From 6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7 Mon Sep 17 00:00:00 2001 From: heqnx Date: Fri, 11 Jul 2025 21:55:20 +0300 Subject: added initial setup for domain controller --- ansible/.env.proxmox.example | 46 + ansible/files/SQL2019-SSEI-Expr.exe | Bin 0 -> 6379936 bytes ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 | Bin 0 -> 9442 bytes ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 | 466 ++++++++ ansible/files/adcs/templates/ESC1.json | Bin 0 -> 4252 bytes ansible/files/adcs/templates/ESC2.json | Bin 0 -> 4096 bytes ansible/files/adcs/templates/ESC3-CRA.json | Bin 0 -> 4158 bytes ansible/files/adcs/templates/ESC3.json | Bin 0 -> 4572 bytes ansible/files/adcs/templates/ESC4.json | Bin 0 -> 4308 bytes ansible/files/software/BgInfo.bgi | Bin 0 -> 1174 bytes ansible/files/software/BgInfo.exe | Bin 0 -> 2198952 bytes ansible/files/software/PsExec64.exe | Bin 0 -> 833472 bytes ansible/files/software/Sysmon64.exe | Bin 0 -> 4545344 bytes .../googlechromestandaloneenterprise64.msi | Bin 0 -> 119250944 bytes ansible/files/software/npp.exe | Bin 0 -> 4840120 bytes ansible/files/software/sysmonconfig-export.xml | 1200 ++++++++++++++++++++ ansible/group_vars/all/connectors.yaml | 10 + ansible/group_vars/all/main.yaml | 57 + ansible/main.yaml | 45 + ansible/roles/dc01/tasks/cleanup.yaml | 3 + ansible/roles/dc01/tasks/init.yaml | 3 + ansible/roles/dc01/tasks/install_software.yaml | 3 + ansible/roles/dc01/tasks/main.yaml | 41 + ansible/roles/dc01/tasks/populate_ad.yaml | 7 + ansible/roles/dc01/tasks/reboot.yaml | 3 + ansible/roles/dc01/tasks/set_hostname.yaml | 2 + ansible/roles/dc01/tasks/setup_domain.yaml | 6 + ansible/roles/dc01/tasks/setup_gpo.yaml | 7 + ansible/roles/dc01/tasks/wait_for_ready.yaml | 3 + ansible/roles/proxmox_vm/tasks/create_vm.yaml | 16 + .../proxmox_vm/tasks/enable_qemu_guest_agent.yaml | 12 + ansible/roles/proxmox_vm/tasks/get_ip.yaml | 29 + ansible/roles/proxmox_vm/tasks/main.yaml | 17 + ansible/roles/proxmox_vm/tasks/set_network.yaml | 20 + ansible/roles/proxmox_vm/tasks/start_vm.yaml | 13 + ansible/roles/proxmox_vm/tasks/upload_files.yaml | 9 + ansible/scripts/cleanup.ps1 | 9 + ansible/scripts/dc-wait-for-ready.ps1 | 17 + ansible/scripts/init.ps1 | 10 + ansible/scripts/install-software.ps1 | 10 + ansible/scripts/join-domain.ps1 | 14 + ansible/scripts/join-domain.sh | 46 + ansible/scripts/populate-ad.ps1 | 318 ++++++ ansible/scripts/setup-adcs-esc.ps1 | 20 + ansible/scripts/setup-adcs.ps1 | 50 + ansible/scripts/setup-child-domain.ps1 | 50 + ansible/scripts/setup-gpo.ps1 | 29 + ansible/scripts/setup-iis.ps1 | 128 +++ ansible/scripts/setup-main-domain.ps1 | 45 + ansible/scripts/setup-mssql-link.ps1 | 18 + ansible/scripts/setup-mssql.ps1 | 90 ++ ansible/scripts/setup-tree-domain.ps1 | 50 + 52 files changed, 2922 insertions(+) create mode 100644 ansible/.env.proxmox.example create mode 100644 ansible/files/SQL2019-SSEI-Expr.exe create mode 100644 ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 create mode 100644 ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 create mode 100644 ansible/files/adcs/templates/ESC1.json create mode 100644 ansible/files/adcs/templates/ESC2.json create mode 100644 ansible/files/adcs/templates/ESC3-CRA.json create mode 100644 ansible/files/adcs/templates/ESC3.json create mode 100644 ansible/files/adcs/templates/ESC4.json create mode 100644 ansible/files/software/BgInfo.bgi create mode 100644 ansible/files/software/BgInfo.exe create mode 100644 ansible/files/software/PsExec64.exe create mode 100644 ansible/files/software/Sysmon64.exe create mode 100644 ansible/files/software/googlechromestandaloneenterprise64.msi create mode 100644 ansible/files/software/npp.exe create mode 100644 ansible/files/software/sysmonconfig-export.xml create mode 100644 ansible/group_vars/all/connectors.yaml create mode 100644 ansible/group_vars/all/main.yaml create mode 100644 ansible/main.yaml create mode 100644 ansible/roles/dc01/tasks/cleanup.yaml create mode 100644 ansible/roles/dc01/tasks/init.yaml create mode 100644 ansible/roles/dc01/tasks/install_software.yaml create mode 100644 ansible/roles/dc01/tasks/main.yaml create mode 100644 ansible/roles/dc01/tasks/populate_ad.yaml create mode 100644 ansible/roles/dc01/tasks/reboot.yaml create mode 100644 ansible/roles/dc01/tasks/set_hostname.yaml create mode 100644 ansible/roles/dc01/tasks/setup_domain.yaml create mode 100644 ansible/roles/dc01/tasks/setup_gpo.yaml create mode 100644 ansible/roles/dc01/tasks/wait_for_ready.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/create_vm.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/get_ip.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/main.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/set_network.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/start_vm.yaml create mode 100644 ansible/roles/proxmox_vm/tasks/upload_files.yaml create mode 100644 ansible/scripts/cleanup.ps1 create mode 100644 ansible/scripts/dc-wait-for-ready.ps1 create mode 100644 ansible/scripts/init.ps1 create mode 100644 ansible/scripts/install-software.ps1 create mode 100644 ansible/scripts/join-domain.ps1 create mode 100644 ansible/scripts/join-domain.sh create mode 100644 ansible/scripts/populate-ad.ps1 create mode 100644 ansible/scripts/setup-adcs-esc.ps1 create mode 100644 ansible/scripts/setup-adcs.ps1 create mode 100644 ansible/scripts/setup-child-domain.ps1 create mode 100644 ansible/scripts/setup-gpo.ps1 create mode 100644 ansible/scripts/setup-iis.ps1 create mode 100644 ansible/scripts/setup-main-domain.ps1 create mode 100644 ansible/scripts/setup-mssql-link.ps1 create mode 100644 ansible/scripts/setup-mssql.ps1 create mode 100644 ansible/scripts/setup-tree-domain.ps1 (limited to 'ansible') diff --git a/ansible/.env.proxmox.example b/ansible/.env.proxmox.example new file mode 100644 index 0000000..70c9580 --- /dev/null +++ b/ansible/.env.proxmox.example @@ -0,0 +1,46 @@ +# proxmox connection details, ssh must be enabled +export proxmox_hostname="proxmox01.local" +export proxmox_username="root@pam" +export proxmox_api_token_id="ansible" +export proxmox_api_token_secret="" +export proxmox_node="proxmox01" + +# default local credentials for linux and windows +export linux_username="root" +export linux_password="root" +export windows_username="packer" +export windows_password="packer" +export windows_svc_password="Svc1234!" + +# proxmox vm and template details +export windows_server_template_id="200" +export windows_server_template_name="winserver2019-tmpl" +#export linux_server_template_id="201" +#export linux_server_template_name="base-img-ubuntu-24.04-server" +#export kali_template_id="202" +#export kali_template_name="base-img-kali-top10-xfce" + +# domain details +export main_domain_name="contoso.com" + +export main_dc01_vmid="5000" +export main_dc01_hostname="dc01" +export main_dc01_ip_address="192.168.1.50" + +export network_gateway="192.168.1.1" + +#export mssql01_hostname="mssql01" +#export mssql02_hostname="mssql02" +#export web01_hostname="web01" +#export adcs01_hostname="adcs01" +#export workstation01_hostname="workstation01" +#export linux_srv01_hostname="srv01" +#export kali_attackbox_hostname="kali-attackbox" +# +#export mssql01_ip_address="192.168.1.111" +#export mssql02_ip_address="192.168.1.112" +#export web01_ip_address="192.168.1.113" +#export adcs01_ip_address="192.168.1.114" +#export workstation01_ip_address="192.168.1.115" +#export linux_srv01_ip_address="192.168.1.116" +#export kali_attackbox_ip_address="192.168.1.120" diff --git a/ansible/files/SQL2019-SSEI-Expr.exe b/ansible/files/SQL2019-SSEI-Expr.exe new file mode 100644 index 0000000..e8cf49d Binary files /dev/null and b/ansible/files/SQL2019-SSEI-Expr.exe differ diff --git a/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 new file mode 100644 index 0000000..daf338f Binary files /dev/null and b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psd1 differ diff --git a/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 new file mode 100644 index 0000000..39da019 --- /dev/null +++ b/ansible/files/adcs/ADCSTemplate/ADCSTemplate.psm1 @@ -0,0 +1,466 @@ +#requires -Version 5.0 -Modules ActiveDirectory + +Function Get-RandomHex { +param ([int]$Length) + $Hex = '0123456789ABCDEF' + [string]$Return = $null + For ($i=1;$i -le $length;$i++) { + $Return += $Hex.Substring((Get-Random -Minimum 0 -Maximum 16),1) + } + Return $Return +} + +Function IsUniqueOID { +param ($cn,$TemplateOID,$Server,$ConfigNC) + $Search = Get-ADObject -Server $Server ` + -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" ` + -Filter {cn -eq $cn -and msPKI-Cert-Template-OID -eq $TemplateOID} + If ($Search) {$False} Else {$True} +} + +Function New-TemplateOID { +Param($Server,$ConfigNC) + <# + OID CN/Name [10000000-99999999].[32 hex characters (MD5hash)] + OID msPKI-Cert-Template-OID [Forest base OID].[1000000-99999999].[10000000-99999999] <--- second number same as first number in OID name + #> + do { + $OID_Part_1 = Get-Random -Minimum 10000000 -Maximum 99999999 + $OID_Part_2 = Get-Random -Minimum 10000000 -Maximum 99999999 + $OID_Part_3 = Get-RandomHex -Length 32 + $OID_Forest = Get-ADObject -Server $Server ` + -Identity "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" ` + -Properties msPKI-Cert-Template-OID | + Select-Object -ExpandProperty msPKI-Cert-Template-OID + $msPKICertTemplateOID = "$OID_Forest.$OID_Part_1.$OID_Part_2" + $Name = "$OID_Part_2.$OID_Part_3" + } until (IsUniqueOID -cn $Name -TemplateOID $msPKICertTemplateOID -Server $Server -ConfigNC $ConfigNC) + Return @{ + TemplateOID = $msPKICertTemplateOID + TemplateName = $Name + } +} + + +<# +.SYNOPSIS +Returns the properties of either a single or all Active Directory Certificate Template(s). +.DESCRIPTION +Returns the properties of either a single or list of Active Directory Certificate Template(s) +depending on whether a DisplayName parameter was passed. +.PARAMETER DisplayName +Name of an AD CS template to retrieve. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.EXAMPLE +PS C:\> Get-ADCSTemplate +.EXAMPLE +PS C:\> Get-ADCSTemplate -DisplayName PowerShellCMS +.EXAMPLE +PS C:\> Get-ADCSTemplate | Sort-Object Name | ft Name, Created, Modified +.EXAMPLE +PS C:\> ###View template permissions +(Get-ADCSTemplate pscms).nTSecurityDescriptor +(Get-ADCSTemplate pscms).nTSecurityDescriptor.Sddl +(Get-ADCSTemplate pscms).nTSecurityDescriptor.Access +ConvertFrom-SddlString -Sddl (Get-ADCSTemplate pscms).nTSecurityDescriptor.sddl -Type ActiveDirectoryRights +.NOTES +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +#> +Function Get-ADCSTemplate { +param( + [parameter(Position=0)] + [string] + $DisplayName, + + [string] + $Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0] +) + If ($PSBoundParameters.ContainsKey('DisplayName')) { + $LDAPFilter = "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" + } Else { + $LDAPFilter = '(objectClass=pKICertificateTemplate)' + } + + $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext) + $TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC" + Get-ADObject -SearchScope Subtree -SearchBase $TemplatePath -LDAPFilter $LDAPFilter -Properties * -Server $Server +} + + +<# +.SYNOPSIS +Adds an ACL to an Active Directory Certificate template. +.DESCRIPTION +Adds an ACL to an Active Directory Certificate template. +Default permission is read (without the Enroll or AutoEnroll switches). +.PARAMETER DisplayName +Name of an AD CS template to receive the ACL. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.PARAMETER Type +ACL type: Allow or Deny +.PARAMETER Identity +String or string array of Active Directory identities (users or groups) +.PARAMETER Enroll +Set the Enroll permission +.PARAMETER AutoEnroll +Set the AutoEnroll permission +.EXAMPLE +PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Allow -Identity 'CONTOSO\Servers Group' -Enroll +.EXAMPLE +PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Allow -Identity 'CONTOSO\Servers Group','CONTOSO\Workstations Group' -Enroll -AutoEnroll +.EXAMPLE +PS C:\> Set-ADCSTemplateACL -DisplayName PowerShellCMS -Type Deny -Identity 'CONTOSO\Servers Group' +.NOTES +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +#> +Function Set-ADCSTemplateACL { +param( + [parameter(Mandatory)] + [string]$DisplayName, + [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0], + [ValidateSet('Allow','Deny')] + [string]$Type = 'Allow', + [string[]]$Identity, + [switch]$Enroll, + [switch]$AutoEnroll +) + ## Potential issue here that the AD: drive may not be targetting the selected DC in the -SERVER parameter + $TemplatePath = "AD:\" + (Get-ADCSTemplate -DisplayName $DisplayName -Server $Server).DistinguishedName + $acl = Get-ACL $TemplatePath + $InheritedObjectType = [GUID]'00000000-0000-0000-0000-000000000000' + ForEach ($Group in $Identity) { + $account = New-Object System.Security.Principal.NTAccount($Group) + $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) + + If ($Type -ne 'Deny') { + # Read, but only if Allow + $ObjectType = [GUID]'00000000-0000-0000-0000-000000000000' + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + $sid, 'GenericRead', $Type, $ObjectType, 'None', $InheritedObjectType + $acl.AddAccessRule($ace) + } + + If ($Enroll) { + $ObjectType = [GUID]'0e10c968-78fb-11d2-90d4-00c04f79dc55' + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + $sid, 'ExtendedRight', $Type, $ObjectType, 'None', $InheritedObjectType + $acl.AddAccessRule($ace) + } + + If ($AutoEnroll) { + $ObjectType = [GUID]'a05b8cc2-17bc-4802-a710-e7c15ab866a2' + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + $sid, 'ExtendedRight', $Type, $ObjectType, 'None', $InheritedObjectType + $acl.AddAccessRule($ace) + } + } + Set-ACL $TemplatePath -AclObject $acl +} + + +<# +.SYNOPSIS +Returns a JSON string with the properties of an Active Directory certificate template. +.DESCRIPTION +Returns a JSON string with the properties of an Active Directory certificate template. +By default returns only the PKI-related properties of the object. These properties are +sufficient for passing to the New-ADCSTemplate function. +.PARAMETER DisplayName +DisplayName for the certificate to export. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.PARAMETER Detailed +Includes all ADObject properties of the template. These are not required for +use with the New-ADCSTemplate function. +.NOTES +C.R.U.D. AD CS Template Operations in this module. +No longer have to use the cert GUI to clone a template and build a new one. +Create one manually the first time in the GUI, then export it to JSON. +Pass the JSON in your new environment (file, here string, DSC, etc.) to build from scratch. +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +.EXAMPLE +PS C:\> Export-ADCSTemplate -DisplayName PowerShellCMS +.EXAMPLE +PS C:\> Export-ADCSTemplate -DisplayName PowerShellCMS -Detailed +.EXAMPLE +### Backup all the templates to JSON +md C:\ADCSTemplates -ErrorAction SilentlyContinue +cd C:\ADCSTemplates +(Get-ADCSTemplate).name | ForEach-Object {"Exporting $_"; Export-ADCSTemplate -DisplayName $_ | Out-File .\$_.json -Force} +dir +.EXAMPLE +PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS-NEW -JSON (Export-ADCSTemplate -DisplayName PowerShellCMS-OLD) +#> +Function Export-ADCSTemplate { +param( + [parameter(Mandatory)] + [string]$DisplayName, + [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0], + [switch]$Detailed # Detailed output is not required for export/import. Use for documentation/backup purposes. +) + If ($Detailed) { + Get-ADCSTemplate -DisplayName $DisplayName -Server $Server | + ConvertTo-Json + } Else { + Get-ADCSTemplate -DisplayName $DisplayName -Server $Server | + Select-Object -Property name, displayName, objectClass, flags, revision, *pki* | + ConvertTo-Json + } +} + +<# +.SYNOPSIS +Creates a new Active Directory Certificate Services template based on a JSON export. +.DESCRIPTION +Creates a new Active Directory Certificate Services template based on a JSON export. +Optionally can permission and publish the template (best practice). +.PARAMETER DisplayName +DisplayName for the certificate template to create. This does not have to match +the original name of the exported template. +.PARAMETER JSON +JSON string output from Export-ADCSTemplate. Defines the template to create. +Can be retrieved from file using Get-Content -Raw. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.PARAMETER Identity +String or string array of Active Directory identities (users or groups). +This is optional for permissioning the template. +.PARAMETER AutoEnroll +Default permission is Read and Enroll. Use this switch to also grant AutoEnroll +to the identity. Only used when Identity parameter is used. +.PARAMETER Publish +Publish the template to *ALL* Certificate Authority issuers. Use with caution +in production environments. You may want to manually publish to only specific +Certificate Authorities in production. In a lab this is ideal. +.NOTES +This function does not use the official (complicated) API for PKI management. +Instead it creates the exact same AD objects that are generated by the API, +including AD forest-specific OIDs. +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +.EXAMPLE +PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS -JSON (Get-Content .\pscms.json -Raw) +.EXAMPLE +PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS -JSON (Get-Content .\pscms.json -Raw) -Server dc1.contoso.com -Identity G_DSCNodes -AutoEnroll -Publish + +# From a client configured for AD CS autoenrollment: +$Req = @{ + Template = 'PowerShellCMS' + Url = 'ldap:' + CertStoreLocation = 'Cert:\LocalMachine\My' +} +Get-Certificate @Req +# Note: If you have the Carbon module installed, it conflicts with Get-Certificate native cmdlet. + +$DocEncrCert = (dir Cert:\LocalMachine\My -DocumentEncryptionCert | Sort-Object NotBefore)[-1] +Protect-CmsMessage -To $DocEncrCert -Content "Encrypted with my new cert from the new template!" +.EXAMPLE +PS C:\> New-ADCSTemplate -DisplayName PowerShellCMS-NEW -JSON (Export-ADCSTemplate -DisplayName PowerShellCMS-OLD) +#> +Function New-ADCSTemplate { +param( + [parameter(Mandatory)] + [string]$DisplayName, # name in JSON export is ignored + [parameter(Mandatory)] + [string]$JSON, + [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0], + [string[]]$Identity, # = "$((Get-ADDomain).NetBIOSName)\Domain Computers", + [switch]$AutoEnroll, + [switch]$Publish +) + ### Put GroupName and AutoEnroll into a parameter set + + # Manually import AD module to get AD: drive used later for permissions + Import-Module ActiveDirectory -Verbose:$false + + $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext) + + #region CREATE OID + <# + CN : 14891906.F2AC4390685318BD1D950A66EDB50FF4 + DisplayName : TemplateNameHere + DistinguishedName : CN=14891906.F2AC4390685318BD1D950A66EDB50FF4,CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com + dSCorePropagationData : {1/1/1601 12:00:00 AM} + flags : 1 + instanceType : 4 + msPKI-Cert-Template-OID : 1.3.6.1.4.1.311.21.8.11489019.14294623.5588661.594850.12204198.151.6616009.14891906 + Name : 14891906.F2AC4390685318BD1D950A66EDB50FF4 + ObjectCategory : CN=ms-PKI-Enterprise-Oid,CN=Schema,CN=Configuration,DC=contoso,DC=com + ObjectClass : msPKI-Enterprise-Oid + #> + $OID = New-TemplateOID -Server $Server -ConfigNC $ConfigNC + $TemplateOIDPath = "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" + $oa = @{ + 'DisplayName' = $DisplayName + 'flags' = [System.Int32]'1' + 'msPKI-Cert-Template-OID' = $OID.TemplateOID + } + New-ADObject -Path $TemplateOIDPath -OtherAttributes $oa -Name $OID.TemplateName -Type 'msPKI-Enterprise-Oid' -Server $Server + #endregion + + #region CREATE TEMPLATE + # https://docs.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements + # https://blogs.technet.microsoft.com/option_explicit/2012/04/09/pki-certificates-and-the-x-509-standard/ + # https://technet.microsoft.com/en-us/library/cc776447(v=ws.10).aspx + $import = $JSON | ConvertFrom-Json + $oa = @{ 'msPKI-Cert-Template-OID' = $OID.TemplateOID } + ForEach ($prop in ($import | Get-Member -MemberType NoteProperty)) { + Switch ($prop.Name) { + { $_ -in 'flags', + 'msPKI-Certificate-Name-Flag', + 'msPKI-Enrollment-Flag', + 'msPKI-Minimal-Key-Size', + 'msPKI-Private-Key-Flag', + 'msPKI-Template-Minor-Revision', + 'msPKI-Template-Schema-Version', + 'msPKI-RA-Signature', + 'pKIMaxIssuingDepth', + 'pKIDefaultKeySpec', + 'revision' + } { $oa.Add($_,[System.Int32]$import.$_); break } + + { $_ -in 'msPKI-Certificate-Application-Policy', + 'pKICriticalExtensions', + 'pKIDefaultCSPs', + 'pKIExtendedKeyUsage', + 'msPKI-RA-Application-Policies' + } { $oa.Add($_,[Microsoft.ActiveDirectory.Management.ADPropertyValueCollection]$import.$_); break } + + { $_ -in 'pKIExpirationPeriod', + 'pKIKeyUsage', + 'pKIOverlapPeriod' + } { $oa.Add($_,[System.Byte[]]$import.$_); break } + + } + } + $TemplatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC" + New-ADObject -Path $TemplatePath -OtherAttributes $oa -Name $DisplayName.Replace(' ','') ` + -DisplayName $DisplayName -Type pKICertificateTemplate -Server $Server + #endregion + + #region PERMISSIONS + ## Potential issue here that the AD: drive may not be targetting the selected DC in the -SERVER parameter + If ($PSBoundParameters.ContainsKey('Identity')) { + If ($AutoEnroll) { + Set-ADCSTemplateACL -DisplayName $DisplayName -Server $Server -Type Allow -Identity $Identity -Enroll -AutoEnroll + } Else { + Set-ADCSTemplateACL -DisplayName $DisplayName -Server $Server -Type Allow -Identity $Identity -Enroll + } + } + #endregion + + #region ISSUE + If ($Publish) { + ### WARNING: Issues on all available CAs. Test in your environment. + $EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC" + $CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server + ForEach ($CA in $CAs) { + Set-ADObject -Identity $CA.DistinguishedName -Add @{certificateTemplates=$DisplayName.Replace(' ','')} -Server $Server + } + } + #endregion +} + + +<# +.SYNOPSIS +Removes a certificate template from Active Directory. +.DESCRIPTION +Removes the template from any issuers where it is published. +Removes the template itself. +Removes the unique OID object of the template. +.PARAMETER DisplayName +DisplayName for the certificate template to delete. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.EXAMPLE +PS C:\> Remove-ADCSTemplate -DisplayName PowerShellCMS +.EXAMPLE +PS C:\> (Get-ADCSTemplate).name | Where-Object {$_ -like "PowerShellCMS*"} | ForEach-Object {Remove-ADCSTemplate -DisplayName $_ -Verbose} +.NOTES +Use with caution! +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +#> +Function Remove-ADCSTemplate { +[CmdletBinding(SupportsShouldProcess=$true,ConfirmImpact='High')] +param( + [parameter(Mandatory)] + [string]$DisplayName, + [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0] +) + if ($pscmdlet.ShouldProcess($DisplayName, 'Remove certificate template')) { + $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext) + + $Template = Get-ADCSTemplate -DisplayName $DisplayName -Server $Server + + #region REMOVE ISSUE IF IT EXISTS + $EnrollmentPath = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC" + $CAs = Get-ADObject -SearchBase $EnrollmentPath -SearchScope OneLevel -Filter * -Server $Server + ForEach ($CA in $CAs) { + Set-ADObject -Identity $CA.DistinguishedName -Remove @{certificateTemplates=$Template.cn} -Server $Server -Confirm:$false + } + #endregion + + #region REMOVE TEMPLATE + Remove-ADObject -Identity $Template.distinguishedName -Server $Server -Confirm:$false + #endregion + + #region REMOVE OID + $TemplateOIDPath = "CN=OID,CN=Public Key Services,CN=Services,$ConfigNC" + Get-ADObject -SearchBase $TemplateOIDPath -LDAPFilter "(DisplayName=$DisplayName)" -Server $Server | Remove-ADObject -Confirm:$false + #endregion + } +} + + +<# +.SYNOPSIS +Maps a PowerShell drive to the Active Directory Certificate Services location. +.DESCRIPTION +Maps a PowerShell drive to the Active Directory Certificate Services location +of the Configuration partition under CN=Public Key Services,CN=Services,... . +The new drive is ADCS:. This is purely for convenience of checking the objects +updated by functions in the ADCSTemplate module. +.PARAMETER Server +FQDN of Active Directory Domain Controller to target for the operation. +When not specified it will search for the nearest Domain Controller. +.EXAMPLE +PS C:\> New-ADCSDrive +PS C:\> Set-Location ADCS: +.EXAMPLE +### Explore templates with drive +New-ADCSDrive +Get-PSDrive +cd ADCS: +dir + +# List templates +cd '.\CN=Certificate Templates' +dir +dir | fl * +dir *WebServer* + +# list CAs +cd \ +cd '.