djpbessems/Packer.Images
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: djpbessems:a0956209deaa6bbd797aca7bd92e9a98682c9820
Branches Tags
djpbessems:master djpbessems:Appliance.AirgappedK8s-1.27.x djpbessems:Appliance.AirgappedK8s-1.26.x djpbessems:Appliance.AirgappedK8s-1.25.x djpbessems:Test_SemRel djpbessems:UbuntuServer22.04 djpbessems:UbuntuServer20.04 djpbessems:Windows10 djpbessems:Server2019 djpbessems:ADDS
djpbessems:K8s_1.25.9-v1.0.0 djpbessems:v1.0.0
...
compare: djpbessems:ADDS
Branches Tags
djpbessems:Appliance.AirgappedK8s-1.27.x djpbessems:Appliance.AirgappedK8s-1.26.x djpbessems:Appliance.AirgappedK8s-1.25.x djpbessems:Test_SemRel djpbessems:UbuntuServer22.04 djpbessems:UbuntuServer20.04 djpbessems:Windows10 djpbessems:master djpbessems:Server2019 djpbessems:ADDS
djpbessems:K8s_1.25.9-v1.0.0 djpbessems:v1.0.0

15 Commits
a0956209de ... ADDS

Author SHA1 Message Date
djpbessems
a57c64a04a Fix plugin version constraint
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-06-04 22:39:07 +02:00
djpbessems
d3802bba75 Remove redundant feedback 2021-06-04 22:35:56 +02:00
djpbessems
ae98042e4e Housekeeping;Add debugging information
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-06-04 22:31:53 +02:00
djpbessems
f36f452a59 Remove redundant variable;Fix path
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-06-04 22:17:55 +02:00
djpbessems
b0615f11d1 Migrate to HCL;Add packer init step;Add variable definitions
Some checks failed
continuous-integration/drone/push Build is failing
Details
2021-06-04 22:16:06 +02:00
djpbessems
483013270d Allow multiple OU's for Delegation of Control
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-05-03 14:18:58 +02:00
djpbessems
aa2c05df3f Fix yamllint errors #2
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-04-09 11:25:36 +02:00
djpbessems
280d3e2258 Fix yamllint errors;change yamllint config
Some checks failed
continuous-integration/drone/push Build is failing
Details
2021-04-09 11:24:46 +02:00
djpbessems
632caa89ef Switch yamllint configuration to 'relaxed'
Some checks failed
continuous-integration/drone/push Build is failing
Details
2021-04-09 11:03:40 +02:00
djpbessems
c04081bac1 Add image pull policy
Some checks failed
continuous-integration/drone/push Build is failing
Details
2021-04-09 10:59:46 +02:00
djpbessems
ae1a263129 Add yaml linting step
Some checks failed
continuous-integration/drone/push Build is failing
Details
2021-04-09 10:56:48 +02:00
djpbessems
f8a8cb80c8 Separate firewall configuration between linked OUs
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-04-08 17:13:24 +02:00
djpbessems
ed69de5d27 Add errorhandling;Fix OU
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-03-27 08:56:26 +01:00
djpbessems
9dfb51db18 Update hypervisor FQDN
All checks were successful
continuous-integration/drone/push Build is passing
Details
2021-03-24 15:25:16 +01:00
djpbessems
b02dcfa717 Fix switch regex match;Add GPO link debugging 2021-03-24 11:19:27 +01:00
22 changed files with 502 additions and 281 deletions
Expand all files Collapse all files

23
.drone.yml
View File

@ -3,24 +3,35 @@ type: kubernetes
name: 'Packer Build' name: 'Packer Build'
steps: steps:
- name: Active Directory Domain Services - name: Debugging information
image: bv11-cr01.bessems.eu/library/packer-extended image: bv11-cr01.bessems.eu/library/packer-extended
commands: commands:
- yamllint --version
- packer --version
- pwsh --version
- ovftool --version
- name: Active Directory Domain Services
image: bv11-cr01.bessems.eu/library/packer-extended
pull: always
commands:
- |
yamllint -d "{extends: relaxed, rules: {line-length: disable}}" scripts
- |
packer init -upgrade \
./packer
- | - |
packer validate \ packer validate \
-var-file=packer/variables.vsphere.json \
-var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \ -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var winrm_password=$${WINRM_PASSWORD} \ -var winrm_password=$${WINRM_PASSWORD} \
packer/adds.json ./packer
- | - |
packer build \ packer build \
-on-error=cleanup \ -on-error=cleanup -timestamp-ui \
-var-file=packer/variables.vsphere.json \
-var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \ -var vm_name=$DRONE_BUILD_NUMBER-${DRONE_COMMIT_SHA:0:10} \
-var vsphere_password=$${VSPHERE_PASSWORD} \ -var vsphere_password=$${VSPHERE_PASSWORD} \
-var winrm_password=$${WINRM_PASSWORD} \ -var winrm_password=$${WINRM_PASSWORD} \
packer/adds.json ./packer
environment: environment:
VSPHERE_PASSWORD: VSPHERE_PASSWORD:
from_secret: vsphere_password from_secret: vsphere_password

