#Requires -Version 3.0
##Requires -Version 5.1
<#PSScriptInfo
.VERSION 1.01
.GUID 14e0e777-6ba8-4f3f-b914-53c62e0a72aa
.AUTHOR Martin Hudak - mhudak@totalservice.cz
.COMPANYNAME TOTAL Service a.s.
.COPYRIGHT
.TAGS
.LICENSEURI
.PROJECTURI
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
Configuration file - ConfigWinRM.xml
.RELEASENOTES
Version 1.00 - Initial version based on script
Written by Trond Hindenes <trond@hindenes.com>
Updated by Chris Church <cchurch@ansible.com>
Updated by Michael Crilly <mike@autologic.cm>
Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
Updated by Nicolas Simond <contact@nicolas-simond.com>
Updated by Dag Wieërs <dag@wieers.com>
Updated by Jordan Borean <jborean93@gmail.com>
Updated by Erwan Quélin <erwan.quelin@gmail.com>
Updated by David Norman <david@dkn.email>
Version 1.01 - Fixed issue with HTTPS when certificate in HTTPS listener doesn't match the cert in local store
Updated by Michal Horák
#>
<#
.SYNOPSIS
ConfigWinRM
.DESCRIPTION
This script enables, configures and secures the WinRM service on a server
.NOTES
Version 1.00 - Initial version based on script
Written by Trond Hindenes <trond@hindenes.com>
Updated by Chris Church <cchurch@ansible.com>
Updated by Michael Crilly <mike@autologic.cm>
Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
Updated by Nicolas Simond <contact@nicolas-simond.com>
Updated by Dag Wieërs <dag@wieers.com>
Updated by Jordan Borean <jborean93@gmail.com>
Updated by Erwan Quélin <erwan.quelin@gmail.com>
Updated by David Norman <david@dkn.email>
#>
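#---------------------------------------------------------------------------------------------------------------------
# Script-level settings shared by Write-MyLog, New-LegacySelfSignedCert and Run.
# NOTE(review): $AppVersion/$AppDate still say 1.00 while the PSScriptInfo header above declares .VERSION 1.01
# with its own release note - confirm which is current; this value is what the START log line reports.
$AppName = "ConfigWinRM"
$AppVersion = "1.00"
$AppDate = "2022-11-16"
# Fixed working directory holding the configuration XML and the log directory. The script only proceeds when
# running as Administrator and it enables listeners/authentication methods according to that XML, so this
# directory must not be writable by non-administrators - whoever can edit the file controls the WinRM exposure.
$Path = "C:\WinRM\"
$Hostname = $env:COMPUTERNAME.ToUpper()
$ConfigFile = $Path + $AppName + ".xml"
$LogPath = $Path + "Logs\"
# One log file per host and day; Write-MyLog appends to it.
$LogFile = $LogPath + $Hostname + "_" + $AppName + "_" + (Get-Date -Format yyyyMMdd) + ".log"
# Days to keep rotated logs of this application.
$LogRetention = 90
if (-not (Test-Path -Path $LogPath))
{
    # Out-Null: New-Item would otherwise echo the DirectoryInfo to the console.
    New-Item -Path $LogPath -ItemType Directory | Out-Null
}
# Purge this application's logs older than the retention window. -Include only takes effect together with
# -Recurse (or a wildcard path), and the pattern keeps unrelated files in the directory untouched.
Get-ChildItem -Path $LogPath -Include ("*" + $AppName + "_*.log") -Recurse |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-1 * $LogRetention) } |
    Remove-Item
$Error.Clear()
# State flags. NOTE(review): Run assigns $MyError and $CFGFound without a scope modifier, which creates
# function-local copies, so these script-level values keep their initial $false after Run returns.
$MyERROR = $false
$CFGFound = $false
# Discovered host state (services, listeners, firewall rules, registry values), filled in by Run.
$RunningConfig = @{}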
#---------------------------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------
Function Write-MyLog
{
<#
.SYNOPSIS
Writes one time-stamped entry to the console and appends it to the daily log file ($LogFile).
.PARAMETER LOGSeverity
Tag printed between brackets and padded to 7 characters; the script uses START, STOP, END, WARN, ERROR,
OUT, INFO and LINE. "LINE" ignores LOGMessage and prints a separator rule instead.
.PARAMETER LOGMessage
Text of the entry.
.NOTES
A failure to append to $LogFile is treated as fatal: the details are echoed to the console and the function
issues 'break' outside of any loop, which unwinds to the top of the script and stops it.
#>
    param (
        [Parameter()]
        [string] $LOGSeverity,
        [string] $LOGMessage
    )
    $stamp = Get-Date -UFormat "%Y-%m-%d %T %Z"
    if ($LOGSeverity -eq "LINE")
    {
        $LOGMessage = '----------------------------------------------------------------------------------------------------'
    }
    $tag = ('[' + $LOGSeverity + ']').PadRight(7)
    $entry = "{0} {1} {2}" -f $stamp, $tag, $LOGMessage
    Write-Host $entry
    try
    {
        Out-File -InputObject $entry -FilePath $LogFile -Encoding UTF8 -Append
    }
    Catch
    {
        # Report why the log could not be written, then stop the whole script (see .NOTES).
        Write-Host $_.Exception.Message
        Write-Host $_.Exception.ItemName
        Break
    }
}
#---------------------------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------
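Function New-LegacySelfSignedCert
{
<#
.SYNOPSIS
Issues a self-signed TLS server certificate into the LocalMachine store through the CertEnroll COM API and
returns its thumbprint.
.DESCRIPTION
Intended for the WinRM HTTPS listener on hosts where New-SelfSignedCertificate is not available (PowerShell 3.0).
Certificate properties as set below: 4096-bit RSA key in the machine key store of the "Microsoft Enhanced RSA and
AES Cryptographic Provider", SHA256 signature, Subject = Issuer = CN=<SubjectName>, critical KeyUsage
DigitalSignature + KeyEncipherment, EKU serverAuth (1.3.6.1.5.5.7.3.1), and SAN DNS entries for the short host
name and the DNS host name of this machine. NotBefore is back-dated one day (presumably to tolerate clock skew)
and NotAfter = NotBefore + ValidDays.
.PARAMETER SubjectName
Common name for the Subject DN (CN=<SubjectName>). Must not be empty.
.PARAMETER ValidDays
Lifetime in days; must be positive. [int]$null coerces to 0, which would otherwise produce a certificate whose
NotAfter equals NotBefore. Note that Run passes $CFG.SelfCertValidityDays here while its configuration dump logs
$CFG.SelfCertValidity - make sure the XML element name matches what Run reads.
.OUTPUTS
[string] thumbprint of the installed certificate (X509Certificate2.Thumbprint).
.NOTES
The private-key SDDL grants SYSTEM and Administrators full access and NETWORK SERVICE read access; the read
grant is presumably what lets the WinRM service use the key - confirm against the service account on the target.
Throws on invalid parameters and on any COM enrollment failure; callers in Run wrap this in try/catch.
#>
    Param (
        [string]$SubjectName,
        [int]$ValidDays = 1095
    )
    # Validate before touching the key store so that nothing is created for a bad request.
    if ([string]::IsNullOrEmpty($SubjectName))
    {
        throw "SubjectName must not be empty."
    }
    if ($ValidDays -le 0)
    {
        throw ("ValidDays must be a positive number of days, got [ " + $ValidDays + " ].")
    }
    $hostnonFQDN = $env:computerName
    $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname
    $SignatureAlgorithm = "SHA256"
    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$SubjectName", 0)
    # Private key: RSA 4096, AT_KEYEXCHANGE (KeySpec 1), machine context, explicit ACL (see .NOTES).
    $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 4096
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.Create()
    # Extended key usage: server authentication only.
    $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
    $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
    $ekuoids.Add($serverauthoid)
    $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)
    # Self-signed request in the machine context (enrollment context 2).
    $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject
    $cert.NotBefore = (Get-Date).AddDays(-1)
    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
    $SigOID = New-Object -ComObject X509Enrollment.CObjectId
    $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value)
    # Subject Alternative Names (DNS type 3). Deduplicated: on a host without a DNS suffix both names are equal.
    [string[]] $AlternativeName = @($hostnonFQDN, $hostFQDN) | Select-Object -Unique
    $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames
    foreach ($AN in $AlternativeName)
    {
        $AltName = New-Object -ComObject X509Enrollment.CAlternativeName
        $AltName.InitializeFromString(0x3, $AN)
        $IAlternativeNames.Add($AltName)
    }
    $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
    $SubjectAlternativeName.InitializeEncode($IAlternativeNames)
    # Key usage marked critical so that relying parties must honour it.
    [String[]]$KeyUsage = ("DigitalSignature", "KeyEncipherment")
    $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage
    $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage))
    $KeyUsageObj.Critical = $true
    $cert.X509Extensions.Add($KeyUsageObj)
    $cert.X509Extensions.Add($ekuext)
    $cert.SignatureInformation.HashAlgorithm = $SigOID
    $cert.X509Extensions.Add($SubjectAlternativeName)
    $cert.Encode()
    # Enroll: CreateRequest(0) returns the base64 certificate; InstallResponse(2, ...) allows an untrusted
    # (self-signed) issuer and places the certificate in the machine store.
    $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)
    $enrollment.InstallResponse(2, $certdata, 0, "")
    # Parse the returned certificate to obtain the thumbprint the listener will be bound to.
    $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata))
    return $parsed_cert.Thumbprint
}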
#---------------------------------------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------------------------------------
Function Run
{
Write-MyLog -LOGSeverity "START" -LOGMessage ("Application : "+ $AppName +", Version : "+ $AppVersion + ", date : "+ $AppDate)
$StopWatch = [system.diagnostics.stopwatch]::StartNew()
$Config = New-Object -TypeName XML
try
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Loading configuration : "+ $ConfigFile)
$Config.Load($ConfigFile)
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't load config file !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if (-not $MyError)
{
$CFG = $Config.ConfigWinRM.Options
if ($CFG )
{
$CFGFound = $true
}
}
if($CFGFound -and (-not $MyError))
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Using configuration for computer Hostname : <"+ $Hostname +">.")
Write-MyLog -LOGSeverity "LINE"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTP : [ " + $CFG.WinRMHTTP +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM-HTTPs : [ " + $CFG.WinRMHTTPS +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTP : [ " + $CFG.FWWinRMHTTP +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-HTTPS : [ " + $CFG.FWWinRMHTTPS +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FW-WinRM-TrustedHosts : [ " + $CFG.FWWinRMTrustedHosts +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Force : [ " + $CFG.SelfCertForce +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("SelfCert-Validity : [ " + $CFG.SelfCertValidity +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("BasicAuth : [ " + $CFG.BasicAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("KerberosAuth : [ " + $CFG.KerberosAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CredSSPAuth : [ " + $CFG.CredSSPAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("DigestAuth : [ " + $CFG.DigestAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("NegotiateAuth : [ " + $CFG.NegotiateAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("CertificateAuth : [ " + $CFG.CertificateAuth +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy : [ "+ $CFG.LocalAccountTokenFilterPolicy +" ].")
}
else
{
$MyError = $true
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
$dotNET = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -name Version, Release -EA 0 | Where-Object { $_.PSChildName -match '^(?!S)\p{L}'} | Sort-Object -Property Version | Select-Object @{name = "dotNET"; expression = {$_.PSChildName}}, Version)
Write-MyLog -LOGSeverity "LINE"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Name : '+ $env:UserName)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('User Domain : '+ $env:UserDomain)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Hostname : '+ $env:computername)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('IP Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').IPAddress)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('MAC Address : '+ (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'ipenabled = "true"').MACAddress)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Manufacturer : '+ (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Model : '+ (Get-WmiObject -Class Win32_ComputerSystem).Model)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Serial Number : '+ (Get-WmiObject -Class Win32_Bios).SerialNumber)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Name : '+ (Get-WmiObject -class Win32_OperatingSystem).Caption)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Version : '+ (Get-WMIObject win32_operatingsystem).Version)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS ServicePack : '+ (Get-WMIObject win32_operatingsystem).CSDVersion)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Build : '+ (Get-WmiObject -class Win32_OperatingSystem).BuildNumber)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Architecture : '+ (Get-WmiObject Win32_OperatingSystem).OSArchitecture)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('OS Install date : '+ [timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($(get-itemproperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion').InstallDate)).ToString("yyyy-MM-dd HH:mm:ss"))
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('RAM Size (MB) : '+ (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Disk free (GB) : '+ (Get-PSDrive C).Free /1GB)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell version : '+ $PSVersionTable.PSversion.ToString())
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('PShell CLR : '+ $PSVersionTable.CLRVersion.ToString())
Write-MyLog -LOGSeverity "INFO" -LOGMessage ('Verze .NET : ')
foreach ($verze in $dotNET)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ((' : '+ $verze.Version + $Tab +'-'+ $Tab + $verze.dotNET))
}
Write-MyLog -LOGSeverity "LINE"
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
# Get the ID and security principal of the current user account
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($myWindowsID)
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Script running as user : [ "+ $myWindowsID.name +" ].")
# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
# Check to see if we are currently running "as Administrator"
if (-Not $myWindowsPrincipal.IsInRole($adminRole))
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("You need elevated Administrator privileges in order to run this script. Start Windows PowerShell by using the Run as Administrator.")
$MyError = $true
} else {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Current user have appropriate rights to run this script.")
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Detecting Powershell version : [ "+ $PSVersionTable.PSVersion +" ].")
If ($PSVersionTable.PSVersion.Major -lt 3)
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Powershell version is not supported :-( !!!")
$MyError = $true
} else {
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Powershell version is supported.")
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
try
{
$RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if (-not $MyError -and $RunningConfig.svcWinRM.StartType -ne "Automatic")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be configured to Automatic startup..")
try
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting service WinRM startup type Automatic.")
Set-Service -Name "WinRM" -StartupType Automatic
$RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't change WinRM service startup type. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if (-not $MyError -and $RunningConfig.svcWinRM.Status -ne "Started")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM needs to be running..")
try
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting service WinRM...")
$StartTimeout = 0
Start-Service -Name "WinRM" -ErrorAction Stop
while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...")
Start-Sleep -Seconds 1
$StartTimeout ++
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
try
{
$RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
If ($RunningConfig.svcWinRM.Status -ne "Running")
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!")
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading WinRM service configuration")
try
{
$RunningConfig.WinRMauth = (Get-WSManInstance -ResourceURI winrm/config/service/auth)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Authentication methods")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Basic : [ "+ $RunningConfig.WinRMauth.Basic +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Negotiate : [ "+ $RunningConfig.WinRMauth.Negotiate +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Certificate : [ "+ $RunningConfig.WinRMauth.Certificate +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Kerberos : [ "+ $RunningConfig.WinRMauth.Kerberos +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CredSSP : [ "+ $RunningConfig.WinRMauth.CredSSP +" ]")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM authentication configuration !!!")
$MyError = $true
}
try
{
$RunningConfig.WinRMListeners = (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Listener(s)")
foreach ($lncfg in $RunningConfig.WinRMListeners)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Transport : [ "+ $lncfg.Transport +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Port : [ "+ $lncfg.Port +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $lncfg.Enabled +" ].")
if ($lncfg.Hostname) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Hostname : [ "+ $lncfg.Hostname +" ].") }
if ($lncfg.Addresss) { Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Address : [ "+ $lncfg.Addresss +" ].") }
if ($lncfg.CertificateThumbprint)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertThumbprint: [ "+ $lncfg.CertificateThumbprint +" ].")
$RunningConfig.WinRMHTTPSCert = (Get-ChildItem -path ("Cert:\*"+ $lncfg.CertificateThumbprint) -Recurse | Select-Object -Unique)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertSubject : [ "+ $RunningConfig.WinRMHTTPSCert.Subject +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" CertDnsName : [ "+ $RunningConfig.WinRMHTTPSCert.DnsNameList +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" FriendlyName : [ "+ $RunningConfig.WinRMHTTPSCert.FriendlyName +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotBefore : [ "+ $RunningConfig.WinRMHTTPSCert.NotBefore +" ].")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" NotAfter : [ "+ $RunningConfig.WinRMHTTPSCert.NotAfter +" ].")
}
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read WinRM listeners configuration !!!")
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of Windows Firewall service..")
try
{
$RunningConfig.MPSsvc = Get-Service "MpsSvc" -ErrorAction Stop
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("MPSsvc service status is [ "+ $RunningConfig.MPSsvc.Status +" ] and startup type is [ "+ $RunningConfig.MPSsvc.StartType +" ].")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service MPSsvc status !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading local FireWall configuration.")
try
{
$RunningConfig.FWprofile = Get-NetFirewallProfile
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Windows Firewall profile(s): ")
foreach ($prof in $RunningConfig.FWprofile)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ($prof.profile +" : [ "+ $prof.enabled +" ].")
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall profiles !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding Firewall rules for WinRM ports.")
$RunningConfig.FWHTTPRules = @()
$RunningConfig.FWHTTPPortFilter = @()
$RunningConfig.FWHTTPAddressFilter = @()
$RunningConfig.FWHTTPSRules = @()
$RunningConfig.FWHTTPSPortFilter = @()
$RunningConfig.FWHTTPSAddressFilter = @()
try
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTP - TCP 5985")
$RunningConfig.FWHTTPPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5985 }
foreach ($PortFilter in $RunningConfig.FWHTTPPortFilter)
{
$RunningConfig.FWHTTPRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID }
}
foreach ($rule in $RunningConfig.FWHTTPRules)
{
$RunningConfig.FWHTTPAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID })
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if ($RunningConfig.FWHTTPRules)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTP rule")
foreach ($rule in $RunningConfig.FWHTTPRules)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]")
$tmp = ($RunningConfig.FWHTTPPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]")
$tmp = ( $RunningConfig.FWHTTPAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]")
}
} else
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTP FireWall rule.")
}
try
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Finding rule for WinRM HTTPS - TCP 5986")
$RunningConfig.FWHTTPSPortFilter = Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 5986 }
foreach ($PortFilter in $RunningConfig.FWHTTPSPortFilter)
{
$RunningConfig.FWHTTPSRules += Get-NetFirewallRule | Where-Object { $_.InstanceID -eq $PortFilter.InstanceID }
}
foreach ($rule in $RunningConfig.FWHTTPSRules)
{
$RunningConfig.FWHTTPSAddressFilter += (Get-NetFirewallAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID })
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Firewall rules !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if ($RunningConfig.FWHTTPSRules)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall WinRM HTTPS rule")
foreach ($rule in $RunningConfig.FWHTTPSRules)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" [ "+ $rule.DisplayName +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Profile : [ "+ $rule.profile +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Description : [ "+ $rule.Description +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Direction : [ "+ $rule.Direction +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Enabled : [ "+ $rule.Enabled +" ]")
$tmp = ($RunningConfig.FWHTTPSPortFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object Protocol, LocalPort, RemotePort, InstanceID)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" Protocol : [ "+ $tmp.Protocol +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalPort : [ "+ $tmp.LocalPort +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemotePort : [ "+ $tmp.RemotePort +" ]")
$tmp = ( $RunningConfig.FWHTTPSAddressFilter | Where-Object { $_.InstanceID -eq $rule.InstanceID } | Select-Object LocalAddress, LocalIP, RemoteAddress, RemoteIP)
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalAddress : [ "+ $tmp.LocalAddress +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" LocalIP : [ "+ $tmp.LocalIP +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteAddress : [ "+ $tmp.RemoteAddress +" ]")
Write-MyLog -LOGSeverity "INFO" -LOGMessage (" RemoteIP : [ "+ $tmp.RemoteIP +" ]")
}
} else
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("No WinRM HTTPS FireWall rule.")
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Checking LocalAccountTokenFilterPolicy")
$RunningConfig.LocalAccountTokenFilterPolicy = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\").LocalAccountTokenFilterPolicy
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("LocalAccountTokenFilterPolicy have Value : [ "+ $RunningConfig.LocalAccountTokenFilterPolicy +" ]")
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "LINE"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Starting WinRM config modifications.")
Write-MyLog -LOGSeverity "LINE"
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 0 )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 1.")
try
{
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 1
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
} elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "disable" -and $RunningConfig.LocalAccountTokenFilterPolicy -eq 1 )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Setting registry key LocalAccountTokenFilterPolicy to 0.")
try
{
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -Name "LocalAccountTokenFilterPolicy" -Value 0
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't edit registry key. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
} elseif (-not $MyError -and $CFG.LocalAccountTokenFilterPolicy.ToLower() -eq "enable" -and $RunningConfig.LocalAccountTokenFilterPolicy -ne 0 -and -not $RunningConfig.LocalAccountTokenFilterPolicy )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating registry key LocalAccountTokenFilterPolicy with Value 1.")
try
{
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" -PropertyType DWORD -Name "LocalAccountTokenFilterPolicy" -Value 1 | out-null
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create reguistry key. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
} elseif (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Skipping changes in registry for LocalAccountTokenFilterPolicy.")
}
#--------------------------------------------------------------------------------------------------
# Get WinRM HTTPS listener thumbprint
$winrmOutput = winrm e winrm/config/listener
$winrmThumbprint = ($winrmOutput | Where-Object { $_ -match 'CertificateThumbprint' }) -replace '.*CertificateThumbprint\s*=\s*', ''
# Get local self-signed certificate thumbprint (adjust subject name as needed)
$DN = $env:COMPUTERNAME
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
$_.Subject -like "*CN=$DN*" -and $_.Issuer -eq $_.Subject
}
$localThumbprint = $cert.Thumbprint
# Compare the thumbprints
if ($localThumbprint -contains $winrmThumbprint)
{
$certisinwinrm = "yes"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is used in WinRM HTTPS listener.")
}
else
{$certisinwinrm = "no"
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Signed certificate is not used in WinRM HTTPS listener.")
}
if (-not $MyError -and ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable" -and $CFG.SelfCertForce.ToLower() -eq "enable" -or $certisinwinrm -eq "no" )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Forcing SSL Self-Certificate reissuing, and recreating WinRM HTTPS listener.")
try
{
$SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issuen new Self-Signed certificate. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if (-not $MyError)
{
$ValueSet = @{
CertificateThumbprint = $SelfCertThumbprint
Hostname = ($env:COMPUTERNAME)
}
$selectorset = @{
Transport = "HTTPS"
Address = "*"
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
try
{
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM SSL listener removed.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new listener with new Self-Signed SSL certificate.")
try
{
$a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener.")
try
{
$SelfCertThumbprint = New-LegacySelfSignedCert -SubjectName ($env:COMPUTERNAME) -ValidDays $CFG.SelfCertValidityDays
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Self-Certificate issued with thumbprint : [ "+ $SelfCertThumbprint +" ]")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't issue new Self-Signed certificate. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
if (-not $MyError)
{
$ValueSet = @{
CertificateThumbprint = $SelfCertThumbprint
Hostname = ($env:COMPUTERNAME)
}
$selectorset = @{
Transport = "HTTPS"
Address = "*"
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS listener with new Self-Signed SSL certificate.")
try
{
$a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener created.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTPS listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError -and $RunningConfig.WinRMListeners)
{
if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTPS" } ) -and $CFG.WINRMHTTPS.ToLower() -eq "disable")
{
$selectorset = @{
Transport = "HTTPS"
Address = "*"
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTPS listener")
try
{
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTPS listener removed.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTPS listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError -and -not ($RunningConfig.WinRMListeners | Where-Object { $_.Transport -eq "HTTP" }) -and $CFG.WINRMHTTP.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP listener.")
$selectorset = @{
Transport = "HTTP"
Address = "*"
}
try
{
$a = New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener created.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create WinRM HTTP listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError -and $RunningConfig.WinRMListeners)
{
if (($RunningConfig.WinRMListeners | Where-Object { $_.Transport.ToUpper() -eq "HTTP" } ) -and $CFG.WINRMHTTP.ToLower() -eq "disable")
{
$selectorset = @{
Transport = "HTTP"
Address = "*"
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Removing existing WinRM HTTP listener")
try
{
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM HTTP listener removed.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't remove WinRM HTTP listener. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.Basic -eq "false" -and $CFG.BasicAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM basic auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM basic auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.Basic -eq "true" -and $CFG.BasicAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM basic auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM basic auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM basic auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.CredSSP -eq "false" -and $CFG.CredSSPAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM CredSSP auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM CredSSP auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.CredSSP -eq "true" -and $CFG.CredSSPAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM CredSSP auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\CredSSP" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM CredSSP auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM CredSSP auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.Kerberos -eq "false" -and $CFG.KerberosAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Kerberos auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Kerberos auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.Kerberos -eq "true" -and $CFG.KerberosAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Kerberos auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Kerberos" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Kerberos auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Kerberos auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.Digest -eq "false" -and $CFG.DigestAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Digest auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Digest auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.Digest -eq "true" -and $CFG.DigestAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Digest auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Digest" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Digest auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Digest auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.Negotiate -eq "false" -and $CFG.NegotiateAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Negotiate auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Negotiate auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.Negotiate -eq "true" -and $CFG.NegotiateAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Negotiate auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Negotiate" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Negotiate auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Negotiate auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.WinRMauth.Certificate -eq "false" -and $CFG.CertificateAuth.ToLower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM Certificate auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $true
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support enabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable WinRM Certificate auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($RunningConfig.WinRMauth.Certificate -eq "true" -and $CFG.CertificateAuth.ToLower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM Certificate auth support.")
try
{
Set-Item -Path "WSMan:\localhost\Service\Auth\Certificate" -Value $false
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM Certificate auth support disabled.")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable WinRM Certificate auth. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Configuration changes finished, restarting WinRM service.")
try
{
$StartTimeout = 0
Restart-Service -Name "WinRM" -ErrorAction Stop -Force
while ((Get-Service "WinRM" -ErrorAction Stop).Status -ne "Running" -and $StartTimeout -lt 10 )
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Waiting for start service WinRM...")
Start-Sleep -Seconds 1
$StartTimeout ++
}
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start WinRM service. !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Reading status of WinRM service..")
try
{
$RunningConfig.svcWinRM = Get-Service "WinRM" -ErrorAction Stop
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("WinRM service status is [ "+ $RunningConfig.svcWinRM.Status +" ] and startup type is [ "+ $RunningConfig.svcWinRM.StartType +" ].")
} catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't read Service WinRM status !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
If ($RunningConfig.svcWinRM.Status -ne "Running")
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't start Service WinRM !!!")
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
{
foreach($AddressFilter in ($RunningConfig.FWHTTPAddressFilter | Where-Object {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
{
foreach ($FirewallRule in ($RunningConfig.FWHTTPRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
{
if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTP.Tolower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
try
{
$FirewallRule | Set-NetFirewallRule -Enabled True
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTP.Tolower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTP FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
try
{
$FirewallRule | Set-NetFirewallRule -Enabled False
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
}
} elseif ($CFG.FWWinRMHTTP.Tolower() -eq "enable" -and $CFG.WinRMHTTP.tolower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTP FireWall rule.")
try
{
New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTP)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTP)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5985 -Description "Allowing Ansible WinRM (In-HTTP) access to system." -Group "Windows Remote Management" -ErrorAction Stop | Out-Null
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTP FireWall rule created.")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
if ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts })
{
foreach($AddressFilter in ($RunningConfig.FWHTTPSAddressFilter | Where-Object -FilterScript {$_.RemoteAddress -eq $CFG.FWWinRMTrustedHosts }))
{
foreach ($FirewallRule in ($RunningConfig.FWHTTPSRules | Where-Object { $_.InstanceID -eq $AddressFilter.InstanceID } ))
{
if ($FirewallRule.Enabled -eq "False" -and $CFG.FWWinRMHTTPS.Tolower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Enabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
try
{
$FirewallRule | Set-NetFirewallRule -Enabled True
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule enabled.")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't enable FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
if ($FirewallRule.Enabled -eq "True" -and $CFG.FWWinRMHTTPS.Tolower() -eq "disable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Disabling WinRM HTTPS FireWall rule : [ "+ $FirewallRule.InstanceID +" ].")
try
{
$FirewallRule | Set-NetFirewallRule -Enabled False
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("FireWall rule disabled..")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't disable FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
}
} elseif ($CFG.FWWinRMHTTPS.Tolower() -eq "enable" -and $CFG.WinRMHTTPS.tolower() -eq "enable")
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Creating new WinRM HTTPS FireWall rule.")
try
{
New-NetFirewallRule -Name ("Ansible WinRM Allow (In-HTTPS)_"+ $CFG.FWWinRMTrustedHosts) -DisplayName "Ansible WinRM Allow (In-HTTPS)" -Direction Inbound -Action Allow -RemoteAddress $CFG.FWWinRMTrustedHosts -Enabled "True" -Protocol TCP -LocalPort 5986 -Description "Allowing Ansible WinRM (In-HTTPS) access to system." -Group "Windows Remote Management" -ErrorAction Stop | Out-Null
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("New WinRM HTTPS FireWall rule created.")
}
catch
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Can't create new FireWall rule !!!")
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Message : " +$_.Exception.Message)
$MyError = $true
}
}
}
#--------------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------------
if (-not $MyError)
{
# Test a remoting connection to localhost, which should work.
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("Testing WinRM connection.")
$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -ErrorVariable httpError -ErrorAction SilentlyContinue
$httpsResult = Invoke-Command -ComputerName "localhost" -ScriptBlock { param($a) Return @{"Source"=$a;"Destination"=$env:computername} } -ArgumentList $env:computername -UseSSL -SessionOption $httpsOptions -ErrorVariable httpError -ErrorAction SilentlyContinue
if ($httpResult -and $httpsResult)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Enabled")
}
ElseIf ($httpsResult -and !$httpResult)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Disabled | HTTPS: Enabled")
}
ElseIf ($httpResult -and !$httpsResult)
{
Write-MyLog -LOGSeverity "INFO" -LOGMessage ("HTTP: Enabled | HTTPS: Disabled")
}
Else
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("Unable to establish an HTTP or HTTPS remoting session.")
$MyError = $true
}
}
#--------------------------------------------------------------------------------------------------
#################################################################
if($MyERROR)
{
Write-MyLog -LOGSeverity "ERROR" -LOGMessage ("ERROR during checks...")
$StopWatch.Stop()
Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
}
else
{
Write-MyLog -LOGSeverity "OK" -LOGMessage ("PS Remoting has been successfully configured for Ansible.")
$StopWatch.Stop()
Write-MyLog -LOGSeverity "END" -LOGMessage ("Running Time : "+ $StopWatch.Elapsed.TotalSeconds +"s.")
}
}
################################################################
# Script entry point: invoke the Run function defined above, which applies
# the WinRM configuration and writes its outcome via Write-MyLog.
Run
# Reference: WinRM (WSMan) settings are persisted in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN