-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathrdp-winrm-ssh-rsync.ps1
executable file
·293 lines (280 loc) · 10.9 KB
/
rdp-winrm-ssh-rsync.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
#ps1_sysnative
param(
[string]$username = "${LocalAdminUsername}",
[string]$password = "${LocalAdminPassword}"
);
#$username = "${LocalAdminUsername}"
#$password = "${LocalAdminPassword}"
Write-Host "Username - $username"
if(!$username){
Write-Error "parameter -username is undefined"
exit 1
}
if(!$password){
$password = "";
}
function Set-NetworksAsPrivate {
<#
.synopsis
Set all network interfaces as private network to enable winrm
#>
try{
Set-NetConnectionProfile -NetworkCategory Private
}catch{
# Get network connections for Windows 7
$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
$connections = $networkListManager.GetNetworkConnections()
$connections | % {$_.GetNetwork().SetCategory(1)}
}
}
function Enable-WinrmRemote {
<#
.synopsis
Enables WinRM remoting
.description
Turns off network profile check for WinRM, for Windows 7 - turns off firewall
#>
Set-ExecutionPolicy RemoteSigned
Enable-PSRemoting -Force
try{
Set-WSManQuickConfig -SkipNetworkProfileCheck -Force
}catch{
#win7
netsh advfirewall set allprofiles state off
}
}
function Enable-WinrmOverHttp {
<#
.synopsis
Allow WinRM over plain HTTP (AllowUnencrypted)
#>
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value "true" -Force
Set-Item WSMan:\localhost\Client\TrustedHosts * -Force
Write-Host "WinRM over HTTP is enabled"
}
function Enable-RDP {
Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server" -name "fDenyTSConnections" -Value 0
Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" -name "UserAuthentication" -Value 1
$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -ErrorAction Stop
$result = $RDP.SetAllowTsConnections(1,1)
if($result.ReturnValue -eq 0) {
Write-Host "Enabled RDP Successfully"
} else {
Write-Host "Failed to enabled RDP"
}
try{
#Enable-NetFirewallRule -DisplayGroup "Remote Desktop*"
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -enabled true
}catch{
#Win7 #netsh advfirewall firewall set service type=remotedesktop mode=enable
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
}
}
function New-LocalAdmin {
param([string]$username, [string]$password)
$Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
Write-Host "Creating $username user"
$LocalAdmin = $Computer.Create("User", $username)
$LocalAdmin.setPassword($password)
$LocalAdmin.UserFlags = 64 + 65536
$LocalAdmin.setInfo()
$LocalAdmin.FullName = "Local Admin for Powershell"
$LocalAdmin.setInfo()
$LocalAdmin.Description = "Defined by Powershell"
$LocalAdmin.setInfo()
$admGroupSID = get-wmiobject win32_group -Filter "SID='S-1-5-32-544'"
$admGroupName = $admGroupSID.Name
Write-Host ("Adding $username to group $admGroupName")
$groupExpression = "WinNT://$Env:COMPUTERNAME/$admGroupName,Group"
$AdminGroup = [ADSI]$groupExpression
$AdminGroup.Add("WinNT://$username,User")
$AdminGroup.SetInfo()
}
function Get-UsersDir {
$userProfilePath = $env:USERPROFILE
Write-Host "Userprofile $userProfilePathfor user $env:USERNAME"
$usersDir = (get-item $userProfilePath ).parent.FullName
Write-Host "Users directory is $usersDir"
return $usersDir
}
function New-LocalAdminProfile {
<#
.synopsis
Creates Local admin profile
.description
Invokes simple CMD command (echo) under the provided credentials
.parameter username
Username to create profile for.
.parameter password
Password of the user to create profile for.
#>
param([string]$username, [string]$password)
$cred_user = ".\$username"
$cred_password = ConvertTo-SecureString -String $password -AsPlainText -Force
$UCredential = New-Object -typename System.Management.Automation.PSCredential -argumentlist $cred_user, $cred_password
#Start-Process powershell.exe -Credential $Credential -Verb RunAs -ArgumentList ("-file $args")
#Run simple console command as LocalAdmin to create Windows user's profile
[void](Invoke-Command -ComputerName "." -Credential $UCredential -Authentication Negotiate -Script {
$proc = New-Object System.Diagnostics.ProcessStartInfo
$proc.FileName = "cmd.exe"
$proc.RedirectStandardError = $true
$proc.RedirectStandardOutput = $true
$proc.UseShellExecute = $false
$proc.Arguments = "/c echo hello"
$pr = New-Object System.Diagnostics.Process
$pr.StartInfo = $proc
$pr.Start() | Out-Null
$pr.WaitForExit()
$stdout = $pr.StandardOutput.ReadToEnd()
$stderr = $pr.StandardError.ReadToEnd()
Write-Host "HELLO OUT: $stdout"
Write-Host "HELLO ERROR: $stderr"
Write-Host "HELLO exit code: " + $pr.ExitCode
})
}
function GrantLogonAsSerivce {
<#
.synopsis
Grants logon as a service right to user
.parameter username
username that can logon as service
#>
param([string]$username)
# Grant logon as a service right
$tempPath = [System.IO.Path]::GetTempPath()
$import = Join-Path -Path $tempPath -ChildPath "import.inf"
if(Test-Path $import) { Remove-Item -Path $import -Force }
$export = Join-Path -Path $tempPath -ChildPath "export.inf"
if(Test-Path $export) { Remove-Item -Path $export -Force }
$secedt = Join-Path -Path $tempPath -ChildPath "secedt.sdb"
if(Test-Path $secedt) { Remove-Item -Path $secedt -Force }
try {
Write-Host ("Granting SeServiceLogonRight to user account: {0}." -f $username)
$sid = ((New-Object System.Security.Principal.NTAccount($username)).Translate([System.Security.Principal.SecurityIdentifier])).Value
secedit /export /cfg $export
$sids = (Select-String $export -Pattern "SeServiceLogonRight").Line
foreach ($line in @("[Unicode]", "Unicode=yes", "[System Access]", "[Event Audit]", "[Registry Values]", "[Version]", "signature=`"`$CHICAGO$`"", "Revision=1", "[Profile Description]", "Description=GrantLogOnAsAService security template", "[Privilege Rights]", "SeServiceLogonRight = *$sids,*$sid")){
Add-Content $import $line
}
secedit /import /db $secedt /cfg $import
secedit /configure /db $secedt
gpupdate /force
Remove-Item -Path $import -Force
Remove-Item -Path $export -Force
Remove-Item -Path $secedt -Force
}
catch {
Write-Host ("Failed to grant SeServiceLogonRight to user account: {0}" -f $username)
$error[0]
}
}
function Install-SshKeys {
<#
.synopsis
Puts cloud keys to the specified user profile, that will run SSH daemon.