91
packer/adds.json
View File

@ -1,91 +0,0 @@
{
"builders": [
{
"type": "vsphere-clone",
"name": "adds",
"vcenter_server": "{{user `vcenter_server`}}",
"username": "{{user `vsphere_username`}}",
"password": "{{user `vsphere_password`}}",
"insecure_connection": "true",
"vm_name": "adds-{{user `vm_name`}}",
"datastore": "{{user `vsphere_datastore`}}",
"folder": "{{user `vsphere_folder`}}",
"datacenter": "{{user `vsphere_datacenter`}}",
"host": "{{user `vsphere_host`}}",
"boot_order": "disk,cdrom",
"communicator": "winrm",
"winrm_username": "administrator",
"winrm_password": "{{user `winrm_password`}}",
"winrm_timeout": "10m",
"cpus": 2,
"RAM": 8192,
"template": "Windows-Server-2019-LTSC",
"floppy_files": [
"packer/preseed/ADDS/Sysprep_Unattend.xml"
],
"boot_command": "",
"boot_wait": "2m30s",
"shutdown_command": "C:\\Windows\\System32\\Sysprep\\sysprep.exe /generalize /oobe /unattend:A:\\Sysprep_Unattend.xml",
"shutdown_timeout": "1h",
"export": {
"images": false
}
}
],
"provisioners": [
{
"type": "powershell",
"inline": [
"New-Item -Path 'C:\\Payload\\Scripts' -ItemType 'Directory' -Force:$True -Confirm:$False"
]
},
{
"type": "file",
"source": "scripts/ADDS/payload/",
"destination": "C:\\Payload\\"
},
{
"type": "powershell",
"scripts": [
"scripts/ADDS/Install-Prerequisites.ps1",
"scripts/ADDS/Register-ScheduledTask.ps1"
]
}
],
"post-processors": [[
{
"type": "shell-local",
"inline": [
"pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
" -OVFFile './output-adds/adds-{{user `vm_name`}}.ovf' \\",
" -Parameter @{'appliance.name'='ADDS';'appliance.version'='{{user `vm_name`}}'}\"",
"pwsh -file scripts/Update-Manifest.ps1 \\",
" -ManifestFileName './output-adds/adds-{{user `vm_name`}}.mf'",
"ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
" './output-adds/adds-{{user `vm_name`}}.ovf' \\",
" /output/ADDS-appliance.ova"
]
}
],
[
{
"type": "shell-local",
"inline": [
"pwsh -file scripts/Remove-Resources.ps1 \\",
" -VMName 'adds-{{user `vm_name`}}' \\",
" -VSphereFQDN '{{user `vcenter_server`}}' \\",
" -VSphereUsername '{{user `vsphere_username`}}' \\",
" -VSpherePassword '{{user `vsphere_password`}}'"
]
}
]]
}

90
packer/adds.pkr.hcl Normal file
View File

@ -0,0 +1,90 @@
packer {
required_plugins {
windows-update = {
version = ">= 0.12.0"
source = "github.com/rgl/windows-update"
}
}
}
source "vsphere-clone" "adds" {
vcenter_server = var.vcenter_server
username = var.vsphere_username
password = var.vsphere_password
insecure_connection = "true"
vm_name = "adds-${var.vm_name}"
datacenter = var.vsphere_datacenter
host = var.vsphere_host
folder = var.vsphere_folder
datastore = var.vsphere_datastore
template = "Windows-Server-2019-LTSC"
boot_order = "disk,cdrom"
boot_command = [""]
boot_wait = "2m30s"
communicator = "winrm"
winrm_password = var.winrm_password
winrm_timeout = "10m"
winrm_username = "administrator"
RAM = 8192
CPUs = 2
floppy_files = [
"packer/preseed/ADDS/Sysprep_Unattend.xml"
]
shutdown_command = "C:\\Windows\\System32\\Sysprep\\sysprep.exe /generalize /oobe /unattend:A:\\Sysprep_Unattend.xml"
shutdown_timeout = "1h"
export {
images = false
}
}
build {
sources = ["source.vsphere-clone.adds"]
provisioner "powershell" {
inline = [
"New-Item -Path 'C:\\Payload\\Scripts' -ItemType 'Directory' -Force:$True -Confirm:$False"
]
}
provisioner "file" {
destination = "C:\\Payload\\"
source = "scripts/ADDS/payload/"
}
provisioner "powershell" {
scripts = [
"scripts/ADDS/Install-Prerequisites.ps1",
"scripts/ADDS/Register-ScheduledTask.ps1"
]
}
post-processor "shell-local" {
inline = [
"pwsh -command \"& scripts/Update-OvfConfiguration.ps1 \\",
" -OVFFile './output-adds/adds-${var.vm_name}.ovf' \\",
" -Parameter @{'appliance.name'='ADDS';'appliance.version'='${var.vm_name}'}\"",
"pwsh -file scripts/Update-Manifest.ps1 \\",
" -ManifestFileName './output-adds/adds-${var.vm_name}.mf'",
"ovftool --acceptAllEulas --allowExtraConfig --overwrite \\",
" './output-adds/adds-${var.vm_name}.ovf' \\",
" /output/ADDS-appliance.ova"
]
}
post-processor "shell-local" {
inline = [
"pwsh -file scripts/Remove-Resources.ps1 \\",
" -VMName 'adds-${var.vm_name}' \\",
" -VSphereFQDN '${var.vcenter_server}' \\",
" -VSphereUsername '${var.vsphere_username}' \\",
" -VSpherePassword '${var.vsphere_password}'"
]
}
}

14
packer/variables.pkr.hcl Normal file
View File

@ -0,0 +1,14 @@
variable "vcenter_server" {}
variable "vsphere_username" {}
variable "vsphere_password" {}
variable "vsphere_host" {}
variable "vsphere_datacenter" {}
variable "vsphere_templatefolder" {}
variable "vsphere_folder" {}
variable "vsphere_datastore" {}
variable "vsphere_network" {}
variable "vm_name" {}
variable "winrm_password" {}

11
packer/variables.vsphere.json
View File

@ -1,11 +0,0 @@
{
"vcenter_server": "bv11-vc01.bessems.lan",
"vsphere_username": "administrator@vsphere.local",
"vsphere_datacenter": "DeSchakel",
"vsphere_host": "bv11-esx.bessems.eu",
"vsphere_hostip": "192.168.11.200",
"vsphere_datastore": "Datastore02.SSD",
"vsphere_folder": "/Packer",
"vsphere_templatefolder": "/Templates",
"vsphere_network": "LAN"
}

8
packer/vsphere.auto.pkrvars.hcl Normal file
View File

@ -0,0 +1,8 @@
vcenter_server = "bv11-vc.bessems.lan"
vsphere_username = "administrator@vsphere.local"
vsphere_datacenter = "DeSchakel"
vsphere_host = "bv11-esx.bessems.lan"
vsphere_datastore = "Datastore01.SSD"
vsphere_folder = "/Packer"
vsphere_templatefolder = "/Templates"
vsphere_network = "LAN"

2
scripts/ADDS/payload/scripts/01.Organizational units.yml
View File

@ -7,6 +7,8 @@ OrganizationalUnits:
Description: '' Description: ''
- DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts - DistinguishedName: OU=Laptops,OU=Clients,OU=Computer accounts
Description: '' Description: ''
- DistinguishedName: OU=Kiosks,OU=Clients,OU=Computer accounts
Description: ''
- DistinguishedName: OU=Servers,OU=Computer accounts - DistinguishedName: OU=Servers,OU=Computer accounts
Description: '' Description: ''

1
scripts/ADDS/payload/scripts/03.Users.yml
View File

@ -11,7 +11,6 @@ Users:
- DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts - DistinguishedName: CN=zzLDAP,OU=Service accounts,OU=Privileged,OU=User accounts
Password: "{{ password.zzldap }}" Password: "{{ password.zzldap }}"
MemberOf: [] MemberOf: []
--- ---
Variables: Variables:
- Name: password.janedoe - Name: password.janedoe

79
scripts/ADDS/payload/scripts/04.Delegation of Control.ps1
View File

@ -65,52 +65,61 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$GUIDMap['null'] = [Guid]::Empty $GUIDMap['null'] = [Guid]::Empty
ForEach ($Entry in $Delegations.DelegationEntries) { ForEach ($Entry in $Delegations.DelegationEntries) {
$GetADObjectSplat = @{
Identity = $Entry.OrganizationalUnit + (($Parameter['addsconfig.domainname'] -split '\.' | ForEach-Object {',DC={0}' -f $_}) -join '')
}
$OU = Get-ADObject @GetADObjectSplat
$GetACLSPlat = @{
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
}
$ACL = Get-ACL @GetACLSPlat
$GetADObjectSplat = @{ $GetADObjectSplat = @{
Filter = "sAMAccountName -eq '$($Entry.Principal)'" Filter = "sAMAccountName -eq '$($Entry.Principal)'"
Properties = 'objectSID' Properties = 'objectSID'
} }
$Principal = Get-ADObject @GetADObjectSplat $Principal = Get-ADObject @GetADObjectSplat
ForEach ($Rule in $Entry.AccessRules) { ForEach ($OU in $Entry.OrganizationalUnit) {
If ($Rule.ObjectType -eq '') { $GetADObjectSplat = @{
$Rule.ObjectType = 'null' Identity = ($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))
ErrorAction = 'SilentlyContinue'
} }
If ($Rule.InheritedObjectType -eq '') { $OU = Get-ADObject @GetADObjectSplat
$Rule.InheritedObjectType = 'null' If ([boolean]$OU) {
$GetACLSPlat = @{
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
}
$ACL = Get-ACL @GetACLSPlat
}
Else {
# Respective OU was not found in Active Directory; skipping permission assignment
Continue
} }
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule( ForEach ($Rule in $Entry.AccessRules) {
# An IdentityReference object that identifies the trustee of the access rule. If ($Rule.ObjectType -eq '') {
[System.Security.Principal.IdentityReference]$Principal.objectSID, $Rule.ObjectType = 'null'
# A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. }
[System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights, If ($Rule.InheritedObjectType -eq '') {
# One of the AccessControlType enumeration values that specifies the access rule type. $Rule.InheritedObjectType = 'null'
[System.Security.AccessControl.AccessControlType]$Rule.AccessControlType, }
# The schema GUID of the object to which the access rule applies.
[Guid]$GUIDMap[$Rule.ObjectType], $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule. # An IdentityReference object that identifies the trustee of the access rule.
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance, [System.Security.Principal.IdentityReference]$Principal.objectSID,
# The schema GUID of the child object type that can inherit this access rule. # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
[Guid]$GUIDMap[$Rule.InheritedObjectType] [System.DirectoryServices.ActiveDirectoryRights]$Rule.ActiveDirectoryRights,
) # One of the AccessControlType enumeration values that specifies the access rule type.
$ACL.AddAccessRule($NewACE) [System.Security.AccessControl.AccessControlType]$Rule.AccessControlType,
} # The schema GUID of the object to which the access rule applies.
[Guid]$GUIDMap[$Rule.ObjectType],
# One of the ActiveDirectorySecurityInheritance enumeration values that specifies the inheritance type of the access rule.
[System.DirectoryServices.ActiveDirectorySecurityInheritance]$Rule.ActiveDirectorySecurityInheritance,
# The schema GUID of the child object type that can inherit this access rule.
[Guid]$GUIDMap[$Rule.InheritedObjectType]
)
$ACL.AddAccessRule($NewACE)
}
$SetAclSplat = @{ $SetAclSplat = @{
Path = "$($PSDrive.Name):\$($OU.DistinguishedName)" Path = "$($PSDrive.Name):\$($OU.DistinguishedName)"
AclObject = $ACL AclObject = $ACL
ErrorAction = 'Continue' ErrorAction = 'Continue'
}
Set-Acl @SetAclSplat
} }
Set-Acl @SetAclSplat
} }
If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) { If ([boolean]($PSDrive.Name -eq 'ADDS') -eq $True) {

