joaocc · November 10, 2016 11:02
diff --git a/ConfigureRemotingForAnsible.ps1 b/ConfigureRemotingForAnsible.ps1
 # Configure a Windows host for remote management with Ansible
 # -----------------------------------------------------------
 #
 # This script checks the current WinRM/PSRemoting configuration and makes the
 # necessary changes to allow Ansible to connect, authenticate and execute
 # PowerShell commands.
 #
 # Set $VerbosePreference = "Continue" before running the script in order to
 # see the output messages.
 # Set $SkipNetworkProfileCheck to skip the network profile check.  Without
 # specifying this the script will only run if the device's interfaces are in
 # DOMAIN or PRIVATE zones.  Provide this switch if you want to enable winrm on
 # a device with an interface in PUBLIC zone.
 #
 # Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert
 # must be forced on the WinRM Listener when re-running this script. This
 # is necessary when a new SID and CN name is created.
 #
 # Written by Trond Hindenes <[email protected]>
 # Updated by Chris Church <[email protected]>
 # Updated by Michael Crilly <[email protected]>
 # Updated by Anton Ouzounov <[email protected]>
 #
 # Version 1.0 - July 6th, 2014
 # Version 1.1 - November 11th, 2014
 # Version 1.2 - May 15th, 2015
 # Version 1.3 - April 4th, 2016

 Param (
    [string]$SubjectName = $env:COMPUTERNAME,
    [int]$CertValidityDays = 730,
    [switch]$SkipNetworkProfileCheck,
    $CreateSelfSignedCert = $true,
    [switch]$ForceNewSSLCert
 )

 Function New-LegacySelfSignedCert
 {
    Param (
        [string]$SubjectName,
        [int]$ValidDays = 730
    )

    $name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
    $name.Encode("CN=$SubjectName", 0)

    $key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
    $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    $key.KeySpec = 1
    $key.Length = 2048
    $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
    $key.MachineContext = 1
    $key.Create()

    $serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
    $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
    $ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
    $ekuoids.Add($serverauthoid)
    $ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
    $ekuext.InitializeEncode($ekuoids)

    $cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
    $cert.InitializeFromPrivateKey(2, $key, "")
    $cert.Subject = $name
    $cert.Issuer = $cert.Subject
    $cert.NotBefore = (Get-Date).AddDays(-1)
    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
    $cert.X509Extensions.Add($ekuext)
    $cert.Encode()

    $enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1"
    $enrollment.InitializeFromRequest($cert)
    $certdata = $enrollment.CreateRequest(0)
    $enrollment.InstallResponse(2, $certdata, 0, "")

    # Return the thumbprint of the last installed certificate;
    # This is needed for the new HTTPS WinRM listerner we're
    # going to create further down.
    Get-ChildItem "Cert:\LocalMachine\my"| Sort-Object NotBefore -Descending | Select -First 1 | Select -Expand Thumbprint
 }

 # Setup error handling.
 Trap
 {
    $_
    Exit 1
 }
 $ErrorActionPreference = "Stop"

 # Detect PowerShell version.
 If ($PSVersionTable.PSVersion.Major -lt 3)
 {
    Throw "PowerShell version 3 or higher is required."
 }

 # Find and start the WinRM service.
 Write-Verbose "Verifying WinRM service."
 If (!(Get-Service "WinRM"))
 {
    Throw "Unable to find the WinRM service."
 }
 ElseIf ((Get-Service "WinRM").Status -ne "Running")
 {
    Write-Verbose "Starting WinRM service."
    Start-Service -Name "WinRM" -ErrorAction Stop
    Write-Verbose "Setting WinRM service to start automatically on boot."
    Set-Service -Name "WinRM" -StartupType Automatic
 }

 # WinRM should be running; check that we have a PS session config.
 If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
 {
  if ($SkipNetworkProfileCheck) {
    Write-Verbose "Enabling PS Remoting without checking Network profile."
    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
  }
  else {
    Write-Verbose "Enabling PS Remoting"
    Enable-PSRemoting -Force -ErrorAction Stop
  }
 }
 Else
 {
    Write-Verbose "PS Remoting is already enabled."
 }

 # Make sure there is a SSL listener.
 $listeners = Get-ChildItem WSMan:\localhost\Listener
 If (!($listeners | Where {$_.Keys -like "TRANSPORT=HTTPS"}))
 {
    # HTTPS-based endpoint does not exist.
    If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
    {
        $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
        $thumbprint = $cert.Thumbprint
        Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
    }
    Else
    {
        $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
        Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
    }

    # Create the hashtables of settings to be used.
    $valueset = @{}
    $valueset.Add('Hostname', $SubjectName)
    $valueset.Add('CertificateThumbprint', $thumbprint)

    $selectorset = @{}
    $selectorset.Add('Transport', 'HTTPS')
    $selectorset.Add('Address', '*')

    Write-Verbose "Enabling SSL listener."
    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
 }
 Else
 {
    Write-Verbose "SSL listener is already active."
    
