Packer.Images/scripts/ADDS/payload/scripts/05.Firewall.ps1

#Requires -Modules 'NetSecurity'
Param(
    [Parameter(Mandatory)]
    [hashtable]$Parameter
)

# Only executed on primary or standalone Domain Controller
If (@('primary','standalone') -contains $Parameter['deployment.type']) {
    $GetContentSplat = @{
        Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.yml')
        Raw  = $true
    }
    $RawContent = Get-Content @GetContentSplat
    $ConvertFromYamlSplat = @{
        Yaml         = $RawContent
        AllDocuments = $True
    }
    $YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat

    # Check if the respective .yml file declared substitutions which need to be parsed
    If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
        ForEach ($Pattern in $YamlDocuments[-1].Variables) {
            $RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
        }
        # Perform conversion to Yaml again, now with parsed file contents
        $ConvertFromYamlSplat = @{
            Yaml         = $RawContent
            AllDocuments = $True
        }
        $YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
        $Settings = $YamlDocuments[0..($YamlDocuments.Count - 2)]
    }
    Else {
        $Settings = $YamlDocuments
    }

    $NewGPOSplat = @{
        Name = 'COMP: Firewall (Servers)'
    }
    $NewGPO = New-GPO @NewGPOSplat

    $OpenNetGPOSplat = @{
        PolicyStore = "$($Parameter['addsconfig.domainname'])\$($NewGPO.DisplayName)"
    }
    $GPOSession = Open-NetGPO @OpenNetGPOSplat

    ForEach ($Rule in $Settings.FirewallRules) {
        $NewNetFirewallRuleSplat = @{
            # Using so-called string formatting with the '-f' operator (looks more complicated than it is) to create consistent policy names:
            # Examples:
            #   'DENY: Inbound port 443 (TCP)'
            #   'ALLOW: Inbound 'D:\MSSQL\bin\sqlservr.exe'
            DisplayName = ("{0}: {1} {2} {3} {4}" -f
                    $Rule.Action.ToUpper(),
                    $Rule.Direction,
                    ("'$($Rule.Program)'", $NULL)[!($Rule.Program)],
                    ("Port $($Rule.Port)", $NULL)[!($Rule.Port)],
                    ("($($Rule.Protocol))", $NULL)[!($Rule.Protocol)]
                ) -replace '\s+',' '
            Description = $Rule.Description
            Action      = $Rule.Action
            Direction   = $Rule.Direction
            Program     = ($Rule.Program, 'Any')[!($Rule.Program)]
            LocalPort   = ($Rule.Port.Split(','), 'Any')[!($Rule.Port)]
            Protocol    = ($Rule.Protocol, 'Any')[!($Rule.Protocol)]
            GPOSession  = $GPOSession
            PolicyStore = $NewGPO.DisplayName
            Confirm     = $False
        }
        New-NetFirewallRule @NewNetFirewallRuleSplat
    }

    ForEach ($Profile in $Settings.FirewallProfiles) {
        $SetNetFirewallProfileSplat = @{
            Name                    = $Profile.Name
            Enabled                 = $Profile.Enabled
            DefaultInboundAction    = $Profile.Connections.Inbound
            DefaultOutboundAction   = $Profile.Connections.Outbound
            LogAllowed              = $Profile.Logging.LogSuccessfullConnections
            LogBlocked              = $Profile.Logging.LogDroppedPackets
            LogFileName             = $Profile.Logging.Name
            LogMaxSizeKilobytes     = $Profile.Logging.SizeLimit
            AllowLocalFirewallRules = $Profile.Settings.ApplyLocalFirewallRules
            AllowLocalIPsecRules    = $Profile.Settings.ApplyLocalConnectionSecurityRules
            NotifyOnListen          = $Profile.Settings.DisplayNotification
            GPOSession              = $GPOSession
            PolicyStore             = $NewGPO.DisplayName
            Confirm                 = $False
        }
        Set-NetFirewallProfile @SetNetFirewallProfileSplat
    }

    $SaveNetGPOSplat = @{
        GPOSession = $GPOSession
    }
    Save-NetGPO @SaveNetGPOSplat

    $NewGPLinkSplat = @{
        Name   = $NewGPO.DisplayName
#        Should probably be configurable through yml
        Target = 'OU=Servers,OU=Computer accounts,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
    }
    New-GPLink @NewGPLinkSplat
    $NewGPLinkSplat = @{
        Name   = $NewGPO.DisplayName
        Target = 'OU=Domain Controllers,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
    }
    New-GPLink @NewGPLinkSplat
}
Delete commit history (containing proprietary code) 2021-01-23 15:04:42 +00:00			`#Requires -Modules 'NetSecurity'`
			`Param(`
			`[Parameter(Mandatory)]`
			`[hashtable]$Parameter`
			`)`