9
scripts/ADDS/payload/scripts/04.Delegation of Control.yml
View File

@ -1,6 +1,8 @@
DelegationEntries: DelegationEntries:
- Principal: admJaneD - Principal: admJaneD # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically
OrganizationalUnit: CN=Computers # Entries will be concatenated with ',DC=<example>,DC=<org>' automatically OrganizationalUnit:
- CN=Computers
- OU=Kiosks,OU=Clients,OU=Computer accounts
AccessRules: AccessRules:
- ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule. - ActiveDirectoryRights: Self # A combination of one or more of the ActiveDirectoryRights enumeration values that specifies the rights of the access rule.
AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type. AccessControlType: Allow # One of the AccessControlType enumeration values that specifies the access rule type.
@ -48,7 +50,8 @@ DelegationEntries:
ObjectType: Computer ObjectType: Computer
InheritedObjectType: '' InheritedObjectType: ''
- Principal: admJaneD - Principal: admJaneD
OrganizationalUnit: OU=Clients,OU=Computer accounts OrganizationalUnit:
- OU=Clients,OU=Computer accounts
AccessRules: AccessRules:
- ActiveDirectoryRights: CreateChild, DeleteChild - ActiveDirectoryRights: CreateChild, DeleteChild
AccessControlType: Allow AccessControlType: Allow

5
scripts/ADDS/payload/scripts/05.Firewall.yml → scripts/ADDS/payload/scripts/05.Firewall.clients.yml
View File

@ -1,3 +1,6 @@
Name: 'COMP: Firewall (Clients)'
LinkedOUs:
- OU=Clients,OU=Computer accounts
FirewallRules: FirewallRules:
- Description: Rule A - Description: Rule A
Action: Block Action: Block
@ -59,4 +62,4 @@ FirewallProfiles:
# Variables: # Variables:
# - Name: foo # - Name: foo
# Expression: | # Expression: |
# Write-Host 'bar' # Write-Host 'bar'

65
scripts/ADDS/payload/scripts/05.Firewall.domaincontrollers.yml Normal file
View File

@ -0,0 +1,65 @@
Name: 'COMP: Firewall (DomainControllers)'
LinkedOUs:
- OU=Domain Controllers
FirewallRules:
- Description: Rule A
Action: Block
Direction: Inbound
Program: ''
Port: '21-22,25'
Protocol: TCP
- Description: Rule B
Action: Allow
Direction: Inbound
Program: D:\MSSQL\sqlsvr.exe
Port: ''
Protocol: ''
FirewallProfiles:
- Name: Domain
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\domainfw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
- Name: Private
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\privatefw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
- Name: Public
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\publicfw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
# ---
# Variables:
# - Name: foo
# Expression: |
# Write-Host 'bar'

213
scripts/ADDS/payload/scripts/05.Firewall.ps1
View File

@ -6,104 +6,135 @@ Param(
# Only executed on primary or standalone Domain Controller # Only executed on primary or standalone Domain Controller
If (@('primary','standalone') -contains $Parameter['deployment.type']) { If (@('primary','standalone') -contains $Parameter['deployment.type']) {
$GetContentSplat = @{ $GetItemSplat = @{
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.yml') Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.yml')
Raw = $true
} }
$RawContent = Get-Content @GetContentSplat ForEach ($File in (Get-Item @GetItemSplat)) {
$ConvertFromYamlSplat = @{ Try {
Yaml = $RawContent Write-Host "Loading/parsing file '$($File)' ..."
AllDocuments = $True $GetContentSplat = @{
} Path = $File
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat Raw = $True
}
# Check if the respective .yml file declared substitutions which need to be parsed $RawContent = Get-Content @GetContentSplat
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) { $ConvertFromYamlSplat = @{
ForEach ($Pattern in $YamlDocuments[-1].Variables) { Yaml = $RawContent
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression) AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
} }
# Perform conversion to Yaml again, now with parsed file contents Catch {
$ConvertFromYamlSplat = @{ $ParseErrors += "While processing '$($File)': $($_.Exception.Message)"
Yaml = $RawContent Continue
AllDocuments = $True
} }
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
$Settings = $YamlDocuments[0..($YamlDocuments.Count - 2)] # Check if the respective .yml file declared substitutions which need to be parsed
} If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
Else { Try {
$Settings = $YamlDocuments ForEach ($Pattern in $YamlDocuments[-1].Variables) {
} $RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
}
# Perform conversion to Yaml again, now with parsed file contents
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
}
Catch {
$ParseErrors += "While processing '$($File)' (after substitutions): $($_.Exception.Message)"
Continue
}
$NewGPOSplat = @{ $Settings = $YamlDocuments[0..($YamlDocuments.Count - 2)]
Name = 'COMP: Firewall (Servers)'
}
$NewGPO = New-GPO @NewGPOSplat
$OpenNetGPOSplat = @{
PolicyStore = "$($Parameter['addsconfig.domainname'])\$($NewGPO.DisplayName)"
}
$GPOSession = Open-NetGPO @OpenNetGPOSplat
ForEach ($Rule in $Settings.FirewallRules) {
$NewNetFirewallRuleSplat = @{
# Using so-called string formatting with the '-f' operator (looks more complicated than it is) to create consistent policy names:
# Examples:
# 'DENY: Inbound port 443 (TCP)'
# 'ALLOW: Inbound 'D:\MSSQL\bin\sqlservr.exe'
DisplayName = ("{0}: {1} {2} {3} {4}" -f
$Rule.Action.ToUpper(),
$Rule.Direction,
("'$($Rule.Program)'", $NULL)[!($Rule.Program)],
("Port $($Rule.Port)", $NULL)[!($Rule.Port)],
("($($Rule.Protocol))", $NULL)[!($Rule.Protocol)]
) -replace '\s+',' '
Description = $Rule.Description
Action = $Rule.Action
Direction = $Rule.Direction
Program = ($Rule.Program, 'Any')[!($Rule.Program)]
LocalPort = ($Rule.Port.Split(','), 'Any')[!($Rule.Port)]
Protocol = ($Rule.Protocol, 'Any')[!($Rule.Protocol)]
GPOSession = $GPOSession
PolicyStore = $NewGPO.DisplayName
Confirm = $False
} }
New-NetFirewallRule @NewNetFirewallRuleSplat Else {
} $Settings = $YamlDocuments
}
ForEach ($Profile in $Settings.FirewallProfiles) {
$SetNetFirewallProfileSplat = @{ $NewGPOSplat = @{
Name = $Profile.Name Name = $Settings.Name
Enabled = $Profile.Enabled }
DefaultInboundAction = $Profile.Connections.Inbound $NewGPO = New-GPO @NewGPOSplat
DefaultOutboundAction = $Profile.Connections.Outbound
LogAllowed = $Profile.Logging.LogSuccessfullConnections $OpenNetGPOSplat = @{
LogBlocked = $Profile.Logging.LogDroppedPackets PolicyStore = "$($Parameter['addsconfig.domainname'])\$($NewGPO.DisplayName)"
LogFileName = $Profile.Logging.Name }
LogMaxSizeKilobytes = $Profile.Logging.SizeLimit $GPOSession = Open-NetGPO @OpenNetGPOSplat
AllowLocalFirewallRules = $Profile.Settings.ApplyLocalFirewallRules
AllowLocalIPsecRules = $Profile.Settings.ApplyLocalConnectionSecurityRules ForEach ($Rule in $Settings.FirewallRules) {
NotifyOnListen = $Profile.Settings.DisplayNotification $NewNetFirewallRuleSplat = @{
GPOSession = $GPOSession # Using so-called string formatting with the '-f' operator (looks more complicated than it is) to create consistent policy names:
PolicyStore = $NewGPO.DisplayName # Examples:
Confirm = $False # 'DENY: Inbound port 443 (TCP)'
# 'ALLOW: Inbound 'D:\MSSQL\bin\sqlservr.exe'
DisplayName = ("{0}: {1} {2} {3} {4}" -f
$Rule.Action.ToUpper(),
$Rule.Direction,
("'$($Rule.Program)'", $NULL)[!($Rule.Program)],
("Port $($Rule.Port)", $NULL)[!($Rule.Port)],
("($($Rule.Protocol))", $NULL)[!($Rule.Protocol)]
) -replace '\s+',' '
Description = $Rule.Description
Action = $Rule.Action
Direction = $Rule.Direction
Program = ($Rule.Program, 'Any')[!($Rule.Program)]
LocalPort = ($Rule.Port.Split(','), 'Any')[!($Rule.Port)]
Protocol = ($Rule.Protocol, 'Any')[!($Rule.Protocol)]
GPOSession = $GPOSession
PolicyStore = $NewGPO.DisplayName
Confirm = $False
}
New-NetFirewallRule @NewNetFirewallRuleSplat
}
ForEach ($Profile in $Settings.FirewallProfiles) {
$SetNetFirewallProfileSplat = @{
Name = $Profile.Name
Enabled = $Profile.Enabled
DefaultInboundAction = $Profile.Connections.Inbound
DefaultOutboundAction = $Profile.Connections.Outbound
LogAllowed = $Profile.Logging.LogSuccessfullConnections
LogBlocked = $Profile.Logging.LogDroppedPackets
LogFileName = $Profile.Logging.Name
LogMaxSizeKilobytes = $Profile.Logging.SizeLimit
AllowLocalFirewallRules = $Profile.Settings.ApplyLocalFirewallRules
AllowLocalIPsecRules = $Profile.Settings.ApplyLocalConnectionSecurityRules
NotifyOnListen = $Profile.Settings.DisplayNotification
GPOSession = $GPOSession
PolicyStore = $NewGPO.DisplayName
Confirm = $False
}
Set-NetFirewallProfile @SetNetFirewallProfileSplat
}
$SaveNetGPOSplat = @{
GPOSession = $GPOSession
}
Save-NetGPO @SaveNetGPOSplat
ForEach ($OU in $Settings.LinkedOUs) {
If (Test-Path "AD:\$($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))") {
Try {
Write-Host "Linking policy '$($NewGPO.DisplayName)' to OU '$($OU)' ..."
$NewGPLinkSplat = @{
Name = $NewGPO.DisplayName
Target = $OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
}
New-GPLink @NewGPLinkSplat | Out-Null
}
Catch {
$ParseErrors += "Could not link GPO '$($NewGPO.DisplayName)' to OU '$($OU)'"
Continue
}
}
Else {
$ParseErrors += "Path not accessible (referred to by '$($NewGPO.DisplayName)'): 'AD:\$($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))'"
Continue
}
} }
Set-NetFirewallProfile @SetNetFirewallProfileSplat
} }
If ($ParseErrors) {
$SaveNetGPOSplat = @{ Throw "One or more errors occurred:`n$($ParseErrors -join "`n")"
GPOSession = $GPOSession
} }
Save-NetGPO @SaveNetGPOSplat
$NewGPLinkSplat = @{
Name = $NewGPO.DisplayName
# Should probably be configurable through yml
Target = 'OU=Servers,OU=Computer accounts,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
}
New-GPLink @NewGPLinkSplat
$NewGPLinkSplat = @{
Name = $NewGPO.DisplayName
Target = 'OU=Domain Controllers,DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=')
}
New-GPLink @NewGPLinkSplat
} }

