#Requires -Version 3.0
##Requires -Version 5.1
<#PSScriptInfo
.VERSION 1.00
.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa
.AUTHOR Martin Hudak - mhudak@totalservice.cz
.COMPANYNAME TOTAL Service a.s.
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES Configuration file - ConfigWinRM.xml
.RELEASENOTES
Version 1.00 - Initial version based on script
Written by Trond Hindenes
Updated by Chris Church
Updated by Michael Crilly
Updated by Anton Ouzounov
Updated by Nicolas Simond
Updated by Dag Wieërs
Updated by Jordan Borean
Updated by Erwan Quélin
Updated by David Norman
#>
<#
.SYNOPSIS
ConfigWinRM
.DESCRIPTION
This script enables, configures and secures the WinRM service on a server.
It reads its desired state from ConfigWinRM.xml (next to the script under $Path),
logs every step to a per-host daily log file, and then reconciles the WinRM service,
its HTTP/HTTPS listeners, the self-signed HTTPS certificate and the authentication
methods against that configuration. It must be run elevated.
.NOTES
Version 1.00 - Initial version based on script
Written by Trond Hindenes
Updated by Chris Church
Updated by Michael Crilly
Updated by Anton Ouzounov
Updated by Nicolas Simond
Updated by Dag Wieërs
Updated by Jordan Borean
Updated by Erwan Quélin
Updated by David Norman
#>

# ---- Script identity and fixed file locations ----
$AppName = "ConfigWinRM"
$AppVersion = "1.00"
$AppDate = "2022-11-16"
# Every artefact (XML configuration and logs) lives under this fixed directory.
$Path = "C:\WinRM\"
$Hostname = $env:COMPUTERNAME.ToUpper()
# Configuration file: <Path>\ConfigWinRM.xml
$ConfigFile = $Path + $AppName +".xml"
$LogPath = $Path +"Logs\"
# One log file per host and day: <Path>\Logs\<HOSTNAME>_ConfigWinRM_<yyyyMMdd>.log
$LogFile = $LogPath + $Hostname +"_"+ $AppName + "_"+ (Get-Date -Format yyyyMMdd) +".log"
# Log files older than this many days are deleted on every run.
$LogRetention = 90

# Create the log directory on first run (the New-Item output is not suppressed, so the
# created DirectoryInfo object is echoed to the host).
# NOTE(review): the directory is created with whatever ACL it inherits from C:\; the log is
# appended to without further checks, so confirm that non-administrators cannot write here.
if(Test-Path -Path ($LogPath)) { } else { New-Item -Path ($LogPath) -ItemType directory }

# Retention: remove this script's own log files whose last write is older than $LogRetention days.
Get-ChildItem ($LogPath) -Include ("*"+$AppName +"_*.log") -Recurse | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays((-1 * $LogRetention))} | Remove-Item

# Start from a clean automatic error collection.
$Error.Clear()
# Script-scope defaults. NOTE(review): the Run function below assigns $MyError / $CFGFound
# without a scope modifier, which creates function-local copies; these script-scope values
# therefore stay at their defaults and are only read before the first assignment inside Run.
$MyERROR = $false
$CFGFound = $false
# Snapshot of the live system state (service, listeners, auth, firewall) filled in by Run.
$RunningConfig = @{}
#---------------------------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------
Function Write-MyLog {
    <#
    .SYNOPSIS
    Writes one timestamped line to the console and appends it to $LogFile.
    .PARAMETER LOGSeverity
    Tag printed in brackets after the timestamp. "LINE" is special: the message is replaced
    by a fixed row of dashes (used as a visual separator).
    .PARAMETER LOGMessage
    Free-text message; ignored when LOGSeverity is "LINE".
    .NOTES
    Reads the script-scope $LogFile. If the file cannot be written, the exception message and
    item name are printed to the host and `Break` is executed. That `Break` is not inside a
    loop, so PowerShell unwinds to the caller's enclosing loop or ends the script -
    presumably intended as "stop everything if logging fails"; confirm this is desired.
    #>
    param (
        [Parameter()]
        [string] $LOGSeverity, # START, STOP, END, WARN, ERROR, OUT, INFO, LINE
        [string] $LOGMessage
    )
    # Local-time timestamp including the UTC offset, e.g. "2022-11-16 10:15:30 +01".
    $now = Get-Date -UFormat "%Y-%m-%d %T %Z"
    if ($LOGSeverity -eq "LINE") {
        $LOGMessage = '----------------------------------------------------------------------------------------------------'
    }
    # "[INFO]" is padded to 7 characters ("[START]", "[ERROR]") so message columns line up.
    $_message = $now+ ' '+ ('['+ $LOGSeverity + ']').PadRight(7) +' ' +$LOGMessage
    write-host $_message
    try {
        $_message | Out-File -Encoding UTF8 -Append -FilePath $LogFile
    }
    Catch {
        $ErrorMessage = $_.Exception.Message
        $FailedItem = $_.Exception.ItemName
        Write-Host $ErrorMessage
        Write-Host $FailedItem
        Break
    }
}
#---------------------------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------
Function New-LegacySelfSignedCert {
    <#
    .SYNOPSIS
    Creates and installs a self-signed server-authentication certificate for the WinRM
    HTTPS listener and returns its thumbprint.
    .DESCRIPTION
    Uses the CertEnroll (X509Enrollment) COM interfaces directly - presumably so that it
    works on hosts without the PKI module's New-SelfSignedCertificate. The certificate is
    4096-bit RSA, SHA-256 signed, has EKU Server Authentication, a critical Key Usage of
    DigitalSignature + KeyEncipherment, and a Subject Alternative Name carrying both the
    short host name and the DNS-resolved FQDN. It is issued into the machine store.
    .PARAMETER SubjectName
    Used as the CN of the certificate subject (and issuer, since it is self-signed).
    .PARAMETER ValidDays
    Lifetime in days counted from NotBefore; defaults to 1095 (three years).
    NOTE(review): Run passes $CFG.SelfCertValidityDays here while it logs
    $CFG.SelfCertValidity; if the XML element is named differently from what Run reads,
    $null is passed, an [int] parameter then binds 0, and NotAfter equals NotBefore
    (an already-expired certificate) - confirm the element name against ConfigWinRM.xml.
    .OUTPUTS
    [string] thumbprint of the installed certificate.
    #>
    Param (
        [string]$SubjectName,
        [int]$ValidDays = 1095
    )
    # Both names go into the SAN so clients can connect by short name or FQDN.
    $hostnonFQDN = $env:computerName
    $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname
    $SignatureAlgorithm = "SHA256"
    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
    # Second argument 0: no special name-string encoding flags.
    $name.Encode("CN=$SubjectName", 0)
    $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    # KeySpec 1 = AT_KEYEXCHANGE; 4096-bit RSA key.
    $key.KeySpec = 1
    $key.Length = 4096
    # SDDL on the private key: full control for SYSTEM (SY) and Administrators (BA), read-only
    # access for NETWORK SERVICE (NS) - presumably so the WinRM service can use the key without
    # being able to export or alter it; confirm the masks if WinRM runs under another account.
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    # Key is created in the machine (not user) context.
    $key.MachineContext = 1
    $key.Create()
    # EKU 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth (TLS server authentication).
    $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
    $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
    $ekuoids.Add($serverauthoid)
    $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)
    $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
    # First argument 2 = ContextMachine (machine certificate store).
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    # Self-signed: issuer is the subject itself.
    $cert.Issuer = $cert.Subject
    # NotBefore is backdated by one day, presumably to tolerate clock skew between hosts.
    $cert.NotBefore = (Get-Date).AddDays(-1)
    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
    # Signature hash algorithm OID (SHA-256); the object is attached to the request below.
    $SigOID =
New-Object -ComObject X509Enrollment.CObjectId $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value) [string[]] $AlternativeName += $hostnonFQDN $AlternativeName += $hostFQDN $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames foreach ($AN in $AlternativeName) { $AltName = New-Object -ComObject X509Enrollment.CAlternativeName $AltName.InitializeFromString(0x3, $AN) $IAlternativeNames.Add($AltName) } $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames $SubjectAlternativeName.InitializeEncode($IAlternativeNames) [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment") $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage)) $KeyUsageObj.Critical = $true $cert.X509Extensions.Add($KeyUsageObj) $cert.X509Extensions.Add($ekuext) $cert.SignatureInformation.HashAlgorithm = $SigOID $cert.X509Extensions.Add($SubjectAlternativeName) $cert.Encode() $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $certdata = $enrollment.CreateRequest(0) $enrollment.InstallResponse(2, $certdata, 0, "") # extract/return the thumbprint from the generated cert $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata)) return $parsed_cert.Thumbprint } #--------------------------------------------------------------------------------------------------------------------- #--------------------------------------------------------------------------------------------------------------------- Function Run { Write-MyLog -LOGSeverity "START" -LOGMessage ("Application : "+ $AppName +", Version : "+ $AppVersion + ", date : "+ $AppDate) $StopWatch = [system.diagnostics.stopwatch]::StartNew() $Config = New-Object -TypeName XML try { 
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Loading configuration : "+ $ConfigFile) $Config.Load($ConfigFile) } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't load config file !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if (-not $MyError) { $CFG = $Config.ConfigWinRM.Options if ($CFG ) { $CFGFound = $true } } if($CFGFound -and (-not $MyError)) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Using configuration for computer Hostname : <"+ $Hostname +">.") Write-MyLog -LOGSeverity "LINE" Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTP : [ " + $CFG.WinRMHTTP +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTPs : [ " + $CFG.WinRMHTTPS +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTP : [ " + $CFG.FWWinRMHTTP +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTPS : [ " + $CFG.FWWinRMHTTPS +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-TrustedHosts : [ " + $CFG.FWWinRMTrustedHosts +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Force : [ " + $CFG.SelfCertForce +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Validity : [ " + $CFG.SelfCertValidity +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("BasicAuth : [ " + $CFG.BasicAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("KerberosAuth : [ " + $CFG.KerberosAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CredSSPAuth : [ " + $CFG.CredSSPAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("DigestAuth : [ " + $CFG.DigestAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("NegotiateAuth : [ " + $CFG.NegotiateAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CertificateAuth : [ " + $CFG.CertificateAuth +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy : [ "+ $CFG.LocalAccountTokenFilterPolicy +" ].") } else { $MyError = $true } 
#-------------------------------------------------------------------------------------------------- if (-not $MyError) { $dotNET = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -name Version, Release -EA 0 | Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} | Sort-Object -Property Version | Select-Object @{name = "dotNET"; expression = {$_.PSChildName}}, Version) Write-MyLog -LOGSeverity "LINE" Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Name : '+ $env:UserName) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Domain : '+ $env:UserDomain) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Hostname : '+ $env:computername) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('IP Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').IPAddress) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('MAC Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').MACAddress) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Manufacturer : '+ (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Model : '+ (Get-WmiObject -Class Win32_ComputerSystem).Model) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Serial Number : '+ (Get-WmiObject -Class Win32_Bios).SerialNumber) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Name : '+ (Get-WmiObject -class Win32_OperatingSystem).Caption) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Version : '+ (Get-WMIObject win32_operatingsystem).Version) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS ServicePack : '+ (Get-WMIObject win32_operatingsystem).CSDVersion) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Build : '+ (Get-WmiObject -class Win32_OperatingSystem).BuildNumber) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Architecture : '+ (Get-WmiObject Win32_OperatingSystem).OSArchitecture) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Install date : '+ 
[timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)).ToString("yyyy-MM-dd HH:mm:ss")) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('RAM Size (MB) : '+ (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Disk free (GB) : '+ (Get-PSDrive C).Free /1GB) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell version : '+ $PSVersionTable.PSversion.ToString()) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell CLR : '+ $PSVersionTable.CLRVersion.ToString()) Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Verze .NET : ') foreach ($verze in $dotNET) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ((' : '+ $verze.Version + $Tab +'-'+ $Tab + $verze.dotNET)) } Write-MyLog -LOGSeverity "LINE" } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { # Get the ID and security principal of the current user account $myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent() $myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID) Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Script running as user : [ "+ $myWindowsID.name +" ].") # Get the security principal for the Administrator role $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator # Check to see if we are currently running "as Administrator" if (-Not $myWindowsPrincipal.IsInRole($adminRole)) { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("You need elevated Administrator privileges in order to run this script. 
Start Windows PowerShell by using the Run as Administrator.") $MyError = $true } else { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Current user have appropriate rights to run this script.") } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Detecting Powershell version : [ "+ $PSVersionTable.PSVersion +" ].") If ($PSVersionTable.PSVersion.Major -lt 3) { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Powershell version is not supported :-( !!!") $MyError = $true } else { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Powershell version is supported.") } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") try { $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if (-not $MyError -and $RunningConfig.svcWinRM.StartType -ne "Automatic") { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be configured to Automatic startup..") try { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting service WinRM startup type Automatic.") Set-Service -Name "WinRM" -StartupType Automatic $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't change WinRM service startup type. 
!!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } if (-not $MyError -and $RunningConfig.svcWinRM.Status -ne "Started") { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be running..") try { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting service WinRM...") $StartTimeout = 0 Start-Service -Name "WinRM" -ErrorAction Stop while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 ) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...") Start-Sleep -Seconds 1 $StartTimeout ++ } } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..") try { $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } If ($RunningConfig.svcWinRM.Status -ne "Running") { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!") $MyError = $true } } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading WinRM service configuration") try { $RunningConfig.WinRMauth = (Get-WSManInstance -ResourceURI winrm/config/service/auth) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Authentication methods") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Basic : [ "+ $RunningConfig.WinRMauth.Basic +" ]") Write-MyLog -LOGSeverity "INFO" 
-LOGMessage (" Negotiate : [ "+ $RunningConfig.WinRMauth.Negotiate +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Certificate : [ "+ $RunningConfig.WinRMauth.Certificate +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Kerberos : [ "+ $RunningConfig.WinRMauth.Kerberos +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CredSSP : [ "+ $RunningConfig.WinRMauth.CredSSP +" ]") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM authentication configuration !!!") $MyError = $true } try { $RunningConfig.WinRMListeners = (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Listener(s)") foreach ($lncfg in $RunningConfig.WinRMListeners) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Transport : [ "+ $lncfg.Transport +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Port : [ "+ $lncfg.Port +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $lncfg.Enabled +" ].") if ($lncfg.Hostname) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Hostname : [ "+ $lncfg.Hostname +" ].") } if ($lncfg.Addresss) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Address : [ "+ $lncfg.Addresss +" ].") } if ($lncfg.CertificateThumbprint) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertThumbprint: [ "+ $lncfg.CertificateThumbprint +" ].") $RunningConfig.WinRMHTTPSCert = (Get-ChildItem -path ("Cert:\*"+ $lncfg.CertificateThumbprint) -Recurse | Select-Object -Unique) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertSubject : [ "+ $RunningConfig.WinRMHTTPSCert.Subject +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertDnsName : [ "+ $RunningConfig.WinRMHTTPSCert.DnsNameList +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" FriendlyName : [ "+ $RunningConfig.WinRMHTTPSCert.FriendlyName +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotBefore : [ "+ $RunningConfig.WinRMHTTPSCert.NotBefore +" ].") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotAfter : [ 
"+ $RunningConfig.WinRMHTTPSCert.NotAfter +" ].") } } } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM listeners configuration !!!") $MyError = $true } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of Windows Firewall service..") try { $RunningConfig.MPSsvc = Get-Service "MpsSvc" -ErrorAction Stop Write-MyLog -LOGSeverity "INFO" -LOGMessage ("MPSsvc service status is [ "+ $RunningConfig.MPSsvc.Status +" ] and startup type is [ "+ $RunningConfig.MPSsvc.StartType +" ].") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service MPSsvc status !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading local FireWall configuration.") try { $RunningConfig.FWprofile = Get-NetFirewallProfile Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Windows Firewall profile(s): ") foreach ($prof in $RunningConfig.FWprofile) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ($prof.profile +" : [ "+ $prof.enabled +" ].") } } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall profiles !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } #-------------------------------------------------------------------------------------------------- #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding Firewall rules for WinRM ports.") $RunningConfig.FWHTTPRules = @() $RunningConfig.FWHTTPPortFilter = @() $RunningConfig.FWHTTPAddressFilter = @() $RunningConfig.FWHTTPSRules = @() $RunningConfig.FWHTTPSPortFilter 
= @() $RunningConfig.FWHTTPSAddressFilter = @() try { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTP - TCP 5985") $RunningConfig.FWHTTPPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5985 } foreach ($PortFilter in $RunningConfig.FWHTTPPortFilter) { $RunningConfig.FWHTTPRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } } foreach ($rule in $RunningConfig.FWHTTPRules) { $RunningConfig.FWHTTPAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) } } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if ($RunningConfig.FWHTTPRules) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTP rule") foreach ($rule in $RunningConfig.FWHTTPRules) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") $tmp = ($RunningConfig.FWHTTPPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") $tmp = ( $RunningConfig.FWHTTPAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ 
$tmp.LocalAddress +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") } } else { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTP FireWall rule.") } try { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTPS - TCP 5986") $RunningConfig.FWHTTPSPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 } foreach ($PortFilter in $RunningConfig.FWHTTPSPortFilter) { $RunningConfig.FWHTTPSRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID } } foreach ($rule in $RunningConfig.FWHTTPSRules) { $RunningConfig.FWHTTPSAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID }) } } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if ($RunningConfig.FWHTTPSRules) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTPS rule") foreach ($rule in $RunningConfig.FWHTTPSRules) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]") $tmp = ($RunningConfig.FWHTTPSPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ 
$tmp.LocalPort +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]") $tmp = ( $RunningConfig.FWHTTPSAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP) Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]") Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]") } } else { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS FireWall rule.") } } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Checking LocalAccountTokenFilterPolicy") $RunningConfig.LocalAccountTokenFilterPolicy = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\").LocalAccountTokenFilterPolicy Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy have Value : [ "+ $RunningConfig.LocalAccountTokenFilterPolicy +" ]") } #-------------------------------------------------------------------------------------------------- if (-not $MyError) { Write-MyLog -LOGSeverity "LINE" Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting WinRM config modifications.") Write-MyLog -LOGSeverity "LINE" } #-------------------------------------------------------------------------------------------------- if (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 0 ) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 1.") try { Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 1 } 
catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "disable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 1 ) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 0.") try { Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 0 } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -ne 0 -and -not $RunningConfig.LocalAccountTokenFilterPolicy ) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating registry key LocalAccountTokenFilterPolicy with Value 1.") try { New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -PropertyType DWORD -Name "LocalAccountTokenFilterPolicy" -Value 1 | out-null } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create reguistry key. 
!!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } elseif (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.") } #-------------------------------------------------------------------------------------------------- if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" ) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.") try { $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issuen new Self-Signed certificate. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if (-not $MyError) { $ValueSet = @{ CertificateThumbprint = $SelfCertThumbprint Hostname = ($env:COMPUTERNAME) } $selectorset = @{ Transport = "HTTPS" Address = "*" } Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener") try { Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. 
!!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } if (-not $MyError) { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new listener with new Self-Signed SSL certificate.") try { $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } } } #-------------------------------------------------------------------------------------------------- if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable") { Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.") try { $SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issue new Self-Signed certificate. !!!") Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message) $MyError = $true } if (-not $MyError) { $ValueSet = @{ CertificateThumbprint = $SelfCertThumbprint Hostname = ($env:COMPUTERNAME) } $selectorset = @{ Transport = "HTTPS" Address = "*" } Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener with new Self-Signed SSL certificate.") try { $a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.") } catch { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. 
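!!!")
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
            $MyError = $true
        }
    }
}
#--------------------------------------------------------------------------------------------------
# Second half of Run: reconcile listeners, auth methods and firewall rules with $CFG, restart the
# service, then self-test remoting. Every step is skipped once $MyError is set.
#
# $MyError is assigned here so the variable definitely lives in this scope before the helpers below
# receive [ref]$MyError (a [ref] to a not-yet-assigned variable is the classic out-param pitfall).
$MyError = [bool]$MyError

#--------------------------------------------------------------------------------------------------
# Helper: remove the WinRM listener for one transport ("HTTP" / "HTTPS").
# Logs exactly as the former inline blocks did; on failure sets $ErrorFlag.Value = $true.
Function Remove-WinRMListener {
    param (
        [Parameter(Mandatory = $true)] [string] $Transport,
        [Parameter(Mandatory = $true)] [ref]    $ErrorFlag
    )
    $selector = @{ Transport = $Transport; Address = "*" }
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM " + $Transport + " listener")
    try {
        # -ErrorAction Stop: without it a failed removal is a non-terminating error that never
        # reaches the catch block and the script would log "removed" for a listener still present.
        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selector -ErrorAction Stop
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM " + $Transport + " listener removed.")
    } catch {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM " + $Transport + " listener. !!!")
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
        $ErrorFlag.Value = $true
    }
}

#--------------------------------------------------------------------------------------------------
# Helper: reconcile one WSMan service auth switch (WSMan:\localhost\Service\Auth\<Name>) with the
# "enable"/"disable" value from the config file.
#   $Name      - node name under WSMan:\localhost\Service\Auth ("Basic", "CredSSP", ...)
#   $Label     - wording used in the log lines ("basic", "CredSSP", ...)
#   $Current   - running value as collected into $RunningConfig ("true"/"false")
#   $Desired   - config value ("enable"/"disable"); anything else leaves the setting untouched
#   $ErrorFlag - [ref]$MyError, set to $true on failure
Function Set-WinRMAuthMethod {
    param (
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Label,
        [Parameter()]                  [string] $Current,
        [Parameter()]                  [string] $Desired,
        [Parameter(Mandatory = $true)] [ref]    $ErrorFlag
    )
    $wanted   = $Desired.ToLower()
    $itemPath = "WSMan:\localhost\Service\Auth\" + $Name

    if ($Current -eq "false" -and $wanted -eq "enable") {
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM " + $Label + " auth support.")
        try {
            Set-Item -Path $itemPath -Value $true -ErrorAction Stop
            Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM " + $Label + " auth support enabled.")
        } catch {
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM " + $Label + " auth. !!!")
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
            $ErrorFlag.Value = $true
        }
    }
    if ($Current -eq "true" -and $wanted -eq "disable") {
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM " + $Label + " auth support.")
        try {
            Set-Item -Path $itemPath -Value $false -ErrorAction Stop
            Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM " + $Label + " auth support disabled.")
        } catch {
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM " + $Label + " auth. !!!")
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
            $ErrorFlag.Value = $true
        }
    }
}

#--------------------------------------------------------------------------------------------------
# Helper: reconcile the inbound firewall rule for one WinRM transport.
#   $Transport       - "HTTP" or "HTTPS" (used in rule names and log lines)
#   $Port            - local TCP port of the listener (5985 / 5986)
#   $AddressFilters  - address filters already collected for this transport's rules
#   $Rules           - the matching firewall rules already collected
#   $RuleSetting     - $CFG.FWWinRMHTTP / FWWinRMHTTPS ("enable"/"disable")
#   $ListenerSetting - $CFG.WinRMHTTP / WinRMHTTPS; a rule is only created when the listener is wanted too
#   $TrustedHosts    - $CFG.FWWinRMTrustedHosts, becomes the rule's RemoteAddress
#   $ErrorFlag       - [ref]$MyError, set to $true on failure
# If a rule scoped to $TrustedHosts already exists it is switched on/off, otherwise a new one is
# created (only when both the rule and the listener are set to "enable").
Function Set-WinRMFirewallRule {
    param (
        [Parameter(Mandatory = $true)] [string] $Transport,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [Parameter()]                           $AddressFilters,
        [Parameter()]                           $Rules,
        [Parameter()]                  [string] $RuleSetting,
        [Parameter()]                  [string] $ListenerSetting,
        [Parameter()]                           $TrustedHosts,
        [Parameter(Mandatory = $true)] [ref]    $ErrorFlag
    )
    $ruleWanted     = $RuleSetting.ToLower()
    $listenerWanted = $ListenerSetting.ToLower()
    $scopedFilters  = @($AddressFilters | Where-Object { $_.RemoteAddress -eq $TrustedHosts })

    if ($scopedFilters.Count -gt 0) {
        foreach ($addressFilter in $scopedFilters) {
            foreach ($rule in ($Rules | Where-Object { $_.InstanceID -eq $addressFilter.InstanceID })) {
                if ($rule.Enabled -eq "False" -and $ruleWanted -eq "enable") {
                    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM " + $Transport + " FireWall rule : [ " + $rule.InstanceID + " ].")
                    try {
                        $rule | Set-NetFirewallRule -Enabled True -ErrorAction Stop
                        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
                    } catch {
                        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
                        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
                        $ErrorFlag.Value = $true
                    }
                }
                if ($rule.Enabled -eq "True" -and $ruleWanted -eq "disable") {
                    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM " + $Transport + " FireWall rule : [ " + $rule.InstanceID + " ].")
                    try {
                        $rule | Set-NetFirewallRule -Enabled False -ErrorAction Stop
                        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
                    } catch {
                        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule !!!")
                        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
                        $ErrorFlag.Value = $true
                    }
                }
            }
        }
    } elseif ($ruleWanted -eq "enable" -and $listenerWanted -eq "enable") {
        # RemoteAddress is the only thing limiting who may reach the listener; an unrestricted
        # value turns this into an "allow WinRM from anywhere" rule, which deserves a visible warning.
        if ("$TrustedHosts" -eq "Any" -or "$TrustedHosts" -eq "*") {
            Write-MyLog -LOGSeverity "WARN" -LOGMessage ("FWWinRMTrustedHosts is [ " + $TrustedHosts + " ] - the new WinRM " + $Transport + " FireWall rule will not be restricted to specific management hosts.")
        }
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM " + $Transport + " FireWall rule.")
        try {
            New-NetFirewallRule -Name ("Ansible WinRM Allow (In-" + $Transport + ")_" + $TrustedHosts) `
                                -DisplayName ("Ansible WinRM Allow (In-" + $Transport + ")") `
                                -Direction Inbound -Action Allow -RemoteAddress $TrustedHosts -Enabled "True" `
                                -Protocol TCP -LocalPort $Port `
                                -Description ("Allowing Ansible WinRM (In-" + $Transport + ") access to system.") `
                                -Group "Windows Remote Management" -ErrorAction Stop | Out-Null
            Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM " + $Transport + " FireWall rule created.")
        } catch {
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
            Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
            $ErrorFlag.Value = $true
        }
    }
}

#--------------------------------------------------------------------------------------------------
# Listeners: drop HTTPS if the config disables it.
if (-not $MyError -and $RunningConfig.WinRMListeners) {
    if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTPS" }) -and $CFG.WINRMHTTPS.ToLower() -eq "disable") {
        Remove-WinRMListener -Transport "HTTPS" -ErrorFlag ([ref]$MyError)
    }
}
#--------------------------------------------------------------------------------------------------
# Listeners: create HTTP when wanted and not yet present.
if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTP" }) -and $CFG.WINRMHTTP.ToLower() -eq "enable") {
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP listener.")
    $httpSelector = @{ Transport = "HTTP"; Address = "*" }
    try {
        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $httpSelector -ErrorAction Stop | Out-Null
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener created.")
    } catch {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTP listener. !!!")
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
        $MyError = $true
    }
}
#--------------------------------------------------------------------------------------------------
# Listeners: drop HTTP if the config disables it.
if (-not $MyError -and $RunningConfig.WinRMListeners) {
    if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTP" }) -and $CFG.WINRMHTTP.ToLower() -eq "disable") {
        Remove-WinRMListener -Transport "HTTP" -ErrorFlag ([ref]$MyError)
    }
}
#--------------------------------------------------------------------------------------------------
# Authentication methods, in the original order. The "Label" keeps the historic log wording
# ("basic" lower-case, the others as spelled by the provider).
if (-not $MyError) { Set-WinRMAuthMethod -Name "Basic"       -Label "basic"       -Current $RunningConfig.WinRMauth.Basic       -Desired $CFG.BasicAuth       -ErrorFlag ([ref]$MyError) }
if (-not $MyError) { Set-WinRMAuthMethod -Name "CredSSP"     -Label "CredSSP"     -Current $RunningConfig.WinRMauth.CredSSP     -Desired $CFG.CredSSPAuth     -ErrorFlag ([ref]$MyError) }
if (-not $MyError) { Set-WinRMAuthMethod -Name "Kerberos"    -Label "Kerberos"    -Current $RunningConfig.WinRMauth.Kerberos    -Desired $CFG.KerberosAuth    -ErrorFlag ([ref]$MyError) }
if (-not $MyError) { Set-WinRMAuthMethod -Name "Digest"      -Label "Digest"      -Current $RunningConfig.WinRMauth.Digest      -Desired $CFG.DigestAuth      -ErrorFlag ([ref]$MyError) }
if (-not $MyError) { Set-WinRMAuthMethod -Name "Negotiate"   -Label "Negotiate"   -Current $RunningConfig.WinRMauth.Negotiate   -Desired $CFG.NegotiateAuth   -ErrorFlag ([ref]$MyError) }
if (-not $MyError) { Set-WinRMAuthMethod -Name "Certificate" -Label "Certificate" -Current $RunningConfig.WinRMauth.Certificate -Desired $CFG.CertificateAuth -ErrorFlag ([ref]$MyError) }

# Basic auth carries the password itself; it is only as safe as the transport underneath it.
# This script does not touch Service\AllowUnencrypted, so flag the combination instead of guessing.
if (-not $MyError -and $CFG.BasicAuth.ToLower() -eq "enable" -and $CFG.WINRMHTTP.ToLower() -eq "enable") {
    Write-MyLog -LOGSeverity "WARN" -LOGMessage ("Basic auth and the HTTP listener are both enabled; Basic credentials are protected by TLS only - make sure clients use the HTTPS listener and that Service\AllowUnencrypted stays false.")
}
#--------------------------------------------------------------------------------------------------
# Restart WinRM so the new listener/auth configuration is live, then re-read its state.
if (-not $MyError) {
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Configuration changes finished, restarting WinRM service.")
    try {
        $startTimeout = 0
        Restart-Service -Name "WinRM" -ErrorAction Stop -Force
        # Poll for up to ~10 s; the status check below decides whether that was enough.
        while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $startTimeout -lt 10) {
            Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...")
            Start-Sleep -Seconds 1
            $startTimeout++
        }
    } catch {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!")
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
        $MyError = $true
    }
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
    try {
        $RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
    } catch {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
        $MyError = $true
    }
    if ($RunningConfig.svcWinRM.Status -ne "Running") {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!")
        $MyError = $true
    }
}
#--------------------------------------------------------------------------------------------------
# Firewall rules, one per transport.
if (-not $MyError) {
    Set-WinRMFirewallRule -Transport "HTTP" -Port 5985 `
                          -AddressFilters $RunningConfig.FWHTTPAddressFilter -Rules $RunningConfig.FWHTTPRules `
                          -RuleSetting $CFG.FWWinRMHTTP -ListenerSetting $CFG.WinRMHTTP `
                          -TrustedHosts $CFG.FWWinRMTrustedHosts -ErrorFlag ([ref]$MyError)
}
if (-not $MyError) {
    Set-WinRMFirewallRule -Transport "HTTPS" -Port 5986 `
                          -AddressFilters $RunningConfig.FWHTTPSAddressFilter -Rules $RunningConfig.FWHTTPSRules `
                          -RuleSetting $CFG.FWWinRMHTTPS -ListenerSetting $CFG.WinRMHTTPS `
                          -TrustedHosts $CFG.FWWinRMTrustedHosts -ErrorFlag ([ref]$MyError)
}
#--------------------------------------------------------------------------------------------------
# Self-test: open a remoting session to localhost over each transport.
if (-not $MyError) {
    Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Testing WinRM connection.")
    # The certificate checks are skipped ONLY because this is a loopback probe against what is
    # usually a self-signed certificate issued for the hostname rather than for "localhost".
    # Real clients must never connect with these options - they switch off every TLS identity check.
    $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    $probe = { param($a) Return @{"Source"=$a;"Destination"=$env:computername} }
    $httpResult  = Invoke-Command -ComputerName "localhost" -ScriptBlock $probe -ArgumentList $env:computername `
                                  -ErrorVariable httpError -ErrorAction SilentlyContinue
    # Separate error variable: the original reused httpError here, so the HTTPS failure overwrote
    # the HTTP one and neither was ever logged.
    $httpsResult = Invoke-Command -ComputerName "localhost" -ScriptBlock $probe -ArgumentList $env:computername `
                                  -UseSSL -SessionOption $httpsOptions `
                                  -ErrorVariable httpsError -ErrorAction SilentlyContinue

    if ($httpResult -and $httpsResult) {
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Enabled")
    } elseif ($httpsResult -and !$httpResult) {
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Disabled | HTTPS: Enabled")
    } elseif ($httpResult -and !$httpsResult) {
        Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Disabled")
    } else {
        Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Unable to establish an HTTP or HTTPS remoting session.")
        if ($httpError.Count -gt 0)  { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("HTTP test message : " + $httpError[0].Exception.Message) }
        if ($httpsError.Count -gt 0) { Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("HTTPS test message : " + $httpsError[0].Exception.Message) }
        $MyError = $true
    }

    # Compare what actually answers with what the config asked for. A transport that should be off
    # but still accepts sessions is the case a hardening run exists to catch; reported as WARN so the
    # final OK/ERROR outcome keeps its original meaning.
    if ($httpResult -and $CFG.WINRMHTTP.ToLower() -eq "disable") {
        Write-MyLog -LOGSeverity "WARN" -LOGMessage ("HTTP listener still accepts sessions although WINRMHTTP is set to disable.")
    }
    if ($httpsResult -and $CFG.WINRMHTTPS.ToLower() -eq "disable") {
        Write-MyLog -LOGSeverity "WARN" -LOGMessage ("HTTPS listener still accepts sessions although WINRMHTTPS is set to disable.")
    }
}
#--------------------------------------------------------------------------------------------------
#################################################################
# Final verdict and run time.
if ($MyError) {
    Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("ERROR during checks...")
    $StopWatch.Stop()
    Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
} else {
    Write-MyLog -LOGSeverity "OK" -LOGMessage ("PS Remoting has been successfully configured for Ansible.")
    $StopWatch.Stop()
    Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
}
}
################################################################
Run;
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN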