Diffstat (limited to 'ansible/scripts')
-rw-r--r-- | ansible/scripts/dc-wait-for-ready.ps1 | 6 | ||||
-rw-r--r-- | ansible/scripts/init.ps1 | 2 | ||||
-rw-r--r-- | ansible/scripts/populate-ad.ps1 | 40 | ||||
-rw-r--r-- | ansible/scripts/setup-adcs.ps1 | 12 | ||||
-rw-r--r-- | ansible/scripts/setup-child-domain.ps1 | 12 | ||||
-rw-r--r-- | ansible/scripts/setup-defender-gpo.ps1 | 50 | ||||
-rw-r--r-- | ansible/scripts/setup-gpo.ps1 | 8 | ||||
-rw-r--r-- | ansible/scripts/setup-iis.ps1 | 16 | ||||
-rw-r--r-- | ansible/scripts/setup-main-domain.ps1 | 12 | ||||
-rw-r--r-- | ansible/scripts/setup-mssql-link.ps1 | 4 | ||||
-rw-r--r-- | ansible/scripts/setup-mssql.ps1 | 16 | ||||
-rw-r--r-- | ansible/scripts/setup-tree-domain.ps1 | 12 | ||||
-rw-r--r-- | ansible/scripts/setup-websql.ps1 | 129 |
13 files changed, 200 insertions, 119 deletions
diff --git a/ansible/scripts/dc-wait-for-ready.ps1 b/ansible/scripts/dc-wait-for-ready.ps1 index afdf8ee..246f0a3 100644 --- a/ansible/scripts/dc-wait-for-ready.ps1 +++ b/ansible/scripts/dc-wait-for-ready.ps1 @@ -4,14 +4,14 @@ Start-Transcript -Path $logFile -Append while ($true) { try { - Write-Host "[INFO] Checking if domain is ready" + Write-Host "[inf] Checking if domain is ready" Get-ADDomain break } catch { - Write-Host "[INFO] Sleeping for 60s" + Write-Host "[inf] Sleeping for 60s" Start-Sleep -Seconds 60 } } -Write-Host "[INFO] Domain is ready" +Write-Host "[inf] Domain is ready" Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/init.ps1 b/ansible/scripts/init.ps1 index d6b9ff7..2a477de 100644 --- a/ansible/scripts/init.ps1 +++ b/ansible/scripts/init.ps1 @@ -2,7 +2,7 @@ New-Item -Path C:\Logs -ItemType Directory -Force New-Item -Path C:\BgInfo -ItemType Directory -Force New-Item -Path C:\setup -ItemType Directory -Force -Write-Host "[INFO] Disabling password complexity policy" +Write-Host "[inf] Disabling password complexity policy" secedit /export /cfg C:\secpol.cfg (Get-Content C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY diff --git a/ansible/scripts/populate-ad.ps1 b/ansible/scripts/populate-ad.ps1 index 0b57c77..3d8917a 100644 --- a/ansible/scripts/populate-ad.ps1 +++ b/ansible/scripts/populate-ad.ps1 @@ -65,7 +65,7 @@ Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance) Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object" } -Write-Host "[INFO] Setting weak NTLM compatibility level" +Write-Host "[inf] Setting weak NTLM compatibility level" Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force If (-Not (Get-ADOrganizationalUnit -SearchBase "$DomainNameDN" -Filter "Name -like '$DomainOU'")) { 
@@ -98,14 +98,14 @@ ForEach ($user in $users) { -PasswordNeverExpires $true $created_users += $user } catch { - Write-Host "[ERR] Failed to create user $user" + Write-Host "[err] Failed to create user $user" } } Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } -Write-Host "[INFO] Created users: $($created_users -Join ', ')" +Write-Host "[inf] Created users: $($created_users -Join ', ')" $created_computers = @() 1..20 | % { @@ -115,16 +115,17 @@ $created_computers = @() New-ADComputer -SamAccountName "$server$_" -Name "$server$_" -DNSHostName "$server$_.$DomainName" -Path "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" $created_computers += $server } catch { - Write-Host "[ERR] Failed to create server $server$_" + Write-Host "[err] Failed to create server $server$_" } } } -Write-Host "[INFO] Created computers: $($created_computers -Join ', ')" +Write-Host "[inf] Created computers: $($created_computers -Join ', ')" $svc_users = @{ "svc_mssql01" = @{"type" = "spn"; "value" = "MSSQLSVC"} "svc_mssql02" = @{"type" = "spn"; "value" = "MSSQLSVC"} + "svc_websql01" = @{"type" = "spn"; "value" = @("MSSQLSVC", "HTTP")} "svc_cifs01" = @{"type" = "spn"; "value" = "CIFS"} "svc_cifs02" = @{"type" = "spn"; "value" = "CIFS"} "svc_iis01" = @{"type" = "spn"; "value" = "HTTP"} 
@@ -161,12 +162,21 @@ ForEach ($user in $svc_users.keys) { -Enabled $true ` -PasswordNeverExpires $true ` -PassThru - Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="$value/$comp"} - Set-ADObject $u -Description "SPN on $value/$comp" - $created_svc_users += "$user ($value/$comp)" + $spns = @() + if ($value -is [string]) { + $spns += "$value/$comp" + } else { + foreach ($v in $value) { + $spns += "$v/$comp" + } + } + + Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add=$spns} + Set-ADObject $u -Description ("SPNs: " + ($spns -join ", ")) + $created_svc_users += "$user ($($spns -join ', '))" } catch { - Write-Host "[ERR] Failed to create $value/$comp for $user" + Write-Host "[err] Failed to create SPNs for $user" } } "group" { @@ -183,13 +193,13 @@ ForEach ($user in $svc_users.keys) { $created_svc_users += "$user ($value)" } catch { - Write-Host "[ERR] Failed to add $user to $value" + Write-Host "[err] Failed to add $user to $value" } } } } -Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')" +Write-Host "[inf] Created svc users: $($created_svc_users -Join ', ')" $dcsync_user = Get-RandomObject -User $acl = Get-Acl -Path "AD:$DomainNameDN" 
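Review bot: The `if ($value -is [string])` branch in the new SPN loop is redundant: `foreach` over a scalar string iterates exactly once, so `$spns = @(foreach ($v in $value) { "$v/$comp" })` covers both the existing string entries and the `svc_websql01` array added in the @@ -115 hunk, and the loop no longer needs to know which shape each value has. Alternatively, make every `$svc_users` "spn" value an array so the table is uniform and the mixed-type special case disappears. The enclosing `ForEach ($user in $svc_users.keys)` loop starts outside the hunk.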
@@ -210,19 +220,19 @@ $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRul Set-Acl -Path "AD:$adminsdholder" -AclObject $acl Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder" -Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for contoso.com" +Write-Host "[inf] Configuring anonymous LDAP binding via dsHeuristics for contoso.com" $rootDSE = Get-ADRootDSE $configNC = $rootDSE.ConfigurationNamingContext $directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" $directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics $currentHeuristics = $directoryService.dsHeuristics $newHeuristics = "0000002" -Write-Host "[INFO] Overwriting dsHeuristics with '0000002'" +Write-Host "[inf] Overwriting dsHeuristics with '0000002'" Set-ADObject -Identity $directoryServicePath ` -Replace @{"dsHeuristics" = $newHeuristics} ` -Description "Anonymous LDAP enabled for contoso.com" ` -ErrorAction Stop -Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'" +Write-Host "[inf] Successfully set dsHeuristics to '$newHeuristics'" Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50} @@ -301,7 +311,7 @@ Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDeleg Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)" -Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations" +Write-Host "[inf] Created vulnerable ACLs, delegation, and Kerberos configurations" @" Domain content diff --git a/ansible/scripts/setup-adcs.ps1 b/ansible/scripts/setup-adcs.ps1 index 134b9a9..408e7b0 100644 --- a/ansible/scripts/setup-adcs.ps1 +++ b/ansible/scripts/setup-adcs.ps1 
@@ -18,9 +18,9 @@ try { Install-WindowsFeature -Name ADCS-Web-Enrollment Install-WindowsFeature -Name RSAT - Write-Host "[INFO] Installed ADCS Windows Features" + Write-Host "[inf] Installed ADCS Windows Features" } catch { - Write-Host "[ERR] Failed to install ADCS Windows Features" + Write-Host "[err] Failed to install ADCS Windows Features" } try { @@ -35,16 +35,16 @@ try { -CACommonName $CACommonName ` -Force - Write-Host "[INFO] Installed ADCS Certification Authority" + Write-Host "[inf] Installed ADCS Certification Authority" } catch { - Write-Host "[ERR] Failed to install ADCS Certification Authority" + Write-Host "[err] Failed to install ADCS Certification Authority" } try { Install-AdcsWebEnrollment -Force - Write-Host "[INFO] Installed ADCS Web Enrollment" + Write-Host "[inf] Installed ADCS Web Enrollment" } catch { - Write-Host "[ERR] Failed to install ADCS Web Enrollment" + Write-Host "[err] Failed to install ADCS Web Enrollment" } Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/setup-child-domain.ps1 b/ansible/scripts/setup-child-domain.ps1 index ad23d45..77aead2 100644 --- a/ansible/scripts/setup-child-domain.ps1 +++ b/ansible/scripts/setup-child-domain.ps1 @@ -14,20 +14,20 @@ Start-Transcript -Path $logFile -Append $p = ConvertTo-SecureString $Password -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential("$ParentDomainName\$Username", $p) -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = $Password $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing AD-Domain-Services feature" +Write-Host "[inf] Installing AD-Domain-Services feature" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing New Child Domain in Existing Forest" + Write-Host "[inf] Installing New Child Domain in Existing Forest" Install-ADDSDomain ` -InstallDns ` -ParentDomainName $ParentDomainName ` @@ -41,9 +41,9 @@ try { -Credential $c ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Successfully added new child domain: $ChildDomainName" + Write-Host "[inf] Successfully added new child domain: $ChildDomainName" } catch { - Write-Host "[ERR] Failed to add new child domain: $ChildDomainName" + Write-Host "[err] Failed to add new child domain: $ChildDomainName" Write-Host $_.Exception.Message } diff --git a/ansible/scripts/setup-defender-gpo.ps1 b/ansible/scripts/setup-defender-gpo.ps1 new file mode 100644 index 0000000..688949a --- /dev/null +++ b/ansible/scripts/setup-defender-gpo.ps1 
@@ -0,0 +1,50 @@
+param (
+ [string]$DomainName = "contoso.com"
+)
+
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+Import-Module GroupPolicy -ErrorAction Stop
+
+$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])"
+$DomainUsers = Get-ADGroup "Domain Users" -ErrorAction Stop
+
+$GpoName = "DisableMicrosoftDefender"
+
+try {
+ $GPO = New-GPO -Name $GpoName -Comment "GPO to disable Microsoft Defender in test environment" -ErrorAction Stop
+ Write-Host "[INFO] Created GPO '$GpoName'"
+
+ Set-GPPermission -Name $GPO.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group -ErrorAction Stop
+ Write-Host "[INFO] Set GpoEditDeleteModifySecurity permissions for '$($DomainUsers.Name)' on GPO '$GpoName'"
+
+ $RegistrySettings = @(
+ @{
+ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
+ ValueName = "DisableAntiSpyware"
+ Value = 1
+ Type = "DWORD"
+ },
+ @{
+ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
+ ValueName = "DisableRealtimeMonitoring"
+ Value = 1
+ Type = "DWORD"
+ }
+ )
+
+ foreach ($Setting in $RegistrySettings) {
+ Set-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName -Type $Setting.Type -Value $Setting.Value -ErrorAction Stop
+ Write-Host "[INFO] Set registry value: $($Setting.Key)\$($Setting.ValueName) = $($Setting.Value)"
+ }
+
+ New-GPLink -Name $GPO.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes -ErrorAction Stop
+ Write-Host "[INFO] Created GP link for '$GpoName' on $DomainNameDN"
+}
+catch {
+ Write-Host "[ERR] Failed to configure GPO '$GpoName': $_"
+}
+
+Stop-Transcript
diff --git a/ansible/scripts/setup-gpo.ps1 b/ansible/scripts/setup-gpo.ps1
index 8d0bb5d..f837ffc 100644
--- a/ansible/scripts/setup-gpo.ps1
+++ b/ansible/scripts/setup-gpo.ps1
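Review bot: The new setup-defender-gpo.ps1 logs with the `[INFO]`/`[ERR]` prefixes that every other hunk in this commit replaces with `[inf]`/`[err]`, so it is the only script left on the old convention; change its five `Write-Host` tags to match. `$DomainNameDN` is built from only the first two labels of `$DomainName`, which yields a wrong DN for any domain with more than two labels (this repo also provisions child and tree domains); `$DomainNameDN = ($DomainName.Split(".") | ForEach-Object { "DC=$_" }) -join ","` handles any depth and is backward-compatible for the `contoso.com` default. Granting `Domain Users` GpoEditDeleteModifySecurity on a domain-linked GPO looks deliberate for this lab, as in setup-gpo.ps1, but unlike that script nothing here says so; a comment such as `# Intentionally weak: Domain Users can edit this GPO (lab misconfiguration)` above the `Set-GPPermission` call would stop a later reader from "fixing" it.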
@@ -13,17 +13,17 @@ try { Set-GPPermission -Name $GPO1.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group Set-GPPermission -Name $GPO2.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group - Write-Host "[INFO] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" + Write-Host "[inf] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" } catch { - Write-Host "[ERR] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" + Write-Host "[err] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" } try { New-GPLink -Name $GPO1.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes New-GPLink -Name $GPO2.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes - Write-Host "[INFO] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" + Write-Host "[inf] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" } catch { - Write-Host "[ERR] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" + Write-Host "[err] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" } Stop-Transcript diff --git a/ansible/scripts/setup-iis.ps1 b/ansible/scripts/setup-iis.ps1 index 1bbe48d..1ebdd82 100644 --- a/ansible/scripts/setup-iis.ps1 +++ b/ansible/scripts/setup-iis.ps1 
@@ -19,9 +19,9 @@ try { New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow Restart-WebAppPool -Name "DefaultAppPool" - Write-Host "[INFO] Created first IIS WebSite, Firewall rule and AppPool" + Write-Host "[inf] Created first IIS WebSite, Firewall rule and AppPool" } catch { - Write-Host "[ERR] Failed to create first IIS WebSite, Firewall rule and AppPool" + Write-Host "[err] Failed to create first IIS WebSite, Firewall rule and AppPool" } try { @@ -30,9 +30,9 @@ try { $acl.SetAccessRule($svcIIS03Rule) Set-Acl -Path $wwwroot1 -AclObject $acl - Write-Host "[INFO] Set ACL for $wwwroot1" + Write-Host "[inf] Set ACL for $wwwroot1" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot1" + Write-Host "[err] Failed to set ACL for $wwwroot1" } @" @@ -107,9 +107,9 @@ try { Set-ItemProperty "IIS:\AppPools\DefaultAppPool2" -Name processModel -Value @{ identityType=2 } New-NetFirewallRule -DisplayName "HTTP (8080)" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow - Write-Host "[INFO] Created second IIS WebSite, Firewall rule and AppPool" + Write-Host "[inf] Created second IIS WebSite, Firewall rule and AppPool" } catch { - Write-Host "[ERR] Failed to create second IIS WebSite, Firewall rule and AppPool" + Write-Host "[err] Failed to create second IIS WebSite, Firewall rule and AppPool" } try { @@ -119,9 +119,9 @@ try { $acl.SetAccessRule($rule) Set-Acl -Path $wwwroot2 -AclObject $acl - Write-Host "[INFO] Set ACL for $wwwroot2" + Write-Host "[inf] Set ACL for $wwwroot2" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot2" + Write-Host "[err] Failed to set ACL for $wwwroot2" } Restart-WebAppPool -Name "DefaultAppPool2" diff --git a/ansible/scripts/setup-main-domain.ps1 b/ansible/scripts/setup-main-domain.ps1 index 75500ab..770e275 100644 --- a/ansible/scripts/setup-main-domain.ps1 +++ b/ansible/scripts/setup-main-domain.ps1 
@@ -10,20 +10,20 @@ Start-Transcript -Path $logFile -Append $NetBiosName = $DomainName.Split(".")[0].ToUpper() -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = "packer" $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing Ad-Domain-Services Windows feature + subfeatures" +Write-Host "[inf] Installing Ad-Domain-Services Windows feature + subfeatures" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing ADDSForest" + Write-Host "[inf] Installing ADDSForest" Install-ADDSForest ` -InstallDns ` -CreateDnsDelegation:$false ` @@ -37,9 +37,9 @@ try { -NoRebootOnCompletion ` -Force ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Created Active Directory domain for $DomainName" + Write-Host "[inf] Created Active Directory domain for $DomainName" } catch { - Write-Host "[ERR] Failed to create Active Directory domain for $DomainName" + Write-Host "[err] Failed to create Active Directory domain for $DomainName" Write-Host $_.Exception.Message } Stop-Transcript diff --git a/ansible/scripts/setup-mssql-link.ps1 b/ansible/scripts/setup-mssql-link.ps1 index 8f51058..db1e76c 100644 --- a/ansible/scripts/setup-mssql-link.ps1 +++ b/ansible/scripts/setup-mssql-link.ps1 
@@ -11,8 +11,8 @@ try { SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc', @optvalue=N'true'" SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc out', @optvalue=N'true'" SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'$LinkServer', @locallogin = NULL , @useself = N'True'" - Write-Host "[INFO] Linked $LinkServer to mssql02" + Write-Host "[inf] Linked $LinkServer to mssql02" } catch { - Write-Host "[ERR] Failed to link $LinkServer to mssql02" + Write-Host "[err] Failed to link $LinkServer to mssql02" } Stop-Transcript
\ No newline at end of file diff --git a/ansible/scripts/setup-mssql.ps1 b/ansible/scripts/setup-mssql.ps1 index 032490f..0be1575 100644 --- a/ansible/scripts/setup-mssql.ps1 +++ b/ansible/scripts/setup-mssql.ps1 @@ -57,16 +57,16 @@ FTSVCACCOUNT="NT Service\MSSQLFDLauncher" try { Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET /HIDEPROGRESSBAR" -Wait - Write-Host "[INFO] Installed SQL Server Express" + Write-Host "[inf] Installed SQL Server Express" } catch { - Write-Host "[ERR] Failed to install SQL Server Express" + Write-Host "[err] Failed to install SQL Server Express" } try { Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" -Force - Write-Host "[INFO] Set MSSQL port to 1433" + Write-Host "[inf] Set MSSQL port to 1433" } catch { - Write-Host "[ERR] Failed to set MSSQL port to 1433" + Write-Host "[err] Failed to set MSSQL port to 1433" } Restart-Service -Name "MSSQL`$SQLEXPRESS" @@ -78,11 +78,11 @@ try { SqlCmd -E -Q "ALTER LOGIN sa ENABLE" SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" - Write-Host "[INFO] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" - Write-Host "[INFO] Enabled SA login" + Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[inf] Enabled SA login" } catch { - Write-Host "[ERR] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" - Write-Host "[ERR] Failed to enable SA login" + Write-Host "[err] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[err] Failed to enable SA login" } diff --git a/ansible/scripts/setup-tree-domain.ps1 b/ansible/scripts/setup-tree-domain.ps1 index 0f661a1..d6908c1 100644 --- a/ansible/scripts/setup-tree-domain.ps1 
+++ b/ansible/scripts/setup-tree-domain.ps1 @@ -14,20 +14,20 @@ Start-Transcript -Path $logFile -Append $p = ConvertTo-SecureString $Password -AsPlainText -Force $c = New-Object System.Management.Automation.PSCredential("$ParentForestRootDomain\$Username", $p) -Write-Host "[INFO] Setting Administrator password" +Write-Host "[inf] Setting Administrator password" $computerName = $env:COMPUTERNAME $adminPassword = $Password $adminUser = [ADSI] "WinNT://$computerName/Administrator,User" $adminUser.SetPassword($adminPassword) -Write-Host "[INFO] Installing AD-Domain-Services feature" +Write-Host "[inf] Installing AD-Domain-Services feature" Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -Write-Host "[INFO] Importing ADDSDeployment module" +Write-Host "[inf] Importing ADDSDeployment module" Import-Module ADDSDeployment try { - Write-Host "[INFO] Installing New Tree Domain in Existing Forest" + Write-Host "[inf] Installing New Tree Domain in Existing Forest" Install-ADDSDomain ` -InstallDns ` -ParentDomainName $ParentForestRootDomain ` @@ -41,9 +41,9 @@ try { -Credential $c ` -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") - Write-Host "[INFO] Successfully added new tree domain: $NewTreeDomainName" + Write-Host "[inf] Successfully added new tree domain: $NewTreeDomainName" } catch { - Write-Host "[ERR] Failed to add new tree domain: $NewTreeDomainName" + Write-Host "[err] Failed to add new tree domain: $NewTreeDomainName" Write-Host $_.Exception.Message } diff --git a/ansible/scripts/setup-websql.ps1 b/ansible/scripts/setup-websql.ps1 index 9f5db5c..7881291 100644 --- a/ansible/scripts/setup-websql.ps1 +++ b/ansible/scripts/setup-websql.ps1 
@@ -13,16 +13,77 @@ $wwwroot3 = "C:\inetpub\wwwroot3" Start-Transcript -Path $logFile -Append -# --- IIS Setup --- +try { + New-Item -Path "C:\setup\media" -ItemType "Directory" -Force + @" +;SQL Server Configuration File +[OPTIONS] +IACCEPTSQLSERVERLICENSETERMS="True" +ACTION="Install" +ENU="True" +QUIET="True" +QUIETSIMPLE="False" +UpdateEnabled="False" +ERRORREPORTING="False" +USEMICROSOFTUPDATE="False" +FEATURES=SQLENGINE,FULLTEXT +UpdateSource="MU" +HELP="False" +INDICATEPROGRESS="False" +X86="False" +INSTALLSHAREDDIR="C:\Program Files\Microsoft SQL Server" +INSTALLSHAREDWOWDIR="C:\Program Files (x86)\Microsoft SQL Server" +INSTANCENAME="SQLEXPRESS" +SQMREPORTING="False" +INSTANCEID="SQLEXPRESS" +RSINSTALLMODE="DefaultNativeMode" +INSTANCEDIR="C:\Program Files\Microsoft SQL Server" +AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" +AGTSVCSTARTUPTYPE="Automatic" +COMMFABRICPORT="0" +COMMFABRICNETWORKLEVEL="0" +COMMFABRICENCRYPTION="0" +MATRIXCMBRICKCOMMPORT="0" +SQLSVCSTARTUPTYPE="Automatic" +FILESTREAMLEVEL="0" +ENABLERANU="False" +SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" +SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" +SAPWD="$SvcPassword" +SQLSYSADMINACCOUNTS="BUILTIN\Administrators" +ADDCURRENTUSERASSQLADMIN="True" +TCPENABLED="1" +NPENABLED="0" +BROWSERSVCSTARTUPTYPE="Disabled" +RSSVCSTARTUPTYPE="manual" +FTSVCACCOUNT="NT Service\MSSQLFDLauncher" +"@ | Out-File "C:\setup\sql_conf.ini" + + Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET /HIDEPROGRESSBAR" -Wait + Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" -Force + Restart-Service -Name "MSSQL`$SQLEXPRESS" + New-NetFirewallRule -DisplayName "SQLServer default instance" -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow + + $env:Path += ";C:\Program 
Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn" + SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS" + SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'" + + SqlCmd -E -Q "ALTER LOGIN sa ENABLE" + SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" + Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[inf] Enabled SA login" +} catch { + Write-Host "[err] SQL Server setup failed" +} + try { Install-WindowsFeature -Name Web-Server -IncludeManagementTools Install-WindowsFeature -Name Web-Asp-Net45 - Write-Host "[INFO] Installed IIS and ASP.NET" + Write-Host "[inf] Installed IIS and ASP.NET" } catch { - Write-Host "[ERR] Failed to install IIS and ASP.NET" + Write-Host "[err] Failed to install IIS and ASP.NET" } -# Upload form content @" using System; using System.IO; 
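Review bot: The `SqlCmd` and `Start-Process` calls inside the relocated try block are native commands, which do not raise terminating errors on a non-zero exit code (absent `$PSNativeCommandUseErrorActionPreference`, PowerShell 7.3+), so a failed `CREATE LOGIN` or `ALTER LOGIN sa` still falls through to `Write-Host "[inf] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin"`; check `$LASTEXITCODE` after each `SqlCmd`, e.g. `if ($LASTEXITCODE -ne 0) { throw "SqlCmd failed with exit code $LASTEXITCODE" }`. The catch branch also drops the error detail, unlike setup-child-domain.ps1 and setup-defender-gpo.ps1 in this same commit; `Write-Host "[err] SQL Server setup failed: $($_.Exception.Message)"` keeps the transcript useful when the install breaks. Separately, this hunk and the @@ -83, @@ -117 and @@ -165 hunks delete the section comments (`# --- IIS Setup ---`, `# Upload form content`, `# Default site - port 80`, …) without replacing them, which leaves a long multi-site script with no signposting; keep them or fold the same wording into the `[inf]` messages.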
@@ -83,29 +144,26 @@ public partial class UploadPage : Page </configuration> "@ | Out-File "$wwwroot1\Web.config" -Force -# Default site - port 80 try { New-WebSite -Name "MyASPXSite" -Port 80 -PhysicalPath $wwwroot1 -ApplicationPool "DefaultAppPool" Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3} New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow Restart-WebAppPool -Name "DefaultAppPool" - Write-Host "[INFO] Site 1 created on port 80" + Write-Host "[inf] Site 1 created on port 80" } catch { - Write-Host "[ERR] Failed to create site 1" + Write-Host "[err] Failed to create site 1" } -# ACLs for wwwroot1 try { $svcRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$SvcUsername", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow") $acl = Get-Acl $wwwroot1 $acl.SetAccessRule($svcRule) Set-Acl -Path $wwwroot1 -AclObject $acl - Write-Host "[INFO] ACL set for $wwwroot1" + Write-Host "[inf] ACL set for $wwwroot1" } catch { - Write-Host "[ERR] Failed to set ACL for $wwwroot1" + Write-Host "[err] Failed to set ACL for $wwwroot1" } -# Second site - port 8080 try { Copy-Item $wwwroot1 -Destination $wwwroot2 -Recurse -Force New-WebAppPool -Name "DefaultAppPool2" 
@@ -117,47 +175,11 @@ try { $acl.SetAccessRule($rule) Set-Acl -Path $wwwroot2 -AclObject $acl Restart-WebAppPool -Name "DefaultAppPool2" - Write-Host "[INFO] Site 2 created on port 8080" -} catch { - Write-Host "[ERR] Failed to create site 2" -} - -# SQL Server Express setup -try { - New-Item -Path "C:\setup\media" -ItemType "Directory" -Force - @" -;SQL Server Configuration File -[OPTIONS] -IACCEPTSQLSERVERLICENSETERMS="True" -ACTION="Install" -ENU="True" -QUIET="True" -FEATURES=SQLENGINE,FULLTEXT -INSTANCENAME="SQLEXPRESS" -SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" -SQLSYSADMINACCOUNTS="BUILTIN\Administrators" -ADDCURRENTUSERASSQLADMIN="True" -TCPENABLED="1" -NPENABLED="0" -SAPWD="$SvcPassword" -"@ | Out-File "C:\setup\sql_conf.ini" - - Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET" -Wait - Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" - Restart-Service -Name "MSSQL`$SQLEXPRESS" - New-NetFirewallRule -DisplayName "SQLServer 1433" -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow - - $env:Path += ";C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn" - SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS" - SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'" - SqlCmd -E -Q "ALTER LOGIN sa ENABLE" - SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" - Write-Host "[INFO] SQL Server installed/configured" + Write-Host "[inf] Site 2 created on port 8080" } catch { - Write-Host "[ERR] SQL Server setup failed" + Write-Host "[err] Failed to create site 2" } -# Third site - port 9090 with upload + SQL query page try { Copy-Item $wwwroot1 -Destination $wwwroot3 -Recurse -Force New-WebAppPool -Name "SqlQueryAppPool" 
@@ -165,7 +187,6 @@ try { Set-ItemProperty "IIS:\AppPools\SqlQueryAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3} New-NetFirewallRule -DisplayName "HTTP (9090)" -Direction Inbound -Protocol TCP -LocalPort 9090 -Action Allow - # SQL Query Page @" <%@ Page Language="C#" Debug="true" %> <%@ Import Namespace="System.Data" %> @@ -191,7 +212,7 @@ try { litResults.Text = "<table border='1'><tr>"; foreach (DataColumn col in dt.Columns) { - litResults.Text += $"<th>{col.ColumnName}</th>"; + litResults.Text += string.Format("<th>{0}</th>", col.ColumnName); } litResults.Text += "</tr>"; @@ -200,7 +221,7 @@ try { litResults.Text += "<tr>"; foreach (var item in row.ItemArray) { - litResults.Text += $"<td>{item}</td>"; + litResults.Text += string.Format("<td>{0}</td>", item); } litResults.Text += "</tr>"; } @@ -228,9 +249,9 @@ try { "@ | Out-File "$wwwroot3\sqlquery.aspx" -Force Restart-WebAppPool -Name "SqlQueryAppPool" - Write-Host "[INFO] Site 3 created on port 9090 with SQL query page" + Write-Host "[inf] Site 3 created on port 9090 with SQL query page" } catch { - Write-Host "[ERR] Failed to create SQL query site" + Write-Host "[err] Failed to create SQL query site" } Stop-Transcript |
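Review bot: The rewritten `string.Format` lines in the @@ -191 and @@ -200 hunks still write `col.ColumnName` and `item` into the page as raw HTML, so any value returned by the query is rendered as markup; if that is not an intentional property of this lab page, encode it: `litResults.Text += string.Format("<td>{0}</td>", HttpUtility.HtmlEncode(Convert.ToString(item)));` and likewise for the `<th>` line. If it is intentional, a one-line comment inside the here-string saying so would keep it from being reported as a bug. The enclosing `try` and the `@"` here-string that produces sqlquery.aspx start outside these hunks.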