65
scripts/ADDS/payload/scripts/05.Firewall.servers.yml Normal file
View File

@ -0,0 +1,65 @@
Name: 'COMP: Firewall (Servers)'
LinkedOUs:
- OU=Servers,OU=Computer accounts
FirewallRules:
- Description: Rule A
Action: Block
Direction: Inbound
Program: ''
Port: '21-22,25'
Protocol: TCP
- Description: Rule B
Action: Allow
Direction: Inbound
Program: D:\MSSQL\sqlsvr.exe
Port: ''
Protocol: ''
FirewallProfiles:
- Name: Domain
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\domainfw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
- Name: Private
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\privatefw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
- Name: Public
Enabled: 'True'
Connections:
Inbound: Block
Outbound: Allow
Settings:
DisplayNotification: 'False'
ApplyLocalFirewallRules: 'True'
ApplyLocalConnectionSecurityRules: 'True'
Logging:
Name: '%SYSTEMROOT%\System32\Logfiles\Firewall\publicfw.log'
SizeLimit: 16384
LogDroppedPackets: 'True'
LogSuccessfullConnections: 'False'
# ---
# Variables:
# - Name: foo
# Expression: |
# Write-Host 'bar'

2
scripts/ADDS/payload/scripts/09.DNS records.secondary.yml
View File

@ -24,4 +24,4 @@ Variables:
(Resolve-DnsName -Name $Parameter['addsconfig.domainname'] | Sort-Object)[0].IPAddress (Resolve-DnsName -Name $Parameter['addsconfig.domainname'] | Sort-Object)[0].IPAddress
- Name: secondarydc - Name: secondarydc
Expression: | Expression: |
(Resolve-DnsName -Name $Parameter['addsconfig.domainname'] | Sort-Object)[1].IPAddress (Resolve-DnsName -Name $Parameter['addsconfig.domainname'] | Sort-Object)[1].IPAddress

2
scripts/ADDS/payload/scripts/10.Group Policy WMI Filters.yml
View File

@ -6,4 +6,4 @@
# Variables: # Variables:
# - Name: foo # - Name: foo
# Expression: | # Expression: |
# Write-Host 'bar' # Write-Host 'bar'