\CN=Enrollment Services' +dir +cd C: +.NOTES +Requires Enterprise Administrator permissions, since this touches the AD Configuration partition. +#> +Function New-ADCSDrive { +param( + [string]$Server = (Get-ADDomainController -Discover -ForceDiscover -Writable).HostName[0] +) + $ConfigNC = $((Get-ADRootDSE -Server $Server).configurationNamingContext) + New-PSDrive -Name ADCS -PSProvider ActiveDirectory -Root "CN=Public Key Services,CN=Services,$ConfigNC" -Server $Server -Scope Global +} + + +Export-ModuleMember -Function *-ADCS* diff --git a/ansible/files/adcs/templates/ESC1.json b/ansible/files/adcs/templates/ESC1.json new file mode 100644 index 0000000..a102696 Binary files /dev/null and b/ansible/files/adcs/templates/ESC1.json differ diff --git a/ansible/files/adcs/templates/ESC2.json b/ansible/files/adcs/templates/ESC2.json new file mode 100644 index 0000000..82414d6 Binary files /dev/null and b/ansible/files/adcs/templates/ESC2.json differ diff --git a/ansible/files/adcs/templates/ESC3-CRA.json b/ansible/files/adcs/templates/ESC3-CRA.json new file mode 100644 index 0000000..2882ef5 Binary files /dev/null and b/ansible/files/adcs/templates/ESC3-CRA.json differ diff --git a/ansible/files/adcs/templates/ESC3.json b/ansible/files/adcs/templates/ESC3.json new file mode 100644 index 0000000..fb346c7 Binary files /dev/null and b/ansible/files/adcs/templates/ESC3.json differ diff --git a/ansible/files/adcs/templates/ESC4.json b/ansible/files/adcs/templates/ESC4.json new file mode 100644 index 0000000..a5f29a3 Binary files /dev/null and b/ansible/files/adcs/templates/ESC4.json differ diff --git a/ansible/files/software/BgInfo.bgi b/ansible/files/software/BgInfo.bgi new file mode 100644 index 0000000..ecd219f Binary files /dev/null and b/ansible/files/software/BgInfo.bgi differ diff --git a/ansible/files/software/BgInfo.exe b/ansible/files/software/BgInfo.exe new file mode 100644 index 0000000..76d3d31 Binary files /dev/null and b/ansible/files/software/BgInfo.exe differ diff --git a/ansible/files/software/PsExec64.exe b/ansible/files/software/PsExec64.exe new file mode 100644 index 0000000..db94608 Binary files /dev/null and b/ansible/files/software/PsExec64.exe differ diff --git a/ansible/files/software/Sysmon64.exe b/ansible/files/software/Sysmon64.exe new file mode 100644 index 0000000..8d72282 Binary files /dev/null and b/ansible/files/software/Sysmon64.exe differ diff --git a/ansible/files/software/googlechromestandaloneenterprise64.msi b/ansible/files/software/googlechromestandaloneenterprise64.msi new file mode 100644 index 0000000..b958b6f Binary files /dev/null and b/ansible/files/software/googlechromestandaloneenterprise64.msi differ diff --git a/ansible/files/software/npp.exe b/ansible/files/software/npp.exe new file mode 100644 index 0000000..3ca17fa Binary files /dev/null and b/ansible/files/software/npp.exe differ diff --git a/ansible/files/software/sysmonconfig-export.xml b/ansible/files/software/sysmonconfig-export.xml new file mode 100644 index 0000000..028d373 --- /dev/null +++ b/ansible/files/software/sysmonconfig-export.xml @@ -0,0 +1,1200 @@ + + + + + md5,sha256,IMPHASH + + + + + + + + + + + + + + + + + "C:\Windows\system32\wermgr.exe" "-queuereporting_svc" + C:\Windows\system32\DllHost.exe /Processid + C:\Windows\system32\wbem\wmiprvse.exe -Embedding + C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding + C:\Windows\system32\wermgr.exe -upload + C:\Windows\system32\SearchIndexer.exe /Embedding + C:\windows\system32\wermgr.exe -queuereporting + \??\C:\Windows\system32\autochk.exe * + \SystemRoot\System32\smss.exe + C:\Windows\System32\RuntimeBroker.exe -Embedding + C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe + C:\Windows\System32\TokenBrokerCookies.exe + C:\Windows\System32\plasrv.exe + C:\Windows\System32\wifitask.exe + C:\Windows\system32\CompatTelRunner.exe + C:\Windows\system32\PrintIsolationHost.exe + C:\Windows\system32\SppExtComObj.Exe + C:\Windows\system32\audiodg.exe + C:\Windows\system32\conhost.exe + C:\Windows\system32\mobsync.exe + C:\Windows\system32\musNotification.exe + C:\Windows\system32\musNotificationUx.exe + C:\Windows\system32\powercfg.exe + C:\Windows\system32\sndVol.exe + C:\Windows\system32\sppsvc.exe + C:\Windows\system32\wbem\WmiApSrv.exe + AppContainer + %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows + C:\windows\system32\wermgr.exe -queuereporting + C:\WINDOWS\system32\devicecensus.exe UserCxt + C:\Windows\System32\usocoreworker.exe -Embedding + C:\Windows\system32\SearchIndexer.exe + + C:\Windows\system32\svchost.exe -k appmodel -s StateRepository + C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc + C:\Windows\system32\svchost.exe -k appmodel + C:\Windows\system32\svchost.exe -k appmodel -p -s tiledatamodelsvc + C:\Windows\system32\svchost.exe -k camera -s FrameServer + C:\Windows\system32\svchost.exe -k dcomlaunch -s LSM + C:\Windows\system32\svchost.exe -k dcomlaunch -s PlugPlay + C:\Windows\system32\svchost.exe -k defragsvc + C:\Windows\system32\svchost.exe -k devicesflow -s DevicesFlowUserSvc + C:\Windows\system32\svchost.exe -k imgsvc + C:\Windows\system32\svchost.exe -k localService -s EventSystem + C:\Windows\system32\svchost.exe -k localService -s bthserv + C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc + C:\Windows\system32\svchost.exe -k localService -s nsi + C:\Windows\system32\svchost.exe -k localService -s w32Time + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s Dhcp + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s EventLog + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s TimeBrokerSvc + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -s WFDSConMgrSvc + C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s BTAGService + C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SensrSvc + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -p -s SSDPSRV + C:\Windows\system32\svchost.exe -k localServiceNoNetwork + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s WPDBusEnum + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s fhsvc + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s DeviceAssociationService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s NcbService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s SensorService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s TabletInputService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s UmRdpService + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WPDBusEnum + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -p -s NgcSvc + C:\Windows\system32\svchost.exe -k localServiceNetworkRestricted -p -s NgcCtnrSvc + C:\Windows\system32\svchost.exe -k localServiceAndNoImpersonation -s SCardSvr + C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv + C:\Windows\System32\svchost.exe -k netsvcs -p -s SessionEnv + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted -s WdiSystemHost + C:\Windows\System32\svchost.exe -k localSystemNetworkRestricted -p -s WdiSystemHost + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted + C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc + C:\Windows\system32\svchost.exe -k netsvcs -p -s ncaSvc + C:\Windows\system32\svchost.exe -k netsvcs -s BDESVC + C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC + C:\Windows\system32\svchost.exe -k netsvcs -p -s BITS + C:\Windows\system32\svchost.exe -k netsvcs -s BITS + C:\Windows\system32\svchost.exe -k netsvcs -s CertPropSvc + C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc + C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo + C:\Windows\system32\svchost.exe -k netsvcs -s Gpsvc + C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc + C:\Windows\system32\svchost.exe -k netsvcs -s SENS + C:\Windows\system32\svchost.exe -k netsvcs -s SessionEnv + C:\Windows\system32\svchost.exe -k netsvcs -s Themes + C:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt + C:\Windows\system32\svchost.exe -k netsvcs + C:\Windows\system32\svchost.exe -k networkService -p -s DoSvc + C:\Windows\system32\svchost.exe -k networkService -s Dnscache + C:\Windows\system32\svchost.exe -k networkService -s LanmanWorkstation + C:\Windows\system32\svchost.exe -k networkService -s NlaSvc + C:\Windows\system32\svchost.exe -k networkService -s TermService + C:\Windows\system32\svchost.exe -k networkService + C:\Windows\system32\svchost.exe -k networkService -p + C:\Windows\system32\svchost.exe -k networkServiceNetworkRestricted + C:\Windows\system32\svchost.exe -k rPCSS + C:\Windows\system32\svchost.exe -k secsvcs + C:\Windows\system32\svchost.exe -k swprv + C:\Windows\system32\svchost.exe -k unistackSvcGroup + C:\Windows\system32\svchost.exe -k utcsvc + C:\Windows\system32\svchost.exe -k wbioSvcGroup + C:\Windows\system32\svchost.exe -k werSvcGroup + C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc + C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC + C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc + C:\Windows\system32\svchost.exe -k wsappx -s ClipSVC + C:\Windows\system32\svchost.exe -k wsappx + C:\Windows\system32\svchost.exe -k netsvcs + C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted + C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM + + "C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type= + + C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe + C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe + C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe + C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe + C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe + C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe + C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe + + C:\Program Files\Microsoft Office\Office16\MSOSYNC.EXE + C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE + C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE + C:\Program Files\Microsoft Office\Office16\msoia.exe + C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe + + C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe + C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe + C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe + + C:\Program Files\Windows Media Player\wmpnscfg.exe + + "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type= + "C:\Program Files\Google\Chrome\Application\chrome.exe" --type= + + + + + + + + + + C:\Users + .exe + \Device\HarddiskVolumeShadowCopy + + + + + + OneDrive.exe + C:\Windows\system32\backgroundTaskHost.exe + setup + install + Update\ + redist.exe + msiexec.exe + TrustedInstaller.exe + \NVIDIA\NvBackend\ApplicationOntology\ + + + + + + + + + + + + + + + + + C:\Users + C:\Recycle + C:\ProgramData + C:\Windows\Temp + \ + C:\perflogs + C:\intel + C:\Windows\fonts + C:\Windows\system32\config + + at.exe + certutil.exe + cmd.exe + cmstp.exe + cscript.exe + driverquery.exe + dsquery.exe + hh.exe + infDefaultInstall.exe + java.exe + javaw.exe + javaws.exe + mmc.exe + msbuild.exe + mshta.exe + msiexec.exe + nbtstat.exe + net.exe + net1.exe + notepad.exe + nslookup.exe + powershell.exe + powershell_ise.exe + qprocess.exe + qwinsta.exe + qwinsta.exe + reg.exe + regsvcs.exe + regsvr32.exe + rundll32.exe + rwinsta.exe + sc.exe + schtasks.exe + taskkill.exe + tasklist.exe + wmic.exe + wscript.exe + + bitsadmin.exe + esentutl.exe + expand.exe + extrac32.exe + findstr.exe + GfxDownloadWrapper.exe + ieexec.exe + makecab.exe + replace.exe + Excel.exe + Powerpnt.exe + Winword.exe + squirrel.exe + + nc.exe + ncat.exe + psexec.exe + psexesvc.exe + tor.exe + vnc.exe + vncservice.exe + vncviewer.exe + winexesvc.exe + nmap.exe + psinfo.exe + + 22 + 23 + 25 + 143 + 3389 + 5800 + 5900 + 4444 + + 1080 + 3128 + 8080 + + 1723 + 9001 + 9030 + + + + + + + C:\ProgramData\Microsoft\Windows Defender\Platform\ + AppData\Local\Microsoft\Teams\current\Teams.exe + .microsoft.com + microsoft.com.akadns.net + microsoft.com.nsatc.net + + 23.4.43.27 + 72.21.91.29 + + 127.0.0.1 + fe80:0:0:0 + + + + + + + + + + + + + + + C:\Users + \ + + + + + + + + + + + + + + + + microsoft + windows + Intel + + + + + + + + + + + + + + + + + + + + + + C:\Windows\system32\wbem\WmiPrvSE.exe + C:\Windows\system32\svchost.exe + C:\Windows\system32\wininit.exe + C:\Windows\system32\csrss.exe + C:\Windows\system32\services.exe + C:\Windows\system32\winlogon.exe + C:\Windows\system32\audiodg.exe + C:\Windows\system32\kernel32.dll + C:\Program Files (x86)\Google\Chrome\Application\chrome.exe + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \Start Menu + \Startup\ + \Content.Outlook\ + \Downloads\ + .application + .appref-ms + .bat + .chm + .cmd + .cmdline + .crx + .dmp + .docm + .dll + .exe + .exe.log + .jar + .jnlp + .jse + .hta + .job + .pptm + .ps1 + .sct + .sys + .scr + .vbe + .vbs + .wsc + .wsf + .xlsm + .ocx + proj + .sln + .xls + C:\Users\Default + C:\Windows\system32\Drivers + C:\Windows\SysWOW64\Drivers + C:\Windows\system32\GroupPolicy\Machine\Scripts + C:\Windows\system32\GroupPolicy\User\Scripts + C:\Windows\system32\Wbem + C:\Windows\SysWOW64\Wbem + C:\Windows\system32\WindowsPowerShell + C:\Windows\SysWOW64\WindowsPowerShell + C:\Windows\Tasks\ + C:\Windows\system32\Tasks + C:\Windows\SysWOW64\Tasks + \Device\HarddiskVolumeShadowCopy + + C:\Windows\AppPatch\Custom + VirtualStore + + .xls + .ppt + .rtf + + + + + + + C:\Program Files (x86)\EMET 5.5\EMET_Service.exe + + C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe + + C:\Windows\system32\smss.exe + C:\Windows\system32\CompatTelRunner.exe + \\?