<#
.SYNOPSIS
    Vagrant base-image build step: logs to $imageLog, fetches the CDAF Windows
    tooling, opens RDP/WinRM, creates the 'vagrant' account, then schedules a
    shutdown (or Windows Updates followed by a reboot).
.PARAMETER emailTo
    Recipient for progress / failure mail. Mail is skipped when $smtpServer is empty.
.PARAMETER smtpServer
    SMTP relay handed to Send-MailMessage. Empty disables all mail.
.PARAMETER skipUpdates
    Empty defaults to 'yes' (shutdown without updates). Any other value runs
    applyWindowsUpdates.ps1 from the downloaded archive and schedules a reboot.
#>
param (
    [string]$emailTo,
    [string]$smtpServer,
    [string]$skipUpdates
)

$scriptName = 'AtlasBase.ps1'
$imageLog   = 'c:\VagrantBox.txt'

# Force $LASTEXITCODE to 0 so the exit-code check inside executeExpression
# starts from a known value rather than whatever an earlier native command left.
cmd /c "exit 0"
# Emit one tagged line to the console and append the identical line to the
# image log file ($imageLog). The "[AtlasBase.ps1]" prefix lets output from
# several provisioning scripts sharing the log be attributed.
function writeLog ($message) {
    $line = "[$scriptName] $message"
    Write-Host $line
    Add-Content -Path $imageLog -Value $line
}
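# Log an expression string, evaluate it with Invoke-Expression, and abort the
# whole script on any sign of failure. Kept as a local copy rather than
# dot-sourced so the script stays self-contained. The expression's output is
# passed through unchanged, so callers may capture it ($obj = executeExpression "...").
#
# Only script-built strings may be passed: Invoke-Expression evaluates the
# argument as code, so interpolating external input here would be an injection.
#
# Failure paths. Each one now goes through emailAndExit (previously a bare
# `exit`, which left that function unused and failures unreported by mail):
#   exit 1  - $? was false after the expression
#   exit 2  - a terminating exception was thrown
#   exit 3  - a non-terminating error was recorded in $error
#   exit N  - a native command left a non-zero $LASTEXITCODE of N
function executeExpression ($expression) {
    $error.clear()
    writeLog "[$(Get-date)] $expression"
    try {
        Invoke-Expression $expression
        # Capture $? at once; any later command in this block would overwrite it.
        $succeeded = $?
        if (-not $succeeded) { writeLog "`$? = $succeeded"; emailAndExit 1 }
    } catch {
        # Put the failure in the log file too, not only on stdout.
        writeLog "Exception : $($_.Exception.Message)"
        Write-Output $_.Exception | Format-List -Force
        emailAndExit 2
    }
    if ( $error[0] ) { writeLog "`$error[0] = $($error[0])"; emailAndExit 3 }
    if (( $LASTEXITCODE ) -and ( $LASTEXITCODE -ne 0 )) { writeLog "`$LASTEXITCODE = $LASTEXITCODE"; emailAndExit $LASTEXITCODE }
}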
# Send a failure notification (only when an SMTP relay was supplied) and stop
# the script with the given exit code. Recipient and relay come from the
# script parameters. NOTE(review): no -Credential or -UseSsl is passed, so
# this is plain unauthenticated SMTP to the relay; confirm that is acceptable
# on the build network.
function emailAndExit ($exitCode) {
    if ($smtpServer) {
        $mail = @{
            To         = "$emailTo"
            From       = 'no-reply@cdaf.info'
            Subject    = "[$scriptName] ERROR $exitCode"
            SmtpServer = "$smtpServer"
        }
        Send-MailMessage @mail
    }
    exit $exitCode
}
# Informational progress mail; a no-op unless an SMTP relay was supplied.
# Uses the same fixed sender and the same relay as emailAndExit.
function emailProgress ($subject) {
    if (-not $smtpServer) { return }
    $mail = @{
        To         = "$emailTo"
        From       = 'no-reply@cdaf.info'
        Subject    = "[$scriptName] $subject"
        SmtpServer = "$smtpServer"
    }
    Send-MailMessage @mail
}
# Announce the run and record the effective parameters in the image log.
emailProgress "starting, logging to $imageLog"
writeLog "---------- start ----------"

if (-not $emailTo) {
    writeLog "emailTo : (not specified, email will not be attempted)"
} else {
    writeLog "emailTo : $emailTo"
}
if (-not $smtpServer) {
    writeLog "smtpServer : (not specified, email will not be attempted)"
} else {
    writeLog "smtpServer : $smtpServer"
}
# An empty skipUpdates means "do not apply Windows Updates" (checked at the end).
if (-not $skipUpdates) {
    $skipUpdates = 'yes'
    writeLog "skipUpdates : $skipUpdates (default)"
} else {
    writeLog "skipUpdates : $skipUpdates"
}
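# Restrict outbound TLS to 1.2 for the WebClient downloads below. The previous
# value also enabled TLS 1.1, contradicting the logged intent of "1.2 or higher".
# Logged through writeLog (was Write-Host) so the step appears in the file log too.
writeLog "Set TLS to version 1.2 or higher"
executeExpression "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls12'"

# Fetch the CDAF Windows tooling into a clean C:\windows-master.
executeExpression "cd C:\"
if ( Test-Path windows-master ) {
    executeExpression "Remove-Item -Force -Recurse windows-master"
}
executeExpression "mkdir windows-master"
executeExpression "cd windows-master"

$zipFile = "WU-CDAF.zip"
# TODO(review): the archive is fetched over plain HTTP and scripts inside it are
# executed later (applyWindowsUpdates.ps1). Switch to https if the host serves
# it, or check the download against a known digest before extracting.
$url = "http://cdaf.io/static/app/downloads/$zipFile"
executeExpression "(New-Object System.Net.WebClient).DownloadFile('$url', '$PWD\$zipFile')"
executeExpression "Add-Type -AssemblyName System.IO.Compression.FileSystem"
executeExpression "[System.IO.Compression.ZipFile]::ExtractToDirectory('$PWD\$zipFile', '$PWD')"
# Remove the archive by the same variable used to download it (was a hard-coded name).
executeExpression "rm .\$zipFile"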
# Remote-access configuration for the base box. Every step is logged and run
# through executeExpression, so the first failure aborts the build.
writeLog "Enable Remote Desktop and Open firewall"
$obj = executeExpression "Get-WmiObject -Class `"Win32_TerminalServiceSetting`" -Namespace root\cimv2\terminalservices"
executeExpression "`$obj.SetAllowTsConnections(1,1)"
executeExpression "Set-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP -Enabled True"

# The remaining steps are (log line, expression) pairs applied in order.
# NOTE(review): UAC off, WinRM reachable from any remote address, Unrestricted
# execution policy and CredSSP are build-time conveniences for a Vagrant box;
# these are the settings to revisit if the image is ever used outside a lab.
$remoteAccessSteps = @(
    @{ log = "Disable User Account Controls (UAC)";
       cmd = "reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f /reg:64" },
    @{ log = "Ensure all adapters set to private (ignore failure if on DC)";
       cmd = "Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private" },
    @{ log = "configure the computer to receive remote commands";
       cmd = "Enable-PSRemoting -Force" },
    @{ log = "Open Firewall for WinRM";
       cmd = "Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any" },
    @{ log = "Allow arbitrary script execution";
       cmd = "Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force" },
    @{ log = "Allow `"hop`"";
       cmd = "Enable-WSManCredSSP -Role Server -Force" }
)
foreach ($step in $remoteAccessSteps) {
    writeLog $step.log
    executeExpression $step.cmd
}
# WinRM settings Vagrant relies on: a long operation timeout plus unencrypted,
# Basic-auth remote PowerShell. NOTE(review): with AllowUnencrypted and Basic
# enabled, credentials cross the wire in the clear; presumably the box is only
# reached over the provider's private network — confirm before wider use.
writeLog "Settings to support Vagrant integration, Unencypted Remote PowerShell"
$winrmConfig = @(
    "winrm set winrm/config `'@{MaxTimeoutms=`"1800000`"}`'",
    "winrm set winrm/config/service `'@{AllowUnencrypted=`"true`"}`'",
    "winrm set winrm/config/service/auth `'@{Basic=`"true`"}`'",
    "winrm set winrm/config/client/auth `'@{Basic=`"true`"}`'"
)
foreach ($setting in $winrmConfig) { executeExpression $setting }

# Shell quotas; per the original note, 2016 already ships with these raised.
writeLog "Set to maximum (only applies to Server 2012, already set in 2016)"
$winrsLimits = @(
    "winrm set winrm/config/winrs `'@{MaxConcurrentUsers=`"100`"}`'",
    "winrm set winrm/config/winrs `'@{MaxProcessesPerShell=`"2147483647`"}`'",
    "winrm set winrm/config/winrs `'@{MaxMemoryPerShellMB=`"2147483647`"}`'",
    "winrm set winrm/config/winrs `'@{MaxShellsPerUser=`"2147483647`"}`'"
)
foreach ($setting in $winrsLimits) { executeExpression $setting }

# Informational only: not routed through executeExpression, so not in the file log.
writeLog "List settings for information"
Get-childItem WSMan:\localhost\Shell
# Relax the local password policy so the fixed 'vagrant' credentials below are
# accepted: export the policy, flip PasswordComplexity to 0, re-import, clean up.
writeLog "Disable password policy"
$secpolSteps = @(
    "secedit /export /cfg c:\secpol.cfg",
    "(gc C:\secpol.cfg).replace(`"PasswordComplexity = 1`", `"PasswordComplexity = 0`") | Out-File C:\secpol.cfg",
    "secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY",
    "rm -force c:\secpol.cfg -confirm:`$false"
)
foreach ($step in $secpolSteps) { executeExpression $step }

# Well-known Vagrant box credential (Administrator / vagrant). UserFlags bit
# 0x10000 is the ADSI "password never expires" flag.
writeLog "Set default Administrator password to `'vagrant`'"
$admin = executeExpression "[adsi]`'WinNT://./Administrator,user`'"
executeExpression "`$admin.SetPassword(`'vagrant`')"
executeExpression "`$admin.UserFlags.value = `$admin.UserFlags.value -bor 0x10000" # Password never expires
executeExpression "`$admin.CommitChanges()"
# Create the local 'vagrant' administrator (password 'vagrant', never expires)
# unless the account already exists — the standard Vagrant box login.
writeLog "Create the Vagrant user (with password vagrant) in the local administrators group, only if not existing"
if (-not ([adsi]"WinNT://./vagrant,user").path) {
    $ADSIComp = executeExpression "[ADSI]`"WinNT://$Env:COMPUTERNAME,Computer`""
    $LocalUser = executeExpression "`$ADSIComp.Create(`'User`', `'vagrant`')"
    # SetInfo() is issued after the password and again after FullName,
    # preserving the original ordering of the ADSI calls.
    $userSteps = @(
        "`$LocalUser.SetPassword(`'vagrant`')",
        "`$LocalUser.SetInfo()",
        "`$LocalUser.FullName = `'Vagrant Administrator`'",
        "`$LocalUser.SetInfo()",
        "`$LocalUser.UserFlags.value = `$LocalUser.UserFlags.value -bor 0x10000",
        "`$LocalUser.CommitChanges()"
    )
    foreach ($step in $userSteps) { executeExpression $step }
    # Add the new account to the local Administrators group.
    $de = executeExpression "[ADSI]`"WinNT://$env:computername/Administrators,group`""
    executeExpression "`$de.psbase.Invoke(`'Add`',([ADSI]`"WinNT://$env:computername/vagrant`").path)"
} else {
    writeLog "Vagrant user exists, no action required."
}
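# Stage the next build step BEFORE any shutdown is scheduled. Previously the
# AtlasImage.ps1 download ran after 'shutdown /s /t 60' (or after the update
# step and 'shutdown /r /t 60'), racing the 60-second timer; it would also be
# skipped entirely if the update step were to reboot on its own.
# TODO(review): the script is fetched from the moving 'master' ref, so the
# next stage's content can change between builds; a pinned tag/commit is safer.
executeExpression "cd c:\windows-master"
executeExpression "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/cdaf/windows/master/AtlasImage.ps1', '$PWD\AtlasImage.ps1')"

if ( $skipUpdates -eq 'yes' ) {
    emailProgress "Base image complete (no updates applied), shutdown ..."
    executeExpression "shutdown /s /t 60"
} else {
    writeLog "Apply Windows Updates"
    # The 'no' argument is passed through to applyWindowsUpdates.ps1 from the
    # downloaded archive; its meaning is not visible in this script.
    executeExpression "./automation/provisioning/applyWindowsUpdates.ps1 no"
    emailProgress "Windows Updates applied, reboot ..."
    executeExpression "shutdown /r /t 60"
}

writeLog "---------- stop ----------"
exit 0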