de21038feb
Instead of asking the user to type something prior to running the script, why not allow -Verbose on the command line directly. Also log important events to EventLog, so that it can be traced e.g. when running via RunOnce mechanism. The documentation is updated as well.
293 lines
9.9 KiB
PowerShell
293 lines
9.9 KiB
PowerShell
# Configure a Windows host for remote management with Ansible
|
|
# -----------------------------------------------------------
|
|
#
|
|
# This script checks the current WinRM/PSRemoting configuration and makes the
|
|
# necessary changes to allow Ansible to connect, authenticate and execute
|
|
# PowerShell commands.
|
|
#
|
|
# All events are logged to the Windows EventLog, useful for unattended runs.
|
|
#
|
|
# Use option -Verbose in order to see the verbose output messages.
|
|
#
|
|
# Use option -SkipNetworkProfileCheck to skip the network profile check.
|
|
# Without specifying this the script will only run if the device's interfaces
|
|
# are in DOMAIN or PRIVATE zones. Provide this switch if you want to enable
|
|
# WinRM on a device with an interface in PUBLIC zone.
|
|
#
|
|
# Use option -ForceNewSSLCert if the system has been SysPreped and a new
|
|
# SSL Certifcate must be forced on the WinRM Listener when re-running this
|
|
# script. This is necessary when a new SID and CN name is created.
|
|
#
|
|
# Written by Trond Hindenes <trond@hindenes.com>
|
|
# Updated by Chris Church <cchurch@ansible.com>
|
|
# Updated by Michael Crilly <mike@autologic.cm>
|
|
# Updated by Anton Ouzounov <Anton.Ouzounov@careerbuilder.com>
|
|
# Updated by Dag Wieërs <dag@wieers.com>
|
|
#
|
|
# Version 1.0 - 2014-07-06
|
|
# Version 1.1 - 2014-11-11
|
|
# Version 1.2 - 2015-05-15
|
|
# Version 1.3 - 2016-04-04
|
|
# Version 1.4 - 2017-01-05
|
|
|
|
# Support -Verbose option
|
|
[CmdletBinding()]
|
|
|
|
Param (
|
|
[string]$SubjectName = $env:COMPUTERNAME,
|
|
[int]$CertValidityDays = 365,
|
|
[switch]$SkipNetworkProfileCheck,
|
|
$CreateSelfSignedCert = $true,
|
|
[switch]$ForceNewSSLCert
|
|
)
|
|
|
|
Function Write-Log
|
|
{
|
|
$Message = $args[0]
|
|
Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message
|
|
}
|
|
|
|
Function Write-VerboseLog
|
|
{
|
|
$Message = $args[0]
|
|
Write-Verbose $Message
|
|
Write-Log $Message
|
|
}
|
|
|
|
Function Write-HostLog
|
|
{
|
|
$Message = $args[0]
|
|
Write-Host $Message
|
|
Write-Log $Message
|
|
}
|
|
|
|
Function New-LegacySelfSignedCert
|
|
{
|
|
Param (
|
|
[string]$SubjectName,
|
|
[int]$ValidDays = 365
|
|
)
|
|
|
|
$name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
|
|
$name.Encode("CN=$SubjectName", 0)
|
|
|
|
$key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
|
|
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
|
|
$key.KeySpec = 1
|
|
$key.Length = 1024
|
|
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
|
|
$key.MachineContext = 1
|
|
$key.Create()
|
|
|
|
$serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
|
|
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
|
|
$ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
|
|
$ekuoids.Add($serverauthoid)
|
|
$ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
|
|
$ekuext.InitializeEncode($ekuoids)
|
|
|
|
$cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
|
|
$cert.InitializeFromPrivateKey(2, $key, "")
|
|
$cert.Subject = $name
|
|
$cert.Issuer = $cert.Subject
|
|
$cert.NotBefore = (Get-Date).AddDays(-1)
|
|
$cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
|
|
$cert.X509Extensions.Add($ekuext)
|
|
$cert.Encode()
|
|
|
|
$enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1"
|
|
$enrollment.InitializeFromRequest($cert)
|
|
$certdata = $enrollment.CreateRequest(0)
|
|
$enrollment.InstallResponse(2, $certdata, 0, "")
|
|
|
|
# Return the thumbprint of the last installed certificate;
|
|
# This is needed for the new HTTPS WinRM listerner we're
|
|
# going to create further down.
|
|
Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint
|
|
}
|
|
|
|
# Setup error handling.
|
|
Trap
|
|
{
|
|
$_
|
|
Exit 1
|
|
}
|
|
$ErrorActionPreference = "Stop"
|
|
$EventSource = $MyInvocation.MyCommand.Name
|
|
If ($EventSource -eq $Null)
|
|
{
|
|
$EventSource = "Powershell CLI"
|
|
}
|
|
|
|
If ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False)
|
|
{
|
|
New-EventLog -LogName Application -Source $EventSource
|
|
}
|
|
|
|
# Detect PowerShell version.
|
|
If ($PSVersionTable.PSVersion.Major -lt 3)
|
|
{
|
|
Write-Log "PowerShell version 3 or higher is required."
|
|
Throw "PowerShell version 3 or higher is required."
|
|
}
|
|
|
|
# Find and start the WinRM service.
|
|
Write-Verbose "Verifying WinRM service."
|
|
If (!(Get-Service "WinRM"))
|
|
{
|
|
Write-Log "Unable to find the WinRM service."