\C:\Windows\system32\wbem\WMIADAP.EXE + C:\Windows\system32\mobsync.exe + C:\Windows\system32\DriverStore\Temp\ + C:\Windows\system32\wbem\Performance\ + C:\Windows\Installer\ + + C:\$WINDOWS.~BT\Sources\ + C:\Windows\winsxs\amd64_microsoft-windows + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CurrentVersion\Run + Policies\Explorer\Run + Group Policy\Scripts + Windows\System\Scripts + CurrentVersion\Windows\Load + CurrentVersion\Windows\Run + CurrentVersion\Winlogon\Shell + CurrentVersion\Winlogon\System + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit + HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 + HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug + UserInitMprLogonScript + user shell folders\startup + + \ServiceDll + \ServiceManifest + \ImagePath + \Start + + Control\Terminal Server\WinStations\RDP-Tcp\PortNumber + Control\Terminal Server\fSingleSessionPerUser + fDenyTSConnections + LastLoggedOnUser + RDP-tcp\PortNumber + Services\PortProxy\v4tov4 + + \command\ + \ddeexec\ + {86C86720-42A0-1069-A2E8-08002B30309D} + exefile + + \InprocServer32\(Default) + + \Hidden + \ShowSuperHidden + \HideFileExt + + Classes\*\ + Classes\AllFilesystemObjects\ + Classes\Directory\ + Classes\Drive\ + Classes\Folder\ + Classes\PROTOCOLS\ + ContextMenuHandlers\ + CurrentVersion\Shell + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjectDelayLoad + HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers + + HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ + + HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ + + HKLM\SYSTEM\CurrentControlSet\Services\WinSock + \ProxyServer + + HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ + HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders + HKLM\Software\Microsoft\Netsh + Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable + + HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ + HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles + \EnableFirewall + \DoNotAllowExceptions + HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List + HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ + HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\ + HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\ + + Microsoft\Office\Outlook\Addins\ + Office Test\ + Security\Trusted Documents\TrustRecords + \EnableBHO + + Internet Explorer\Toolbar\ + Internet Explorer\Extensions\ + Browser Helper Objects\ + \DisableSecuritySettingsCheck + \3\1206 + \3\2500 + \3\1809 + + HKLM\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ + HKLM\Software\Classes\WOW6432Node\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\ + HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ + HKLM\Software\Classes\WOW6432Node\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\ + + \UrlUpdateInfo + \InstallSource + \EulaAccepted + + \DisableAntiSpyware + \DisableAntiVirus + \SpynetReporting + DisableRealtimeMonitoring + \SubmitSamplesConsent + HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\ + + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + + HKLM\Software\Microsoft\Security Center\ + SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom + HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB + VirtualStore + + HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ + HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\ + HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\ + HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\ + \FriendlyName + HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress\(Default) + HKLM\Software\Microsoft\Tracing\RASAPI32 + HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ + \Keyboard Layout\Preload + \Keyboard Layout\Substitutes + + \LowerCaseLongPath + \Publisher + \BinProductVersion + \DriverVersion + \DriverVerVersion + \LinkDate + Compatibility Assistant\Store\ + + regedit.exe + \ + + + + + + + + \{CAFEEFAC- + CreateKey + HKLM\COMPONENTS + + HKLM\Software\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache + + Toolbar\WebBrowser + Browser\ITBar7Height + Browser\ITBar7Layout + Internet Explorer\Toolbar\Locked + Toolbar\WebBrowser\{47833539-D0C5-4125-9FA8-0819E2EAAC93} + }\PreviousPolicyAreas + \Control\WMI\Autologger\ + HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc\Start + \Lsa\OfflineJoin\CurrentValue + HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ + _Classes\AppX + HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\ + + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaPid + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache + HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains + + \Services\BITS\Start + \services\clr_optimization_v2.0.50727_32\Start + \services\clr_optimization_v2.0.50727_64\Start + \services\clr_optimization_v4.0.30319_32\Start + \services\clr_optimization_v4.0.30319_64\Start + \services\deviceAssociationService\Start + \services\fhsvc\Start + \services\nal\Start + \services\trustedInstaller\Start + \services\tunnel\Start + \services\usoSvc\Start + + \UserChoice\ProgId + \UserChoice\Hash + \OpenWithList\MRUList + Shell Extentions\Cached + + HKLM\System\CurrentControlSet\Control\Lsa\Audit\SpecialGroups + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\PSScriptOrder + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\SOM-ID + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\GPO-ID + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\IsPowershell + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0\ExecTime + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\PSScriptOrder + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\SOM-ID + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\GPO-ID + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\IsPowershell + SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\0\ExecTime + \safer\codeidentifiers\0\HASHES\{ + + VirtualStore\MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\ + HKLM\SOFTWARE\Microsoft\Office\ClickToRun\ + + C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe + HKCR\VLC. + HKCR\iTunes. + + HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{945a8954-c147-4acd-923f-40c45405a658} + + + + + + + + + + + Downloads + Temp\7z + Startup + .bat + .cmd + .doc + .hta + .jse + .lnk + .ppt + .ps1 + .ps2 + .reg + .sct + .vb + .vbe + .vbs + .wsc + .wsf + + + + + + + + + + + + + + + + + + + + + + + + + + paexec;remcom;csexec + + \lsadump;\cachedump;\wceservicepipe + + \isapi_http;\isapi_dg;\isapi_dg2;\sdlrpc;\ahexec;\winsession;\lsassw;\46a676ab7f179e511e30dd2dc41bd388;\9f81f59bc58452127884ce513865ed20;\e710f28d59aa529d6792ca6ff0ca1b34;\rpchlp_3;\NamePipe_MoreWindows;\pcheap_reuse;\gruntsvc;\583da945-62af-10e8-4902-a8f205c72b2e;\bizkaz;\svcctl;\Posh;\jaccdpqnvbrrxlaf;\csexecsvc + \atctl;\userpipe;\iehelper;\sdlrpc;\comnap + + MSSE-;-server + \postex_ + \postex_ssh_ + \status_ + \msagent_ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + .arpa. + .arpa + .msftncsi.com + ..localmachine + localhost + + -pushp.svc.ms + .b-msedge.net + .bing.com + .hotmail.com + .live.com + .live.net + .s-microsoft.com + .microsoft.com + .microsoftonline.com + .microsoftstore.com + .ms-acdc.office.com + .msedge.net + .msn.com + .msocdn.com + .skype.com + .skype.net + .windows.com + .windows.net.nsatc.net + .windowsupdate.com + .xboxlive.com + login.windows.net + C:\ProgramData\Microsoft\Windows Defender\Platform\ + + .activedirectory.windowsazure.com + .aria.microsoft.com + .msauth.net + .msftauth.net + .office.net + .opinsights.azure.com + .res.office365.com + acdc-direct.office.com + atm-fp-direct.office.com + loki.delve.office.com + management.azure.com + messaging.office.com + outlook.office365.com + portal.azure.com + protection.outlook.com + substrate.office.com + .measure.office.com + + .adobe.com + .adobe.io + .mozaws.net + .mozilla.com + .mozilla.net + .mozilla.org + .spotify.com + .spotify.map.fastly.net + .wbx2.com + .webex.com + clients1.google.com + clients2.google.com + clients3.google.com + clients4.google.com + clients5.google.com + clients6.google.com + safebrowsing.googleapis.com + + .akadns.net + .netflix.com + aspnetcdn.com + ajax.googleapis.com + cdnjs.cloudflare.com + fonts.googleapis.com + .typekit.net + cdnjs.cloudflare.com + .stackassets.com + .steamcontent.com + play.google.com + content-autofill.googleapis.com + + .disqus.com + .fontawesome.com + disqus.com + + .1rx.io + .2mdn.net + .3lift.com + .adadvisor.net + .adap.tv + .addthis.com + .adform.net + .adnxs.com + .adroll.com + .adrta.com + .adsafeprotected.com + .adsrvr.org + .adsymptotic.com + .advertising.com + .agkn.com + .amazon-adsystem.com + .amazon-adsystem.com + .analytics.yahoo.com + .aol.com + .betrad.com + .bidswitch.net + .casalemedia.com + .chartbeat.net + .cnn.com + .convertro.com + .criteo.com + .criteo.net + .crwdcntrl.net + .demdex.net + .domdex.com + .dotomi.com + .doubleclick.net + .doubleverify.com + .emxdgt.com + .everesttech.net + .exelator.com + .google-analytics.com + .googleadservices.com + .googlesyndication.com + .googletagmanager.com + .googlevideo.com + .gstatic.com + .gvt1.com + .gvt2.com + .ib-ibi.com + .jivox.com + .krxd.net + .lijit.com + .mathtag.com + .moatads.com + .moatpixel.com + .mookie1.com + .myvisualiq.net + .netmng.com + .nexac.com + .openx.net + .optimizely.com + .outbrain.com + .pardot.com + .phx.gbl + .pinterest.com + .pubmatic.com + .quantcount.com + .quantserve.com + .revsci.net + .rfihub.net + .rlcdn.com + .rubiconproject.com + .scdn.co + .scorecardresearch.com + .serving-sys.com + .sharethrough.com + .simpli.fi + .sitescout.com + .smartadserver.com + .snapads.com + .spotxchange.com + .taboola.com + .taboola.map.fastly.net + .tapad.com + .tidaltv.com + .trafficmanager.net + .tremorhub.com + .tribalfusion.com + .turn.com + .twimg.com + .tynt.com + .w55c.net + .ytimg.com + .zorosrv.com + 1rx.io + adservice.google.com + ampcid.google.com + clientservices.googleapis.com + googleadapis.l.google.com + imasdk.googleapis.com + l.google.com + ml314.com + mtalk.google.com + update.googleapis.com + www.googletagservices.com + + .pscp.tv + + .amazontrust.com + .digicert.com + .globalsign.com + .globalsign.net + .intel.com + .symcb.com + .symcd.com + .thawte.com + .usertrust.com + .verisign.com + ocsp.identrust.com + pki.goog + msocsp.com + ocsp.comodoca.com + ocsp.entrust.net + ocsp.godaddy.com + ocsp.int-x3.letsencrypt.org + ocsp.msocsp.com + pki.goog + ocsp.godaddy.com + amazontrust.com + ocsp.sectigo.com + pki-goog.l.google.com + .usertrust.com + ocsp.comodoca.com + ocsp.verisign.com + ocsp.entrust.net + ocsp.identrust.com + status.rapidssl.com + status.thawte.com + ocsp.int-x3.letsencrypt.org + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/ansible/group_vars/all/connectors.yaml b/ansible/group_vars/all/connectors.yaml new file mode 100644 index 0000000..b378f0b --- /dev/null +++ b/ansible/group_vars/all/connectors.yaml @@ -0,0 +1,10 @@ +linux_connector : "paramiko" +linux_port : "22" +win_connector : "winrm" +win_port : "5985" +ansible_connection : "{{ win_connector }}" +ansible_user : "{{ default_win_username }}" +ansible_password : "{{ default_win_password }}" +ansible_winrm_transport : basic +ansible_port : "{{ win_port }}" +ansible_winrm_server_cert_validation : ignore diff --git a/ansible/group_vars/all/main.yaml b/ansible/group_vars/all/main.yaml new file mode 100644 index 0000000..280d0d3 --- /dev/null +++ b/ansible/group_vars/all/main.yaml @@ -0,0 +1,57 @@ +proxmox_hostname : "{{ lookup('ansible.builtin.env', 'proxmox_hostname') }}" +proxmox_username : "{{ lookup('ansible.builtin.env', 'proxmox_username') }}" +proxmox_api_token_id : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_id') }}" +proxmox_api_token_secret : "{{ lookup('ansible.builtin.env', 'proxmox_api_token_secret') }}" +proxmox_node : "{{ lookup('ansible.builtin.env', 'proxmox_node') }}" + +default_win_username : "{{ lookup('ansible.builtin.env', 'windows_username') }}" +default_win_password : "{{ lookup('ansible.builtin.env', 'windows_password') }}" +default_win_safemode_password : "{{ lookup('ansible.builtin.env', 'windows_safemode_password') }}" +default_win_user_password : "{{ lookup('ansible.builtin.env', 'windows_user_password') }}" +default_win_svc_password : "{{ lookup('ansible.builtin.env', 'windows_svc_password') }}" + +default_linux_username : "{{ lookup('ansible.builtin.env', 'linux_username') }}" +default_linux_password : "{{ lookup('ansible.builtin.env', 'linux_password') }}" + +windows_server_template_id : "{{ lookup('ansible.builtin.env', 'windows_server_template_id') }}" +windows_server_template_name : "{{ lookup('ansible.builtin.env', 'windows_server_template_name') }}" +windows_desktop_template_id : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_id') }}" +windows_desktop_template_name : "{{ lookup('ansible.builtin.env', 'windows_desktop_template_name') }}" +linux_server_template_id : "{{ lookup('ansible.builtin.env', 'linux_server_template_id') }}" +linux_server_template_name : "{{ lookup('ansible.builtin.env', 'linux_server_template_name') }}" +kali_template_id : "{{ lookup('ansible.builtin.env', 'kali_template_id') }}" +kali_template_name : "{{ lookup('ansible.builtin.env', 'kali_template_name') }}" + +main_domain_name : "{{ lookup('ansible.builtin.env', 'main_domain_name') }}" +tree_domain_name : "{{ lookup('ansible.builtin.env', 'tree_domain_name') }}" +child_domain_name : "{{ lookup('ansible.builtin.env', 'child_domain_name') }}" +main_dc01_hostname : "{{ lookup('ansible.builtin.env', 'main_dc01_hostname') }}" +main_dc01_vmid : "{{ lookup('ansible.builtin.env', 'main_dc01_vmid') }}" +tree_dc02_hostname : "{{ lookup('ansible.builtin.env', 'tree_dc02_hostname') }}" +tree_dc02_vmid : "{{ lookup('ansible.builtin.env', 'tree_dc02_vmid') }}" +child_dc03_hostname : "{{ lookup('ansible.builtin.env', 'child_dc03_hostname') }}" +child_dc03_vmid : "{{ lookup('ansible.builtin.env', 'child_dc03_vmid') }}" +main_mssql01_hostname : "{{ lookup('ansible.builtin.env', 'main_mssql01_hostname') }}" +main_mssql01_vmid : "{{ lookup('ansible.builtin.env', 'main_mssql01_vmid') }}" +main_mssql02_hostname : "{{ lookup('ansible.builtin.env', 'main_mssql02_hostname') }}" +main_mssql02_vmid : "{{ lookup('ansible.builtin.env', 'main_mssql02_vmid') }}" +main_web01_hostname : "{{ lookup('ansible.builtin.env', 'main_web01_hostname') }}" +main_web01_vmid : "{{ lookup('ansible.builtin.env', 'main_web01_vmid') }}" +main_adcs01_hostname : "{{ lookup('ansible.builtin.env', 'main_adcs01_hostname') }}" +main_adcs01_vmid : "{{ lookup('ansible.builtin.env', 'main_adcs01_vmid') }}" +main_linux_srv01_hostname : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_hostname') }}" +main_linux_srv01_vmid : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_vmid') }}" +kali_attackbox_hostname : "{{ lookup('ansible.builtin.env', 'kali_attackbox_hostname') }}" +kali_attackbox_vmid : "{{ lookup('ansible.builtin.env', 'kali_attackbox_vmid') }}" + +main_dc01_ip_address : "{{ lookup('ansible.builtin.env', 'main_dc01_ip_address') }}" +tree_dc02_ip_address : "{{ lookup('ansible.builtin.env', 'tree_dc02_ip_address') }}" +child_dc03_ip_address : "{{ lookup('ansible.builtin.env', 'child_dc03_ip_address') }}" +main_mssql01_ip_address : "{{ lookup('ansible.builtin.env', 'main_mssql01_ip_address') }}" +main_mssql02_ip_address : "{{ lookup('ansible.builtin.env', 'main_mssql02_ip_address') }}" +main_web01_ip_address : "{{ lookup('ansible.builtin.env', 'main_web01_ip_address') }}" +main_adcs01_ip_address : "{{ lookup('ansible.builtin.env', 'main_adcs01_ip_address') }}" +main_workstation01_ip_address : "{{ lookup('ansible.builtin.env', 'main_workstation01_ip_address') }}" +main_linux_srv01_ip_address : "{{ lookup('ansible.builtin.env', 'main_linux_srv01_ip_address') }}" +kali_attackbox_ip_address : "{{ lookup('ansible.builtin.env', 'kali_attackbox_ip_address') }}" +network_gateway : "{{ lookup('ansible.builtin.env', 'network_gateway') }}" diff --git a/ansible/main.yaml b/ansible/main.yaml new file mode 100644 index 0000000..cb46c17 --- /dev/null +++ b/ansible/main.yaml @@ -0,0 +1,45 @@ +- name: deploy active directory range on proxmox + hosts: localhost + gather_facts: no + tasks: + - name: deploy main domain vm on proxmox + include_role: + name: proxmox_vm + vars: + template: "{{ windows_server_template_name }}" + id: "{{ windows_server_template_id }}" + vm: "{{ main_dc01_hostname }}" + newid: "{{ main_dc01_vmid }}" + vmid: "{{ main_dc01_vmid }}" + ip: "{{ main_dc01_ip_address }}" + gateway: "{{ network_gateway }}" + dns: "8.8.8.8" + hostname: "{{ main_dc01_hostname }}" + domain: "{{ main_domain_name }}" + fqdn: "{{ main_dc01_hostname }}.{{ main_domain_name }}" + + - name: add windows vm to in-memory inventory + add_host: + name: "{{ main_dc01_hostname }}.{{ main_domain_name }}" + ansible_host: "{{ main_dc01_ip_address }}" + ansible_connection: "{{ win_connector }}" + ansible_user: "{{ default_win_username }}" + ansible_password: "{{ default_win_password }}" + ansible_port: "{{ win_port }}" + ansible_winrm_transport: basic + ansible_winrm_server_cert_validation: ignore + changed_when: false + +- name: configure windows domain controller + hosts: "{{ main_dc01_hostname }}.{{ main_domain_name }}" + gather_facts: no + vars_files: + - group_vars/all/connectors.yaml + - group_vars/all/main.yaml + tasks: + - name: configure windows dc + include_role: + name: dc01 + vars: + hostname: "{{ main_dc01_hostname }}" + domain_name: "{{ main_domain_name }}" diff --git a/ansible/roles/dc01/tasks/cleanup.yaml b/ansible/roles/dc01/tasks/cleanup.yaml new file mode 100644 index 0000000..e30df58 --- /dev/null +++ b/ansible/roles/dc01/tasks/cleanup.yaml @@ -0,0 +1,3 @@ +- name: "{{ ansible_host }}: execute cleanup.ps1" + ansible.windows.win_powershell: + script: C:\scripts\cleanup.ps1 diff --git a/ansible/roles/dc01/tasks/init.yaml b/ansible/roles/dc01/tasks/init.yaml new file mode 100644 index 0000000..afd2820 --- /dev/null +++ b/ansible/roles/dc01/tasks/init.yaml @@ -0,0 +1,3 @@ +- name: "{{ ansible_host }}: execute init.ps1" + ansible.windows.win_powershell: + script: C:\scripts\init.ps1 diff --git a/ansible/roles/dc01/tasks/install_software.yaml b/ansible/roles/dc01/tasks/install_software.yaml new file mode 100644 index 0000000..4c43d2b --- /dev/null +++ b/ansible/roles/dc01/tasks/install_software.yaml @@ -0,0 +1,3 @@ +- name: "{{ ansible_host }}: execute install-software.ps1" + ansible.windows.win_powershell: + script: C:\scripts\install-software.ps1 diff --git a/ansible/roles/dc01/tasks/main.yaml b/ansible/roles/dc01/tasks/main.yaml new file mode 100644 index 0000000..2ce79c9 --- /dev/null +++ b/ansible/roles/dc01/tasks/main.yaml @@ -0,0 +1,41 @@ +- name: wait for winrm to be available + ansible.builtin.wait_for: + host: "{{ ansible_host }}" + port: "{{ ansible_port }}" + timeout: 300 + delegate_to: localhost + vars: + ansible_connection: local + +- name: execute init.ps1 + import_tasks: init.yaml + +- name: set hostname + import_tasks: set_hostname.yaml + +- name: reboot after hostname change + import_tasks: reboot.yaml + +- name: execute setup-main-domain.ps1 + import_tasks: setup_domain.yaml + +- name: reboot after domain setup + import_tasks: reboot.yaml + +- name: execute dc-wait-for-ready.ps1 + import_tasks: wait_for_ready.yaml + +- name: execute populate-ad.ps1 + import_tasks: populate_ad.yaml + +- name: execute setup-gpo.ps1 as domain admin + import_tasks: setup_gpo.yaml + +- name: reboot after gpo setup + import_tasks: reboot.yaml + +- name: execute install-software.ps1 + import_tasks: install_software.yaml + +- name: execute cleanup.ps1 + import_tasks: cleanup.yaml diff --git a/ansible/roles/dc01/tasks/populate_ad.yaml b/ansible/roles/dc01/tasks/populate_ad.yaml new file mode 100644 index 0000000..1cc0308 --- /dev/null +++ b/ansible/roles/dc01/tasks/populate_ad.yaml @@ -0,0 +1,7 @@ +- name: "{{ ansible_host }}: execute populate-ad.ps1" + ansible.windows.win_powershell: + script: C:\scripts\populate-ad.ps1 + parameters: + DomainName: "{{ domain_name }}" + UserPassword: "{{ default_win_user_password }}" + SvcPassword: "{{ default_win_svc_password }}" diff --git a/ansible/roles/dc01/tasks/reboot.yaml b/ansible/roles/dc01/tasks/reboot.yaml new file mode 100644 index 0000000..6c17c3d --- /dev/null +++ b/ansible/roles/dc01/tasks/reboot.yaml @@ -0,0 +1,3 @@ +- name: "{{ ansible_host }}: reboot" + ansible.windows.win_reboot: + reboot_timeout: 3600 diff --git a/ansible/roles/dc01/tasks/set_hostname.yaml b/ansible/roles/dc01/tasks/set_hostname.yaml new file mode 100644 index 0000000..7cca168 --- /dev/null +++ b/ansible/roles/dc01/tasks/set_hostname.yaml @@ -0,0 +1,2 @@ +- name: "{{ ansible_host }}: set hostname" + ansible.windows.win_shell: Rename-Computer -NewName "{{ hostname }}" -Force diff --git a/ansible/roles/dc01/tasks/setup_domain.yaml b/ansible/roles/dc01/tasks/setup_domain.yaml new file mode 100644 index 0000000..43fcfc4 --- /dev/null +++ b/ansible/roles/dc01/tasks/setup_domain.yaml @@ -0,0 +1,6 @@ +- name: "{{ ansible_host }}: execute setup-main-domain.ps1" + ansible.windows.win_powershell: + script: C:\scripts\setup-main-domain.ps1 + parameters: + DomainName: "{{ domain_name }}" + SafeModePassword: "{{ default_win_safemode_password }}" diff --git a/ansible/roles/dc01/tasks/setup_gpo.yaml b/ansible/roles/dc01/tasks/setup_gpo.yaml new file mode 100644 index 0000000..aa84237 --- /dev/null +++ b/ansible/roles/dc01/tasks/setup_gpo.yaml @@ -0,0 +1,7 @@ +- name: "{{ ansible_host }}: execute setup-gpo.ps1 as domain admin" + ansible.windows.win_command: powershell.exe -ExecutionPolicy Bypass -File C:\scripts\setup-gpo.ps1 -DomainName "{{ domain_name }}" + become: yes + become_method: runas + become_user: "{{ domain_name }}\\Administrator" + vars: + ansible_become_password: "{{ default_win_password }}" diff --git a/ansible/roles/dc01/tasks/wait_for_ready.yaml b/ansible/roles/dc01/tasks/wait_for_ready.yaml new file mode 100644 index 0000000..c43431c --- /dev/null +++ b/ansible/roles/dc01/tasks/wait_for_ready.yaml @@ -0,0 +1,3 @@ +- name: "{{ ansible_host }}: execute dc-wait-for-ready.ps1" + ansible.windows.win_powershell: + script: C:\scripts\dc-wait-for-ready.ps1 diff --git a/ansible/roles/proxmox_vm/tasks/create_vm.yaml b/ansible/roles/proxmox_vm/tasks/create_vm.yaml new file mode 100644 index 0000000..21645b9 --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/create_vm.yaml @@ -0,0 +1,16 @@ +--- +- name: "create vm from template" + community.general.proxmox_kvm: + api_host: "{{ proxmox_hostname }}" + api_user: "{{ proxmox_username }}" + api_token_id: "{{ proxmox_api_token_id }}" + api_token_secret: "{{ proxmox_api_token_secret }}" + node: "{{ proxmox_node }}" + clone: "{{ template }}" + vmid: "{{ id }}" + newid: "{{ newid | int }}" + name: "{{ vm }}" + full: true + storage: "local-lvm" + timeout: 1337 + register: clone_result diff --git a/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml b/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml new file mode 100644 index 0000000..df6da92 --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/enable_qemu_guest_agent.yaml @@ -0,0 +1,12 @@ +--- +- name: "vmid {{ clone_result.vmid }}: enabling qemu guest agent via proxmox api" + uri: + url: "https://{{ proxmox_hostname }}:8006/api2/json/nodes/{{ proxmox_node }}/qemu/{{ clone_result.vmid }}/config" + method: PUT + headers: + Authorization: "PVEAPIToken={{ proxmox_username }}!{{ proxmox_api_token_id }}={{ proxmox_api_token_secret }}" + body: + agent: 1 + body_format: json + validate_certs: no + diff --git a/ansible/roles/proxmox_vm/tasks/get_ip.yaml b/ansible/roles/proxmox_vm/tasks/get_ip.yaml new file mode 100644 index 0000000..584b44d --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/get_ip.yaml @@ -0,0 +1,29 @@ +--- +- name: "vmid {{ clone_result.vmid }}: getting config via proxmox api" + set_fact: + vm_config: "{{ lookup('url', config_url, validate_certs=False, headers=config_headers) }}" + vars: + config_url: "https://{{ proxmox_hostname }}:8006/api2/json/nodes/{{ proxmox_node }}/qemu/{{ clone_result.vmid }}/agent/network-get-interfaces" + config_headers: + Authorization: "PVEAPIToken={{ proxmox_username }}!{{ proxmox_api_token_id }}={{ proxmox_api_token_secret }}" + +- name: "vmid {{ clone_result.vmid }}: extracting ipv4 address" + set_fact: + vm_ip: >- + {{ + vm_config['data']['result'] + | map(attribute='ip-addresses') + | flatten + | selectattr("ip-address-type", "equalto", "ipv4") + | selectattr("ip-address", "ne", "127.0.0.1") + | map(attribute="ip-address") + | first + }} + +- name: "vmid {{ clone_result.vmid }}: ip address result" + ansible.builtin.debug: + msg: "vmid {{ clone_result.vmid }} ip address is {{ vm_ip }}" + +- name: "vmid {{ clone_result.vmid }}: set ip to {{ vm_ip }}" + set_fact: + ansible_host: "{{ vm_ip }}" diff --git a/ansible/roles/proxmox_vm/tasks/main.yaml b/ansible/roles/proxmox_vm/tasks/main.yaml new file mode 100644 index 0000000..c6abe93 --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/main.yaml @@ -0,0 +1,17 @@ +- name: create vm from template + import_tasks: create_vm.yaml + +- name: enable qemu guest agent + import_tasks: enable_qemu_guest_agent.yaml + +- name: start vm + import_tasks: start_vm.yaml + +- name: get vm ip address + import_tasks: get_ip.yaml + +- name: set vm network configuration + import_tasks: set_network.yaml + +- name: upload files to vm + import_tasks: upload_files.yaml diff --git a/ansible/roles/proxmox_vm/tasks/set_network.yaml b/ansible/roles/proxmox_vm/tasks/set_network.yaml new file mode 100644 index 0000000..20ab31c --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/set_network.yaml @@ -0,0 +1,20 @@ +--- +- name: "vmid {{ clone_result.vmid }}: set up static ip address" + win_shell: | + Start-Transcript -Path C:\set_domain_network_log.txt -Append + Get-NetIpAddress -InterfaceAlias 'Ethernet' | Remove-NetIPAddress -Confirm:$false + New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress "{{ ip }}" -PrefixLength 24 -DefaultGateway "{{ gateway }}" + Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses "{{ dns }}" + Get-NetConnectionProfile -InterfaceAlias 'Ethernet' | Set-NetConnectionProfile -NetworkCategory Private + Stop-Transcript + async: 15 + poll: 0 + delegate_to: "{{ vm_ip }}" + +- name: "vmid {{ clone_result.vmid }}: update ip to {{ ip }}" + set_fact: + ansible_host: "{{ ip }}" + +- name: "vmid {{ clone_result.vmid }}: pause execution for 1 minute to allow ip change and reconnect" + pause: + minutes: 1 diff --git a/ansible/roles/proxmox_vm/tasks/start_vm.yaml b/ansible/roles/proxmox_vm/tasks/start_vm.yaml new file mode 100644 index 0000000..f2ed036 --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/start_vm.yaml @@ -0,0 +1,13 @@ +- name: "start vm" + community.general.proxmox_kvm: + api_host: "{{ proxmox_hostname }}" + api_user: "{{ proxmox_username }}" + api_token_id: "{{ proxmox_api_token_id }}" + api_token_secret: "{{ proxmox_api_token_secret }}" + node: "{{ proxmox_node }}" + vmid: "{{ vmid | int }}" + state: started + +- name: "pause execution for 3 minutes to allow vm to fully boot" + pause: + minutes: 3 diff --git a/ansible/roles/proxmox_vm/tasks/upload_files.yaml b/ansible/roles/proxmox_vm/tasks/upload_files.yaml new file mode 100644 index 0000000..651d203 --- /dev/null +++ b/ansible/roles/proxmox_vm/tasks/upload_files.yaml @@ -0,0 +1,9 @@ +--- +- name: "upload directories" + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + loop: + - { src: ../../../scripts/, dest: C:\scripts\ } + - { src: ../../../files/software/, dest: C:\software\ } + delegate_to: "{{ ansible_host }}" diff --git a/ansible/scripts/cleanup.ps1 b/ansible/scripts/cleanup.ps1 new file mode 100644 index 0000000..8ac42bf --- /dev/null +++ b/ansible/scripts/cleanup.ps1 @@ -0,0 +1,9 @@ +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +Remove-Item -Path C:\tmp -Recurse -Force +Remove-Item -Path C:\setup -Recurse -Force +Remove-Item -Path C:\scripts -Recurse -Force +Remove-Item -Path C:\software -Recurse -Force +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/dc-wait-for-ready.ps1 b/ansible/scripts/dc-wait-for-ready.ps1 new file mode 100644 index 0000000..afdf8ee --- /dev/null +++ b/ansible/scripts/dc-wait-for-ready.ps1 @@ -0,0 +1,17 @@ +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +while ($true) { + try { + Write-Host "[INFO] Checking if domain is ready" + Get-ADDomain + break + } catch { + Write-Host "[INFO] Sleeping for 60s" + Start-Sleep -Seconds 60 + } +} + +Write-Host "[INFO] Domain is ready" +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/init.ps1 b/ansible/scripts/init.ps1 new file mode 100644 index 0000000..d6b9ff7 --- /dev/null +++ b/ansible/scripts/init.ps1 @@ -0,0 +1,10 @@ +New-Item -Path C:\Logs -ItemType Directory -Force +New-Item -Path C:\BgInfo -ItemType Directory -Force +New-Item -Path C:\setup -ItemType Directory -Force + +Write-Host "[INFO] Disabling password complexity policy" +secedit /export /cfg C:\secpol.cfg +(Get-Content C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg +secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY +Remove-Item -Force C:\secpol.cfg -Confirm:$false + diff --git a/ansible/scripts/install-software.ps1 b/ansible/scripts/install-software.ps1 new file mode 100644 index 0000000..db0f10d --- /dev/null +++ b/ansible/scripts/install-software.ps1 @@ -0,0 +1,10 @@ +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue +Start-Process -FilePath "C:\software\Sysmon64.exe" -ArgumentList "-accepteula -i C:\software\sysmonconfig-export.xml" -Wait -Verbose +Start-Process -FilePath "C:\Windows\System32\MsiExec.exe" -ArgumentList "/i C:\software\googlechromestandaloneenterprise64.msi /qb" -Wait -Verbose +Start-Process -FilePath "C:\software\npp.exe" -ArgumentList "/S" -Wait -Verbose +[Microsoft.Win32.Registry]::SetValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "bginfo", "C:\BgInfo\Bginfo.exe C:\BgInfo\BgInfo.bgi /timer:00 /nolicprompt /silent") +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/join-domain.ps1 b/ansible/scripts/join-domain.ps1 new file mode 100644 index 0000000..08c90b2 --- /dev/null +++ b/ansible/scripts/join-domain.ps1 @@ -0,0 +1,14 @@ +param +( + [string]$DomainName = "contoso.com", + [string]$Username = "Administrator", + [string]$Password = "packer" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\$scriptName_log.txt" +Start-Transcript -Path $logFile -Append + +$p = ConvertTo-SecureString $Password -AsPlainText -Force +$c = New-Object System.Management.Automation.PSCredential($Username, $p) +Add-Computer -DomainName $DomainName -Credential $c +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/join-domain.sh b/ansible/scripts/join-domain.sh new file mode 100644 index 0000000..24c87b0 --- /dev/null +++ b/ansible/scripts/join-domain.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +[[ $EUID -ne 0 ]] && printf "%s\n" "run as root" && exit 1 + +while getopts "d:n:p:" arg; do + case $arg in + d) domain="${OPTARG}";; + n) nameserver="${OPTARG}";; + p) password="${OPTARG}";; + esac +done + +DEBIAN_FRONTEND=noninteractive apt-get update -yqq &>/dev/null +DEBIAN_FRONTEND=noninteractive apt-get install -yqq realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit krb5-user &>/dev/null +DEBIAN_FRONTEND=noninteractive apt-get autoremove --purge -yqq &>/dev/null +DEBIAN_FRONTEND=noninteractive apt-get clean &>/dev/null +DEBIAN_FRONTEND=noninteractive apt-get autoclean &>/dev/null + +if systemctl is-active systemd-resolved; then + systemctl disable --now systemd-resolved --no-pager + systemctl mask systemd-resolved --no-pager +fi + +rm -rf /etc/resolv.conf +cat > /etc/resolv.conf << EOF +nameserver ${nameserver} +EOF +chattr +i /etc/resolv.conf + +if realm discover $domain; then + echo $password | realm join $domain + printf "%s\n" "[INFO] Joined ${domain}" +else + printf "%s\n" "[ERR] Failed to discover ${domain}" +fi + +mkdir -p /usr/share/pam-configs &>/dev/null +cat > /usr/share/pam-configs/mkhomedir << EOF +Name: Create home directory on login +Default: yes +Priority: 900 +Session-Type: Additional +Session: + optional pam_mkhomedir.so +EOF +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable mkhomedir diff --git a/ansible/scripts/populate-ad.ps1 b/ansible/scripts/populate-ad.ps1 new file mode 100644 index 0000000..0b57c77 --- /dev/null +++ b/ansible/scripts/populate-ad.ps1 @@ -0,0 +1,318 @@ +param +( + [string]$DomainName = "contoso.com", + [string]$FunctionalLevel = "WinThreshold", + [string]$UserPassword = "User1234!", + [string]$ServiceUserPassword = "Svc1234!" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])" +$DomainOU = $DomainName.Split(".")[0] +$UsersOU = "Users" +$ComputersOU = "Computers" +$ServiceAccountsOU = "Service Accounts" + +Function Get-RandomObject { + [CmdletBinding()] + param( + [Parameter()] + [switch]$User, + [Parameter()] + [switch]$Computer + ) + + if ($User) { + return (Get-ADUser -Filter 'Description -notlike "*"' -SearchBase "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random) + } + + if ($Computer) { + return (Get-ADComputer -Filter 'Description -notlike "*"' -SearchBase "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random) + } +} + +Function SetAcl($for, $to, $right, $inheritance) +{ + Set-Location AD: + $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID + $objOU = ($to).DistinguishedName + $objAcl = get-acl $objOU + $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right + $type = [System.Security.AccessControl.AccessControlType] "Allow" + $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$inheritanceType + $objAcl.AddAccessRule($ace) + Set-Acl -AclObject $objAcl -path $objOU + Set-ADObject $for -Description "$right on $($to | Select-Object -ExpandProperty Name)" + Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right on this object" +} + +Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance) +{ + Set-Location AD: + $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID + $objOU = ($to).DistinguishedName + $objAcl = get-acl $objOU + $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right + $type = [System.Security.AccessControl.AccessControlType] "Allow" + $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance + $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$extendedRightGUID,$inheritanceType + $objAcl.AddAccessRule($ace) + Set-Acl -AclObject $objAcl -path $objOU + Set-ADObject $for -Description "$right, $extendedRightGUID on $($to | Select-Object -ExpandProperty Name)" + Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object" +} + +Write-Host "[INFO] Setting weak NTLM compatibility level" +Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force + +If (-Not (Get-ADOrganizationalUnit -SearchBase "$DomainNameDN" -Filter "Name -like '$DomainOU'")) { + New-ADOrganizationalUnit -Name "$DomainOU" -Path "$DomainNameDN" +} + +if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$UsersOU'")) { + New-ADOrganizationalUnit -Name "$UsersOU" -Path "OU=$DomainOU,$DomainNameDN" +} + +if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ComputersOU'")) { + New-ADOrganizationalUnit -Name "$ComputersOU" -Path "OU=$DomainOU,$DomainNameDN" +} + +if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ServiceAccountsOU'")) { + New-ADOrganizationalUnit -Name "$ServiceAccountsOU" -Path "OU=$DomainOU,$DomainNameDN" +} + +$users = @("michael","christopher","jessica","matthew","ashley","jennifer","joshua","amanda","daniel","david","james","robert","john","joseph","andrew","ryan","brandon","jason","justin","sarah","william","jonathan","stephanie","brian","nicole","nicholas","anthony","heather","eric","elizabeth","adam","megan","melissa","kevin","steven","thomas","timothy","christina","kyle","rachel","laura","lauren","amber","brittany","danielle","richard","kimberly","jeffrey","amy","crystal","michelle","tiffany","jeremy","benjamin","mark","emily","aaron","charles","rebecca","jacob","stephen","patrick","sean","erin","zachary","jamie","kelly","samantha","nathan","sara","dustin","paul","angela","tyler","scott","katherine","andrea","gregory","erica","mary","travis","lisa","kenneth","bryan","lindsey","kristen","jose","alexander","jesse","katie","lindsay","shannon","vanessa","courtney","christine","alicia","cody","allison","bradley","samuel") + +$created_users = @() +ForEach ($user in $users) { + try { + New-ADUser -Name "$user" ` + -SamAccountName "$user" ` + -EmailAddress "$user@$($DomainName.ToLower())" ` + -Path "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" ` + -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) ` + -Enabled $true ` + -PasswordNeverExpires $true + $created_users += $user + } catch { + Write-Host "[ERR] Failed to create user $user" + } +} + +Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } +Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" } + +Write-Host "[INFO] Created users: $($created_users -Join ', ')" + +$created_computers = @() +1..20 | % { + $servers = @("srv", "sql", "smb") + ForEach ($server in $servers) { + try { + New-ADComputer -SamAccountName "$server$_" -Name "$server$_" -DNSHostName "$server$_.