From cfe71940e9c34256fb926674dc1a8bd29e44be7e Mon Sep 17 00:00:00 2001
From: mhorak
Date: Mon, 25 Aug 2025 07:33:21 +0000
Subject: [PATCH] Upload files to "/"

---
 ConfigWinRM.ps1 | 1178 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1178 insertions(+)
 create mode 100644 ConfigWinRM.ps1

diff --git a/ConfigWinRM.ps1 b/ConfigWinRM.ps1
new file mode 100644
index 0000000..9e670de
--- /dev/null
+++ b/ConfigWinRM.ps1
@@ -0,0 +1,1178 @@ +#Requires -Version 3.0 +##Requires -Version 5.1 + +<#PSScriptInfo + +.VERSION 1.02 + +.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa + +.AUTHOR Martin Hudak - mhudak@totalservice.cz + +.COMPANYNAME TOTAL Service a.s. + +.COPYRIGHT + +.TAGS + +.LICENSEURI + +.PROJECTURI + +.ICONURI + +.EXTERNALMODULEDEPENDENCIES + +.REQUIREDSCRIPTS + +.EXTERNALSCRIPTDEPENDENCIES + Configuration file - ConfigWinRM.xml + +.RELEASENOTES + Version 1.00 - Initial version based on script + Written by Trond Hindenes + Updated by Chris Church + Updated by Michael Crilly + Updated by Anton Ouzounov + Updated by Nicolas Simond + Updated by Dag Wieërs + Updated by Jordan Borean + Updated by Erwan Quélin + Updated by David Norman + Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store + Updated by Michal Horák + Verison 1.02 - Fixed issue when script fails on removing listeners if only HTTP listener exists (no HTTPS listener exists) + Updated by Michal Horák +#> + +<# +.SYNOPSIS + ConfigWinRM + +.DESCRIPTION + This script enable, configure and secure WinRM service on server + +.NOTES + Version 1.00 - Initial version based on script + Written by Trond Hindenes + Updated by Chris Church + Updated by Michael Crilly + Updated by Anton Ouzounov + Updated by Nicolas Simond + Updated by Dag Wieërs + Updated by Jordan Borean + Updated by Erwan Quélin + Updated by David Norman +#> + +$AppName = "ConfigWinRM" +$AppVersion = "1.00" +$AppDate = "2022-11-16" + +$Path = "C:\WinRM\" + +$Hostname = $env:COMPUTERNAME.ToUpper() +$ConfigFile = $Path + $AppName +".xml" +$LogPath = $Path +"Logs\" +$LogFile = $LogPath + $Hostname +"_"+ $AppName + "_"+ (Get-Date -Format yyyyMMdd) +".log" +$LogRetention = 90 + +if(Test-Path -Path ($LogPath)) +{ +} else +{ + New-Item -Path ($LogPath) -ItemType directory +} +Get-ChildItem ($LogPath) -Include ("*"+$AppName +"_*.log") -Recurse | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays((-1 * 
$LogRetention))} | Remove-Item + +$Error.Clear() +$MyERROR = $false +$CFGFound = $false +$RunningConfig = @{} +#--------------------------------------------------------------------------------------------------------------------- +#--------------------------------------------------------------------------------------------------------------------- +Function Write-MyLog +{ + param ( + [Parameter()] + [string] $LOGSeverity, # START, STOP, END, WARN, ERROR, OUT, INFO, LINE + [string] $LOGMessage + ) + $now = Get-Date -UFormat "%Y-%m-%d %T %Z" + if ($LOGSeverity -eq "LINE") { $LOGMessage = '----------------------------------------------------------------------------------------------------' } + $_message = $now+ ' '+ ('['+ $LOGSeverity + ']').PadRight(7) +' ' +$LOGMessage + write-host $_message + try + { + $_message | Out-File -Encoding UTF8 -Append -FilePath $LogFile + } Catch + { + $ErrorMessage = $_.Exception.Message + $FailedItem = $_.Exception.ItemName + Write-Host $ErrorMessage + Write-Host $FailedItem + Break + } +} +#--------------------------------------------------------------------------------------------------------------------- +#--------------------------------------------------------------------------------------------------------------------- +Function New-LegacySelfSignedCert +{ + Param ( + [string]$SubjectName, + [int]$ValidDays = 1095 + ) + $hostnonFQDN = $env:computerName + $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname + $SignatureAlgorithm = "SHA256" + + $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1" + $name.Encode("CN=$SubjectName", 0) + + $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1" + $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider" + $key.KeySpec = 1 + $key.Length = 4096 + $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" + $key.MachineContext = 1 + $key.Create() + + $serverauthoid = New-Object -COM 