2
scripts/ADDS/payload/scripts/11.GPO+GPP.LoopbackProcessing.yml
View File

@ -16,4 +16,4 @@ RegistryEntries:
- Key: HKLM\Software\Policies\Microsoft\Windows\System - Key: HKLM\Software\Policies\Microsoft\Windows\System
Type: Dword Type: Dword
ValueName: UserPolicyMode ValueName: UserPolicyMode
Value: 2 Value: 2

2
scripts/ADDS/payload/scripts/11.GPO+GPP.PDC Timeserver.yml
View File

@ -33,4 +33,4 @@ RegistryEntries:
Variables: Variables:
- Name: addsconfig.ntpserver - Name: addsconfig.ntpserver
Expression: | Expression: |
($Parameter['addsconfig.ntpserver'] -split ',' | ForEach-Object {'{0},0x1' -f $_}) -join ' ' ($Parameter['addsconfig.ntpserver'] -split ',' | ForEach-Object {'{0},0x1' -f $_}) -join ' '

4
scripts/ADDS/payload/scripts/11.GPO+GPP.Restrict Internet Communication.yml
View File

@ -1,7 +1,7 @@
Name: 'COMP: Restrict Internet Communication' Name: 'COMP: Restrict Internet Communication'
Type: Object Type: Object
LinkedOUs: LinkedOUs:
- OU=Servers - OU=Servers,OU=Computer accounts
WMIFilters: [] WMIFilters: []
RegistryEntries: RegistryEntries:
- Key: HKLM\Software\Policies\Microsoft\InternetManagement - Key: HKLM\Software\Policies\Microsoft\InternetManagement
@ -113,4 +113,4 @@ RegistryEntries:
- Key: HKLM\Software\Policies\Microsoft\WindowsMovieMaker - Key: HKLM\Software\Policies\Microsoft\WindowsMovieMaker
Type: DWord Type: DWord
ValueName: WebPublish ValueName: WebPublish
Value: 1 Value: 1

75
scripts/ADDS/payload/scripts/11.GPO+GPP.ps1
View File

@ -15,33 +15,47 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
} }
$PSSession = New-PSSession @NewPSSessionSplat $PSSession = New-PSSession @NewPSSessionSplat
$ParseErrors = @()
$GetItemSplat = @{ $GetItemSplat = @{
Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.*.yml') Path = "$($PSScriptRoot)\$($MyInvocation.MyCommand)".Replace('.ps1', '.*.yml')
} }
Get-Item @GetItemSplat | ForEach-Object { ForEach ($File in (Get-Item @GetItemSplat)) {
Write-Host "Loading/parsing file '$($_)' ..." Try {
$GetContentSplat = @{ Write-Host "Loading/parsing file '$($File)' ..."
Path = $_ $GetContentSplat = @{
Raw = $True Path = $File
} Raw = $True
$RawContent = Get-Content @GetContentSplat
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
# Check if the respective .yml file declared substitutions which need to be parsed
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
} }
# Perform conversion to Yaml again, now with parsed file contents $RawContent = Get-Content @GetContentSplat
$ConvertFromYamlSplat = @{ $ConvertFromYamlSplat = @{
Yaml = $RawContent Yaml = $RawContent
AllDocuments = $True AllDocuments = $True
} }
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat $YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
}
Catch {
$ParseErrors += "While processing '$($File)': $($_.Exception.Message)"
Continue
}
# Check if the respective .yml file declared substitutions which need to be parsed
If (($YamlDocuments.Count -gt 1) -and $YamlDocuments[-1].Variables) {
Try {
ForEach ($Pattern in $YamlDocuments[-1].Variables) {
$RawContent = $RawContent -replace "\{\{ ($($Pattern.Name)) \}\}", [string](Invoke-Expression -Command $Pattern.Expression)
}
# Perform conversion to Yaml again, now with parsed file contents
$ConvertFromYamlSplat = @{
Yaml = $RawContent
AllDocuments = $True
}
$YamlDocuments = ConvertFrom-Yaml @ConvertFromYamlSplat
}
Catch {
$ParseErrors += "While processing '$($File)' (after substitutions): $($_.Exception.Message)"
Continue
}
$GroupPolicies = $YamlDocuments[0..($YamlDocuments.Count - 2)] $GroupPolicies = $YamlDocuments[0..($YamlDocuments.Count - 2)]
} }
Else { Else {
@ -160,19 +174,28 @@ If (@('primary','standalone') -contains $Parameter['deployment.type']) {
} }
ForEach ($OU in $GroupPolicy.LinkedOUs) { ForEach ($OU in $GroupPolicy.LinkedOUs) {
If (Test-Path "AD:\$($OU + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC='))") { If (Test-Path "AD:\$($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))") {
Write-Host "Linking policy '$($NewGPO.DisplayName)' to OU '$($OU)' ..." Try {
$NewGPLinkSplat = @{ Write-Host "Linking policy '$($NewGPO.DisplayName)' to OU '$($OU)' ..."
Name = $NewGPO.DisplayName $NewGPLinkSplat = @{
Target = $OU + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC=') Name = $NewGPO.DisplayName
# ErrorAction = 'SilentlyContinue' Target = $OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext)
}
New-GPLink @NewGPLinkSplat | Out-Null
}
Catch {
$ParseErrors += "Could not link GPO '$($NewGPO.DisplayName)' to OU '$($OU)'"
Continue
} }
New-GPLink @NewGPLinkSplat | Out-Null
} }
Else { Else {
Throw "Path not accessible: 'AD:\$($OU + ',DC=' + $Parameter['addsconfig.domainname'].Replace('.', ',DC='))'" $ParseErrors += "Path not accessible (referred to by '$($NewGPO.DisplayName)'): 'AD:\$($OU + (',{0}' -f (Get-ADRootDSE).rootDomainNamingContext))'"
Continue
} }
} }
} }
} }
If ($ParseErrors) {
Throw "One or more errors occurred:`n$($ParseErrors -join "`n")"
}
} }