    # Force a new SSL cert on Listener if the $ForceNewSSLCert
    if($ForceNewSSLCert){
        
        # Create the new cert.
        If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
        {
            $cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
            $thumbprint = $cert.Thumbprint
            Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
        }
        Else
        {
            $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
            Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
        }

        $valueset = @{}
        $valueset.Add('Hostname', $SubjectName)
        $valueset.Add('CertificateThumbprint', $thumbprint)

        # Delete the listener for SSL
        $selectorset = @{}
        $selectorset.Add('Transport', 'HTTPS')
        $selectorset.Add('Address', '*')
        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset

        # Add new Listener with new SSL cert
        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
    }
 }

 # Check for basic authentication.
 $basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth | Where {$_.Name -eq "Basic"}
 If (($basicAuthSetting.Value) -eq $false)
 {
    Write-Verbose "Enabling basic auth support."
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
 }
 Else
 {
    Write-Verbose "Basic auth is already enabled."
 }

 # Configure firewall to allow WinRM HTTPS connections.
 $fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
 $fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
 If ($fwtest1.count -lt 5)
 {
    Write-Verbose "Adding firewall rule to allow WinRM HTTPS."
    netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
 }
 ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))
 {
    Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile."
    netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any
 }
 Else
 {
    Write-Verbose "Firewall rule already exists to allow WinRM HTTPS."
 }

 # Test a remoting connection to localhost, which should work.
 $httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue
 $httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

 $httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue

 If ($httpResult -and $httpsResult)
 {
    Write-Verbose "HTTP: Enabled | HTTPS: Enabled"
 }
 ElseIf ($httpsResult -and !$httpResult)
 {
    Write-Verbose "HTTP: Disabled | HTTPS: Enabled"
 }
 ElseIf ($httpResult -and !$httpsResult)
 {
    Write-Verbose "HTTP: Enabled | HTTPS: Disabled"
 }
 Else
 {
    Throw "Unable to establish an HTTP or HTTPS remoting session."
 }
 Write-Verbose "PS Remoting has been successfully configured for Ansible."
diff --git a/win-server.non-dev.1611.boxst b/win-server.non-dev.1611.boxst
 #
 # v1.6.1     2016-11-10    HighSkillz Ltd
 #
 # START https://goo.gl/kBkPWv
 # START http://boxstarter.org/package/url?https://gist.githubusercontent.com/joaocc/65f751c01604c1b3ffc0b4ce82d9d645/raw/win2012r2--nondev-1611.boxst

 # ================================================================
 # Boxstarter options
 $Boxstarter.RebootOk=$true # Allow reboots?
 $Boxstarter.NoPassword=$false # Is this a machine with no login password?
 $Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot

 # ================================================================
 #netdom renamecomputer %computername% /newname:{newComputerName}
 #shutdown /r

 # ================================================================
 # Basic setup
 Update-ExecutionPolicy Unrestricted
 Set-ExplorerOptions -showHidenFilesFoldersDrives -showProtectedOSFiles -showFileExtensions

 Enable-RemoteDesktop
 Disable-InternetExplorerESC
 Disable-UAC
 Set-TaskbarSmall

 netsh.exe advfirewall firewall set rule group="remote desktop" new enable=yes

 # ----------------------------------------------------------------
 # File Share support
 dism.exe /Online /Enable-Feature:File-Services /all
 dism.exe /Online /Enable-Feature:FileServerVSSAgent /all
 dism.exe /Online /Enable-Feature:WindowsServerBackup /all

 # Get-NetConnectionProfile
 # Set-NetConnectionProfile -InterfaceIndex # -NetworkCategory Private

 # ----------------------------------------------------------------
 # server settings
 #Configure-SMRemoting.exe -disable

 Add-WindowsFeature telnet-client

 # ################################################################
 DISM.EXE /enable-feature /online /featureName:MicrosoftWindowsPowerShellISE

 # ################################################################
 Install-WindowsUpdate -AcceptEula

 if (Test-PendingReboot) { Invoke-Reboot }
	# Configure a Windows host for remote management with Ansible
	# -----------------------------------------------------------
	#
	# This script checks the current WinRM/PSRemoting configuration and makes the
	# necessary changes to allow Ansible to connect, authenticate and execute
	# PowerShell commands.
	#
	# Set $VerbosePreference = "Continue" before running the script in order to
	# see the output messages.
	# Set $SkipNetworkProfileCheck to skip the network profile check. Without
	# specifying this the script will only run if the device's interfaces are in
	# DOMAIN or PRIVATE zones. Provide this switch if you want to enable winrm on
	# a device with an interface in PUBLIC zone.
	#
	# Set $ForceNewSSLCert if the system has been syspreped and a new SSL Cert
	# must be forced on the WinRM Listener when re-running this script. This
	# is necessary when a new SID and CN name is created.
	#
	# Written by Trond Hindenes <[email protected]>
	# Updated by Chris Church <[email protected]>
	# Updated by Michael Crilly <[email protected]>
	# Updated by Anton Ouzounov <[email protected]>
	#
	# Version 1.0 - July 6th, 2014
	# Version 1.1 - November 11th, 2014
	# Version 1.2 - May 15th, 2015
	# Version 1.3 - April 4th, 2016