"X509Enrollment.CObjectId.1" + $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") + $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1" + $ekuoids.Add($serverauthoid) + $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" + $ekuext.InitializeEncode($ekuoids) + + $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1" + $cert.InitializeFromPrivateKey(2, $key, "") + $cert.Subject = $name + $cert.Issuer = $cert.Subject + $cert.NotBefore = (Get-Date).AddDays(-1) + $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays) + + $SigOID = New-Object -ComObject X509Enrollment.CObjectId + $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) + + [string[]] $AlternativeName += $hostnonFQDN + $AlternativeName += $hostFQDN + $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames + foreach ($AN in $AlternativeName) + { + $AltName = New-Object -ComObject X509Enrollment.CAlternativeName + $AltName.InitializeFromString(0x3, $AN) + $IAlternativeNames.Add($AltName) + } + $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames + $SubjectAlternativeName.InitializeEncode($IAlternativeNames) + + [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") + $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage + $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) + $KeyUsageObj.Critical = $true + + $cert.X509Extensions.Add($KeyUsageObj) + $cert.X509Extensions.Add($ekuext) + $cert.SignatureInformation.HashAlgorithm = $SigOID + $cert.X509Extensions.Add($SubjectAlternativeName) + $cert.Encode() + + $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" + $enrollment.InitializeFromRequest($cert) + $certdata = $enrollment.CreateRequest(0) + $enrollment.InstallResponse(2, $certdata, 0, "") + + # extract/return the thumbprint from the generated cert + $parsed_cert = 
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 + $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) + + return $parsed_cert.Thumbprint +} +#--------------------------------------------------------------------------------------------------------------------- +#--------------------------------------------------------------------------------------------------------------------- +Function Run +{ + Write-MyLog -LOGSeverity "START" -LOGMessage ("Application : "+ $AppName +", Version : "+ $AppVersion + ", date : "+ $AppDate) + $StopWatch = [system.diagnostics.stopwatch]::StartNew() + $Config = New-Object -TypeName XML + try + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Loading configuration : "+ $ConfigFile) + $Config.Load($ConfigFile) + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't load config file !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + if (-not $MyError) + { + $CFG = $Config.ConfigWinRM.Options + if ($CFG ) + { + $CFGFound = $true + } + } + if($CFGFound -and (-not $MyError)) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Using configuration for computer Hostname : <"+ $Hostname +">.") + Write-MyLog -LOGSeverity "LINE" + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTP : [ " + $CFG.WinRMHTTP +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTPs : [ " + $CFG.WinRMHTTPS +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTP : [ " + $CFG.FWWinRMHTTP +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTPS : [ " + $CFG.FWWinRMHTTPS +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-TrustedHosts : [ " + $CFG.FWWinRMTrustedHosts +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Force : [ " + $CFG.SelfCertForce +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Validity : [ " + $CFG.SelfCertValidity +" ].") + Write-MyLog -LOGSeverity 
"INFO" -LOGMessage ("BasicAuth : [ " + $CFG.BasicAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("KerberosAuth : [ " + $CFG.KerberosAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CredSSPAuth : [ " + $CFG.CredSSPAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("DigestAuth : [ " + $CFG.DigestAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("NegotiateAuth : [ " + $CFG.NegotiateAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CertificateAuth : [ " + $CFG.CertificateAuth +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy : [ "+ $CFG.LocalAccountTokenFilterPolicy +" ].") + } + else + { + $MyError = $true + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + $dotNET = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -name Version, Release -EA 0 | Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} | Sort-Object -Property Version | Select-Object @{name = "dotNET"; expression = {$_.PSChildName}}, Version) + Write-MyLog -LOGSeverity "LINE" + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Name : '+ $env:UserName) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Domain : '+ $env:UserDomain) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Hostname : '+ $env:computername) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('IP Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').IPAddress) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('MAC Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').MACAddress) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Manufacturer : '+ (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Model : '+ (Get-WmiObject -Class Win32_ComputerSystem).Model) + Write-MyLog -LOGSeverity "INFO" 