$DomainName" -Path "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" + $created_computers += $server + } catch { + Write-Host "[ERR] Failed to create server $server$_" + } + } +} + +Write-Host "[INFO] Created computers: $($created_computers -Join ', ')" + +$svc_users = @{ + "svc_mssql01" = @{"type" = "spn"; "value" = "MSSQLSVC"} + "svc_mssql02" = @{"type" = "spn"; "value" = "MSSQLSVC"} + "svc_cifs01" = @{"type" = "spn"; "value" = "CIFS"} + "svc_cifs02" = @{"type" = "spn"; "value" = "CIFS"} + "svc_iis01" = @{"type" = "spn"; "value" = "HTTP"} + "svc_iis02" = @{"type" = "spn"; "value" = "HTTP"} + "svc_backup01" = @{"type" = "group"; "value" = "Backup Operators"} + "svc_backup02" = @{"type" = "group"; "value" = "Backup Operators"} + "svc_dns01" = @{"type" = "group"; "value" = "DnsAdmins"} + "svc_dns02" = @{"type" = "group"; "value" = "DnsAdmins"} + "svc_srvoperator01" = @{"type" = "group"; "value" = "Server Operators"} + "svc_srvoperator02" = @{"type" = "group"; "value" = "Server Operators"} + "svc_evtvwr01" = @{"type" = "group"; "value" = "Event Log Readers"} + "svc_evtvwr02" = @{"type" = "group"; "value" = "Event Log Readers"} + "svc_acctoperator01" = @{"type" = "group"; "value" = "Account Operators"} + "svc_acctoperator02" = @{"type" = "group"; "value" = "Account Operators"} + "svc_printoperator01" = @{"type" = "group"; "value" = "Print Operators"} + "svc_printoperator02" = @{"type" = "group"; "value" = "Print Operators"} + "svc_mgmtuser01" = @{"type" = "group"; "value" = "Remote Management Users"} + "svc_mgmtuser02" = @{"type" = "group"; "value" = "Remote Management Users"} +} + +$created_svc_users = @() +ForEach ($user in $svc_users.keys) { + $type = $svc_users[$user]["type"] + $value = $svc_users[$user]["value"] + + Switch ("$type") { + "spn" { + try { + $comp = (Get-RandomObject -Computer | Select-Object -ExpandProperty DNSHostName) + $u = New-ADUser -Name "$user" ` + -SamAccountName "$user" ` + -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) ` + -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" ` + -Enabled $true ` + -PasswordNeverExpires $true ` + -PassThru + Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="$value/$comp"} + Set-ADObject $u -Description "SPN on $value/$comp" + + $created_svc_users += "$user ($value/$comp)" + } catch { + Write-Host "[ERR] Failed to create $value/$comp for $user" + } + } + "group" { + try { + $u = New-ADUser -Name "$user" ` + -SamAccountName "$user" ` + -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) ` + -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" ` + -Enabled $true ` + -PasswordNeverExpires $true ` + -PassThru + Add-ADGroupMember -Identity "$value" -Members $u + Set-ADObject $u -Description "member of $value" + + $created_svc_users += "$user ($value)" + } catch { + Write-Host "[ERR] Failed to add $user to $value" + } + } + } +} + +Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')" + +$dcsync_user = Get-RandomObject -User +$acl = Get-Acl -Path "AD:$DomainNameDN" +$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $dcsync_user).SID +$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"))) +$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"))) +Set-Acl -Path "AD:$DomainNameDN" -AclObject $acl +Set-ADObject $dcsync_user -Description "DCSync rights on $DomainName" + +$adminsdholder_user = Get-RandomObject -User +$adminsdholder = "CN=AdminSDHolder,CN=System,$DomainNameDN" +$acl = Get-Acl -Path "AD:$adminsdholder" +$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $adminsdholder_user).SID +$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule ` + -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow))) +Set-Acl -Path "AD:$adminsdholder" -AclObject $acl +Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder" + +Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for contoso.com" +$rootDSE = Get-ADRootDSE +$configNC = $rootDSE.ConfigurationNamingContext +$directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" +$directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics +$currentHeuristics = $directoryService.dsHeuristics +$newHeuristics = "0000002" +Write-Host "[INFO] Overwriting dsHeuristics with '0000002'" +Set-ADObject -Identity $directoryServicePath ` + -Replace @{"dsHeuristics" = $newHeuristics} ` + -Description "Anonymous LDAP enabled for contoso.com" ` + -ErrorAction Stop +Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'" + +Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50} + +$dc = (Get-ADDomainController | Select-Object -ExpandProperty HostName) +$u = New-ADUser -Name "svc_iis03" ` + -SamAccountName "svc_iis03" ` + -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" ` + -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) ` + -Enabled $true ` + -PasswordNeverExpires $true ` + -PassThru +Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="HTTP/web01"} +Set-ADObject $u -Description "SPN on HTTP/web01" + +$genericAllUserSrc = Get-RandomObject -User +$genericAllUserTgt = Get-RandomObject -User +SetAcl $genericAllUserSrc $genericAllUserTgt "GenericAll" "None" +Set-ADObject $genericAllUserSrc -Description "User with GenericAll rights over $($genericAllUserTgt.Name)" + +$genericAllDomainAdminsSrc = Get-RandomObject -User +$domainAdminsGroup = Get-ADGroup "Domain Admins" +SetAcl $genericAllDomainAdminsSrc $domainAdminsGroup "GenericAll" "None" +Set-ADObject $genericAllDomainAdminsSrc -Description "User with GenericAll rights over Domain Admins group" + +$genericAllComputerSrc = Get-RandomObject -User +$genericAllComputerTgt = Get-RandomObject -Computer +SetAcl $genericAllComputerSrc $genericAllComputerTgt "GenericAll" "None" +Set-ADObject $genericAllComputerSrc -Description "User with GenericAll rights over computer $($genericAllComputerTgt.Name)" + +$writePropertyDomainAdminsSrc = Get-RandomObject -User +SetAcl $writePropertyDomainAdminsSrc $domainAdminsGroup "WriteProperty" "All" +Set-ADObject $writePropertyDomainAdminsSrc -Description "User with WriteProperty rights over Domain Admins group (all properties)" + +$selfDomainAdminsSrc = Get-RandomObject -User +SetAclExtended $selfDomainAdminsSrc $domainAdminsGroup "Self" "bf9679c0-0de6-11d0-a285-00aa003049e2" "None" +Set-ADObject $selfDomainAdminsSrc -Description "User with Self membership control over Domain Admins group" + +$writePropertyExtDomainAdminsSrc = Get-RandomObject -User +SetAclExtended $writePropertyExtDomainAdminsSrc $domainAdminsGroup "WriteProperty" "bf9679c0-0de6-11d0-a285-00aa003049e2" "All" +Set-ADObject $writePropertyExtDomainAdminsSrc -Description "User with WriteProperty rights to modify Domain Admins group membership" + +$forceChangePwdSrc = Get-RandomObject -User +$forceChangePwdTgt = Get-RandomObject -User +SetAclExtended $forceChangePwdSrc $forceChangePwdTgt "ExtendedRight" "00299570-246d-11d0-a768-00aa006e0529" "None" +Set-ADObject $forceChangePwdSrc -Description "User with ForceChangePassword rights over $($forceChangePwdTgt.Name)" + +$writeOwnerDomainAdminsSrc = Get-RandomObject -User +SetAcl $writeOwnerDomainAdminsSrc $domainAdminsGroup "WriteOwner" "None" +Set-ADObject $writeOwnerDomainAdminsSrc -Description "User with WriteOwner rights to take ownership of Domain Admins group" + +$genericWriteUserSrc = Get-RandomObject -User +$genericWriteUserTgt = Get-RandomObject -User +SetAcl $genericWriteUserSrc $genericWriteUserTgt "GenericWrite" "None" +Set-ADObject $genericWriteUserSrc -Description "User with GenericWrite rights over $($genericWriteUserTgt.Name)" + +$writeDaclDomainAdminsSrc = Get-RandomObject -User +SetAcl $writeDaclDomainAdminsSrc $domainAdminsGroup "WriteDacl" "None" +Set-ADObject $writeDaclDomainAdminsSrc -Description "User with WriteDacl rights to modify Domain Admins group permissions" + +$asreproast_user = Get-RandomObject -User +Set-ADAccountControl -Identity $asreproast_user -DoesNotRequirePreAuth $True +Set-ADObject $asreproast_user -Description "DoesNotRequirePreAuth" + +$kerberoast_user = Get-RandomObject -User +$kerberoast_spn = Get-RandomObject -Computer +Set-ADUser -Identity "$kerberoast_user" -ServicePrincipalNames @{Add="HTTP/$($kerberoast_spn)"} +Set-ADObject $kerberoast_user -Description "$($kerberoast_user | Select-Object -ExpandProperty Name) is kerberoastable on http/$($kerberoast_spn | Select-Object -ExpandProperty Name):80" + +$unconstrained_delegation_comp = Get-RandomObject -Computer +$unconstrained_delegation_comp | Set-ADAccountControl -TrustedForDelegation $true +Set-ADObject $unconstrained_delegation_comp -Description "TrustedForDelegation" + +$constrained_delegation_comp1 = Get-RandomObject -Computer +$constrained_delegation_comp2 = Get-RandomObject -Computer +Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDelegateTo'=@("HOST/$($constrained_delegation_comp2)/example")} +Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true +Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)" + +Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations" + +@" +Domain content +-------------- +"@ | Out-File C:\README.txt + +Get-AdObject ` + -SearchBase "OU=$DomainOU,$DomainNameDN" ` + -Filter {ObjectClass -ne "OrganizationalUnit"} ` + -Properties Name, ObjectClass, Description ` + | Select-Object Name, ObjectClass, Description ` + | Format-Table -AutoSize ` + | Out-File -Append C:\README.txt +Stop-Transcript diff --git a/ansible/scripts/setup-adcs-esc.ps1 b/ansible/scripts/setup-adcs-esc.ps1 new file mode 100644 index 0000000..44fc8d5 --- /dev/null +++ b/ansible/scripts/setup-adcs-esc.ps1 @@ -0,0 +1,20 @@ +param ( + [string]$DomainName = "contoso.com" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\$scriptName_log.txt" +Start-Transcript -Path $logFile -Append + +Import-Module ADCSTemplate + +Get-ChildItem -Path "C:\setup\templates" -Filter *.json | % { + $TemplateName = $_.BaseName + if (-not(Get-ADCSTemplate -DisplayName $TemplateName)) { + New-ADCSTemplate ` + -DisplayName $TemplateName ` + -JSON (Get-Content "C:\setup\templates\$_" -Raw) ` + -Identity "$DomainName\Domain Users" ` + -Publish + } +} +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/setup-adcs.ps1 b/ansible/scripts/setup-adcs.ps1 new file mode 100644 index 0000000..134b9a9 --- /dev/null +++ b/ansible/scripts/setup-adcs.ps1 @@ -0,0 +1,50 @@ +param +( + [string]$DomainName = "contoso.com", + [string]$Username = "Administrator", + [string]$Password = "packer" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$p = ConvertTo-SecureString $Password -AsPlainText -Force +$c = New-Object System.Management.Automation.PSCredential("$DomainName\$Username", $p) +$CACommonName = "$($DomainName.Split(".")[0].ToUpper())-CA" + +try { + Install-WindowsFeature -Name AD-Certificate -IncludeAllSubFeature -IncludeManagementTools + Install-WindowsFeature -Name ADCS-Cert-Authority + Install-WindowsFeature -Name ADCS-Web-Enrollment + Install-WindowsFeature -Name RSAT + + Write-Host "[INFO] Installed ADCS Windows Features" +} catch { + Write-Host "[ERR] Failed to install ADCS Windows Features" +} + +try { + Install-AdcsCertificationAuthority ` + -Credential $c ` + -CAType EnterpriseRootCA ` + -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" ` + -KeyLength 2048 ` + -HashAlgorithmName SHA256 ` + -ValidityPeriod Years ` + -ValidityPeriodUnits 5 ` + -CACommonName $CACommonName ` + -Force + + Write-Host "[INFO] Installed ADCS Certification Authority" +} catch { + Write-Host "[ERR] Failed to install ADCS Certification Authority" +} + +try { + Install-AdcsWebEnrollment -Force + + Write-Host "[INFO] Installed ADCS Web Enrollment" +} catch { + Write-Host "[ERR] Failed to install ADCS Web Enrollment" +} +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/setup-child-domain.ps1 b/ansible/scripts/setup-child-domain.ps1 new file mode 100644 index 0000000..ad23d45 --- /dev/null +++ b/ansible/scripts/setup-child-domain.ps1 @@ -0,0 +1,50 @@ +param +( + [string]$ParentDomainName = "contoso.com", + [string]$ChildDomainName = "dev", + [string]$SafeModePassword = "P4ssw0rd1234!", + [string]$Username = "Administrator", + [string]$Password = "packer" +) + +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$p = ConvertTo-SecureString $Password -AsPlainText -Force +$c = New-Object System.Management.Automation.PSCredential("$ParentDomainName\$Username", $p) + +Write-Host "[INFO] Setting Administrator password" +$computerName = $env:COMPUTERNAME +$adminPassword = $Password +$adminUser = [ADSI] "WinNT://$computerName/Administrator,User" +$adminUser.SetPassword($adminPassword) + +Write-Host "[INFO] Installing AD-Domain-Services feature" +Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools + +Write-Host "[INFO] Importing ADDSDeployment module" +Import-Module ADDSDeployment + +try { + Write-Host "[INFO] Installing New Child Domain in Existing Forest" + Install-ADDSDomain ` + -InstallDns ` + -ParentDomainName $ParentDomainName ` + -NewDomainName $ChildDomainName ` + -DomainType ChildDomain ` + -DatabasePath "C:\Windows\NTDS" ` + -LogPath "C:\Windows\NTDS" ` + -SysvolPath "C:\Windows\SYSVOL" ` + -NoRebootOnCompletion ` + -Force ` + -Credential $c ` + -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") + + Write-Host "[INFO] Successfully added new child domain: $ChildDomainName" +} catch { + Write-Host "[ERR] Failed to add new child domain: $ChildDomainName" + Write-Host $_.Exception.Message +} + +Stop-Transcript diff --git a/ansible/scripts/setup-gpo.ps1 b/ansible/scripts/setup-gpo.ps1 new file mode 100644 index 0000000..8d0bb5d --- /dev/null +++ b/ansible/scripts/setup-gpo.ps1 @@ -0,0 +1,29 @@ +param ( + [string]$DomainName = "contoso.com" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])" +$DomainUsers = Get-ADGroup "Domain Users" +try { + $GPO1 = New-GPO -Name "TestGPO1" + $GPO2 = New-GPO -Name "TestGPO2" + Set-GPPermission -Name $GPO1.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group + Set-GPPermission -Name $GPO2.DisplayName -PermissionLevel GpoEditDeleteModifySecurity -TargetName $DomainUsers.Name -TargetType Group + + Write-Host "[INFO] Created insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" +} catch { + Write-Host "[ERR] Failed to create insecure GPOs $($GPO1.DisplayName), $($GPO2.DisplayName) with GpoEditDeleteModifySecurity" +} + +try { + New-GPLink -Name $GPO1.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes + New-GPLink -Name $GPO2.DisplayName -Target "$DomainNameDN" -LinkEnabled Yes + + Write-Host "[INFO] Created GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" +} catch { + Write-Host "[ERR] Failed to create GP links for $($GPO1.DisplayName), $($GPO2.DisplayName) on $DomainNameDN" +} +Stop-Transcript diff --git a/ansible/scripts/setup-iis.ps1 b/ansible/scripts/setup-iis.ps1 new file mode 100644 index 0000000..1bbe48d --- /dev/null +++ b/ansible/scripts/setup-iis.ps1 @@ -0,0 +1,128 @@ + param +( + [string]$DomainName = "contoso.com", + [string]$SvcUsername = "svc_iis03", + [string]$SvcPassword = "Svc1234!" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$wwwroot1 = "C:\inetpub\wwwroot" +$wwwroot2 = "C:\inetpub\wwwroot2" + +try { + Install-WindowsFeature -Name Web-Server -IncludeManagementTools + Install-WindowsFeature -Name Web-Asp-Net45 + New-WebSite -Name "MyASPXSite" -Port 80 -PhysicalPath "C:\inetpub\wwwroot" -ApplicationPool "DefaultAppPool" + Set-ItemProperty "IIS:\AppPools\DefaultAppPool" -Name processModel -Value @{userName="$SvcUsername";password="$SvcPassword";identityType=3} + New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow + Restart-WebAppPool -Name "DefaultAppPool" + + Write-Host "[INFO] Created first IIS WebSite, Firewall rule and AppPool" +} catch { + Write-Host "[ERR] Failed to create first IIS WebSite, Firewall rule and AppPool" +} + +try { + $svcIIS03Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainName\$SvcUsername", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow") + $acl = Get-Acl $wwwroot1 + $acl.SetAccessRule($svcIIS03Rule) + Set-Acl -Path $wwwroot1 -AclObject $acl + + Write-Host "[INFO] Set ACL for $wwwroot1" +} catch { + Write-Host "[ERR] Failed to set ACL for $wwwroot1" +} + +@" +using System; +using System.IO; +using System.Web.UI; + +public partial class UploadPage : Page +{ + protected void UploadFile(object sender, EventArgs e) + { + if (fileUpload.PostedFile != null && fileUpload.PostedFile.ContentLength > 0) + { + try + { + string filename = Path.GetFileName(fileUpload.PostedFile.FileName); + fileUpload.PostedFile.SaveAs(Server.MapPath(filename)); + lblMessage.Text = "File uploaded successfully!"; + } + catch (Exception ex) + { + lblMessage.Text = "Error: " + ex.Message; + } + } + else + { + lblMessage.Text = "Please select a file to upload."; + } + } +} +"@ | Out-File C:\inetpub\wwwroot\upload.aspx.cs + +@" +<%@ Page Language="C#" AutoEventWireup="true" CodeFile="upload.aspx.cs" Inherits="UploadPage" %> + + + + + File Upload Page + + +
+
+ +
+ +
+ +
+
+ + +"@ | Out-File C:\inetpub\wwwroot\upload.aspx + +@" + + + + + + + + +"@ | Out-File C:\inetpub\wwwroot\Web.config + +Restart-WebAppPool -Name "DefaultAppPool" + +try { + Copy-Item "C:\inetpub\wwwroot" -Destination "C:\inetpub\wwwroot2" -Recurse + New-WebAppPool -Name "DefaultAppPool2" + New-WebSite -Name "MyASPXSite2" -Port 8080 -PhysicalPath "C:\inetpub\wwwroot2" -ApplicationPool "DefaultAppPool2" + Set-ItemProperty "IIS:\AppPools\DefaultAppPool2" -Name processModel -Value @{ identityType=2 } + New-NetFirewallRule -DisplayName "HTTP (8080)" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow + + Write-Host "[INFO] Created second IIS WebSite, Firewall rule and AppPool" +} catch { + Write-Host "[ERR] Failed to create second IIS WebSite, Firewall rule and AppPool" +} + +try { + $acl = Get-Acl $wwwroot2 + $iisIUSRSGroup = "IIS_IUSRS" + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS_IUSRS", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $wwwroot2 -AclObject $acl + + Write-Host "[INFO] Set ACL for $wwwroot2" +} catch { + Write-Host "[ERR] Failed to set ACL for $wwwroot2" +} + +Restart-WebAppPool -Name "DefaultAppPool2" +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/setup-main-domain.ps1 b/ansible/scripts/setup-main-domain.ps1 new file mode 100644 index 0000000..75500ab --- /dev/null +++ b/ansible/scripts/setup-main-domain.ps1 @@ -0,0 +1,45 @@ +param +( + [string]$DomainName = "contoso.com", + [string]$FunctionalLevel = "WinThreshold", + [string]$SafeModePassword = "P4ssw0rd1234!" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$NetBiosName = $DomainName.Split(".")[0].ToUpper() + +Write-Host "[INFO] Setting Administrator password" +$computerName = $env:COMPUTERNAME +$adminPassword = "packer" +$adminUser = [ADSI] "WinNT://$computerName/Administrator,User" +$adminUser.SetPassword($adminPassword) + +Write-Host "[INFO] Installing Ad-Domain-Services Windows feature + subfeatures" +Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools + +Write-Host "[INFO] Importing ADDSDeployment module" +Import-Module ADDSDeployment + +try { + Write-Host "[INFO] Installing ADDSForest" + Install-ADDSForest ` + -InstallDns ` + -CreateDnsDelegation:$false ` + -ForestMode $FunctionalLevel ` + -DomainMode $FunctionalLevel ` + -DomainName $DomainName ` + -DomainNetbiosName $NetBiosName ` + -DatabasePath "C:\Windows\NTDS" ` + -LogPath "C:\Windows\NTDS" ` + -SysvolPath "C:\Windows\SYSVOL" ` + -NoRebootOnCompletion ` + -Force ` + -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") + Write-Host "[INFO] Created Active Directory domain for $DomainName" +} catch { + Write-Host "[ERR] Failed to create Active Directory domain for $DomainName" + Write-Host $_.Exception.Message +} +Stop-Transcript diff --git a/ansible/scripts/setup-mssql-link.ps1 b/ansible/scripts/setup-mssql-link.ps1 new file mode 100644 index 0000000..8f51058 --- /dev/null +++ b/ansible/scripts/setup-mssql-link.ps1 @@ -0,0 +1,18 @@ +param +( + [string]$LinkServer = "mssql01" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +try { + SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedserver @server = N'$LinkServer', @srvproduct=N'', @provider=N'SQLOLEDB', @datasrc=N'$LinkServer'" + SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc', @optvalue=N'true'" + SqlCmd -E -Q "EXEC master.dbo.sp_serveroption @server=N'$LinkServer', @optname=N'rpc out', @optvalue=N'true'" + SqlCmd -E -Q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'$LinkServer', @locallogin = NULL , @useself = N'True'" + Write-Host "[INFO] Linked $LinkServer to mssql02" +} catch { + Write-Host "[ERR] Failed to link $LinkServer to mssql02" +} +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/setup-mssql.ps1 b/ansible/scripts/setup-mssql.ps1 new file mode 100644 index 0000000..032490f --- /dev/null +++ b/ansible/scripts/setup-mssql.ps1 @@ -0,0 +1,90 @@ +param +( + [string]$DomainName = "contoso.com", + [string]$SvcUsername = "svc_mssql01", + [string]$SvcPassword = "Svc1234!" +) +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +$NetBiosName = $DomainName.Split(".")[0].ToUpper() +Start-Transcript -Path $logFile -Append + +New-Item -Path "C:\setup\media" -ItemType "Directory" -Force + +@" +;SQL Server Configuration File +[OPTIONS] +IACCEPTSQLSERVERLICENSETERMS="True" +ACTION="Install" +ENU="True" +QUIET="True" +QUIETSIMPLE="False" +UpdateEnabled="False" +ERRORREPORTING="False" +USEMICROSOFTUPDATE="False" +FEATURES=SQLENGINE,FULLTEXT +UpdateSource="MU" +HELP="False" +INDICATEPROGRESS="False" +X86="False" +INSTALLSHAREDDIR="C:\Program Files\Microsoft SQL Server" +INSTALLSHAREDWOWDIR="C:\Program Files (x86)\Microsoft SQL Server" +INSTANCENAME="SQLEXPRESS" +SQMREPORTING="False" +INSTANCEID="SQLEXPRESS" +RSINSTALLMODE="DefaultNativeMode" +INSTANCEDIR="C:\Program Files\Microsoft SQL Server" +AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" +AGTSVCSTARTUPTYPE="Automatic" +COMMFABRICPORT="0" +COMMFABRICNETWORKLEVEL="0" +COMMFABRICENCRYPTION="0" +MATRIXCMBRICKCOMMPORT="0" +SQLSVCSTARTUPTYPE="Automatic" +FILESTREAMLEVEL="0" +ENABLERANU="False" +SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" +SQLSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE" +SAPWD="$SvcPassword" +SQLSYSADMINACCOUNTS="BUILTIN\Administrators" +ADDCURRENTUSERASSQLADMIN="True" +TCPENABLED="1" +NPENABLED="0" +BROWSERSVCSTARTUPTYPE="Disabled" +RSSVCSTARTUPTYPE="manual" +FTSVCACCOUNT="NT Service\MSSQLFDLauncher" +"@ | Out-File "C:\setup\sql_conf.ini" + +try { + Start-Process -FilePath "C:\setup\SQL2019-SSEI-Expr.exe" -ArgumentList "/configurationfile=C:\setup\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=C:\setup\media /QUIET /HIDEPROGRESSBAR" -Wait + Write-Host "[INFO] Installed SQL Server Express" +} catch { + Write-Host "[ERR] Failed to install SQL Server Express" +} + +try { + Set-ItemProperty -Path "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Tcp\IPAll" -Name "TcpPort" -Value "1433" -Force + Write-Host "[INFO] Set MSSQL port to 1433" +} catch { + Write-Host "[ERR] Failed to set MSSQL port to 1433" +} + +Restart-Service -Name "MSSQL`$SQLEXPRESS" + +try { + $env:Path += ";C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn" + SqlCmd -E -Q "CREATE LOGIN [$NetBiosName\$SvcUsername] FROM WINDOWS" + SqlCmd -E -Q "SP_ADDSRVROLEMEMBER '$NetBiosName\$SvcUsername', 'SYSADMIN'" + + SqlCmd -E -Q "ALTER LOGIN sa ENABLE" + SqlCmd -E -Q "ALTER LOGIN sa WITH PASSWORD = '$SvcPassword', CHECK_POLICY=OFF" + Write-Host "[INFO] Added $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[INFO] Enabled SA login" +} catch { + Write-Host "[ERR] Failed to add $NetBiosName\$SvcUsername as MSSQL login and sysadmin" + Write-Host "[ERR] Failed to enable SA login" + +} + +New-NetFirewallRule -DisplayName "SQLServer default instance" -Direction Inbound -LocalPort 1433 -Protocol TCP -Action Allow +Stop-Transcript \ No newline at end of file diff --git a/ansible/scripts/setup-tree-domain.ps1 b/ansible/scripts/setup-tree-domain.ps1 new file mode 100644 index 0000000..0f661a1 --- /dev/null +++ b/ansible/scripts/setup-tree-domain.ps1 @@ -0,0 +1,50 @@ +param +( + [string]$ParentForestRootDomain = "contoso.com", + [string]$NewTreeDomainName = "msp.org", + [string]$SafeModePassword = "P4ssw0rd1234!", + [string]$Username = "Administrator", + [string]$Password = "packer" +) + +$scriptName = $MyInvocation.MyCommand.Name +$logFile = "C:\Logs\${scriptName}_log.txt" +Start-Transcript -Path $logFile -Append + +$p = ConvertTo-SecureString $Password -AsPlainText -Force +$c = New-Object System.Management.Automation.PSCredential("$ParentForestRootDomain\$Username", $p) + +Write-Host "[INFO] Setting Administrator password" +$computerName = $env:COMPUTERNAME +$adminPassword = $Password +$adminUser = [ADSI] "WinNT://$computerName/Administrator,User" +$adminUser.SetPassword($adminPassword) + +Write-Host "[INFO] Installing AD-Domain-Services feature" +Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools + +Write-Host "[INFO] Importing ADDSDeployment module" +Import-Module ADDSDeployment + +try { + Write-Host "[INFO] Installing New Tree Domain in Existing Forest" + Install-ADDSDomain ` + -InstallDns ` + -ParentDomainName $ParentForestRootDomain ` + -NewDomainName $NewTreeDomainName ` + -DomainType TreeDomain ` + -DatabasePath "C:\Windows\NTDS" ` + -LogPath "C:\Windows\NTDS" ` + -SysvolPath "C:\Windows\SYSVOL" ` + -NoRebootOnCompletion ` + -Force ` + -Credential $c ` + -SafeModeAdministratorPassword (ConvertTo-SecureString -AsPlainText -Force "$SafeModePassword") + + Write-Host "[INFO] Successfully added new tree domain: $NewTreeDomainName" +} catch { + Write-Host "[ERR] Failed to add new tree domain: $NewTreeDomainName" + Write-Host $_.Exception.Message +} + +Stop-Transcript -- cgit v1.2.3