)
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Disabled | HTTPS: Enabled")
- }
- ElseIf ($httpResult -and !$httpsResult)
- {
- Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Disabled")
- }
- Else
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Unable to establish an HTTP or HTTPS remoting session.")
- $MyError = $true
- }
- }
-#--------------------------------------------------------------------------------------------------
-#################################################################
- if($MyERROR)
- {
- Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("ERROR during checks...")
- $StopWatch.Stop()
- Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
- }
- else
- {
- Write-MyLog -LOGSeverity "OK" -LOGMessage ("PS Remoting has been successfully configured for Ansible.")
- $StopWatch.Stop()
- Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
- }
-}
-################################################################
-Run;
-# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
\ No newline at end of file