2
scripts/ADDS/payload/scripts/13.Default Domain Password Policy.yml
View File

@ -11,4 +11,4 @@ Password:
Length: Length:
Minimum: 10 Minimum: 10
History: 0 History: 0
ReversibleEncryption: False ReversibleEncryption: False

18
scripts/Update-OvfConfiguration.ps1
View File

@ -128,13 +128,13 @@ ForEach ($Category in $OVFConfig.PropertyCategories) {
$XMLPropertyAttrKey.Value = $Property.Key $XMLPropertyAttrKey.Value = $Property.Key
$XMLPropertyAttrType = $XML.CreateAttribute('type', $XML.DocumentElement.ovf) $XMLPropertyAttrType = $XML.CreateAttribute('type', $XML.DocumentElement.ovf)
Switch -regex ($Property.Type) { Switch -regex ($Property.Type) {
'boolean' { '^boolean' {
$XMLPropertyAttrType.Value = 'boolean' $XMLPropertyAttrType.Value = 'boolean'
} }
'int' { '^int' {
$XMLPropertyAttrType.Value = 'uint8' $XMLPropertyAttrType.Value = 'uint8'
$Qualifiers = @() $Qualifiers = @()
If ($Property.Type -match 'int\((\d*)\.\.(\d*)\)') { If ($Property.Type -match '^int\((\d*)\.\.(\d*)\)') {
If ($Matches[1]) { If ($Matches[1]) {
$Qualifiers += "MinValue($($Matches[1]))" $Qualifiers += "MinValue($($Matches[1]))"
} }
@ -146,20 +146,20 @@ ForEach ($Category in $OVFConfig.PropertyCategories) {
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers)
} }
} }
'ip' { '^ip' {
$XMLPropertyAttrType.Value = 'string' $XMLPropertyAttrType.Value = 'string'
$XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.vmw) $XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.vmw)
$XMLPropertyAttrQualifiers.Value = 'Ip' $XMLPropertyAttrQualifiers.Value = 'Ip'
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers)
} }
'password' { '^password' {
$XMLPropertyAttrType.Value = 'string' $XMLPropertyAttrType.Value = 'string'
$XMLPropertyAttrPassword = $XML.CreateAttribute('password', $XML.DocumentElement.ovf) $XMLPropertyAttrPassword = $XML.CreateAttribute('password', $XML.DocumentElement.ovf)
$XMLPropertyAttrPassword.Value = 'true' $XMLPropertyAttrPassword.Value = 'true'
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrPassword) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrPassword)
$Qualifiers = @() $Qualifiers = @()
If ($Property.Type -match 'password\((\d*)\.\.(\d*)\)') { If ($Property.Type -match '^password\((\d*)\.\.(\d*)\)') {
If ($Matches[1]) { If ($Matches[1]) {
$Qualifiers += "MinLen($($Matches[1]))" $Qualifiers += "MinLen($($Matches[1]))"
} }
@ -171,10 +171,10 @@ ForEach ($Category in $OVFConfig.PropertyCategories) {
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers)
} }
} }
'string' { '^string' {
$XMLPropertyAttrType.Value = 'string' $XMLPropertyAttrType.Value = 'string'
$Qualifiers = @() $Qualifiers = @()
If ($Property.Type -match 'string\((\d*)\.\.(\d*)\)') { If ($Property.Type -match '^string\((\d*)\.\.(\d*)\)') {
If ($Matches[1]) { If ($Matches[1]) {
$Qualifiers += "MinLen($($Matches[1]))" $Qualifiers += "MinLen($($Matches[1]))"
} }
@ -184,7 +184,7 @@ ForEach ($Category in $OVFConfig.PropertyCategories) {
$XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.ovf) $XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.ovf)
$XMLPropertyAttrQualifiers.Value = $Qualifiers -join ' ' $XMLPropertyAttrQualifiers.Value = $Qualifiers -join ' '
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers)
} ElseIf ($Property.Type -match 'string\[(.*)\]') { } ElseIf ($Property.Type -match '^string\[(.*)\]') {
$XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.ovf) $XMLPropertyAttrQualifiers = $XML.CreateAttribute('qualifiers', $XML.DocumentElement.ovf)
$XMLPropertyAttrQualifiers.Value = "ValueMap{$($Matches[1] -replace '","', '", "')}" $XMLPropertyAttrQualifiers.Value = "ValueMap{$($Matches[1] -replace '","', '", "')}"
[void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers) [void]$XMLProperty.Attributes.Append($XMLPropertyAttrQualifiers)