|
|
Throw "Unable to find the WinRM service."
|
|
}
|
|
ElseIf ((Get-Service "WinRM").Status -ne "Running")
|
|
{
|
|
Write-Verbose "Starting WinRM service."
|
|
Start-Service -Name "WinRM" -ErrorAction Stop
|
|
Write-Log "Started WinRM service."
|
|
Write-Verbose "Setting WinRM service to start automatically on boot."
|
|
Set-Service -Name "WinRM" -StartupType Automatic
|
|
Write-Log "Set WinRM service to start automatically on boot."
|
|
|
|
}
|
|
|
|
# WinRM should be running; check that we have a PS session config.
|
|
If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
|
|
{
|
|
If ($SkipNetworkProfileCheck) {
|
|
Write-Verbose "Enabling PS Remoting without checking Network profile."
|
|
Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
|
|
Write-Log "Enabled PS Remoting without checking Network profile."
|
|
}
|
|
Else {
|
|
Write-Verbose "Enabling PS Remoting."
|
|
Enable-PSRemoting -Force -ErrorAction Stop
|
|
Write-Log "Enabled PS Remoting."
|
|
}
|
|
}
|
|
Else
|
|
{
|
|
Write-Verbose "PS Remoting is already enabled."
|
|
}
|
|
|
|
# Make sure there is a SSL listener.
|
|
$listeners = Get-ChildItem WSMan:\localhost\Listener
|
|
If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
|
|
{
|
|
# HTTPS-based endpoint does not exist.
|
|
If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
|
|
{
|
|
$cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
|
|
$thumbprint = $cert.Thumbprint
|
|
Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
|
}
|
|
Else
|
|
{
|
|
$thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
|
|
Write-HostLog "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
|
}
|
|
|
|
# Create the hashtables of settings to be used.
|
|
$valueset = @{}
|
|
$valueset.Add('Hostname', $SubjectName)
|
|
$valueset.Add('CertificateThumbprint', $thumbprint)
|
|
|
|
$selectorset = @{}
|
|
$selectorset.Add('Transport', 'HTTPS')
|
|
$selectorset.Add('Address', '*')
|
|
|
|
Write-Verbose "Enabling SSL listener."
|
|
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
|
|
Write-Log "Enabled SSL listener."
|
|
}
|
|
Else
|
|
{
|
|
Write-Verbose "SSL listener is already active."
|
|
|
|
# Force a new SSL cert on Listener if the $ForceNewSSLCert
|
|
If ($ForceNewSSLCert)
|
|
{
|
|
|
|
# Create the new cert.
|
|
If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
|
|
{
|
|
$cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
|
|
$thumbprint = $cert.Thumbprint
|
|
Write-HostLog "Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
|
}
|
|
Else
|
|
{
|
|
$thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
|
|
Write-HostLog "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
|
|
}
|
|
|
|
$valueset = @{}
|
|
$valueset.Add('Hostname', $SubjectName)
|
|
$valueset.Add('CertificateThumbprint', $thumbprint)
|
|
|
|
# Delete the listener for SSL
|
|
$selectorset = @{}
|
|
$selectorset.Add('Transport', 'HTTPS')
|
|
$selectorset.Add('Address', '*')
|
|
Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset
|
|
|
|
# Add new Listener with new SSL cert
|
|
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
|
|
}
|
|
}
|
|
|
|
# Check for basic authentication.
|
|
$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"}
|
|
If (($basicAuthSetting.Value) -eq $false)
|
|
{
|
|
Write-Verbose "Enabling basic auth support."
|
|
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
|
|
Write-Log "Enabled basic auth support."
|
|
}
|
|
Else
|
|
{
|
|
Write-Verbose "Basic auth is already enabled."
|
|
}
|
|
|
|
# Configure firewall to allow WinRM HTTPS connections.
|
|
$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
|
|
$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
|
|
If ($fwtest1.count -lt 5)
|
|
{
|
|
Write-Verbose "Adding firewall rule to allow WinRM HTTPS."
|
|
netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
|
|
Write-Log "Added firewall rule to allow WinRM HTTPS."
|
|
}
|
|
ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))
|
|
{
|
|
Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile."
|
|
netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any
|
|
Write-Log "Updated firewall rule to allow WinRM HTTPS for any profile."
|
|
}
|
|
Else
|
|
{
|
|
Write-Verbose "Firewall rule already exists to allow WinRM HTTPS."
|
|
}
|
|
|
|
# Test a remoting connection to localhost, which should work.
|
|
$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue
|
|
$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
|
|
|
|
$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue
|
|
|
|
If ($httpResult -and $httpsResult)
|
|
{
|
|
Write-Verbose "HTTP: Enabled | HTTPS: Enabled"
|
|
}
|
|
ElseIf ($httpsResult -and !$httpResult)
|
|
{
|
|
Write-Verbose "HTTP: Disabled | HTTPS: Enabled"
|
|
}
|
|
ElseIf ($httpResult -and !$httpsResult)
|
|
{
|
|
Write-Verbose "HTTP: Enabled | HTTPS: Disabled"
|
|
}
|
|
Else
|
|
{
|
|
Write-Log "Unable to establish an HTTP or HTTPS remoting session."
|
|
Throw "Unable to establish an HTTP or HTTPS remoting session."
|
|
}
|
|
Write-VerboseLog "PS Remoting has been successfully configured for Ansible."
|