-LOGMessage ('Serial Number : '+ (Get-WmiObject -Class Win32_Bios).SerialNumber) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Name : '+ (Get-WmiObject -class Win32_OperatingSystem).Caption) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Version : '+ (Get-WMIObject win32_operatingsystem).Version) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS ServicePack : '+ (Get-WMIObject win32_operatingsystem).CSDVersion) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Build : '+ (Get-WmiObject -class Win32_OperatingSystem).BuildNumber) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Architecture : '+ (Get-WmiObject Win32_OperatingSystem).OSArchitecture) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Install date : '+ [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)).ToString("yyyy-MM-dd HH:mm:ss")) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('RAM Size (MB) : '+ (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Disk free (GB) : '+ (Get-PSDrive C).Free /1GB) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell version : '+ $PSVersionTable.PSversion.ToString()) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell CLR : '+ $PSVersionTable.CLRVersion.ToString()) + Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Verze .NET : ') + foreach ($verze in $dotNET) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ((' : '+ $verze.Version + $Tab +'-'+ $Tab + $verze.dotNET)) + } + Write-MyLog -LOGSeverity "LINE" + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + # Get the ID and security principal of the current user account + $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() + $myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) + Write-MyLog 
-LOGSeverity "INFO" -LOGMessage ("Script running as user : [ "+ $myWindowsID.name +" ].") + # Get the security principal for the Administrator role + $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator + # Check to see if we are currently running "as Administrator" + if (-Not $myWindowsPrincipal.IsInRole($adminRole)) + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("You need elevated Administrator privileges in order to run this script. Start Windows PowerShell by using the Run as Administrator.") + $MyError = $true + } else { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Current user have appropriate rights to run this script.") + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Detecting Powershell version : [ "+ $PSVersionTable.PSVersion +" ].") + If ($PSVersionTable.PSVersion.Major -lt 3) + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Powershell version is not supported :-( !!!") + $MyError = $true + } else { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Powershell version is supported.") + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") + try + { + $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + if (-not $MyError -and $RunningConfig.svcWinRM.StartType -ne "Automatic") + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to 
be configured to Automatic startup..") + try + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting service WinRM startup type Automatic.") + Set-Service -Name "WinRM" -StartupType Automatic + $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't change WinRM service startup type. !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } + if (-not $MyError -and $RunningConfig.svcWinRM.Status -ne "Started") + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be running..") + try + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting service WinRM...") + $StartTimeout = 0 + Start-Service -Name "WinRM" -ErrorAction Stop + while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 ) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...") + Start-Sleep -Seconds 1 + $StartTimeout ++ + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. 
!!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") + try + { + $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + If ($RunningConfig.svcWinRM.Status -ne "Running") + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!") + $MyError = $true + } + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading WinRM service configuration") + try + { + $RunningConfig.WinRMauth = (Get-WSManInstance -ResourceURI winrm/config/service/auth) + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Authentication methods") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Basic : [ "+ $RunningConfig.WinRMauth.Basic +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Negotiate : [ "+ $RunningConfig.WinRMauth.Negotiate +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Certificate : [ "+ $RunningConfig.WinRMauth.Certificate +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Kerberos : [ "+ $RunningConfig.WinRMauth.Kerberos +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CredSSP : [ "+ $RunningConfig.WinRMauth.CredSSP +" ]") + } + catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM authentication configuration !!!") + $MyError = $true + } + try + { + $RunningConfig.WinRMListeners = (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate) + 
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Listener(s)") + foreach ($lncfg in $RunningConfig.WinRMListeners) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Transport : [ "+ $lncfg.Transport +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Port : [ "+ $lncfg.Port +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $lncfg.Enabled +" ].") + if ($lncfg.Hostname) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Hostname : [ "+ $lncfg.Hostname +" ].") } + if ($lncfg.Addresss) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Address : [ "+ $lncfg.Addresss +" ].") } + if ($lncfg.CertificateThumbprint) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertThumbprint: [ "+ $lncfg.CertificateThumbprint +" ].") + $RunningConfig.WinRMHTTPSCert = (Get-ChildItem -path ("Cert:\*"+ $lncfg.CertificateThumbprint) -Recurse | Select-Object -Unique) + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertSubject : [ "+ $RunningConfig.WinRMHTTPSCert.Subject +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertDnsName : [ "+ $RunningConfig.WinRMHTTPSCert.DnsNameList +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" FriendlyName : [ "+ $RunningConfig.WinRMHTTPSCert.FriendlyName +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotBefore : [ "+ $RunningConfig.WinRMHTTPSCert.NotBefore +" ].") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotAfter : [ "+ $RunningConfig.WinRMHTTPSCert.NotAfter +" ].") + } + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM listeners configuration !!!") + $MyError = $true + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of Windows Firewall service..") + try + { + $RunningConfig.MPSsvc = Get-Service "MpsSvc" -ErrorAction Stop + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("MPSsvc service status is [ "+ 
$RunningConfig.MPSsvc.Status +" ] and startup type is [ "+ $RunningConfig.MPSsvc.StartType +" ].") + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service MPSsvc status !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading local FireWall configuration.") + try + { + $RunningConfig.FWprofile = Get-NetFirewallProfile + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Windows Firewall profile(s): ") + foreach ($prof in $RunningConfig.FWprofile) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ($prof.profile +" : [ "+ $prof.enabled +" ].") + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall profiles !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } +#-------------------------------------------------------------------------------------------------- +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding Firewall rules for WinRM ports.") + $RunningConfig.FWHTTPRules = @() + $RunningConfig.FWHTTPPortFilter = @() + $RunningConfig.FWHTTPAddressFilter = @() + $RunningConfig.FWHTTPSRules = @() + $RunningConfig.FWHTTPSPortFilter = @() + $RunningConfig.FWHTTPSAddressFilter = @() + try + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTP - TCP 5985") + $RunningConfig.FWHTTPPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5985 } + foreach ($PortFilter in $RunningConfig.FWHTTPPortFilter) + { + $RunningConfig.FWHTTPRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } + } + foreach ($rule in 
$RunningConfig.FWHTTPRules) + { + $RunningConfig.FWHTTPAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + if ($RunningConfig.FWHTTPRules) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTP rule") + foreach ($rule in $RunningConfig.FWHTTPRules) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") + $tmp = ($RunningConfig.FWHTTPPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") + $tmp = ( $RunningConfig.FWHTTPAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") + } + } else + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTP FireWall rule.") 
+ } + try + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTPS - TCP 5986") + $RunningConfig.FWHTTPSPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 } + foreach ($PortFilter in $RunningConfig.FWHTTPSPortFilter) + { + $RunningConfig.FWHTTPSRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } + } + foreach ($rule in $RunningConfig.FWHTTPSRules) + { + $RunningConfig.FWHTTPSAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + if ($RunningConfig.FWHTTPSRules) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTPS rule") + foreach ($rule in $RunningConfig.FWHTTPSRules) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") + $tmp = ($RunningConfig.FWHTTPSPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") + $tmp = ( $RunningConfig.FWHTTPSAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) + Write-MyLog -LOGSeverity "INFO" 
-LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") + Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") + } + } else + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS FireWall rule.") + } + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Checking LocalAccountTokenFilterPolicy") + $RunningConfig.LocalAccountTokenFilterPolicy = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\").LocalAccountTokenFilterPolicy + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy have Value : [ "+ $RunningConfig.LocalAccountTokenFilterPolicy +" ]") + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError) + { + Write-MyLog -LOGSeverity "LINE" + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting WinRM config modifications.") + Write-MyLog -LOGSeverity "LINE" + } +#-------------------------------------------------------------------------------------------------- + if (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 0 ) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 1.") + try + { + Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 1 + } + catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. 