.parameter username
username that runs SSH daemon
#>
param([string]$username)
Write-Host "Searching authorized_keys in users profiles"
$usersDir = Get-UsersDir
$table = Get-ChildItem $usersDir -recurse | Where-Object {$_.PSIsContainer -eq $true -and $_.Name -match ".ssh"}
foreach($file in $table){
$sshdir = $file.FullName
Write-Host $sshdir
$keyFile = "$sshdir\authorized_keys"
$authkey = Get-Item $keyFile
Write-Host "Found" $authkey.FullName
#$sshKeysCopy = [Environment]::GetFolderPath("UserProfile")+"\.ssh"
$sshKeysCopy = "$usersDir\$username\.ssh"
( New-Item $sshKeysCopy -type directory -force ) > $null
$sshKeysCopy = "$sshKeysCopy\authorized_keys"
( Copy-Item -Path $authkey.FullName -Destination $sshKeysCopy ) > $null
break
}
}
function DownloadFromHttp {
<#
.synopsis
Downloads file from web server to the specified directory
.parameter url
URL of the file on web server
.parameter dir
Local directory to save file.
.parameter filename
Name of the file in local directory where to save download.
#>
param([string]$url, [string]$dir, [string]$filename)
New-Item $dir -type directory -Force | Out-Null
$saveTo = "$dir\$filename"
Write-Host "Downloading $url into $saveTo"
(New-Object System.Net.WebClient).DownloadFile($url, $saveTo) | Out-Null
return $saveTo
}
function Install-Sshd {
<#
.synopsis
Downloads and runs OpenSSH server for Windows
.parameter password
./sshd_server account's password that will run OpenSSH service
#>
param([string]$password)
$saveTo = DownloadFromHttp -url "http://www.mls-software.com/files/setupssh-7.2p2-1-v1.exe" -dir "C:\TEMP\Downloads" -filename "OpenSSH-Install.exe"
$sshDir = "C:\Program Files\OpenSSH"
Write-Host "Installing OpenSSH service"
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $saveTo
#$pinfo.RedirectStandardError = $true
#$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/S /password=$password /domain=0 /privsep=1 /serveronly=1"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
Write-Host "exit code: " + $p.ExitCode
Write-Host "Installed from $saveTo"
Set-Location $sshDir
$regex = "(.*)(StrictModes|PubkeyAuthentication|AuthorizedKeysFile)\s+(.+)"
(Get-Content etc/sshd_config) | % {
$line = $_
if($_ -match $regex){
$line = $line -ireplace $regex, "`$2"
$line = $line -replace "StrictModes", "StrictModes no"
$line = $line -replace "PubkeyAuthentication", "PubkeyAuthentication yes"
$line = $line -replace "AuthorizedKeysFile", "AuthorizedKeysFile .ssh/authorized_keys"
}
$line
} | Set-Content etc/sshd_config
Write-Host "Removing DOMAIN or HOSTNAME from service account name"
$service = Get-WMIObject -namespace "root\cimv2" -class Win32_Service -Filter "Name='opensshd'"
$newAccount = ".\sshd_server"
$service.Change($null,$null,$null,$null,$null,$null,$newAccount,$password)
Restart-Service "opensshd"
}
# Step 4: Disable Automatic Updates
# Reference: http://www.benmorris.me/2012/05/1st-test-blog-post.html
$AutoUpdate = (New-Object -com "Microsoft.Update.AutoUpdate").Settings
$AutoUpdate.NotificationLevel = 1
$AutoUpdate.Save()
Write-Host "Windows Update has been disabled." -ForegroundColor Green
# Step 5: Disable Complex Passwords
# Reference: http://vlasenko.org/2011/04/27/removing-password-complexity-requirements-from-windows-server-2008-core/
$seccfg = [IO.Path]::GetTempFileName()
secedit /export /cfg $seccfg
(Get-Content $seccfg) | Foreach-Object {$_ -replace "PasswordComplexity\s*=\s*1", "PasswordComplexity=0"} | Set-Content $seccfg
secedit /configure /db $env:windir\security\new.sdb /cfg $seccfg /areas SECURITYPOLICY
del $seccfg
Write-Host "Complex Passwords have been disabled." -ForegroundColor Green
Set-NetworksAsPrivate
Enable-WinrmRemote
Enable-WinrmOverHttp
Restart-Service winrm
Enable-RDP
New-LocalAdmin -username $username -password $password
New-LocalAdminProfile -username $username -password $password
GrantLogonAsSerivce -username $username
Install-SshKeys -username $username
#iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
#choco install cygwin
#Install-Sshd -password $password