	Param (
	[string]$SubjectName = $env:COMPUTERNAME,
	[int]$CertValidityDays = 730,
	[switch]$SkipNetworkProfileCheck,
	$CreateSelfSignedCert = $true,
	[switch]$ForceNewSSLCert
	)

	Function New-LegacySelfSignedCert
	{
	Param (
	[string]$SubjectName,
	[int]$ValidDays = 730
	)

	$name = New-Object -COM "X509Enrollment.CX500DistinguishedName.1"
	$name.Encode("CN=$SubjectName", 0)

	$key = New-Object -COM "X509Enrollment.CX509PrivateKey.1"
	$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
	$key.KeySpec = 1
	$key.Length = 2048
	$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
	$key.MachineContext = 1
	$key.Create()

	$serverauthoid = New-Object -COM "X509Enrollment.CObjectId.1"
	$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
	$ekuoids = New-Object -COM "X509Enrollment.CObjectIds.1"
	$ekuoids.Add($serverauthoid)
	$ekuext = New-Object -COM "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
	$ekuext.InitializeEncode($ekuoids)

	$cert = New-Object -COM "X509Enrollment.CX509CertificateRequestCertificate.1"
	$cert.InitializeFromPrivateKey(2, $key, "")
	$cert.Subject = $name
	$cert.Issuer = $cert.Subject
	$cert.NotBefore = (Get-Date).AddDays(-1)
	$cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
	$cert.X509Extensions.Add($ekuext)
	$cert.Encode()

	$enrollment = New-Object -COM "X509Enrollment.CX509Enrollment.1"
	$enrollment.InitializeFromRequest($cert)
	$certdata = $enrollment.CreateRequest(0)
	$enrollment.InstallResponse(2, $certdata, 0, "")

	# Return the thumbprint of the last installed certificate;
	# This is needed for the new HTTPS WinRM listerner we're
	# going to create further down.
	Get-ChildItem "Cert:\LocalMachine\my"\| Sort-Object NotBefore -Descending \| Select -First 1 \| Select -Expand Thumbprint
	}

	# Setup error handling.
	Trap
	{
	$_
	Exit 1
	}
	$ErrorActionPreference = "Stop"

	# Detect PowerShell version.
	If ($PSVersionTable.PSVersion.Major -lt 3)
	{
	Throw "PowerShell version 3 or higher is required."
	}

	# Find and start the WinRM service.
	Write-Verbose "Verifying WinRM service."
	If (!(Get-Service "WinRM"))
	{
	Throw "Unable to find the WinRM service."
	}
	ElseIf ((Get-Service "WinRM").Status -ne "Running")
	{
	Write-Verbose "Starting WinRM service."
	Start-Service -Name "WinRM" -ErrorAction Stop
	Write-Verbose "Setting WinRM service to start automatically on boot."
	Set-Service -Name "WinRM" -StartupType Automatic
	}

	# WinRM should be running; check that we have a PS session config.
	If (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\localhost\Listener)))
	{
	if ($SkipNetworkProfileCheck) {
	Write-Verbose "Enabling PS Remoting without checking Network profile."
	Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop
	}
	else {
	Write-Verbose "Enabling PS Remoting"
	Enable-PSRemoting -Force -ErrorAction Stop
	}
	}
	Else
	{
	Write-Verbose "PS Remoting is already enabled."
	}

	# Make sure there is a SSL listener.
	$listeners = Get-ChildItem WSMan:\localhost\Listener
	If (!($listeners \| Where {$_.Keys -like "TRANSPORT=HTTPS"}))
	{
	# HTTPS-based endpoint does not exist.
	If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
	{
	$cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
	$thumbprint = $cert.Thumbprint
	Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
	}
	Else
	{
	$thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
	Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
	}

	# Create the hashtables of settings to be used.
	$valueset = @{}
	$valueset.Add('Hostname', $SubjectName)
	$valueset.Add('CertificateThumbprint', $thumbprint)

	$selectorset = @{}
	$selectorset.Add('Transport', 'HTTPS')
	$selectorset.Add('Address', '*')

	Write-Verbose "Enabling SSL listener."
	New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
	}
	Else
	{
	Write-Verbose "SSL listener is already active."

	# Force a new SSL cert on Listener if the $ForceNewSSLCert
	if($ForceNewSSLCert){

	# Create the new cert.
	If (Get-Command "New-SelfSignedCertificate" -ErrorAction SilentlyContinue)
	{
	$cert = New-SelfSignedCertificate -DnsName $SubjectName -CertStoreLocation "Cert:\LocalMachine\My"
	$thumbprint = $cert.Thumbprint
	Write-Host "Self-signed SSL certificate generated; thumbprint: $thumbprint"
	}
	Else
	{
	$thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName
	Write-Host "(Legacy) Self-signed SSL certificate generated; thumbprint: $thumbprint"
	}

	$valueset = @{}
	$valueset.Add('Hostname', $SubjectName)
	$valueset.Add('CertificateThumbprint', $thumbprint)

	# Delete the listener for SSL
	$selectorset = @{}
	$selectorset.Add('Transport', 'HTTPS')
	$selectorset.Add('Address', '*')
	Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset

	# Add new Listener with new SSL cert
	New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
	}
	}

	# Check for basic authentication.
	$basicAuthSetting = Get-ChildItem WSMan:\localhost\Service\Auth \| Where {$_.Name -eq "Basic"}
	If (($basicAuthSetting.Value) -eq $false)
	{
	Write-Verbose "Enabling basic auth support."
	Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
	}
	Else
	{
	Write-Verbose "Basic auth is already enabled."
	}

	# Configure firewall to allow WinRM HTTPS connections.
	$fwtest1 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS"
	$fwtest2 = netsh advfirewall firewall show rule name="Allow WinRM HTTPS" profile=any
	If ($fwtest1.count -lt 5)
	{
	Write-Verbose "Adding firewall rule to allow WinRM HTTPS."
	netsh advfirewall firewall add rule profile=any name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
	}
	ElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))
	{
	Write-Verbose "Updating firewall rule to allow WinRM HTTPS for any profile."
	netsh advfirewall firewall set rule name="Allow WinRM HTTPS" new profile=any
	}
	Else
	{
	Write-Verbose "Firewall rule already exists to allow WinRM HTTPS."
	}

	# Test a remoting connection to localhost, which should work.
	$httpResult = Invoke-Command -ComputerName "localhost" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue
	$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

	$httpsResult = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue

	If ($httpResult -and $httpsResult)
	{
	Write-Verbose "HTTP: Enabled \| HTTPS: Enabled"
	}
	ElseIf ($httpsResult -and !$httpResult)
	{
	Write-Verbose "HTTP: Disabled \| HTTPS: Enabled"
	}
	ElseIf ($httpResult -and !$httpsResult)
	{
	Write-Verbose "HTTP: Enabled \| HTTPS: Disabled"
	}
	Else
	{
	Throw "Unable to establish an HTTP or HTTPS remoting session."
	}
	Write-Verbose "PS Remoting has been successfully configured for Ansible."
	#
	# v1.6.1 2016-11-10 HighSkillz Ltd
	#
	# START https://goo.gl/kBkPWv
	# START http://boxstarter.org/package/url?https://gist.githubusercontent.com/joaocc/65f751c01604c1b3ffc0b4ce82d9d645/raw/win2012r2--nondev-1611.boxst

	# ================================================================
	# Boxstarter options
	$Boxstarter.RebootOk=$true # Allow reboots?
	$Boxstarter.NoPassword=$false # Is this a machine with no login password?
	$Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot

	# ================================================================
	#netdom renamecomputer %computername% /newname:{newComputerName}
	#shutdown /r

	# ================================================================
	# Basic setup
	Update-ExecutionPolicy Unrestricted
	Set-ExplorerOptions -showHidenFilesFoldersDrives -showProtectedOSFiles -showFileExtensions

	Enable-RemoteDesktop
	Disable-InternetExplorerESC
	Disable-UAC
	Set-TaskbarSmall

	netsh.exe advfirewall firewall set rule group="remote desktop" new enable=yes

	# ----------------------------------------------------------------
	# File Share support
	dism.exe /Online /Enable-Feature:File-Services /all
	dism.exe /Online /Enable-Feature:FileServerVSSAgent /all
	dism.exe /Online /Enable-Feature:WindowsServerBackup /all

	# Get-NetConnectionProfile
	# Set-NetConnectionProfile -InterfaceIndex # -NetworkCategory Private

	# ----------------------------------------------------------------
	# server settings
	#Configure-SMRemoting.exe -disable

	Add-WindowsFeature telnet-client

	# ################################################################
	DISM.EXE /enable-feature /online /featureName:MicrosoftWindowsPowerShellISE

	# ################################################################
	Install-WindowsUpdate -AcceptEula

	if (Test-PendingReboot) { Invoke-Reboot }