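<#
.Synopsis
This script configures Windows Remote Management (WinRM) with an HTTPS listener using a self-signed certificate.
- The script must be run with administrative privileges (it checks and aborts otherwise).
- Adjust the settings in the "WinRM" section to the security policy of your environment.
.Description
It performs the following tasks:
1. Retrieves the computer name (and the FQDN when the host is domain-joined) for the certificate.
2. Creates the Application event log source if it doesn't already exist.
3. Logs the start of the WinRM configuration process.
4. Runs "winrm quickconfig" so the service is enabled and started.
5. Generates a self-signed certificate for WinRM.
6. Removes any existing listeners (including the HTTP listener quickconfig creates) and creates the HTTPS listener.
7. Configures WinRM settings; unencrypted traffic is refused on the service side.
8. Restarts the WinRM service to apply the changes.
9. Adds the Windows Firewall rule for WinRM HTTPS (TCP 5986) unless it already exists.
10. Logs the completion of the configuration process along with execution time.
.Example
winrm-ssl-setup.ps1
.Notes
Author : Ivica Agatunovic
WebSite: https://github.com/ivicaagatunovic
Linkedin: www.linkedin.com/in/ivica-agatunovic-96090024
#>

# Abort early when not elevated: every step below (event log source, LocalMachine cert store,
# WSMan listener, firewall) requires administrator rights, and a half-applied run would leave
# the host without a working listener.
$CurrentPrincipal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "This script must be run with administrative privileges."
    exit 1
}

# variables
$StartTime = Get-Date              # full timestamp: (Get-Date).Second wraps at 60 and cannot measure elapsed time
$LogSource = "WinRMsetup"
$EventID = 1111
$HttpsPort = 5986
$FirewallRuleName = "WinRM-HTTPS"
$ComputerSystem = Get-CimInstance -ClassName Win32_ComputerSystem   # Get-WmiObject is absent in PowerShell 7
$DnsName = $ComputerSystem.Name
# Certificate subject/SAN list: the short name first (becomes the CN, as before), plus the FQDN on
# domain-joined hosts so clients that connect by FQDN pass hostname validation.
$CertDnsNames = @($DnsName)
if ($ComputerSystem.PartOfDomain -and $ComputerSystem.Domain) {
    $CertDnsNames += "$($ComputerSystem.DNSHostName).$($ComputerSystem.Domain)"
}

# Writes one "[WinRM] <Message>" entry to the Application log under $LogSource / $EventID.
# -EntryType is Information (default) or Error.
function Write-SetupLog {
    param(
        [Parameter(Mandatory = $true)][string]$Message,
        [ValidateSet('Information', 'Error')][string]$EntryType = 'Information'
    )
    Write-EventLog -LogName Application -Source $LogSource -EntryType $EntryType -EventId $EventID -Message "[WinRM] $Message"
}

# Runs winrm.cmd with the given arguments. A native command never raises a PowerShell error, so a
# plain "winrm ..." inside try/catch can fail silently; this turns a non-zero exit code into a
# terminating error the surrounding catch block sees.
function Invoke-WinRmCommand {
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    winrm @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "winrm $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

# Create EventLog source (New-EventLog throws when the source already exists, e.g. on a re-run)
try {
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource -ErrorAction Stop
    }
}
catch {
    $ErrorMessage = $_.Exception.Message
    Throw "Error while creating Event Log type [$ErrorMessage]"
}
Write-SetupLog -Message "Configuration starting..."

# WinRM base configuration. quickconfig enables/starts the service and creates an HTTP listener
# when none exists; it runs *before* the listener cleanup below so the final state holds only the
# HTTPS listener. Failure is logged but not fatal: the explicit steps below still produce a usable
# configuration, and the listener creation fails on its own if the service is unavailable.
Write-SetupLog -Message "Running winrm quickconfig."
try {
    Invoke-WinRmCommand -Arguments 'quickconfig', '-q'
    Write-SetupLog -Message "winrm quickconfig completed."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "winrm quickconfig failed [$ErrorMessage]"
}

# Generate Certificate (before touching the listeners, so a failure here leaves remote access intact)
Write-SetupLog -Message "Generating self signed certificate."
try {
    $Cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $CertDnsNames -ErrorAction Stop
    Write-SetupLog -Message "Certificate successfully generated."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable to generate self signed certificate [$ErrorMessage]"
    exit 1
}

# Replace listeners: drop everything that exists (the HTTP listener quickconfig created and any stale
# HTTPS listener bound to an old thumbprint), then bind the HTTPS listener to the new certificate.
Write-SetupLog -Message "Remove any existing HTTP Listener."
try {
    Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse -ErrorAction Stop
    Write-SetupLog -Message "All listener(s) successfully removed"
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable to remove existing listener(s) [$ErrorMessage]"
}
try {
    New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force -ErrorAction Stop | Out-Null
    Write-SetupLog -Message "HTTPS listener successfully created."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable to create HTTPS listener [$ErrorMessage]"
    exit 1
}

# WinRM
Write-SetupLog -Message "Configuring WinRM."
try {
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config', '@{MaxTimeoutms="1800000"}'
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/winrs', '@{MaxMemoryPerShellMB="1024"}'
    # Only the HTTPS listener exists on this host, so the service must refuse plaintext. With
    # AllowUnencrypted="true" and Basic auth enabled, credentials would cross the network in the
    # clear as soon as an HTTP listener reappears (e.g. after another "winrm quickconfig").
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/service', '@{AllowUnencrypted="false"}'
    # Client-side setting: governs connections *initiated from* this host. Kept from the original
    # design; set it to "false" unless this host must reach HTTP-only targets.
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/client', '@{AllowUnencrypted="true"}'
    # Basic auth is tolerable here only because the transport is TLS; the credential itself is
    # merely base64-encoded on the wire.
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/service/auth', '@{Basic="true"}'
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/client/auth', '@{Basic="true"}'
    # CredSSP hands the caller's credentials to this host; keep it only if double-hop scenarios need it.
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/service/auth', '@{CredSSP="true"}'
    Invoke-WinRmCommand -Arguments 'set', 'winrm/config/listener?Address=*+Transport=HTTPS', "@{Port=`"$HttpsPort`";Hostname=`"$($DnsName)`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
    Write-SetupLog -Message "WinRM configuration successfully applied."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable configure winrm [$ErrorMessage]"
    exit 1
}

# Restart service
Write-SetupLog -Message "Restarting WinRM service"
try {
    Restart-Service -Name WinRM -ErrorAction Stop
    Write-SetupLog -Message "WinRM service successfully restarted."
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable restart winrm service [$ErrorMessage]"
}

# Firewall (idempotent: the original "netsh ... add rule" created a duplicate rule on every run)
Write-SetupLog -Message "Configuring firewall rule for WinRM HTTPS"
try {
    if (Get-NetFirewallRule -DisplayName $FirewallRuleName -ErrorAction SilentlyContinue) {
        Write-SetupLog -Message "firewall rule $FirewallRuleName already exists, nothing to add."
    }
    else {
        # NOTE(review): as in the original netsh rule, this allows TCP 5986 from any remote address on
        # every profile; narrow it with -Profile / -RemoteAddress on hosts outside a management network.
        New-NetFirewallRule -DisplayName $FirewallRuleName -Direction Inbound -LocalPort $HttpsPort -Protocol TCP -Action Allow -ErrorAction Stop | Out-Null
        Write-SetupLog -Message "firewall flow for https 5986 successfully added."
    }
}
catch {
    $ErrorMessage = $_.Exception.Message
    Write-SetupLog -EntryType Error -Message "Unable add firewall rule for winrm in local firewall [$ErrorMessage]"
}

# Elapsed wall-clock time; a TimeSpan, unlike the seconds field alone, survives minute boundaries.
$ElapsedSeconds = [int]((Get-Date) - $StartTime).TotalSeconds
Write-SetupLog -Message "Configuration finished [Execution time : ${ElapsedSeconds}s]"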