Payloadscripts act on 'deployment.type' 2021-01-27 11:12:44 +00:00			`# Only executed on primary or standalone Domain Controller`
			`If (@('primary','standalone') -contains $Parameter['deployment.type']) {`
Delete commit history (containing proprietary code) 2021-01-23 15:04:42 +00:00			`$GetContentSplat = @{`
			`Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.yml')`
			`Raw = $true`
			`}`
			`$RawContent = Get-Content @GetContentSplat`
			`$ConvertFromYamlSplat = @{`
			`Yaml = $RawContent`
			`AllDocuments = $True`
			`}`
			`$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat`

			`# Check if the respective .yml file declared substitutions which need to be parsed`
			`If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {`
			`ForEach ($Pattern in $YamlDocuments[-1].Variables) {`
			`$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)`
			`}`
			`# Perform conversion to Yaml again, now with parsed file contents`
			`$ConvertFromYamlSplat = @{`
			`Yaml = $RawContent`
			`AllDocuments = $True`
			`}`
			`$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat`
			`$Settings = $YamlDocuments[0..($YamlDocuments.Count - 2)]`
			`}`
			`Else {`
			`$Settings = $YamlDocuments`
			`}`

			`$NewGPOSplat = @{`
			`Name = 'COMP: Firewall (Servers)'`
			`}`
			`$NewGPO = New-GPO @NewGPOSplat`

			`$OpenNetGPOSplat = @{`
			`PolicyStore = "$($Parameter['addsconfig.domainname'])\$($NewGPO.DisplayName)"`
			`}`
			`$GPOSession = Open-NetGPO @OpenNetGPOSplat`

			`ForEach ($Rule in $Settings.FirewallRules) {`
			`$NewNetFirewallRuleSplat = @{`
			`# Using so-called string formatting with the '-f' operator (looks more complicated than it is) to create consistent policy names:`
			`# Examples:`
			`# 'DENY: Inbound port 443 (TCP)'`
			`# 'ALLOW: Inbound 'D:\MSSQL\bin\sqlservr.exe'`
			`DisplayName = ("{0}: {1} {2} {3} {4}" -f`
			`$Rule.Action.ToUpper(),`
			`$Rule.Direction,`
			`("'$($Rule.Program)'", $NULL)[!($Rule.Program)],`
			`("Port $($Rule.Port)", $NULL)[!($Rule.Port)],`
			`("($($Rule.Protocol))", $NULL)[!($Rule.Protocol)]`
			`) -replace '\s+',' '`
			`Description = $Rule.Description`
			`Action = $Rule.Action`
			`Direction = $Rule.Direction`
			`Program = ($Rule.Program, 'Any')[!($Rule.Program)]`
			`LocalPort = ($Rule.Port.Split(','), 'Any')[!($Rule.Port)]`
			`Protocol = ($Rule.Protocol, 'Any')[!($Rule.Protocol)]`
			`GPOSession = $GPOSession`
			`PolicyStore = $NewGPO.DisplayName`
			`Confirm = $False`
			`}`
			`New-NetFirewallRule @NewNetFirewallRuleSplat`
			`}`

			`ForEach ($Profile in $Settings.FirewallProfiles) {`
			`$SetNetFirewallProfileSplat = @{`
			`Name = $Profile.Name`
			`Enabled = $Profile.Enabled`
			`DefaultInboundAction = $Profile.Connections.Inbound`
			`DefaultOutboundAction = $Profile.Connections.Outbound`
			`LogAllowed = $Profile.Logging.LogSuccessfullConnections`
			`LogBlocked = $Profile.Logging.LogDroppedPackets`
			`LogFileName = $Profile.Logging.Name`
			`LogMaxSizeKilobytes = $Profile.Logging.SizeLimit`
			`AllowLocalFirewallRules = $Profile.Settings.ApplyLocalFirewallRules`
			`AllowLocalIPsecRules = $Profile.Settings.ApplyLocalConnectionSecurityRules`
			`NotifyOnListen = $Profile.Settings.DisplayNotification`
			`GPOSession = $GPOSession`
			`PolicyStore = $NewGPO.DisplayName`
			`Confirm = $False`
			`}`
			`Set-NetFirewallProfile @SetNetFirewallProfileSplat`
			`}`

			`$SaveNetGPOSplat = @{`
			`GPOSession = $GPOSession`
			`}`
			`Save-NetGPO @SaveNetGPOSplat`

			`$NewGPLinkSplat = @{`
			`Name = $NewGPO.DisplayName`
			`# Should probably be configurable through yml`
			`Target = 'OU=Servers,OU=Computer accounts,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')`
			`}`
			`New-GPLink @NewGPLinkSplat`
			`$NewGPLinkSplat = @{`
			`Name = $NewGPO.DisplayName`
			`Target = 'OU=Domain Controllers,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')`
			`}`
			`New-GPLink @NewGPLinkSplat`
			`}`