!!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "disable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 1 ) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 0.") + try + { + Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 0 + } + catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -ne 0 -and -not $RunningConfig.LocalAccountTokenFilterPolicy ) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating registry key LocalAccountTokenFilterPolicy with Value 1.") + try + { + New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -PropertyType DWORD -Name "LocalAccountTokenFilterPolicy" -Value 1 | out-null + } + catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create reguistry key. 
!!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } elseif (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.") + } +#-------------------------------------------------------------------------------------------------- +# Get WinRM HTTPS listener thumbprint + +$winrmOutput = winrm e winrm/config/listener +$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', '' + + +# Get local self-signed certificate thumbprint (adjust subject name as needed) +$DN = $env:COMPUTERNAME +$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { + $_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject +} +$localThumbprint = $cert.Thumbprint + +# Compare the thumbprints + if ($localThumbprint -contains $winrmThumbprint) + { + $certisinwinrm = "yes" + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.") + } + else + {$certisinwinrm = "no" + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.") + } + +if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" ) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.") + try + { + $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]") + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issuen new Self-Signed certificate. 
!!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + if (-not $MyError) + { + $ValueSet = @{ + CertificateThumbprint = $SelfCertThumbprint + Hostname = ($env:COMPUTERNAME) + } + $selectorset = @{ + Transport = "HTTPS" + Address = "*" + } + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener") + try + { + $existingHttpsListener = $RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } + if ($existingHttpsListener) { + Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.") + } else { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS listener exists, nothing to remove.") + } + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!") + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) + $MyError = $true + } + } + if (-not $MyError) + { + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new listener with new Self-Signed SSL certificate.") + try + { + $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset + Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.") + } catch + { + Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable")
+ {
+ # Check for existing HTTPS listener before creating certificate
+ $existingHttpsListener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate | Where-Object { $_.Transport -eq "HTTPS" }
+ if (-not $existingHttpsListener) {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.")
+ try
+ {
+ $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issue new Self-Signed certificate. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ if (-not $MyError)
+ {
+ $ValueSet = @{
+ CertificateThumbprint = $SelfCertThumbprint
+ Hostname = ($env:COMPUTERNAME)
+ }
+ $selectorset = @{
+ Transport = "HTTPS"
+ Address = "*"
+ }
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener with new Self-Signed SSL certificate.")
+ try
+ {
+ $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ } else {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener already exists, skipping creation and certificate issuance.")
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError -and $RunningConfig.WinRMListeners)
+ {
+ if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "disable")
+ {
+ $selectorset = @{
+ Transport = "HTTPS"
+ Address = "*"
+ }
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
+ try
+ {
+ Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener removed.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTP" }) -and $CFG.WINRMHTTP.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP listener.")
+ $selectorset = @{
+ Transport = "HTTP"
+ Address = "*"
+ }
+ try
+ {
+ $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener created.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTP listener. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError -and $RunningConfig.WinRMListeners)
+ {
+ if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTP" } ) -and $CFG.WINRMHTTP.ToLower() -eq "disable")
+ {
+ $selectorset = @{
+ Transport = "HTTP"
+ Address = "*"
+ }
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTP listener")
+ try
+ {
+ Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener removed.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTP listener. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.Basic -eq "false" -and $CFG.BasicAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM basic auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM basic auth. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.Basic -eq "true" -and $CFG.BasicAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM basic auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM basic auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.CredSSP -eq "false" -and $CFG.CredSSPAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM CredSSP auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM CredSSP auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.CredSSP -eq "true" -and $CFG.CredSSPAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM CredSSP auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM CredSSP auth. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.Kerberos -eq "false" -and $CFG.KerberosAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Kerberos auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Kerberos auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.Kerberos -eq "true" -and $CFG.KerberosAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Kerberos auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Kerberos auth. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.Digest -eq "false" -and $CFG.DigestAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Digest auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Digest auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.Digest -eq "true" -and $CFG.DigestAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Digest auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Digest auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.Negotiate -eq "false" -and $CFG.NegotiateAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Negotiate auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Negotiate auth. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.Negotiate -eq "true" -and $CFG.NegotiateAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Negotiate auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Negotiate auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.WinRMauth.Certificate -eq "false" -and $CFG.CertificateAuth.ToLower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Certificate auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $true
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support enabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Certificate auth. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($RunningConfig.WinRMauth.Certificate -eq "true" -and $CFG.CertificateAuth.ToLower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Certificate auth support.")
+ try
+ {
+ Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $false
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support disabled.")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Certificate auth. 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Configuration changes finished, restarting WinRM service.")
+ try
+ {
+ $StartTimeout = 0
+ Restart-Service -Name "WinRM" -ErrorAction Stop -Force
+ while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 )
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...")
+ Start-Sleep -Seconds 1
+ $StartTimeout ++
+ }
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
+ try
+ {
+ $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
+ } catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ If ($RunningConfig.svcWinRM.Status -ne "Running")
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!")
+ $MyError = $true
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ if ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
+ {
+ foreach($AddressFilter in ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
+ {
+ foreach ($FirewallRule in 
($RunningConfig.FWHTTPRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
+ {
+ if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTP.Tolower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
+ try
+ {
+ $FirewallRule | Set-NetFirewallRule -Enabled True
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTP.Tolower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
+ try
+ {
+ $FirewallRule | Set-NetFirewallRule -Enabled False
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+ }
+ } elseif ($CFG.FWWinRMHTTP.Tolower() -eq "enable" -and $CFG.WinRMHTTP.tolower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP FireWall rule.")
+ try
+ {
+ New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTP)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTP)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5985 -Description "Allowing Ansible WinRM (In-HTTP) access to system." 
-Group "Windows Remote Management" -ErrorAction Stop | Out-Null
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTP FireWall rule created.")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+#--------------------------------------------------------------------------------------------------
+if (-not $MyError)
+{
+ if ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
+ {
+ foreach($AddressFilter in ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
+ {
+ foreach ($FirewallRule in ($RunningConfig.FWHTTPSRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
+ {
+ if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTPS.Tolower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
+ try
+ {
+ $FirewallRule | Set-NetFirewallRule -Enabled True
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTPS.Tolower() -eq "disable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
+ try
+ {
+ $FirewallRule | Set-NetFirewallRule -Enabled False
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule 
!!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+ }
+ }
+ } elseif ($CFG.FWWinRMHTTPS.Tolower() -eq "enable" -and $CFG.WinRMHTTPS.tolower() -eq "enable")
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS FireWall rule.")
+ try
+ {
+ New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTPS)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTPS)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5986 -Description "Allowing Ansible WinRM (In-HTTPS) access to system." -Group "Windows Remote Management" -ErrorAction Stop | Out-Null
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTPS FireWall rule created.")
+ }
+ catch
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
+ $MyError = $true
+ }
+ }
+}
+#--------------------------------------------------------------------------------------------------
+#--------------------------------------------------------------------------------------------------
+ if (-not $MyError)
+ {
+ # Test a remoting connection to localhost, which should work. 
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Testing WinRM connection.")
+ $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
+ $httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -ErrorVariable httpError -ErrorAction SilentlyContinue
+ $httpsResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -UseSSL -SessionOption $httpsOptions -ErrorVariable httpError -ErrorAction SilentlyContinue
+
+ if ($httpResult -and $httpsResult)
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Enabled")
+ }
+ ElseIf ($httpsResult -and !$httpResult)
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Disabled | HTTPS: Enabled")
+ }
+ ElseIf ($httpResult -and !$httpsResult)
+ {
+ Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Disabled")
+ }
+ Else
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Unable to establish an HTTP or HTTPS remoting session.")
+ $MyError = $true
+ }
+ }
+#--------------------------------------------------------------------------------------------------
+#################################################################
+ if($MyERROR)
+ {
+ Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("ERROR during checks...")
+ $StopWatch.Stop()
+ Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
+ }
+ else
+ {
+ Write-MyLog -LOGSeverity "OK" -LOGMessage ("PS Remoting has been successfully configured for Ansible.")
+ $StopWatch.Stop()
+ Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
+ }
+}
+################################################################
+Run;
+# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
\ No newline at end of file