fscotto/infra
1
0
Fork 0
mirror of https://github.com/fscotto/infra.git synced 2026-05-30 15:39:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use PSRP over HTTPS for Windows remoting

Browse Source
This commit is contained in:
Fabio Scotto di Santolo
2026-04-02 10:42:14 +02:00
parent 6dbd0d5277
commit b7d1a7c2e6
2 changed files with 88 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ansible/inventory/group_vars/workstation_host_windows.yml
View File

@@ -1,9 +1,9 @@
--- ---
ansible_connection: psrp ansible_connection: psrp
ansible_psrp_auth: negotiate ansible_psrp_auth: ntlm
ansible_psrp_cert_validation: ignore ansible_psrp_cert_validation: ignore
ansible_psrp_protocol: http ansible_psrp_protocol: https
ansible_port: 5985 ansible_port: 5986
ansible_shell_type: powershell ansible_shell_type: powershell
windows_winget_packages: windows_winget_packages:

85
scripts/bootstrap_windows_workstation.ps1
View File

@@ -7,6 +7,75 @@ param(
Set-StrictMode -Version Latest Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop' $ErrorActionPreference = 'Stop'
function Get-OrCreate-WinRMHttpsCertificate {
$dnsName = $env:COMPUTERNAME
$existingCertificate = Get-ChildItem -Path Cert:\LocalMachine\My |
Where-Object { $_.Subject -eq "CN=$dnsName" } |
Sort-Object NotAfter -Descending |
Select-Object -First 1
if ($null -ne $existingCertificate) {
return $existingCertificate
}
return New-SelfSignedCertificate `
-DnsName $dnsName `
-CertStoreLocation 'Cert:\LocalMachine\My' `
-FriendlyName 'WinRM HTTPS Listener' `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-HashAlgorithm SHA256 `
-NotAfter (Get-Date).AddYears(5)
}
function Ensure-WinRMHttpsListener {
param(
[Parameter(Mandatory = $true)]
[string]$CertificateThumbprint
)
$listener = Get-ChildItem -Path WSMan:\localhost\Listener |
Where-Object {
$_.Keys -match 'Transport=HTTPS' -and $_.Keys -match "Hostname=$($env:COMPUTERNAME)"
} |
Select-Object -First 1
if ($null -eq $listener) {
New-WSManInstance -ResourceURI winrm/config/Listener `
-SelectorSet @{ Transport = 'HTTPS'; Address = '*' } `
-ValueSet @{ Hostname = $env:COMPUTERNAME; CertificateThumbprint = $CertificateThumbprint } | Out-Null
return $true
}
return $false
}
function Ensure-LocalAccountTokenFilterPolicy {
$registryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$propertyName = 'LocalAccountTokenFilterPolicy'
$currentValue = Get-ItemProperty -Path $registryPath -Name $propertyName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty $propertyName -ErrorAction SilentlyContinue
if ($currentValue -ne 1) {
New-ItemProperty -Path $registryPath -Name $propertyName -Value 1 -PropertyType DWord -Force | Out-Null
return $true
}
return $false
}
function Ensure-CurrentUserInRemoteManagementGroup {
$groupName = 'Utenti gestione remota'
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$members = @(Get-LocalGroupMember -Name $groupName -ErrorAction Stop | Select-Object -ExpandProperty Name)
if ($members -contains $currentUser) {
return @{ Changed = $false; User = $currentUser; Group = $groupName }
}
Add-LocalGroupMember -Group $groupName -Member $currentUser -ErrorAction Stop
return @{ Changed = $true; User = $currentUser; Group = $groupName }
}
function Enable-FeatureIfNeeded { function Enable-FeatureIfNeeded {
param( param(
[Parameter(Mandatory = $true)] [Parameter(Mandatory = $true)]
@@ -39,6 +108,18 @@ if (-not $SkipUbuntuInstall -and $null -eq $installedUbuntuDistribution) {
Enable-PSRemoting -SkipNetworkProfileCheck -Force Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Service -Name WinRM -StartupType Automatic Set-Service -Name WinRM -StartupType Automatic
$winrmCertificate = Get-OrCreate-WinRMHttpsCertificate
$httpsListenerChanged = Ensure-WinRMHttpsListener -CertificateThumbprint $winrmCertificate.Thumbprint
$rebootRequired = (Ensure-LocalAccountTokenFilterPolicy) -or $rebootRequired
$remoteManagementGroupState = Ensure-CurrentUserInRemoteManagementGroup
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
$httpsFirewallRule = Get-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -ErrorAction SilentlyContinue
if ($null -eq $httpsFirewallRule) {
New-NetFirewallRule -DisplayName 'WinRM HTTPS (5986)' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5986 | Out-Null
}
Write-Host '' Write-Host ''
Write-Host 'Bootstrap completato.' Write-Host 'Bootstrap completato.'
Write-Host 'Passi successivi:' Write-Host 'Passi successivi:'
@@ -48,4 +129,8 @@ Write-Host '3. Installa Ansible dentro WSL Ubuntu e lancia il playbook da li.'
Write-Host '4. Le applicazioni Windows saranno installate dal playbook Ansible via winget, non da questo bootstrap.' Write-Host '4. Le applicazioni Windows saranno installate dal playbook Ansible via winget, non da questo bootstrap.'
Write-Host '' Write-Host ''
Write-Host ('WSL distro Ubuntu rilevata: {0}' -f $(if ($null -ne $installedUbuntuDistribution) { $installedUbuntuDistribution } else { 'nessuna, verra installata ' + $Distribution })) Write-Host ('WSL distro Ubuntu rilevata: {0}' -f $(if ($null -ne $installedUbuntuDistribution) { $installedUbuntuDistribution } else { 'nessuna, verra installata ' + $Distribution }))
Write-Host ('PSRP transport consigliato: https://{0}:5986/wsman' -f $env:COMPUTERNAME)
Write-Host ('Certificato WinRM HTTPS: {0}' -f $winrmCertificate.Thumbprint)
Write-Host ('Utente aggiunto a Utenti gestione remota: {0}' -f $remoteManagementGroupState.User)
Write-Host ('Listener HTTPS creato in questo run: {0}' -f $(if ($httpsListenerChanged) { 'yes' } else { 'no' }))
Write-Host ('Riavvio consigliato: {0}' -f $(if ($rebootRequired) { 'yes' } else { 'no' })) Write-Host ('Riavvio consigliato: {0}' -f $(if ($rebootRequired) { 'yes' } else { 'no' }))