Skip to content

Instantly share code, notes, and snippets.

@trondhindenes
Last active August 2, 2024 13:26
Show Gist options
  • Save trondhindenes/b9b5b25b11273cc35659 to your computer and use it in GitHub Desktop.
Save trondhindenes/b9b5b25b11273cc35659 to your computer and use it in GitHub Desktop.
Configure Windows 2008R2/2012/2012R2 for SSL-based remoting
Param (
[string]$SubjectName = $env:COMPUTERNAME,
[int]$CertValidityDays = 365,
$CreateSelfSignedCert = $true
)
#region function defs
Function New-LegacySelfSignedCert
{
Param (
[string]$SubjectName,
[int]$ValidDays = 365
)
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$SubjectName", 0)
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = (get-date).addDays(-1)
$cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
#return the thumprint of the last installed cert
ls "Cert:\LocalMachine\my"| Sort-Object notbefore -Descending | select -First 1 | select -expand Thumbprint
}
#endregion
#Start script
$ErrorActionPreference = "Stop"
#Detect PowerShell version
if ($PSVersionTable.PSVersion.Major -lt 3)
{
Write-Error "PowerShell/Windows Management Framework needs to be updated to 3 or higher. Stopping script"
}
#Detect OS
$Win32_OS = Get-WmiObject Win32_OperatingSystem
switch ($Win32_OS.Version)
{
"6.2.9200" {$OSVersion = "Windows Server 2012"}
"6.1.7601" {$OSVersion = "Windows Server 2008R2"}
}
#Set up remoting
Write-verbose "Verifying WS-MAN"
if (!(get-service "WinRM"))
{
Write-Error "I couldnt find the winRM service on this computer. Stopping"
}
Elseif ((get-service "WinRM").Status -ne "Running")
{
Write-Verbose "Starting WinRM"
Start-Service -Name "WinRM" -ErrorAction Stop
}
#At this point, winrm should be running
#Check that we have a ps session config
if (!(Get-PSSessionConfiguration -verbose:$false) -or (!(get-childitem WSMan:\localhost\Listener)))
{
Write-Verbose "PS remoting is not enabled. Activating"
try
{
Enable-PSRemoting -Force -ErrorAction SilentlyContinue
}
catch{}
}
Else
{
Write-Verbose "PS remoting is already active and running"
}
#At this point, test a remoting connection to localhost, which should work
$result = invoke-command -ComputerName localhost -ScriptBlock {$env:computername} -ErrorVariable localremotingerror -ErrorAction SilentlyContinue
$options = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$resultssl = New-PSSession -UseSSL -ComputerName "localhost" -SessionOption $options -ErrorVariable localremotingsslerror -ErrorAction SilentlyContinue
if (!$result -and $resultssl)
{
Write-Verbose "HTTP-based sessions not enabled, HTTPS based sessions enabled"
}
ElseIf (!$result -and !$resultssl)
{
Write-error "Could not establish session on either HTTP or HTTPS. Breaking"
}
#at this point, make sure there is a SSL-based listener
$listeners = dir WSMan:\localhost\Listener
if (!($listeners | where {$_.Keys -like "TRANSPORT=HTTPS"}))
{
#HTTPS-based endpoint does not exist.
if (($CreateSelfSignedCert) -and ($OSVersion -notmatch "2012"))
{
$thumprint = New-LegacySelfSignedCert -SubjectName $env:COMPUTERNAME
}
if (($CreateSelfSignedCert) -and ($OSVersion -match "2012"))
{
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation "Cert:\LocalMachine\My"
$thumprint = $cert.Thumbprint
}
# Create the hashtables of settings to be used.
$valueset = @{}
$valueset.add('Hostname',$env:COMPUTERNAME)
$valueset.add('CertificateThumbprint',$thumprint)
$selectorset = @{}
$selectorset.add('Transport','HTTPS')
$selectorset.add('Address','*')
Write-Verbose "Enabling SSL-based remoting"
New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset
}
Else
{
Write-Verbose "SSL-based remoting already active"
}
#Check for basic authentication
$basicauthsetting = Get-ChildItem WSMan:\localhost\Service\Auth | where {$_.Name -eq "Basic"}
if (($basicauthsetting.Value) -eq $false)
{
Write-Verbose "Enabling basic auth"
Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
}
Else
{
Write-verbose "basic auth already enabled"
}
#FIrewall
netsh advfirewall firewall add rule Profile=public name="Allow WinRM HTTPS" dir=in localport=5986 protocol=TCP action=allow
Write-Verbose "PS Remoting successfully setup for Ansible"
@trondhindenes
Copy link
Author

Run PowerShell as admin, and then paste in the following in order to run:

$VerbosePreference = "Continue"
iex ((new-object net.webclient).DownloadString("https://gist.githubusercontent.com/trondhindenes/b9b5b25b11273cc35659/raw/a56f8dd73a1c48872be493285104b2d732fb850a/configure-ansibletarget.ps1"))

@AutomateIT1979
Copy link

@trondhindenes

In case I run the command as mentioned above it should enable WinRM on the target server?
I mean on the server where this script was executed, I'm right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment