27 files changed, 251 insertions, 100 deletions
diff --git a/ansible/.env.proxmox.example b/ansible/.env.proxmox.example
index 7b9a1d6..b1e272b 100644
--- a/ansible/.env.proxmox.example
+++ b/ansible/.env.proxmox.example
@@ -28,26 +28,22 @@ export main_domain_name="contoso.com"
 export main_dc01_vmid="5000"
 export main_dc01_hostname="dc01"
-export main_dc01_ip_address="192.168.1.50"
+export main_dc01_ip_address="192.168.1.100"
 export main_linux_srv01_vmid="5001"
 export main_linux_srv01_hostname="srv01"
-export main_linux_srv01_ip_address="192.168.1.51"
+export main_linux_srv01_ip_address="192.168.1.101"
-export network_gateway="192.168.1.1"
+export main_adcs01_vmid="5002"
+export main_adcs01_hostname="adcs01"
+export main_adcs01_ip_address="192.168.1.102"
+
+export main_websql01_vmid="5003"
+export main_websql01_hostname="websql01"
+export main_websql01_ip_address="192.168.1.103"
-#export mssql01_hostname="mssql01"
-#export mssql02_hostname="mssql02"
-#export web01_hostname="web01"
-#export adcs01_hostname="adcs01"
-#export workstation01_hostname="workstation01"
-#export linux_srv01_hostname="srv01"
-#export kali_attackbox_hostname="kali-attackbox"
-#
-#export mssql01_ip_address="192.168.1.111"
-#export mssql02_ip_address="192.168.1.112"
-#export web01_ip_address="192.168.1.113"
-#export adcs01_ip_address="192.168.1.114"
-#export workstation01_ip_address="192.168.1.115"
-#export linux_srv01_ip_address="192.168.1.116"
-#export kali_attackbox_ip_address="192.168.1.120"
+export main_mssql02_vmid="5004"
+export main_mssql02_hostname="mssql02"
+export main_mssql02_ip_address="192.168.1.104"
+
+export network_gateway="192.168.1.1"
diff --git a/ansible/roles/dc01/tasks/main.yaml b/ansible/roles/dc01/tasks/main.yaml
index d9b0b40..472c191 100644
--- a/ansible/roles/dc01/tasks/main.yaml
+++ b/ansible/roles/dc01/tasks/main.yaml
@@ -29,6 +29,9 @@ - name: execute setup-gpo.ps1 as domain admin import_tasks: setup_gpo.yaml +- name: execute setup-defender-gpo.ps1 as domain admin + import_tasks: setup_defender_gpo.yaml + - name: reboot after gpo setup import_tasks: reboot.yaml diff --git a/ansible/roles/dc01/tasks/setup_defender_gpo.yaml b/ansible/roles/dc01/tasks/setup_defender_gpo.yaml new file mode 100644 index 0000000..56e7809 --- /dev/null +++ b/ansible/roles/dc01/tasks/setup_defender_gpo.yaml @@ -0,0 +1,7 @@ +- name: execute setup-defender-gpo.ps1 as domain admin + ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-defender-gpo.ps1 -DomainName "{{ main_domain_name }}" + become: yes + become_method: runas + become_user: "{{ main_domain_name }}\\Administrator" + vars: + ansible_become_password: "{{ default_win_password }}" diff --git a/ansible/roles/mssql02/tasks/cleanup.yaml b/ansible/roles/mssql02/tasks/cleanup.yaml new file mode 100644 index 0000000..0e59407 --- /dev/null +++ b/ansible/roles/mssql02/tasks/cleanup.yaml @@ -0,0 +1,3 @@ +- name: execute cleanup.ps1 + ansible.windows.win_powershell: + script: C:\scripts\cleanup.ps1 diff --git a/ansible/roles/mssql02/tasks/init.yaml b/ansible/roles/mssql02/tasks/init.yaml new file mode 100644 index 0000000..a75d6cc --- /dev/null +++ b/ansible/roles/mssql02/tasks/init.yaml @@ -0,0 +1,9 @@ +- name: execute init.ps1 + ansible.windows.win_powershell: + script: C:\scripts\init.ps1 + +- name: copy mssql installer + ansible.builtin.copy: + src: files/SQL2019-SSEI-Expr.exe + dest: C:\setup\SQL2019-SSEI-Expr.exe + diff --git a/ansible/roles/mssql02/tasks/install_software.yaml b/ansible/roles/mssql02/tasks/install_software.yaml new file mode 100644 index 0000000..a5018a8 --- /dev/null +++ b/ansible/roles/mssql02/tasks/install_software.yaml @@ -0,0 +1,3 @@ +- name: execute install-software.ps1 + ansible.windows.win_powershell: + script: C:\scripts\install-software.ps1 
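Review bot: The new setup_defender_gpo.yaml runs the script through `ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File ...`, while every other script task this commit adds (setup_mssql.yaml, setup_mssql_link.yaml) uses `ansible.windows.win_powershell` with `script:` and `parameters:`; `ansible.windows.win_powershell` with `script: C:\scripts\setup-defender-gpo.ps1` and `parameters: {DomainName: "{{ main_domain_name }}"}` keeps the dc01 role uniform and drops the hand-assembled command line. The become block can stay as it is. Because the catch in setup-defender-gpo.ps1 only writes a message, this task appears to report ok even when the GPO was not created; a comment on the task saying that failures surface in the transcript under C:\Logs rather than in the play would save the next reader a surprise.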
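Review bot: The `copy mssql installer` task in mssql02/tasks/init.yaml ships `files/SQL2019-SSEI-Expr.exe` with no integrity check, so a tampered or truncated file in the controller's `files/` directory is installed silently by setup-mssql.ps1 later in the role; `ansible.builtin.copy` accepts `checksum: <installer-sha1-placeholder>` (the module's checksum option takes a SHA1 hex digest; take the value from the vendor's download page) and refuses a mismatching binary. Any sibling role outside this diff that copies the same installer would benefit from the same line.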
diff --git a/ansible/roles/mssql02/tasks/join_domain.yaml b/ansible/roles/mssql02/tasks/join_domain.yaml new file mode 100644 index 0000000..6736ba2 --- /dev/null +++ b/ansible/roles/mssql02/tasks/join_domain.yaml @@ -0,0 +1,13 @@ +- name: join domain + ansible.windows.win_domain_membership: + dns_domain_name: "{{ main_domain_name }}" + domain_admin_user: "{{ main_domain_name }}\\Administrator" + domain_admin_password: "{{ default_win_password }}" + state: domain + register: domain_state + +- name: reboot + win_reboot: + reboot_timeout: 3600 + when: domain_state.reboot_required + diff --git a/ansible/roles/mssql02/tasks/main.yaml b/ansible/roles/mssql02/tasks/main.yaml new file mode 100644 index 0000000..64c2469 --- /dev/null +++ b/ansible/roles/mssql02/tasks/main.yaml @@ -0,0 +1,40 @@ +- name: wait for winrm to be available + ansible.builtin.wait_for: + host: "{{ ansible_host }}" + port: "{{ ansible_port }}" + timeout: 300 + delegate_to: localhost + +- name: execute init.ps1 + import_tasks: init.yaml + +- name: set hostname + import_tasks: set_hostname.yaml + +- name: reboot after hostname change + import_tasks: reboot.yaml + +- name: join domain and reboot + import_tasks: join_domain.yaml + +- name: execute setup-mssql.ps1 + import_tasks: setup_mssql.yaml + +- name: reboot after mssql setup + import_tasks: reboot.yaml + +- name: pause 5 minutes for mssql setup to complete + pause: + minutes: 5 + +- name: execute setup-mssql-link.ps1 + import_tasks: setup_mssql_link.yaml + +- name: reboot after mssql link setup + import_tasks: reboot.yaml + +- name: execute install-software.ps1 + import_tasks: install_software.yaml + +- name: execute cleanup.ps1 + import_tasks: cleanup.yaml diff --git a/ansible/roles/mssql02/tasks/reboot.yaml b/ansible/roles/mssql02/tasks/reboot.yaml new file mode 100644 index 0000000..a7266d0 --- /dev/null +++ b/ansible/roles/mssql02/tasks/reboot.yaml @@ -0,0 +1,3 @@ +- name: reboot + win_reboot: + reboot_timeout: 3600 
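Review bot: join_domain.yaml passes `domain_admin_password: "{{ default_win_password }}"` and registers the module result as `domain_state`; the module marks that parameter no_log as far as I know, but adding `no_log: true` to the task is cheap insurance against the credential appearing in verbose or debug output of this play. The same consideration applies to `ansible_become_password` in dc01's setup_defender_gpo.yaml earlier in this diff.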
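Review bot: The `pause: minutes: 5` task in mssql02/tasks/main.yaml is a fixed sleep standing in for a readiness check, so it wastes time on fast hosts and can still race on slow ones before setup_mssql_link.yaml runs SqlCmd; `ansible.windows.win_wait_for` with `port: 1433` (the port setup-mssql.ps1 configures in this commit) and a `timeout:` waits for the actual service instead. The first task reads `ansible_port`, which raises an undefined-variable error unless inventory sets it explicitly; `port: "{{ ansible_port | default(<winrm-port-placeholder>) }}"` is the usual guard if the lab relies on the connection default.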
diff --git a/ansible/roles/mssql02/tasks/set_hostname.yaml b/ansible/roles/mssql02/tasks/set_hostname.yaml new file mode 100644 index 0000000..7c53a16 --- /dev/null +++ b/ansible/roles/mssql02/tasks/set_hostname.yaml @@ -0,0 +1,2 @@ +- name: set hostname + win_shell: Rename-Computer -NewName "{{ main_websql01_hostname }}" -Force diff --git a/ansible/roles/mssql02/tasks/setup_mssql.yaml b/ansible/roles/mssql02/tasks/setup_mssql.yaml new file mode 100644 index 0000000..a219c82 --- /dev/null +++ b/ansible/roles/mssql02/tasks/setup_mssql.yaml @@ -0,0 +1,7 @@ +- name: execute setup-mssql.ps1 + ansible.windows.win_powershell: + script: C:\scripts\setup-mssql.ps1 + parameters: + DomainName: "{{ main_domain_name }}" + SvcUsername: svc_mssql02 + SvcPassword: "{{ default_win_svc_password }}" diff --git a/ansible/roles/mssql02/tasks/setup_mssql_link.yaml b/ansible/roles/mssql02/tasks/setup_mssql_link.yaml new file mode 100644 index 0000000..0e22754 --- /dev/null +++ b/ansible/roles/mssql02/tasks/setup_mssql_link.yaml @@ -0,0 +1,5 @@ +- name: execute setup-mssql-link.ps1 + ansible.windows.win_powershell: + script: C:\scripts\setup-mssql-link.ps1 + parameters: + LinkServer: websql01 diff --git a/ansible/roles/proxmox_vm/tasks/set_network.yaml b/ansible/roles/proxmox_vm/tasks/set_network.yaml index da809d5..5420fc2 100644 --- a/ansible/roles/proxmox_vm/tasks/set_network.yaml +++ b/ansible/roles/proxmox_vm/tasks/set_network.yaml @@ -1,6 +1,7 @@ - name: "{{ fqdn }} : (windows) set up static ip address on" win_shell: | - Start-Transcript -Path C:\set_domain_network_log.txt -Append + New-Item -Path C:\Logs -ItemType Directory -Force + Start-Transcript -Path C:\Logs\set_domain_network_log.txt -Append Get-NetIpAddress -InterfaceAlias 'Ethernet' | Remove-NetIPAddress -Confirm:$false New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress "{{ ip }}" -PrefixLength 24 -DefaultGateway "{{ gateway }}" Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses "{{ dns }}" 
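Review bot: The mssql02 role's set_hostname.yaml renames the machine to `{{ main_websql01_hostname }}`, but .env.proxmox.example in this same commit introduces `main_mssql02_hostname="mssql02"` for this VM and setup-mssql-link.ps1 logs "Linked $LinkServer to mssql02"; as written the box joins the domain under the websql01 name and collides with the real websql01 host. `win_shell: Rename-Computer -NewName "{{ main_mssql02_hostname }}" -Force` is the intended line. The task would also read more simply as the `ansible.windows.win_hostname` module with `name: "{{ main_mssql02_hostname }}"`, which reports `reboot_required` the same way the domain-join task already consumes.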
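Review bot: `LinkServer: websql01` in setup_mssql_link.yaml and `SvcUsername: svc_mssql02` in setup_mssql.yaml are literals duplicating values the commit exposes elsewhere (`main_websql01_hostname` in .env.proxmox.example, the `svc_mssql02` entry of populate-ad.ps1's `$svc_users` table); `LinkServer: "{{ main_websql01_hostname }}"` keeps the link target in step with whatever the websql01 role names its host. setup-mssql-link.ps1 (hunk further down) splices `$LinkServer` straight into a SqlCmd -Q string, so a comment on this task noting that the value must stay an inventory-controlled name, never something read from a host, would document the assumption.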
diff --git a/ansible/roles/websql01/tasks/setup_websql.yaml b/ansible/roles/websql01/tasks/setup_websql.yaml index ea527b6..d82831d 100644 --- a/ansible/roles/websql01/tasks/setup_websql.yaml +++ b/ansible/roles/websql01/tasks/setup_websql.yaml @@ -3,5 +3,5 @@ script: C:\scripts\setup-websql.ps1 parameters: DomainName: "{{ main_domain_name }}" - SvcUsername: svc_mssql02 + SvcUsername: svc_websql01 SvcPassword: "{{ default_win_svc_password }}" diff --git a/ansible/scripts/dc-wait-for-ready.ps1 b/ansible/scripts/dc-wait-for-ready.ps1 index afdf8ee..246f0a3 100644 --- a/ansible/scripts/dc-wait-for-ready.ps1 +++ b/ansible/scripts/dc-wait-for-ready.ps1 @@ -4,14 +4,14 @@ Start-Transcript -Path $logFile -Append while ($true) { try { - Write-Host "[INFO] Checking if domain is ready" + Write-Host "[inf] Checking if domain is ready" Get-ADDomain break } catch { - Write-Host "[INFO] Sleeping for 60s" + Write-Host "[inf] Sleeping for 60s" Start-Sleep -Seconds 60 } } -Write-Host "[INFO] Domain is ready" +Write-Host "[inf] Domain is ready" Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/init.ps1 b/ansible/scripts/init.ps1 index d6b9ff7..2a477de 100644 --- a/ansible/scripts/init.ps1 +++ b/ansible/scripts/init.ps1 @@ -2,7 +2,7 @@ New-Item -Path C:\Logs -ItemType Directory -Force New-Item -Path C:\BgInfo -ItemType Directory -Force New-Item -Path C:\setup -ItemType Directory -Force -Write-Host "[INFO] Disabling password complexity policy" +Write-Host "[inf] Disabling password complexity policy" secedit /export /cfg C:\secpol.cfg (Get-Content C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY diff --git a/ansible/scripts/populate-ad.ps1 b/ansible/scripts/populate-ad.ps1 index 0b57c77..3d8917a 100644 --- a/ansible/scripts/populate-ad.ps1 +++ b/ansible/scripts/populate-ad.ps1 @@ -65,7 +65,7 @@ Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance) Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object" } -Write-Host "[INFO] Setting weak NTLM compatibility level" +Write-Host "[inf] Setting weak NTLM compatibility level" Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force If (-Not (Get-ADOrganizationalUnit -SearchBase "$DomainNameDN" -Filter "Name -like '$DomainOU'")) { 
@@ -98,14 +98,14 @@ ForEach ($user in $users) { -PasswordNeverExpires $true $created_users += $user } catch { - Write-Host "[ERR] Failed to create user $user" + Write-Host "[err] Failed to create user $user" } } Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } -Write-Host "[INFO] Created users: $($created_users -Join ', ')" +Write-Host "[inf] Created users: $($created_users -Join ', ')" $created_computers = @() 1..20 | % { @@ -115,16 +115,17 @@ $created_computers = @() New-ADComputer -SamAccountName "$server$_" -Name "$server$_" -DNSHostName "$server$_.$DomainName" -Path "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" $created_computers += $server } catch { - Write-Host "[ERR] Failed to create server $server$_" + Write-Host "[err] Failed to create server $server$_" } } } -Write-Host "[INFO] Created computers: $($created_computers -Join ', ')" +Write-Host "[inf] Created computers: $($created_computers -Join ', ')" $svc_users = @{ "svc_mssql01" = @{"type" = "spn"; "value" = "MSSQLSVC"} "svc_mssql02" = @{"type" = "spn"; "value" = "MSSQLSVC"} + "svc_websql01" = @{"type" = "spn"; "value" = @("MSSQLSVC", "HTTP")} "svc_cifs01" = @{"type" = "spn"; "value" = "CIFS"} "svc_cifs02" = @{"type" = "spn"; "value" = "CIFS"} "svc_iis01" = @{"type" = "spn"; "value" = "HTTP"} 
@@ -161,12 +162,21 @@ ForEach ($user in $svc_users.keys) {
 -Enabled $true `
 -PasswordNeverExpires $true `
 -PassThru
- Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="$value/$comp"}
- Set-ADObject $u -Description "SPN on $value/$comp"
- $created_svc_users += "$user ($value/$comp)"
+ $spns = @()
+ if ($value -is [string]) {
+ $spns += "$value/$comp"
+ } else {
+ foreach ($v in $value) {
+ $spns += "$v/$comp"
+ }
+ }
+
+ Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add=$spns}
+ Set-ADObject $u -Description ("SPNs: " + ($spns -join ", "))
+ $created_svc_users += "$user ($($spns -join ', '))"
 } catch {
- Write-Host "[ERR] Failed to create $value/$comp for $user"
+ Write-Host "[err] Failed to create SPNs for $user"
 }
 }
 "group" {
@@ -183,13 +193,13 @@ ForEach ($user in $svc_users.keys) {
 $created_svc_users += "$user ($value)"
 } catch {
- Write-Host "[ERR] Failed to add $user to $value"
+ Write-Host "[err] Failed to add $user to $value"
 }
 }
 }
 }
-Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')"
+Write-Host "[inf] Created svc users: $($created_svc_users -Join ', ')"
 $dcsync_user = Get-RandomObject -User
 $acl = Get-Acl -Path "AD:$DomainNameDN"
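Review bot: The `if ($value -is [string])` branch on the new side duplicates what the `else` branch already does, because PowerShell's `foreach` iterates a scalar exactly once; `foreach ($v in @($value)) { $spns += "$v/$comp" }` replaces the whole if/else with one loop and handles both the string and the array entries of `$svc_users`. `$u`, `$comp` and `$value` are assigned outside the hunk, and the enclosing `ForEach ($user in $svc_users.keys)` starts and ends outside it. The new catch message drops the SPN values the old one printed; `Write-Host "[err] Failed to create SPNs $($spns -join ', ') for $user"` keeps them in the transcript, with the caveat that `$spns` is empty or stale when New-ADUser itself threw.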
@@ -210,19 +220,19 @@ $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRul Set-Acl -Path "AD:$adminsdholder" -AclObject $acl Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder" -Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for contoso.com" +Write-Host "[inf] Configuring anonymous LDAP binding via dsHeuristics for contoso.com" $rootDSE = Get-ADRootDSE $configNC = $rootDSE.ConfigurationNamingContext $directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" $directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics $currentHeuristics = $directoryService.dsHeuristics $newHeuristics = "0000002" -Write-Host "[INFO] Overwriting dsHeuristics with '0000002'" +Write-Host "[inf] Overwriting dsHeuristics with '0000002'" Set-ADObject -Identity $directoryServicePath ` -Replace @{"dsHeuristics" = $newHeuristics} ` -Description "Anonymous LDAP enabled for contoso.com" ` -ErrorAction Stop -Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'" +Write-Host "[inf] Successfully set dsHeuristics to '$newHeuristics'" Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50} @@ -301,7 +311,7 @@ Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDeleg Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)" -Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations" +Write-Host "[inf] Created vulnerable ACLs, delegation, and Kerberos configurations" @" Domain content diff --git a/ansible/scripts/setup-adcs.ps1 b/ansible/scripts/setup-adcs.ps1 index 134b9a9..408e7b0 100644 --- a/ansible/scripts/setup-adcs.ps1 +++ b/ansible/scripts/setup-adcs.ps1 
@@ -18,9 +18,9 @@ try { Install-WindowsFeature -Name ADCS-Web-Enrollment Install-WindowsFeature -Name RSAT - Write-Host "[INFO] Installed ADCS Windows Features" + Write-Host "[inf] Installed ADCS Windows Features" } catch { - Write-Host "[ERR] Failed to install ADCS Windows Features" + Write-Host "[err] Failed to install ADCS Windows Features" } try { @@ -35,16 +35,16 @@ try { -CACommonName $CACommonName ` -Force - Write-Host "[INFO] Installed ADCS Certification Authority" + Write-Host "[inf] Installed ADCS Certification Authority" } catch { - Write-Host "[ERR] Failed to install ADCS Certification Authority" + Write-Host "[err] Failed to install ADCS Certification Authority" } try { Install-AdcsWebEnrollment -Force - Write-Host "[INFO] Installed ADCS Web Enrollment" + Write-Host "[inf] Installed ADCS Web Enrollment" } catch { - Write-Host "[ERR] Failed to install ADCS Web Enrollment" + Write-Host "[err] Failed to install ADCS Web Enrollment" } Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/setup-child-domain.ps1 b/ansible/scripts/setup-child-domain.ps1 index ad23d45..77aead2 100644 --- a/ansible/scripts/setup-child-domain.ps1 +++ b/ansible/scripts/setup-child-domain.ps1 @@ -14,20 +14,20 @@ Start-Transcript -Path $logFile -Append $p = ConvertTo-SecureString $Password -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential("$ParentDomainName\$Username", $p) -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = $Password $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing AD-Domain-Services feature" +Write-Host "[inf] Installing AD-Domain-Services feature" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing New Child Domain in Existing Forest" + Write-Host "[inf] Installing New Child Domain in Existing Forest" Install-ADDSDomain ` -InstallDns ` -ParentDomainName $ParentDomainName ` @@ -41,9 +41,9 @@ try { -Credential $c ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Successfully added new child domain: $ChildDomainName" + Write-Host "[inf] Successfully added new child domain: $ChildDomainName" } catch { - Write-Host "[ERR] Failed to add new child domain: $ChildDomainName" + Write-Host "[err] Failed to add new child domain: $ChildDomainName" Write-Host $_.Exception.Message } diff --git a/ansible/scripts/setup-defender-gpo.ps1 b/ansible/scripts/setup-defender-gpo.ps1 new file mode 100644 index 0000000..688949a --- /dev/null +++ b/ansible/scripts/setup-defender-gpo.ps1 
@@ -0,0 +1,50 @@
+param (
+ [string]$DomainName = "contoso.com"
+)
+
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+Import-Module GroupPolicy -ErrorAction Stop
+
+$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])"
+$DomainUsers = Get-ADGroup "Domain Users" -ErrorAction Stop
+
+$GpoName = "DisableMicrosoftDefender"
+
+try {
+ $GPO = New-GPO -Name $GpoName -Comment "GPO to disable Microsoft Defender in test environment" -ErrorAction Stop
+ Write-Host "[INFO] Created GPO '$GpoName'"
+
+ Set-GPPermission -Name $GPO.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group -ErrorAction Stop
+ Write-Host "[INFO] Set GpoEditDeleteModifySecurity permissions for '$($DomainUsers.Name)' on GPO '$GpoName'"
+
+ $RegistrySettings = @(
+ @{
+ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
+ ValueName = "DisableAntiSpyware"
+ Value = 1
+ Type = "DWORD"
+ },
+ @{
+ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
+ ValueName = "DisableRealtimeMonitoring"
+ Value = 1
+ Type = "DWORD"
+ }
+ )
+
+ foreach ($Setting in $RegistrySettings) {
+ Set-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName -Type $Setting.Type -Value $Setting.Value -ErrorAction Stop
+ Write-Host "[INFO] Set registry value: $($Setting.Key)\$($Setting.ValueName) = $($Setting.Value)"
+ }
+
+ New-GPLink -Name $GPO.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes -ErrorAction Stop
+ Write-Host "[INFO] Created GP link for '$GpoName' on $DomainNameDN"
+}
+catch {
+ Write-Host "[ERR] Failed to configure GPO '$GpoName': $_"
+}
+
+Stop-Transcript
diff --git a/ansible/scripts/setup-gpo.ps1 b/ansible/scripts/setup-gpo.ps1
index 8d0bb5d..f837ffc 100644
--- a/ansible/scripts/setup-gpo.ps1
+++ b/ansible/scripts/setup-gpo.ps1
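Review bot: `$DomainNameDN` on the eleventh added line is built from only the first two labels of `$DomainName`, so a domain name with three or more labels produces a DN that does not exist and New-GPLink fails the whole try block; `$DomainNameDN = "DC=" + ($DomainName.Split(".") -join ",DC=")` handles any label count and is a drop-in replacement. The new file also keeps the `[INFO]`/`[ERR]` prefixes that every other script in this commit changes to `[inf]`/`[err]`. Since the catch only writes a message, the script appears to exit 0 and the dc01 task that invokes it reports success even when the GPO was never linked; `exit 1` after the Write-Host in the catch would make the play fail instead, if that is wanted. A header comment stating that disabling Defender and granting Domain Users GpoEditDeleteModifySecurity are deliberate lab misconfigurations, as the `-Comment` on New-GPO hints, would stop a later reader from "fixing" them.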
@@ -13,17 +13,17 @@ try { Set-GPPermission -Name $GPO1.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group Set-GPPermission -Name $GPO2.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group - Write-Host "[INFO] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" + Write-Host "[inf] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" } catch { - Write-Host "[ERR] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" + Write-Host "[err] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" } try { New-GPLink -Name $GPO1.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes New-GPLink -Name $GPO2.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes - Write-Host "[INFO] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" + Write-Host "[inf] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" } catch { - Write-Host "[ERR] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" + Write-Host "[err] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" } Stop-Transcript diff --git a/ansible/scripts/setup-iis.ps1 b/ansible/scripts/setup-iis.ps1 index 1bbe48d..1ebdd82 100644 --- a/ansible/scripts/setup-iis.ps1 +++ b/ansible/scripts/setup-iis.ps1 
@@ -19,9 +19,9 @@ try { New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow Restart-WebAppPool -Name "DefaultAppPool" - Write-Host "[INFO] Created first IIS WebSite, Firewall rule and AppPool" + Write-Host "[inf] Created first IIS WebSite, Firewall rule and AppPool" } catch { - Write-Host "[ERR] Failed to create first IIS WebSite, Firewall rule and AppPool" + Write-Host "[err] Failed to create first IIS WebSite, Firewall rule and AppPool" } try { @@ -30,9 +30,9 @@ try { $acl.SetAccessRule($svcIIS03Rule) Set-Acl -Path $wwwroot1 -AclObject $acl - Write-Host "[INFO] Set ACL for $wwwroot1" + Write-Host "[inf] Set ACL for $wwwroot1" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot1" + Write-Host "[err] Failed to set ACL for $wwwroot1" } @" @@ -107,9 +107,9 @@ try { Set-ItemProperty "IIS:\AppPools\DefaultAppPool2" -Name processModel -Value @{ identityType=2 } New-NetFirewallRule -DisplayName "HTTP (8080)" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow - Write-Host "[INFO] Created second IIS WebSite, Firewall rule and AppPool" + Write-Host "[inf] Created second IIS WebSite, Firewall rule and AppPool" } catch { - Write-Host "[ERR] Failed to create second IIS WebSite, Firewall rule and AppPool" + Write-Host "[err] Failed to create second IIS WebSite, Firewall rule and AppPool" } try { @@ -119,9 +119,9 @@ try { $acl.SetAccessRule($rule) Set-Acl -Path $wwwroot2 -AclObject $acl - Write-Host "[INFO] Set ACL for $wwwroot2" + Write-Host "[inf] Set ACL for $wwwroot2" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot2" + Write-Host "[err] Failed to set ACL for $wwwroot2" } Restart-WebAppPool -Name "DefaultAppPool2" diff --git a/ansible/scripts/setup-main-domain.ps1 b/ansible/scripts/setup-main-domain.ps1 index 75500ab..770e275 100644 --- a/ansible/scripts/setup-main-domain.ps1 +++ b/ansible/scripts/setup-main-domain.ps1 
@@ -10,20 +10,20 @@ Start-Transcript -Path $logFile -Append $NetBiosName = $DomainName.Split(".")[0].ToUpper() -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = "packer" $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing Ad-Domain-Services Windows feature + subfeatures" +Write-Host "[inf] Installing Ad-Domain-Services Windows feature + subfeatures" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing ADDSForest" + Write-Host "[inf] Installing ADDSForest" Install-ADDSForest ` -InstallDns ` -CreateDnsDelegation:$false ` @@ -37,9 +37,9 @@ try { -NoRebootOnCompletion ` -Force ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Created Active Directory domain for $DomainName" + Write-Host "[inf] Created Active Directory domain for $DomainName" } catch { - Write-Host "[ERR] Failed to create Active Directory domain for $DomainName" + Write-Host "[err] Failed to create Active Directory domain for $DomainName" Write-Host $_.Exception.Message } Stop-Transcript diff --git a/ansible/scripts/setup-mssql-link.ps1 b/ansible/scripts/setup-mssql-link.ps1 index 8f51058..db1e76c 100644 --- a/ansible/scripts/setup-mssql-link.ps1 +++ b/ansible/scripts/setup-mssql-link.ps1 
@@ -11,8 +11,8 @@ try { SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc', @optvalue=N'true'" SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc out', @optvalue=N'true'" SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'$LinkServer', @locallogin = NULL , @useself = N'True'" - Write-Host "[INFO] Linked $LinkServer to mssql02" + Write-Host "[inf] Linked $LinkServer to mssql02" } catch { - Write-Host "[ERR] Failed to link $LinkServer to mssql02" + Write-Host "[err] Failed to link $LinkServer to mssql02" } Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/setup-mssql.ps1 b/ansible/scripts/setup-mssql.ps1 index 032490f..0be1575 100644 --- a/ansible/scripts/setup-mssql.ps1 +++ b/ansible/scripts/setup-mssql.ps1 @@ -57,16 +57,16 @@ FTSVCACCOUNT="NT Service\MSSQLFDLauncher" try { Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET /HIDEPROGRESSBAR" -Wait - Write-Host "[INFO] Installed SQL Server Express" + Write-Host "[inf] Installed SQL Server Express" } catch { - Write-Host "[ERR] Failed to install SQL Server Express" + Write-Host "[err] Failed to install SQL Server Express" } try { Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" -Force - Write-Host "[INFO] Set MSSQL port to 1433" + Write-Host "[inf] Set MSSQL port to 1433" } catch { - Write-Host "[ERR] Failed to set MSSQL port to 1433" + Write-Host "[err] Failed to set MSSQL port to 1433" } Restart-Service -Name "MSSQL`$SQLEXPRESS" @@ -78,11 +78,11 @@ try { SqlCmd -E -Q "ALTER LOGIN sa ENABLE" SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" - Write-Host "[INFO] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" - Write-Host "[INFO] Enabled SA login" + Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[inf] Enabled SA login" } catch { - Write-Host "[ERR] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" - Write-Host "[ERR] Failed to enable SA login" + Write-Host "[err] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[err] Failed to enable SA login" } diff --git a/ansible/scripts/setup-tree-domain.ps1 b/ansible/scripts/setup-tree-domain.ps1 index 0f661a1..d6908c1 100644 --- a/ansible/scripts/setup-tree-domain.ps1 
+++ b/ansible/scripts/setup-tree-domain.ps1 @@ -14,20 +14,20 @@ Start-Transcript -Path $logFile -Append $p = ConvertTo-SecureString $Password -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential("$ParentForestRootDomain\$Username", $p) -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = $Password $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing AD-Domain-Services feature" +Write-Host "[inf] Installing AD-Domain-Services feature" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing New Tree Domain in Existing Forest" + Write-Host "[inf] Installing New Tree Domain in Existing Forest" Install-ADDSDomain ` -InstallDns ` -ParentDomainName $ParentForestRootDomain ` @@ -41,9 +41,9 @@ try { -Credential $c ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Successfully added new tree domain: $NewTreeDomainName" + Write-Host "[inf] Successfully added new tree domain: $NewTreeDomainName" } catch { - Write-Host "[ERR] Failed to add new tree domain: $NewTreeDomainName" + Write-Host "[err] Failed to add new tree domain: $NewTreeDomainName" Write-Host $_.Exception.Message } diff --git a/ansible/scripts/setup-websql.ps1 b/ansible/scripts/setup-websql.ps1 index 7865091..7881291 100644 --- a/ansible/scripts/setup-websql.ps1 +++ b/ansible/scripts/setup-websql.ps1 @@ -1,7 +1,6 @@ param ( [string]$DomainName = "contoso.com", - #[string]$SvcUsername = "svc_websql01", - [string]$SvcUsername = "svc_mssql02", + [string]$SvcUsername = "svc_websql01", [string]$SvcPassword = "Svc1234!" ) 
@@ -71,18 +70,18 @@ FTSVCACCOUNT="NT Service\MSSQLFDLauncher" SqlCmd -E -Q "ALTER LOGIN sa ENABLE" SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" - Write-Host "[INFO] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" - Write-Host "[INFO] Enabled SA login" + Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[inf] Enabled SA login" } catch { - Write-Host "[ERR] SQL Server setup failed" + Write-Host "[err] SQL Server setup failed" } try { Install-WindowsFeature -Name Web-Server -IncludeManagementTools Install-WindowsFeature -Name Web-Asp-Net45 - Write-Host "[INFO] Installed IIS and ASP.NET" + Write-Host "[inf] Installed IIS and ASP.NET" } catch { - Write-Host "[ERR] Failed to install IIS and ASP.NET" + Write-Host "[err] Failed to install IIS and ASP.NET" } @" @@ -150,9 +149,9 @@ try { Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3} New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow Restart-WebAppPool -Name "DefaultAppPool" - Write-Host "[INFO] Site 1 created on port 80" + Write-Host "[inf] Site 1 created on port 80" } catch { - Write-Host "[ERR] Failed to create site 1" + Write-Host "[err] Failed to create site 1" } try { @@ -160,9 +159,9 @@ try { $acl = Get-Acl $wwwroot1 $acl.SetAccessRule($svcRule) Set-Acl -Path $wwwroot1 -AclObject $acl - Write-Host "[INFO] ACL set for $wwwroot1" + Write-Host "[inf] ACL set for $wwwroot1" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot1" + Write-Host "[err] Failed to set ACL for $wwwroot1" } try { 
@@ -176,9 +175,9 @@ try { $acl.SetAccessRule($rule) Set-Acl -Path $wwwroot2 -AclObject $acl Restart-WebAppPool -Name "DefaultAppPool2" - Write-Host "[INFO] Site 2 created on port 8080" + Write-Host "[inf] Site 2 created on port 8080" } catch { - Write-Host "[ERR] Failed to create site 2" + Write-Host "[err] Failed to create site 2" } try { @@ -250,9 +249,9 @@ try { "@ | Out-File "$wwwroot3\sqlquery.aspx" -Force Restart-WebAppPool -Name "SqlQueryAppPool" - Write-Host "[INFO] Site 3 created on port 9090 with SQL query page" + Write-Host "[inf] Site 3 created on port 9090 with SQL query page" } catch { - Write-Host "[ERR] Failed to create SQL query site" + Write-Host "[err] Failed to create SQL query site" } Stop-Transcript |