commit 1577341ce96389348606b11fa2d787195a83aaae
Author: Chris Long
Date: Mon Dec 11 08:49:25 2017 -0800
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..cefdb27
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+Vagrant/.vagrant/*
+Packer/packer_cache/*
+Boxes/*
+.DS_Store
diff --git a/Boxes/.gitignore b/Boxes/.gitignore
new file mode 100755
index 0000000..d6b7ef3
--- /dev/null
+++ b/Boxes/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/Packer/answer_files/10/Autounattend.xml b/Packer/answer_files/10/Autounattend.xml
new file mode 100755
index 0000000..419d4eb
--- /dev/null
+++ b/Packer/answer_files/10/Autounattend.xml
@@ -0,0 +1,249 @@ + + + + + + + + + + 1 + Primary + true + + + + + false + NTFS + C + 1 + 1 + + + + 0 + true + + OnError + + + true + Vagrant + Vagrant + + + + + NPPR9-FWDCX-D2C8J-H872K-2YT43 + Never + + + + + + 0 + 1 + + OnError + false + + + /IMAGE/NAME + Windows 10 Enterprise Evaluation + + + + + + + + en-US + + en-US + en-US + en-US + en-US + en-US + + + + + false + + + + + en-US + en-US + en-US + en-US + + + + + vagrant + true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Description>Vagrant User</Description> + <DisplayName>vagrant</DisplayName> + <Group>administrators</Group> + <Name>vagrant</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Username>vagrant</Username> + <Enabled>true</Enabled> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff"</CommandLine> + <Description>Network 
prompt</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\fixnetwork.ps1</CommandLine> + <Description>Fix public network</Description> + <Order>4</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>5</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>6</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>8</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>9</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD 
HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>10</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>11</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>12</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "vagrant" /f</CommandLine> + <Order>13</Order> + <Description>Enable AutoLogon</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f</CommandLine> + <Order>14</Order> + <Description>Enable AutoLogon</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-screensaver.ps1</CommandLine>
+ <Description>Disable Screensaver</Description>
+ <Order>99</Order>
+ <RequiresUserInput>true</RequiresUserInput>
+ </SynchronousCommand>
+ <SynchronousCommand wcm:action="add">
+ <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine>
+ <Description>Install Windows Updates</Description>
+ <Order>100</Order>
+ <RequiresUserInput>true</RequiresUserInput>
+ </SynchronousCommand>
+ <!-- END WITH WINDOWS UPDATES -->
+ </FirstLogonCommands>
+ <ShowWindowsLive>false</ShowWindowsLive>
+ </component>
+ </settings>
+ <settings pass="specialize">
+ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <OEMInformation>
+ <HelpCustomized>false</HelpCustomized>
+ </OEMInformation>
+ <!-- Rename computer here. -->
+ <ComputerName>vagrant-10</ComputerName>
+ <TimeZone>Pacific Standard Time</TimeZone>
+ <RegisteredOwner/>
+ </component>
+ <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <SkipAutoActivation>true</SkipAutoActivation>
+ </component>
+ </settings>
+ <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="catalog:d:/sources/install_windows 7 ENTERPRISE.clg"/>
+</unattend>
diff --git a/Packer/answer_files/2012/Autounattend.xml b/Packer/answer_files/2012/Autounattend.xml
new file mode 100755
index 0000000..efc2a28
--- /dev/null
+++ b/Packer/answer_files/2012/Autounattend.xml
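Review bot: Order 13 writes the vagrant password as a plaintext REG_SZ into `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword`, which persists in the finished box, while the `<AutoLogon>` block earlier in the same component already enables autologon with the same credentials; if the registry value is needed only to survive the reboot cycle driven by `a:\win-updates.ps1`, a comment saying so and naming the step that removes it afterwards (e.g. `<!-- DefaultPassword is needed across the update reboots; removed by <cleanup step> -->`) would make that contract visible, and if nothing removes it that is worth recording too. The `cpi:offlineImage` element names an `install_windows 7 ENTERPRISE.clg` catalog although the image selected is `Windows 10 Enterprise Evaluation`; the element is informational, but the mismatch suggests the file was copied from a Windows 7 answer file without the catalog reference being refreshed. The leading part of this hunk (the windowsPE settings) has lost its XML tags in this rendering, so the disk and image-install components could not be reviewed here.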
@@ -0,0 +1,292 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <servicing/> + <settings pass="windowsPE"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Order>1</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Extend>false</Extend> + <Format>NTFS</Format> + <Letter>C</Letter> + <Order>1</Order> + <PartitionID>1</PartitionID> + <Label>Windows 2012</Label> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + <WillShowUI>OnError</WillShowUI> + </DiskConfiguration> + <UserData> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant Administrator</FullName> + <Organization>Vagrant Inc.</Organization> + <!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!--<Key>XC9B7-NBPP2-83J2H-RHMBY-92BT4</Key>--> + <WillShowUI>Never</WillShowUI> + </ProductKey> + </UserData> + <ImageInstall> + <OSImage> + <InstallTo> + <DiskID>0</DiskID> + <PartitionID>1</PartitionID> + </InstallTo> + <WillShowUI>OnError</WillShowUI> + <InstallToAvailablePartition>false</InstallToAvailablePartition> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME</Key> + <Value>Windows Server 2012 SERVERSTANDARD</Value> + </MetaData> + </InstallFrom> + </OSImage> + </ImageInstall> + </component> + <component 
xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>de-DE</InputLocale> + <SystemLocale>de-DE</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>de-DE</UserLocale> + </component> + </settings> + <settings pass="offlineServicing"> + <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <settings pass="oobeSystem"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Description>Vagrant User</Description> + <DisplayName>vagrant</DisplayName> + <Group>administrators</Group> + <Name>vagrant</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <SkipUserOOBE>true</SkipUserOOBE> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + </OOBE> + <AutoLogon> + <Password> + 
<Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Username>vagrant</Username> + <Enabled>true</Enabled> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm quickconfig -q</CommandLine> + <Description>winrm quickconfig -q</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm quickconfig -transport:http</CommandLine> + <Description>winrm quickconfig -transport:http</Description> + <Order>4</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config @{MaxTimeoutms="1800000"}</CommandLine> + <Description>Win RM MaxTimoutms</Description> + <Order>5</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/winrs @{MaxMemoryPerShellMB="800"}</CommandLine> + <Description>Win RM MaxMemoryPerShellMB</Description> + <Order>6</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/service @{AllowUnencrypted="true"}</CommandLine> + 
<Description>Win RM AllowUnencrypted</Description> + <Order>7</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}</CommandLine> + <Description>Win RM auth Basic</Description> + <Order>8</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/client/auth @{Basic="true"}</CommandLine> + <Description>Win RM client auth Basic</Description> + <Order>9</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"} </CommandLine> + <Description>Win RM listener Address/Port</Description> + <Order>10</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes </CommandLine> + <Description>Win RM adv firewall enable</Description> + <Order>11</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985" </CommandLine> + <Description>Win RM port open</Description> + <Order>12</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c net stop winrm </CommandLine> + <Description>Stop Win RM Service </Description> + <Order>13</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c sc config winrm start= auto</CommandLine> + <Description>Win RM Autostart</Description> + <Order>14</Order> + 
<RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c net start winrm</CommandLine> + <Description>Start Win RM Service</Description> + <Order>15</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>16</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>17</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>18</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>19</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>20</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>21</Order> + 
<Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>22</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\openssh.ps1 -AutoStart</CommandLine> + <Description>Install OpenSSH</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + --> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <ShowWindowsLive>false</ShowWindowsLive> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <!-- Rename computer here. --> + <ComputerName>vagrant-2012</ComputerName> + <TimeZone>W. 
Europe Standard Time</TimeZone>
+ <RegisteredOwner/>
+ </component>
+ <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon>
+ </component>
+ <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <!-- Disable IE ESC. -->
+ <IEHardenAdmin>false</IEHardenAdmin>
+ <IEHardenUser>false</IEHardenUser>
+ </component>
+ <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon>
+ </component>
+ <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+ <SkipAutoActivation>true</SkipAutoActivation>
+ </component>
+ </settings>
+ <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="catalog:d:/sources/install_windows server 2008 r2 serverdatacenter.clg"/>
+</unattend>
diff --git a/Packer/answer_files/2012_r2/Autounattend.xml b/Packer/answer_files/2012_r2/Autounattend.xml
new file mode 100755
index 0000000..be7d920
--- /dev/null
+++ b/Packer/answer_files/2012_r2/Autounattend.xml
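Review bot: Orders 7 to 9 set `winrm/config/service @{AllowUnencrypted="true"}` and `@{Basic="true"}` on both the WinRM service and client, and Order 12 opens TCP 5985 in the firewall, so the vagrant credentials and every provisioning session cross the build network unencrypted; the 10 and 2012_r2 answer files in this same commit instead run `a:\disable-winrm.ps1` at first logon and leave WinRM enablement to later scripts, so the divergence reads as a copy from a different template rather than a deliberate choice for this image. If the plaintext Basic-auth listener is required by the Packer communicator during the build, a comment above Order 3 such as `<!-- Unencrypted/Basic WinRM is opened for the Packer build only; it should be tightened or disabled before the box is exported -->` would record the intent, and whichever template or script does that tightening should be referenced there (none is visible in this part of the commit). Two smaller inconsistencies in the same hunk: `cpi:offlineImage` names a `windows server 2008 r2 serverdatacenter.clg` catalog while the image installed is `Windows Server 2012 SERVERSTANDARD`, and the `de-DE` InputLocale/SystemLocale/UserLocale with `W. Europe Standard Time` differ from the en-US and Pacific settings used in the 10 file, so it is worth confirming both are intended for this box.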
@@ -0,0 +1,242 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>en-US</UserLocale> + </component> + <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2012 R2</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME </Key> + <Value>Windows Server 2012 R2 SERVERSTANDARD</Value> + </MetaData> + </InstallFrom> + 
<InstallTo> + <DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!--<Key>D2N9P-3P6X9-2R39C-7RTCD-MDVJX</Key>--> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2012-r2</ComputerName> + <TimeZone>W. 
Europe Standard Time</TimeZone> + <RegisteredOwner /> + </component> + <component name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <RunSynchronous> + <RunSynchronousCommand wcm:action="add"> + <Order>1</Order> + <Description>Set Execution Policy 64 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy 
-ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>2</Order> + <Description>Set Execution Policy 32 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>3</Order> + <Description>Disable WinRM</Description> + <Path>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</Path> + </RunSynchronousCommand> + </RunSynchronous> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + 
</SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>4</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>5</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>6</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>8</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>9</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>10</Order> + <Description>Disable password expiration 
for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner /> + </component> + </settings> + <settings pass="offlineServicing"> + <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" 
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <EnableLUA>false</EnableLUA>
+ </component>
+ </settings>
+ <cpi:offlineImage cpi:source="wim:c:/wim/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
+</unattend>
diff --git a/Packer/answer_files/2012_r2_core/Autounattend.xml b/Packer/answer_files/2012_r2_core/Autounattend.xml
new file mode 100755
index 0000000..4860c85
--- /dev/null
+++ b/Packer/answer_files/2012_r2_core/Autounattend.xml
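Review bot: `<Key>/IMAGE/NAME </Key>` in the ImageInstall/InstallFrom block carries a trailing space inside the element, unlike the 2012 file's `<Key>/IMAGE/NAME</Key>`; whether Setup trims the key before matching it against the WIM metadata is not something I can confirm from here, so the tightly spelled `<Key>/IMAGE/NAME</Key>` is the safer form (the 2012_r2_core file, whose hunk runs past the end of this view, has the same trailing space). In the specialize pass, RunSynchronousCommand Order 2 is described as `Set Execution Policy 32 Bit` but invokes plain `cmd.exe`, so it repeats Order 1 instead of using the `C:\Windows\SysWOW64\cmd.exe` form that the oobeSystem FirstLogonCommands Order 2 uses for the 32-bit host. `<EnableLUA>false</EnableLUA>` in the offlineServicing pass turns UAC off for the whole box with no comment on why; a note such as `<!-- UAC disabled so the FirstLogonCommands and WinRM provisioning run elevated without prompts -->` would document the intent, assuming that is the reason.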
@@ -0,0 +1,242 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>de-DE</InputLocale> + <SystemLocale>de-DE</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>de-DE</UserLocale> + </component> + <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2012 R2</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME </Key> + <Value>Windows Server 2012 R2 SERVERSTANDARDCORE</Value> + </MetaData> + </InstallFrom> + 
<InstallTo> + <DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!--<Key>D2N9P-3P6X9-2R39C-7RTCD-MDVJX</Key>--> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2012-r2</ComputerName> + <TimeZone>W. 
Europe Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <RunSynchronous> + <RunSynchronousCommand wcm:action="add"> + <Order>1</Order> + <Description>Set Execution Policy 64 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy 
-ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>2</Order> + <Description>Set Execution Policy 32 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>3</Order> + <Description>Disable WinRM</Description> + <Path>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</Path> + </RunSynchronousCommand> + </RunSynchronous> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + 
</SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>4</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>5</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>6</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>8</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>9</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>10</Order> + <Description>Disable password expiration 
for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner /> + </component> + </settings> + <settings pass="offlineServicing"> + <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" 
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <cpi:offlineImage cpi:source="wim:c:/wim/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> +</unattend> diff --git a/Packer/answer_files/2012_r2_hyperv/Autounattend.xml b/Packer/answer_files/2012_r2_hyperv/Autounattend.xml new file mode 100755 index 0000000..dbb0e2b --- /dev/null +++ b/Packer/answer_files/2012_r2_hyperv/Autounattend.xml 
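Review bot: In the specialize-pass Microsoft-Windows-Deployment block, the RunSynchronousCommand with Order 2 ("Set Execution Policy 32 Bit") runs the same `cmd.exe /c powershell` as Order 1, so the 32-bit policy is never set in that pass; the oobeSystem pass does it correctly through the WOW64 cmd. The line should be `<Path>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path>`; the 2016 answer file has the identical copy. Separately, this file sets InputLocale/SystemLocale/UserLocale to de-DE and the time zone to W. Europe while every other answer file in the commit uses en-US and Pacific, which looks inherited from an upstream template rather than intended; if it is intended, a comment on the International-Core-WinPE component saying so would stop the next reader from "fixing" it.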
@@ -0,0 +1,296 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>en-US</UserLocale> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2012 R2</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME </Key> + <Value>Windows Server 2012 R2 SERVERHYPERCORE</Value> + </MetaData> + </InstallFrom> + 
<InstallTo> + <DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!--<Key>D2N9P-3P6X9-2R39C-7RTCD-MDVJX</Key>--> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2012-r2</ComputerName> + <TimeZone>Pacific Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + </settings> + <settings pass="oobeSystem"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm quickconfig -q</CommandLine> + <Description>winrm quickconfig -q</Description> + <Order>3</Order> + 
<RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm quickconfig -transport:http</CommandLine> + <Description>winrm quickconfig -transport:http</Description> + <Order>4</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config @{MaxTimeoutms="1800000"}</CommandLine> + <Description>Win RM MaxTimoutms</Description> + <Order>5</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/winrs @{MaxMemoryPerShellMB="800"}</CommandLine> + <Description>Win RM MaxMemoryPerShellMB</Description> + <Order>6</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/service @{AllowUnencrypted="true"}</CommandLine> + <Description>Win RM AllowUnencrypted</Description> + <Order>7</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/service/auth @{Basic="true"}</CommandLine> + <Description>Win RM auth Basic</Description> + <Order>8</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/client/auth @{Basic="true"}</CommandLine> + <Description>Win RM client auth Basic</Description> + <Order>9</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="5985"} </CommandLine> + <Description>Win RM listener Address/Port</Description> + <Order>10</Order> + <RequiresUserInput>true</RequiresUserInput> + 
</SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes </CommandLine> + <Description>Win RM adv firewall enable</Description> + <Order>11</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c netsh firewall add portopening TCP 5985 "Port 5985" </CommandLine> + <Description>Win RM port open</Description> + <Order>12</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c net stop winrm </CommandLine> + <Description>Stop Win RM Service </Description> + <Order>13</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c sc config winrm start= auto</CommandLine> + <Description>Win RM Autostart</Description> + <Order>14</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c net start winrm</CommandLine> + <Description>Start Win RM Service</Description> + <Order>15</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>16</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>17</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD 
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>18</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>19</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>20</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>21</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>22</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\openssh.ps1 -AutoStart</CommandLine> + <Description>Install OpenSSH</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + 
</SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner/> + </component> + </settings> + <settings pass="offlineServicing"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="wim:c:/wim/install.wim#Windows Server 2012 R2 SERVERSTANDARD"/> +</unattend> diff --git a/Packer/answer_files/2016/Autounattend.xml b/Packer/answer_files/2016/Autounattend.xml new file mode 100755 index 0000000..1379bcc --- /dev/null +++ b/Packer/answer_files/2016/Autounattend.xml 
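Review bot: The FirstLogonCommands at Orders 7–12 configure WinRM with `AllowUnencrypted="true"` and Basic auth on the HTTP listener (port 5985) and open that port in the firewall, so the `vagrant` credential — which this file also bakes in as the plaintext Administrator and local-account password, with EnableLUA set to false — travels in the clear on whatever network the build VM is attached to. Nothing in the hunk records that this is only acceptable because the Packer build network is expected to be isolated; a comment above the first winrm command such as `<!-- Build-time WinRM: Basic/unencrypted over HTTP, assumes an isolated host-only build network; the box is expected to be reconfigured before any other use -->` would make the assumption explicit. The firewall rule at Order 12 uses the deprecated `netsh firewall` context; the supported form is `netsh advfirewall firewall add rule name="WinRM HTTP" dir=in action=allow protocol=TCP localport=5985`, which also avoids relying on the broad "remote administration" group enabled at Order 11. Note the commented-out "WITHOUT WINDOWS UPDATES" block here references a:\openssh.ps1 while the other three files reference a:\enable-winrm.ps1, so the two variants of this file would diverge in behaviour, not just in whether updates run.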
@@ -0,0 +1,248 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>en-US</UserLocale> + </component> + <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2016</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME </Key> + <Value>Windows Server 2016 SERVERSTANDARD</Value> + </MetaData> + </InstallFrom> + <InstallTo> + 
<DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from https://www.microsoft.com/de-de/evalcenter/evaluate-windows-server-technical-preview?i=1 --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!-- <Key>6XBNX-4JQGW-QX6QG-74P76-72V67</Key> --> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2016</ComputerName> + <TimeZone>Pacific Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component name="Microsoft-Windows-OutOfBoxExperience" 
processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <RunSynchronous> + <RunSynchronousCommand wcm:action="add"> + <Order>1</Order> + <Description>Set Execution Policy 64 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>2</Order> + <Description>Set Execution Policy 32 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>3</Order> + <Description>Disable WinRM</Description> + <Path>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</Path> + </RunSynchronousCommand> + </RunSynchronous> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>4</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>5</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>6</Order> + <Description>Show Run command in Start 
Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>8</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>9</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>10</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-screensaver.ps1</CommandLine> + <Description>Disable 
Screensaver</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner /> + </component> + </settings> + <settings pass="offlineServicing"> + <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <cpi:offlineImage cpi:source="wim:c:/wim/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> +</unattend> 
diff --git a/Packer/answer_files/2016/Autounattend_sysprep.xml b/Packer/answer_files/2016/Autounattend_sysprep.xml new file mode 100755 index 0000000..cb538aa --- /dev/null +++ b/Packer/answer_files/2016/Autounattend_sysprep.xml 
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<unattend xmlns="urn:schemas-microsoft-com:unattend">
+ <settings pass="generalize">
+ <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <SkipRearm>0</SkipRearm>
+ </component>
+ <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
+ <DoNotCleanUpNonPresentDevices>false</DoNotCleanUpNonPresentDevices>
+ </component>
+ </settings>
+ <settings pass="oobeSystem">
+ <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <InputLocale>en-US</InputLocale>
+ <SystemLocale>en-US</SystemLocale>
+ <UILanguage>en-US</UILanguage>
+ <UserLocale>en-US</UserLocale>
+ </component>
+ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <OOBE>
+ <HideEULAPage>true</HideEULAPage>
+ <ProtectYourPC>1</ProtectYourPC>
+ <NetworkLocation>Home</NetworkLocation>
+ <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
+ </OOBE>
+ <TimeZone>UTC</TimeZone>
+ <UserAccounts>
+ <AdministratorPassword>
+ <Value>vagrant</Value>
+ <PlainText>true</PlainText>
+ </AdministratorPassword>
+ <LocalAccounts>
+ <LocalAccount wcm:action="add">
+ <Password>
+ <Value>vagrant</Value>
+ <PlainText>true</PlainText>
+ </Password>
+ <Group>administrators</Group>
+ <DisplayName>Vagrant</DisplayName>
+ <Name>vagrant</Name>
+ <Description>Vagrant User</Description>
+ </LocalAccount>
+ </LocalAccounts>
+ </UserAccounts>
+ </component>
+ </settings>
+ <settings pass="specialize">
+ </settings>
+</unattend>
diff --git a/Packer/answer_files/2016_core/Autounattend.xml b/Packer/answer_files/2016_core/Autounattend.xml
new file mode 100755
index 0000000..929d76b
--- /dev/null
+++ b/Packer/answer_files/2016_core/Autounattend.xml
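Review bot: The sysprep answer file stores both the built-in Administrator password and the `vagrant` account password as the literal `vagrant` with `<PlainText>true</PlainText>`, and the same credential appears in the 2016_core Autounattend.xml in the next hunk and in the Windows 10 answer file above. For a disposable lab box this is the well-known Vagrant default, but nothing in the file says so, and anyone reusing these templates outside an isolated lab inherits a published credential. A comment next to `<UserAccounts>` such as `<!-- Default Vagrant lab credential; intentionally plaintext, do not reuse outside an isolated lab -->` would make that contract explicit. The empty `<settings pass="specialize">` block at the end does nothing and can be dropped.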
@@ -0,0 +1,229 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>en-US</UserLocale> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2016</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME </Key> + <Value>Windows Server 2016 SERVERSTANDARDCORE</Value> + </MetaData> + </InstallFrom> + <InstallTo> 
+ <DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from http://technet.microsoft.com/en-us/library/jj612867.aspx --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!--<Key>D2N9P-3P6X9-2R39C-7RTCD-MDVJX</Key>--> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2016</ComputerName> + <TimeZone>Pacific Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + </settings> + <settings pass="oobeSystem"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + 
<Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>4</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>5</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>6</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>8</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>9</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> 
+ <Order>10</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + --> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-screensaver.ps1</CommandLine> + <Description>Disable Screensaver</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + 
<Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner/> + </component> + </settings> + <settings pass="offlineServicing"> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="wim:c:/wim/install.wim#Windows Server 2016 SERVERSTANDARD"/> +</unattend> diff --git a/Packer/floppy/PinTo10.exe b/Packer/floppy/PinTo10.exe new file mode 100644 index 0000000..5b24f15 Binary files /dev/null and b/Packer/floppy/PinTo10.exe differ diff --git a/Packer/floppy/ReadMe.txt b/Packer/floppy/ReadMe.txt new file mode 100755 index 0000000..bcc8dad --- /dev/null +++ b/Packer/floppy/ReadMe.txt 
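Review bot: `<EnableLUA>false</EnableLUA>` in the `offlineServicing` pass turns UAC off for the whole image, and the `Microsoft-Windows-IE-ESC` component disables IE Enhanced Security for administrators and users, yet neither is explained anywhere in the file. Because these settings weaken the image permanently rather than only during provisioning, a comment at each, e.g. `<!-- UAC disabled so provisioning can run elevated without prompts; lab image only -->`, would document the intent (the reason is inferred, confirm it). Separately, `cpi:source` on the last line names `Windows Server 2016 SERVERSTANDARD` while the `<MetaData>` block installs `Windows Server 2016 SERVERSTANDARDCORE`; as far as I know Setup ignores `cpi:offlineImage`, but the mismatch is confusing to the next reader.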
@@ -0,0 +1,38 @@ +: Release v1.2 - Stuart Pearson 16th Nov 2015 +: +: Command line tool to pin and unpin exe / lnk files to the Windows 10 taskbar and start menu. +: +: PinTo10 is a command line tool to pin and unpin .exe or .lnk files to or from the Windows 10 taskbar and start menu. +: With it you can pin or unpin up to 10 different shortcuts to either the taskbar or start menu in one run of the command. +: It replaces functionality that Microsoft have removed from their Windows 10 scripting interface. +: +: The exe needs to be run with at least one pair of switches specified for each function to Pin / Unpin to Taskbar / Start Menu... +: +: To pin an application or shortcut to the taskbar (replace XX with 01-10)... +: /PTFOLXX: Followed by the folder containing the file you want to pin. +: /PTFILEXX: Followed by the name of the file you want to pin. +: +: To unpin an application or shortcut to the taskbar (replace XX with 01-10)... +: /UTFOLXX: Followed by the folder containing the file you want to unpin. +: /UTFILEXX: Followed by the name of the file you want to unpin. + +: To pin an application or shortcut to the start menu (replace XX with 01-10)... +: /PSFOLXX: Followed by the folder containing the file you want to pin. +: /PSFILEXX: Followed by the name of the file you want to pin. + +: To unpin an application or shortcut to the start menu (replace XX with 01-10)... +: /USFOLXX: Followed by the folder containing the file you want to unpin. +: /USFILEXX: Followed by the name of the file you want to unpin. + + +: Example for pinning two shortcuts to the taskbar... +PinTo10.exe /PTFOL01:'%USERPROFILE:%\Desktop' /PTFILE01:'Word 2016.lnk' /PTFOL02:'%USERPROFILE:%\Desktop' /PTFILE02:'Excel 2016.lnk' + +: Example for unpinning a file to the taskbar... +PinTo10.exe /UTFOL01:'C\Windows' /UTFILE01:'notepad.exe' + +: Example for pinning a file to the start menu... 
+PinTo10.exe /PSFOL01:'C\Windows' /PSFILE01:'notepad.exe'
+
+: Example for unpinning a file from the start menu...
+PinTo10.exe /USFOL01:'%USERPROFILE:%\Desktop' /USFILE01:'Word 2016.lnk'
\ No newline at end of file
diff --git a/Packer/floppy/WindowsPowershell.lnk b/Packer/floppy/WindowsPowershell.lnk
new file mode 100644
index 0000000..74db524
Binary files /dev/null and b/Packer/floppy/WindowsPowershell.lnk differ
diff --git a/Packer/scripts/.gitignore b/Packer/scripts/.gitignore
new file mode 100755
index 0000000..e4fe1a6
--- /dev/null
+++ b/Packer/scripts/.gitignore
@@ -0,0 +1,3 @@
+*.exe
+*.msi
+*.msu
\ No newline at end of file
diff --git a/Packer/scripts/MakeWindows10GreatAgain.ps1 b/Packer/scripts/MakeWindows10GreatAgain.ps1
new file mode 100644
index 0000000..432e583
--- /dev/null
+++ b/Packer/scripts/MakeWindows10GreatAgain.ps1
@@ -0,0 +1,21 @@
+# Import the registry keys
+Write-Host "Making Windows 10 Great again"
+Write-Host "Importing registry keys..."
+regedit /s a:\MakeWindows10GreatAgain.reg
+
+# Install Powershell Help items
+Write-Host "Updating Powershell Help Library..."
+Update-Help
+
+# Remove OneDrive from the System
+Write-Host "Removing OneDrive..."
+$onedrive = Get-Process onedrive -ErrorAction SilentlyContinue
+if ($onedrive) {
+ taskkill /f /im OneDrive.exe
+}
+c:\Windows\SysWOW64\OneDriveSetup.exe /uninstall
+
+# Disable SMBv1
+Write-Host "Disabling SMBv1"
+Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
+
diff --git a/Packer/scripts/MakeWindows10GreatAgain.reg b/Packer/scripts/MakeWindows10GreatAgain.reg
new file mode 100644
index 0000000..503d399
--- /dev/null
+++ b/Packer/scripts/MakeWindows10GreatAgain.reg
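Review bot: In MakeWindows10GreatAgain.ps1, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` only switches SMB1 off in the server service configuration; the SMB1 component itself stays installed on the image. If the `# Disable SMBv1` section is meant to remove the legacy protocol, add `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart` so the binaries are gone as well. The external steps (`regedit /s`, `Update-Help`, `OneDriveSetup.exe /uninstall`) also run without any result check, so a failed registry import is silent; `regedit /s` in particular does not appear to return a useful exit code, so `reg.exe import a:\MakeWindows10GreatAgain.reg` followed by `if ($LASTEXITCODE -ne 0) { Write-Error "registry import failed"; exit 1 }` would let the build fail loudly.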
@@ -0,0 +1,45 @@
+Windows Registry Editor Version 5.00
+
+# Disable Cortana (Windows search still remains)
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
+"AllowCortana"=dword:00000000
+
+# Disable Notification Center
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer]
+"DisableNotificationCenter"=dword:00000001
+
+# Don't reboot when users are logged in for Windows updates
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
+"NoAutoRebootWithLoggedOnUsers"=dword:00000001
+
+# Disable Microsoft.com accounts
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
+"NoConnectedUser"=dword:00000003
+
+# Show all file extensions
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"HideFileExt"=dword:00000000
+
+# Set explorer to open to "This PC" for new windows
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"LaunchTo"=dword:00000001
+
+# Show hidden files (not including OS files)
+[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
+"Hidden"=dword:00000001
+
+# Show "This PC" on Desktop
+# Created by: Shawn Brink
+# http://www.tenforums.com
+[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
+"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=dword:00000000
+
+# Enable Developer Mode (prerequisite for Linux subsystem)
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock]
+"AllowDevelopmentWithoutDevLicense"=dword:00000001
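Review bot: The comment lines in this `.reg` file start with `#`, but the Registry Editor format's comment marker is `;`, and the `[HKCU\SOFTWARE\...\HideDesktopIcons\NewStartPanel]` key uses the `HKCU` abbreviation, which `.reg` files do not accept (the full `HKEY_CURRENT_USER` root is required, as the duplicate key immediately below it already uses). `regedit /s` appears to skip lines it cannot parse rather than fail, so the import probably still succeeds, but the `#` lines should become `;` lines and the `HKCU` block should be removed since the next key sets the same value. The `AllowDevelopmentWithoutDevLicense` entry enables Developer Mode, which also relaxes app-package sideloading; a `; intentional for the lab, needed for WSL` comment (reason inferred from the existing comment, confirm) would make that explicit.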
diff --git a/Packer/scripts/chef.bat b/Packer/scripts/chef.bat
new file mode 100755
index 0000000..a96cb2b
--- /dev/null
+++ b/Packer/scripts/chef.bat
@@ -0,0 +1,6 @@
+if not exist "C:\Windows\Temp\chef.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.getchef.com/chef/install.msi', 'C:\Windows\Temp\chef.msi')" <NUL
+)
+
+msiexec /qb /i C:\Windows\Temp\chef.msi
+powershell -Command "Start-Sleep 1" <NUL
\ No newline at end of file
diff --git a/Packer/scripts/chocolatey.bat b/Packer/scripts/chocolatey.bat
new file mode 100755
index 0000000..f37575b
--- /dev/null
+++ b/Packer/scripts/chocolatey.bat
@@ -0,0 +1 @@
+powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" <NUL
diff --git a/Packer/scripts/chocopacks.bat b/Packer/scripts/chocopacks.bat
new file mode 100755
index 0000000..5090c25
--- /dev/null
+++ b/Packer/scripts/chocopacks.bat
@@ -0,0 +1,6 @@
+:: Ensure C:\Chocolatey\bin is on the path
+set /p PATH=<C:\Windows\Temp\PATH
+
+:: Install all the things; for example:
+cmd /c choco install 7zip
+cmd /c choco install notepadplusplus
\ No newline at end of file
diff --git a/Packer/scripts/compact.bat b/Packer/scripts/compact.bat
new file mode 100755
index 0000000..d67c864
--- /dev/null
+++ b/Packer/scripts/compact.bat
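Review bot: chef.bat downloads `http://www.getchef.com/chef/install.msi` over plain HTTP and hands it straight to `msiexec` with no integrity check, so the installer that runs as administrator is whatever the network returns; chocolatey.bat likewise pipes a remote script into `iex` under `-ExecutionPolicy unrestricted`, and compact.bat (next hunk), debloat-windows.ps1 and docker/10/install-docker.ps1 further down fetch and run binaries the same way. Pin a version, use HTTPS where the vendor offers it, and compare a recorded hash before executing, e.g. after the download in chef.bat: `powershell -Command "if ((Get-FileHash C:\Windows\Temp\chef.msi -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { exit 1 }" <NUL` followed by `if errorlevel 1 exit /b 1`. The `getchef.com` host also looks like a legacy vendor name; confirm the URL still resolves to the intended package.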
@@ -0,0 +1,39 @@
+if "%PACKER_BUILDER_TYPE:~0,6%"=="hyperv" (
+ echo "Skip compact steps in Hyper-V build."
+ goto :eof
+)
+if not exist "C:\Windows\Temp\7z920-x64.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+)
+msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
+
+if not exist "C:\Windows\Temp\ultradefrag.zip" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL
+)
+
+if not exist "C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe" (
+ cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\ultradefrag.zip -oC:\Windows\Temp"
+)
+
+if not exist "C:\Windows\Temp\SDelete.zip" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.sysinternals.com/files/SDelete.zip', 'C:\Windows\Temp\SDelete.zip')" <NUL
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://vagrantboxes.blob.core.windows.net/box/sdelete/v1.6.1/sdelete.exe', 'C:\Windows\Temp\sdelete.exe')" <NUL
+)
+
+if not exist "C:\Windows\Temp\sdelete.exe" (
+ cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\SDelete.zip -oC:\Windows\Temp"
+)
+
+msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
+
+net stop wuauserv
+rmdir /S /Q C:\Windows\SoftwareDistribution\Download
+mkdir C:\Windows\SoftwareDistribution\Download
+net start wuauserv
+
+if "%PACKER_BUILDER_TYPE%" neq "hyperv-iso" (
+ cmd /c C:\Windows\Temp\ultradefrag-portable-6.1.0.amd64\udefrag.exe --optimize --repeat C:
+
+ cmd /c %SystemRoot%\System32\reg.exe ADD HKCU\Software\Sysinternals\SDelete /v EulaAccepted /t REG_DWORD /d 1 /f
+ cmd /c C:\Windows\Temp\sdelete.exe -q -z C:
+)
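Review bot: The first guard `if "%PACKER_BUILDER_TYPE:~0,6%"=="hyperv"` leaves the script via `goto :eof`, so the later `if "%PACKER_BUILDER_TYPE%" neq "hyperv-iso"` branch can never see a Hyper-V build and that condition is dead; either drop the second check or document why both exist. The SDelete block downloads a prebuilt `sdelete.exe` from a third-party blob store and the following block only extracts the official Sysinternals zip when that download is missing, which is the reverse of the precedence a reader expects; a comment such as `:: prefer the pre-extracted sdelete.exe, fall back to unzipping SDelete.zip` (or dropping the third-party copy in favour of the Sysinternals archive) would make the intent clear. Integrity checking for all four downloads is covered in the chef.bat comment above.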
diff --git a/Packer/scripts/compile-dotnet-assemblies.bat b/Packer/scripts/compile-dotnet-assemblies.bat
new file mode 100755
index 0000000..14f81aa
--- /dev/null
+++ b/Packer/scripts/compile-dotnet-assemblies.bat
@@ -0,0 +1,15 @@
+::http://support.microsoft.com/kb/2570538
+::http://robrelyea.wordpress.com/2007/07/13/may-be-helpful-ngen-exe-executequeueditems/
+
+if "%PROCESSOR_ARCHITECTURE%"=="AMD64" goto 64BIT
+
+%windir%\microsoft.net\framework\v4.0.30319\ngen.exe update /force /queue
+%windir%\microsoft.net\framework\v4.0.30319\ngen.exe executequeueditems
+
+exit /b
+
+:64BIT
+%windir%\microsoft.net\framework\v4.0.30319\ngen.exe update /force /queue
+%windir%\microsoft.net\framework64\v4.0.30319\ngen.exe update /force /queue
+%windir%\microsoft.net\framework\v4.0.30319\ngen.exe executequeueditems
+%windir%\microsoft.net\framework64\v4.0.30319\ngen.exe executequeueditems
\ No newline at end of file
diff --git a/Packer/scripts/create-domain.ps1 b/Packer/scripts/create-domain.ps1
new file mode 100755
index 0000000..d977e14
--- /dev/null
+++ b/Packer/scripts/create-domain.ps1
@@ -0,0 +1,39 @@
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+
+ Write-Host 'Creating domain controller'
+ # Disable password complexity policy
+ secedit /export /cfg C:\secpol.cfg
+ (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+ secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
+ rm -force C:\secpol.cfg -confirm:$false
+
+ # Set administrator password
+ $computerName = $env:COMPUTERNAME
+ $adminPassword = "vagrant"
+ $adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+ $adminUser.SetPassword($adminPassword)
+
+ $PlainPassword = "vagrant" # "P@ssw0rd"
+ $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
+
+ # Windows Server 2012 R2
+ Install-WindowsFeature AD-domain-services
+ Import-Module ADDSDeployment
+ Install-ADDSForest `
+ -SafeModeAdministratorPassword $SecurePassword `
+ -CreateDnsDelegation:$false `
+ -DatabasePath "C:\Windows\NTDS" `
+ -DomainMode "Win2012" `
+ -DomainName "windomain.local" `
+ -DomainNetbiosName "WINDOMAIN" `
+ -ForestMode "Win2012" `
+ -InstallDns:$true `
+ -LogPath "C:\Windows\NTDS" `
+ -NoRebootOnCompletion:$true `
+ -SysvolPath "C:\Windows\SYSVOL" `
+ -Force:$true
+
+ $newDNSServers = "8.8.8.8", "4.4.4.4"
+ $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -eq "10.0.2.15"}
+ $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+}
diff --git a/Packer/scripts/debloat-windows.ps1 b/Packer/scripts/debloat-windows.ps1
new file mode 100755
index 0000000..530ee25
--- /dev/null
+++ b/Packer/scripts/debloat-windows.ps1
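Review bot: `$newDNSServers = "8.8.8.8", "4.4.4.4"` points the adapter at `4.4.4.4`, which is not a public resolver; presumably Google's secondary `8.8.4.4` was intended, so the line should read `$newDNSServers = "8.8.8.8", "8.8.4.4"`. The adapter match `$_.IPAddress -eq "10.0.2.15"` hardcodes the VirtualBox NAT address, so on any other provider `$adapters` is empty and no DNS change happens silently; a `Write-Warning` when nothing matches would surface that. The script also disables password complexity through `secedit` and sets both the local Administrator password and the DSRM `-SafeModeAdministratorPassword` to the literal `vagrant`; a header comment stating these are deliberate lab defaults, not production settings, belongs at the top of the file.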
@@ -0,0 +1,27 @@
+if ($env:PACKER_BUILDER_TYPE -And $($env:PACKER_BUILDER_TYPE).startsWith("hyperv")) {
+ Write-Host Skip debloat steps in Hyper-V build.
+} else {
+ Write-Host Downloading debloat zip
+ $url="https://github.com/StefanScherer/Debloat-Windows-10/archive/master.zip"
+ (New-Object System.Net.WebClient).DownloadFile($url, "$env:TEMP\debloat.zip")
+ Expand-Archive -Path $env:TEMP\debloat.zip -DestinationPath $env:TEMP -Force
+
+ #Write-Host Disable scheduled tasks
+ #. $env:TEMP\Debloat-Windows-10-master\utils\disable-scheduled-tasks.ps1
+ #Write-Host Block telemetry
+ #. $env:TEMP\Debloat-Windows-10-master\scripts\block-telemetry.ps1
+ #Write-Host Disable services
+ #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-services.ps1
+ Write-host Disable Windows Defender
+ #. $env:TEMP\Debloat-Windows-10-master\scripts\disable-windows-defender.ps1
+ Uninstall-WindowsFeature Windows-Defender-Features
+ Write-host Optimize Windows Update
+ . $env:TEMP\Debloat-Windows-10-master\scripts\optimize-windows-update.ps1
+ #Write-host Disable Windows Update
+ #Set-Service wuauserv -StartupType Disabled
+ #Write-Host Remove OneDrive
+ #. $env:TEMP\Debloat-Windows-10-master\scripts\remove-onedrive.ps1
+
+ rm $env:TEMP\debloat.zip
+ rm -recurse $env:TEMP\Debloat-Windows-10-master
+}
diff --git a/Packer/scripts/dis-updates.bat b/Packer/scripts/dis-updates.bat
new file mode 100755
index 0000000..3861c1e
--- /dev/null
+++ b/Packer/scripts/dis-updates.bat
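Review bot: `$url` fetches `archive/master.zip`, i.e. whatever the upstream branch head happens to be at build time, and the script then dot-sources `optimize-windows-update.ps1` out of it as administrator, so the code that runs changes with every upstream push and a build cannot be reproduced later. Pin the archive to a tag or commit (`.../archive/<COMMIT_SHA_PLACEHOLDER>.zip`) and check it with `Get-FileHash` against a recorded value before `Expand-Archive`. Also, `Uninstall-WindowsFeature Windows-Defender-Features` is a ServerManager cmdlet; if this script is also run in the Windows 10 build it will fail there (not verifiable from this page), and because the line removes Defender permanently a comment explaining that the lab intentionally runs without it should accompany it.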
@@ -0,0 +1,19 @@
+rem http://www.windows-commandline.com/disable-automatic-updates-command-line/
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
+
+rem remove optional WSUS server settings
+reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f
+
+rem even harder, disable windows update service
+rem sc config wuauserv start= disabled
+rem net stop wuauserv
+
+if exist C:\Windows\Temp\win-updates.log (
+ echo Show Windows Updates log file C:\Windows\Temp\win-updates.log
+ dir C:\Windows\Temp\win-updates.log
+ type C:\Windows\Temp\win-updates.log
+ rem output of type command is not fully shown in packer/ssh session, so try PowerShell
+ rem but it will hang if log file is about 22 KByte
+ rem powershell -command "Get-Content C:\Windows\Temp\win-updates.log"
+ echo End of Windows Updates log file C:\Windows\Temp\win-updates.log
+)
diff --git a/Packer/scripts/dis-updates.ps1 b/Packer/scripts/dis-updates.ps1
new file mode 100755
index 0000000..157c07e
--- /dev/null
+++ b/Packer/scripts/dis-updates.ps1
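Review bot: `reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /f` removes the whole policy key including its `AU` subkey, not just the WSUS server values the `rem` above describes; MakeWindows10GreatAgain.reg in an earlier hunk writes `NoAutoRebootWithLoggedOnUsers` under that same `...\WindowsUpdate\AU`, so if this script runs afterwards that setting is wiped (the provisioner order is not on this page). Delete only the WSUS values instead: `reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /f`, the same line with `/v WUStatusServer`, and `reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /f`. `reg delete` exits non-zero when the target is absent and the script ignores that, which is fine here but deserves a `rem` so nobody later adds error checking that breaks the clean-image case.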
@@ -0,0 +1,30 @@
+<#
+.SYNOPSIS
+ Disables automatic windows updates
+.DESCRIPTION
+ Disables checking for and applying Windows Updates (does not prevent updates from being applied manually or being pushed down)
+ Run on the machine that updates need disabling on.
+.PARAMETER <paramName>
+ None
+.EXAMPLE
+ ./Disable-WindowsUpdates.ps1
+#>
+$RunningAsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
+if ($RunningAsAdmin)
+{
+
+ $Updates = (New-Object -ComObject "Microsoft.Update.AutoUpdate").Settings
+
+ if ($Updates.ReadOnly -eq $True) { Write-Error "Cannot update Windows Update settings due to GPO restrictions." }
+
+ else {
+ $Updates.NotificationLevel = 1 #Disabled
+ $Updates.Save()
+ $Updates.Refresh()
+ Write-Output "Automatic Windows Updates disabled."
+ }
+}
+
+else
+{ Write-Warning "Must be executed in Administrator level shell."
+ Write-Warning "Script Cancelled!" }
diff --git a/Packer/scripts/disable-auto-logon.bat b/Packer/scripts/disable-auto-logon.bat
new file mode 100755
index 0000000..b3e8c04
--- /dev/null
+++ b/Packer/scripts/disable-auto-logon.bat
@@ -0,0 +1 @@
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /d 0 /f
\ No newline at end of file
diff --git a/Packer/scripts/disable-screensaver.ps1 b/Packer/scripts/disable-screensaver.ps1
new file mode 100755
index 0000000..14426b4
--- /dev/null
+++ b/Packer/scripts/disable-screensaver.ps1
@@ -0,0 +1,4 @@
+Write-Host "Disabling Screensaver"
+Set-ItemProperty "HKCU:\Control Panel\Desktop" -Name ScreenSaveActive -Value 0 -Type DWord
+& powercfg -x -monitor-timeout-ac 0
+& powercfg -x -monitor-timeout-dc 0
diff --git a/Packer/scripts/disable-tasks.bat b/Packer/scripts/disable-tasks.bat
new file mode 100755
index 0000000..64a38de
--- /dev/null
+++ b/Packer/scripts/disable-tasks.bat
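Review bot: The comment-based help in dis-updates.ps1 is out of sync with the file: `.EXAMPLE` invokes `./Disable-WindowsUpdates.ps1` while the script is `dis-updates.ps1`, and `.PARAMETER <paramName>` is the template placeholder left in place; change the example to `./dis-updates.ps1` and drop the `.PARAMETER` block since the script takes no parameters. Both failure paths (the `Write-Error` on the GPO read-only case and the non-admin `Write-Warning` branch) let the script finish with exit code 0, so a Packer provisioner cannot tell the step did nothing; end each with `exit 1`.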
@@ -0,0 +1,2 @@
+schtasks /End /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
+schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
diff --git a/Packer/scripts/disable-winrm.ps1 b/Packer/scripts/disable-winrm.ps1
new file mode 100755
index 0000000..1ce9273
--- /dev/null
+++ b/Packer/scripts/disable-winrm.ps1
@@ -0,0 +1,8 @@
+netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=block
+netsh advfirewall firewall set rule group="Windows Remote Management" new enable=yes
+$winrmService = Get-Service -Name WinRM
+if ($winrmService.Status -eq "Running"){
+ Disable-PSRemoting -Force
+}
+Stop-Service winrm
+Set-Service -Name winrm -StartupType Disabled
diff --git a/Packer/scripts/docker/10/install-containers-feature.ps1 b/Packer/scripts/docker/10/install-containers-feature.ps1
new file mode 100755
index 0000000..2105357
--- /dev/null
+++ b/Packer/scripts/docker/10/install-containers-feature.ps1
@@ -0,0 +1,6 @@
+# https://msdn.microsoft.com/de-de/virtualization/windowscontainers/quick_start/quick_start_windows_10
+Write-Host "Install Containers feature"
+Enable-WindowsOptionalFeature -Online -FeatureName containers -All -NoRestart
+Write-Host "Install Hyper-V feature"
+Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
+sc.exe config winrm start= delayed-auto
diff --git a/Packer/scripts/docker/10/install-docker.ps1 b/Packer/scripts/docker/10/install-docker.ps1
new file mode 100755
index 0000000..aff5939
--- /dev/null
+++ b/Packer/scripts/docker/10/install-docker.ps1
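Review bot: The teardown is incomplete relative to the enablement scripts in this commit: it blocks the built-in `Windows Remote Management (HTTP-In)` rule but leaves the custom `Port 5985` allow rule that enable-winrm.bat adds, keeps the `Address=*` HTTP listener that enable-winrm.ps1 configures, and does not revert `AllowUnencrypted` or `Basic`. Disabling the service closes the port for now, but anything that later re-enables winrm gets the plaintext Basic-auth listener straight back. Before `Stop-Service winrm`, add `netsh advfirewall firewall delete rule name="Port 5985"`, `winrm delete winrm/config/listener?Address=*+Transport=HTTP` and `winrm set winrm/config/service '@{AllowUnencrypted="false"}'`. The `if ($winrmService.Status -eq "Running")` guard means a stopped-but-enabled service skips `Disable-PSRemoting`; the condition looks unnecessary.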
@@ -0,0 +1,13 @@
+Set-ExecutionPolicy Bypass -scope Process
+New-Item -Type Directory -Path "$($env:ProgramFiles)\docker"
+# wget -outfile $env:TEMP\docker-17.03.0-ce.zip "https://dockermsft.blob.core.windows.net/dockercontainer/docker-1-13-1.zip"
+Write-Host "Downloading docker ..."
+wget -outfile $env:TEMP\docker-17.03.0-ce.zip "https://get.docker.com/builds/Windows/x86_64/docker-17.03.0-ce.zip"
+Expand-Archive -Path $env:TEMP\docker-17.03.0-ce.zip -DestinationPath $env:TEMP -Force
+copy $env:TEMP\docker\*.exe $env:ProgramFiles\docker
+Remove-Item $env:TEMP\docker-17.03.0-ce.zip
+[Environment]::SetEnvironmentVariable("Path", $env:Path + ";$($env:ProgramFiles)\docker", [EnvironmentVariableTarget]::Machine)
+$env:Path = $env:Path + ";$($env:ProgramFiles)\docker"
+Write-Host "Registering docker service ..."
+. dockerd --register-service -H npipe:// -H 0.0.0.0:2375 -G docker
+Start-Service Docker
diff --git a/Packer/scripts/docker/2016/install-containers-feature.ps1 b/Packer/scripts/docker/2016/install-containers-feature.ps1
new file mode 100755
index 0000000..e721672
--- /dev/null
+++ b/Packer/scripts/docker/2016/install-containers-feature.ps1
@@ -0,0 +1,9 @@
+Write-Host "Install Containers feature"
+Install-WindowsFeature -Name Containers
+
+if ((GWMI Win32_Processor).VirtualizationFirmwareEnabled[0] -and (GWMI Win32_Processor).SecondLevelAddressTranslationExtensions[0]) {
+ Write-Host "Install Hyper-V feature"
+ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+} else {
+ Write-Host "Skipping installation of Hyper-V feature"
+}
diff --git a/Packer/scripts/docker/2016/install-docker.ps1 b/Packer/scripts/docker/2016/install-docker.ps1
new file mode 100755
index 0000000..1457d8d
--- /dev/null
+++ b/Packer/scripts/docker/2016/install-docker.ps1
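Review bot: `dockerd --register-service -H npipe:// -H 0.0.0.0:2375` exposes the Docker engine API on every interface with no TLS and no authentication; anyone who can reach TCP/2375 can start a container with host mounts and is effectively SYSTEM on the box. The binding is baked into the base image regardless of whether open-docker-insecure-port.ps1 (which carries the "DO NOT USE ... WITHOUT TLS" warning) ever runs. Bind to the named pipe only (`-H npipe://`) or to loopback (`-H 127.0.0.1:2375`) in the image, and let a consumer opt in to a TLS-protected `-H 0.0.0.0:2376 --tlsverify` if remote access is needed. The zip is fetched with `wget` and unpacked with no integrity check; pin a SHA-256 and compare it with `Get-FileHash` before `Expand-Archive`.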
@@ -0,0 +1,12 @@
+$ProgressPreference = 'SilentlyContinue'
+
+Set-ExecutionPolicy Bypass -scope Process
+New-Item -Type Directory -Path "$($env:ProgramFiles)\docker"
+wget -outfile $env:TEMP\docker-17-03-0-ee.zip "https://dockermsft.blob.core.windows.net/dockercontainer/docker-17-03-0-ee.zip"
+Expand-Archive -Path $env:TEMP\docker-17-03-0-ee.zip -DestinationPath $env:TEMP -Force
+copy $env:TEMP\docker\*.exe $env:ProgramFiles\docker
+Remove-Item $env:TEMP\docker-17-03-0-ee.zip
+[Environment]::SetEnvironmentVariable("Path", $env:Path + ";$($env:ProgramFiles)\docker", [EnvironmentVariableTarget]::Machine)
+$env:Path = $env:Path + ";$($env:ProgramFiles)\docker"
+. dockerd --register-service -H npipe:// -H 0.0.0.0:2375 -G docker
+Start-Service docker
diff --git a/Packer/scripts/docker/add-docker-group.ps1 b/Packer/scripts/docker/add-docker-group.ps1
new file mode 100755
index 0000000..f0a1324
--- /dev/null
+++ b/Packer/scripts/docker/add-docker-group.ps1
@@ -0,0 +1,5 @@
+Write-Host Creating group docker
+net localgroup docker /add
+$username = $env:USERNAME
+Write-Host Adding user $username to group docker
+net localgroup docker $username /add
diff --git a/Packer/scripts/docker/disable-windows-defender.ps1 b/Packer/scripts/docker/disable-windows-defender.ps1
new file mode 100755
index 0000000..56cefb3
--- /dev/null
+++ b/Packer/scripts/docker/disable-windows-defender.ps1
@@ -0,0 +1 @@
+Set-MpPreference -DisableRealtimeMonitoring $true
\ No newline at end of file
diff --git a/Packer/scripts/docker/docker-pull-async.ps1 b/Packer/scripts/docker/docker-pull-async.ps1
new file mode 100755
index 0000000..880ee58
--- /dev/null
+++ b/Packer/scripts/docker/docker-pull-async.ps1
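Review bot: This is a near-verbatim copy of docker/10/install-docker.ps1 — different download URL and `$ProgressPreference`, but the same `-H 0.0.0.0:2375` unauthenticated daemon binding and the same unchecked archive download — so the two will drift apart the first time one is hardened. Factor the shared body into one script that takes the download URL and expected SHA-256 as parameters, and keep the `0.0.0.0:2375` binding out of the base image because it is a remote, credential-free path to SYSTEM.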
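Review bot: `Set-MpPreference -DisableRealtimeMonitoring $true` switches off Defender real-time protection for the whole base box with no comment saying why or what re-enables it; presumably it keeps Defender from scanning container layers during the Docker build, but the file does not say so. Add a header comment such as `# Disable Defender real-time scanning for the Docker image build; re-enable with Set-MpPreference -DisableRealtimeMonitoring $false before packaging`, and if the intent really is build-time only, add that re-enable step to the provisioner sequence. The file also lacks a trailing newline.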
@@ -0,0 +1,16 @@
+function DockerPull {
+ Param ([string]$image)
+
+ Write-Host Installing $image ...
+ $j = Start-Job -ScriptBlock { docker pull $args[0] } -ArgumentList $image
+ while ( $j.JobStateInfo.state -ne "Completed" -And $j.JobStateInfo.state -ne "Failed" ) {
+ Write-Host $j.JobStateInfo.state
+ Start-Sleep 10
+ }
+
+ $results = Receive-Job -Job $j
+ $results
+}
+
+DockerPull microsoft/windowsservercore
+DockerPull microsoft/nanoserver
diff --git a/Packer/scripts/docker/enable-winrm.ps1 b/Packer/scripts/docker/enable-winrm.ps1
new file mode 100755
index 0000000..78f833e
--- /dev/null
+++ b/Packer/scripts/docker/enable-winrm.ps1
@@ -0,0 +1,21 @@
+Enable-PSRemoting -Force
+winrm quickconfig -q
+winrm quickconfig -transport:http
+winrm set winrm/config '@{MaxTimeoutms="1800000"}'
+winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="800"}'
+winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+winrm set winrm/config/service/auth '@{Basic="true"}'
+winrm set winrm/config/client/auth '@{Basic="true"}'
+winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
+
+if (Test-Path A:\install-containers-feature.ps1) {
+ . A:\install-containers-feature.ps1
+}
+
+Stop-Service winrm
+. sc.exe config winrm start= delayed-auto
+
+netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
+netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
+
+Restart-Computer
diff --git a/Packer/scripts/docker/open-docker-insecure-port.ps1 b/Packer/scripts/docker/open-docker-insecure-port.ps1
new file mode 100755
index 0000000..971faab
--- /dev/null
+++ b/Packer/scripts/docker/open-docker-insecure-port.ps1
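Review bot: The polling loop only terminates on `Completed` or `Failed`, so a job that ends in `Stopped`, `Blocked` or `Disconnected` spins forever printing its state every 10 seconds, and a failed pull is received and echoed but never turned into a non-zero exit, so the build continues without the image. Replace the `while` with `Wait-Job $j | Out-Null` and check the outcome: `if ($j.State -ne 'Completed') { Receive-Job $j; exit 1 }`. `$results = Receive-Job -Job $j; $results` can then collapse to a single `Receive-Job $j`.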
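Review bot: The nine `winrm` configuration lines duplicate Packer/scripts/enable-winrm.ps1 verbatim and then this copy diverges (dot-sourcing `A:\install-containers-feature.ps1`, `delayed-auto` start, an unconditional `Restart-Computer`), which makes it easy for a hardening change to land in one file and not the other. Keep one enable-winrm script and move the container-feature install and the reboot into their own provisioner steps. `Restart-Computer` fires whether or not the feature install actually needed one; either document that the reboot is intentional or condition it on what the dot-sourced script reports.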
@@ -0,0 +1,6 @@
+Write-Host "WARNING: DO NOT USE DOCKER IN PRODUCTION WITHOUT TLS"
+Write-Host "Opening Docker insecure port 2375"
+
+if (!(Get-NetFirewallRule | where {$_.Name -eq "Dockerinsecure2375"})) {
+ New-NetFirewallRule -Name "Dockerinsecure2375" -DisplayName "Docker insecure on TCP/2375" -Protocol tcp -LocalPort 2375 -Action Allow -Enabled True
+}
diff --git a/Packer/scripts/docker/remove-docker-key-json.ps1 b/Packer/scripts/docker/remove-docker-key-json.ps1
new file mode 100755
index 0000000..b3fb911
--- /dev/null
+++ b/Packer/scripts/docker/remove-docker-key-json.ps1
@@ -0,0 +1,9 @@
+# Do not restart Docker as it creates the key.json with an unique ID
+# This should not exist in the Vagrant basebox so you can spin up
+# multiple Vagrant boxes for a Docker swarm etc.
+
+Write-Host "Stopping Docker"
+Stop-Service docker
+
+Write-Host "Removing key.json to recreate key.json on first vagrant up"
+rm C:\ProgramData\docker\config\key.json
diff --git a/Packer/scripts/enable-rdp.bat b/Packer/scripts/enable-rdp.bat
new file mode 100755
index 0000000..f7dcaab
--- /dev/null
+++ b/Packer/scripts/enable-rdp.bat
@@ -0,0 +1,2 @@
+netsh advfirewall firewall add rule name="Open Port 3389" dir=in action=allow protocol=TCP localport=3389
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
diff --git a/Packer/scripts/enable-remote-desktop.bat b/Packer/scripts/enable-remote-desktop.bat
new file mode 100755
index 0000000..3f507b4
--- /dev/null
+++ b/Packer/scripts/enable-remote-desktop.bat
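Review bot: `New-NetFirewallRule` here has no `-RemoteAddress` or `-Profile` constraint, so it admits TCP/2375 from any peer on any network the VM is attached to, and the listener behind it (`-H 0.0.0.0:2375` in install-docker.ps1) is unauthenticated. Scope it at least to the lab subnet, e.g. `-Profile Private -RemoteAddress LocalSubnet`, and make `-Direction Inbound` explicit so the intent is visible. The `Write-Host` warning only appears in the build log; put the same sentence in a comment at the top of the file so it survives in the repository.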
@@ -0,0 +1,14 @@
+rem from http://networkerslog.blogspot.de/2013/09/how-to-enable-remote-desktop-remotely.html
+
+rem 1) Enable Remote Desktop
+rem set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
+
+rem 2) Allow incoming RDP on firewall
+rem Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
+netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
+
+rem 3) Enable secure RDP authentication
+rem set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "UserAuthentication" -Value 0
+reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
+
diff --git a/Packer/scripts/enable-uac.bat b/Packer/scripts/enable-uac.bat
new file mode 100755
index 0000000..27b4fca
--- /dev/null
+++ b/Packer/scripts/enable-uac.bat
@@ -0,0 +1 @@
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
diff --git a/Packer/scripts/enable-winrm.bat b/Packer/scripts/enable-winrm.bat
new file mode 100755
index 0000000..8b59e01
--- /dev/null
+++ b/Packer/scripts/enable-winrm.bat
@@ -0,0 +1,2 @@
+rem Enable-NetFirewallRule for WinRM
+netsh advfirewall firewall add rule name="Port 5985" dir=in action=allow protocol=TCP localport=5985
diff --git a/Packer/scripts/enable-winrm.ps1 b/Packer/scripts/enable-winrm.ps1
new file mode 100755
index 0000000..c0c7587
--- /dev/null
+++ b/Packer/scripts/enable-winrm.ps1
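Review bot: Step 3 is mislabeled: `rem 3) Enable secure RDP authentication` is followed by `reg add ... /v "UserAuthentication" /t REG_DWORD /d 0 /f`, and `UserAuthentication=0` turns Network Level Authentication off rather than on, leaving RDP to authenticate only after the session is established. If NLA is meant to be on, use `/d 1`; if it is deliberately off for clients that cannot do NLA, change the comment to say so. This script also overlaps with enable-rdp.bat in the same commit (both clear `fDenyTSConnections`); keep one.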
@@ -0,0 +1,13 @@
+Enable-PSRemoting -Force
+winrm quickconfig -q
+winrm quickconfig -transport:http
+winrm set winrm/config '@{MaxTimeoutms="1800000"}'
+winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="800"}'
+winrm set winrm/config/service '@{AllowUnencrypted="true"}'
+winrm set winrm/config/service/auth '@{Basic="true"}'
+winrm set winrm/config/client/auth '@{Basic="true"}'
+winrm set winrm/config/listener?Address=*+Transport=HTTP '@{Port="5985"}'
+netsh advfirewall firewall set rule group="Windows Remote Administration" new enable=yes
+netsh advfirewall firewall set rule name="Windows Remote Management (HTTP-In)" new enable=yes action=allow
+Set-Service winrm -startuptype "auto"
+Restart-Service winrm
diff --git a/Packer/scripts/fixnetwork.ps1 b/Packer/scripts/fixnetwork.ps1
new file mode 100755
index 0000000..7433079
--- /dev/null
+++ b/Packer/scripts/fixnetwork.ps1
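Review bot: `AllowUnencrypted="true"` together with `Basic="true"` on a listener bound to `Address=*` means the provisioning credentials travel base64-encoded over plain HTTP and are accepted from any interface; that is tolerable only as a build-time setting, and nothing in this file marks it as such. Add a header comment, e.g. `# Build-time only: the Packer communicator uses plain-HTTP Basic WinRM; disable-winrm.ps1 must run before the box is packaged`, and if the communicator supports it prefer HTTPS or Negotiate so `AllowUnencrypted` can stay false. Note that disable-winrm.ps1 in this commit does not reset these two values, so they persist in the image.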
@@ -0,0 +1,23 @@
+# You cannot enable Windows PowerShell Remoting on network connections that are set to Public
+# Spin through all the network locations and if they are set to Public, set them to Private
+# using the INetwork interface:
+# http://msdn.microsoft.com/en-us/library/windows/desktop/aa370750(v=vs.85).aspx
+# For more info, see:
+# http://blogs.msdn.com/b/powershell/archive/2009/04/03/setting-network-location-to-private.aspx
+
+# Network location feature was only introduced in Windows Vista - no need to bother with this
+# if the operating system is older than Vista
+if([environment]::OSVersion.version.Major -lt 6) { return }
+
+# You cannot change the network location if you are joined to a domain, so abort
+if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }
+
+# Get network connections
+$networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
+$connections = $networkListManager.GetNetworkConnections()
+
+$connections |foreach {
+ Write-Host $_.GetNetwork().GetName()"category was previously set to"$_.GetNetwork().GetCategory()
+ $_.GetNetwork().SetCategory(1)
+ Write-Host $_.GetNetwork().GetName()"changed to category"$_.GetNetwork().GetCategory()
+}
diff --git a/Packer/scripts/hotfix-KB2552055.bat b/Packer/scripts/hotfix-KB2552055.bat
new file mode 100755
index 0000000..49369d5
--- /dev/null
+++ b/Packer/scripts/hotfix-KB2552055.bat
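Review bot: `$_.GetNetwork().SetCategory(1)` marks every current network connection Private, not just the adapter PSRemoting needs, so the firewall profile is relaxed on whatever networks the VM is attached to and the WinRM, RDP and Docker rules this commit adds become reachable there. A comment stating that trade-off, e.g. `# Marks ALL adapters Private so PSRemoting can be enabled; acceptable only for an isolated lab network`, would keep the script from being copied elsewhere unchanged. `$_.GetNetwork()` is invoked four times per connection; capture it once in a local.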
@@ -0,0 +1,23 @@
+@echo off
+:: Windows 7 / Windows 2008 R2 require KB2552055 hotfix
+:: This fixes a problem with wrong exitcode 0 instead of custom exitcode in PowerShell 2.0
+setlocal
+if defined ProgramFiles(x86) (
+ set link=http://hotfixv4.microsoft.com/Windows%%207/Windows%%20Server2008%%20R2%%20SP1/sp2/Fix373932/7600/free/438167_intl_x64_zip.exe
+ set msufilename=%TEMP%\Windows6.1-KB2552055-x64.msu
+) else (
+ set link=http://hotfixv4.microsoft.com/Windows%%207/Windows%%20Server2008%%20R2%%20SP1/sp2/Fix373932/7600/free/438164_intl_i386_zip.exe
+ set msufilename=%TEMP%\Windows6.1-KB2552055-x86.msu
+)
+set zipfilename=%TEMP%\KB2552055.zip
+
+echo Downloading Hotfix 2552055
+powershell -Command "(New-Object System.Net.WebClient).DownloadFile('%link%', '%zipfilename%')" <NUL
+echo Extracting Hotfix 2552055
+powershell -Command "(New-Object -com Shell.Application).NameSpace('%TEMP%').CopyHere((New-Object -Com Shell.Application).NameSpace('%zipfilename%').items())" <NUL
+echo Installing Hotfix 2552055
+wusa %msufilename% /quiet /norestart
+
+echo Cleanup Hotfix temp files
+del /Q %msufilename%
+del /Q %zipfilename%
diff --git a/Packer/scripts/hotfix-KB2842230.bat b/Packer/scripts/hotfix-KB2842230.bat
new file mode 100755
index 0000000..9964c2a
--- /dev/null
+++ b/Packer/scripts/hotfix-KB2842230.bat
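Review bot: The hotfix is fetched over plain `http://hotfixv4.microsoft.com` with no integrity check, and the script carries on unconditionally: if the download or the `Shell.Application` extraction yields nothing, `wusa %msufilename%` fails and the `del` lines error, yet the script still returns success. Add `if not exist "%msufilename%" exit /b 1` before the `wusa` call and use the `https://` URL. `wusa` is expected to refuse an unsigned package, which limits what a tampered download can do, but an absent package silently leaves the PowerShell 2.0 exit-code bug that the header comment says this fixes.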
@@ -0,0 +1,20 @@
+:: Windows 8 / Windows 2012 require KB2842230 hotfix
+:: The Windows Remote Management (WinRM) service does not use the customized value of the MaxMemoryPerShellMB quota.
+:: Instead, the WinRM service uses the default value, which is 150 MB.
+:: http://hotfixv4.microsoft.com/Windows%208%20RTM/nosp/Fix452763/9200/free/463941_intl_x64_zip.exe
+
+@echo off
+set hotfix="C:\Windows\Temp\Windows8-RT-KB2842230-x64.msu"
+if not exist %hotfix% goto :eof
+
+:: get windows version
+for /f "tokens=2 delims=[]" %%G in ('ver') do (set _version=%%G)
+for /f "tokens=2,3,4 delims=. " %%G in ('echo %_version%') do (set _major=%%G& set _minor=%%H& set _build=%%I)
+
+:: 6.2 or 6.3
+if %_major% neq 6 goto :eof
+if %_minor% lss 2 goto :eof
+if %_minor% gtr 3 goto :eof
+
+@echo on
+start /wait wusa "%hotfix%" /quiet /norestart
\ No newline at end of file
diff --git a/Packer/scripts/installnet4.bat b/Packer/scripts/installnet4.bat
new file mode 100755
index 0000000..e549c20
--- /dev/null
+++ b/Packer/scripts/installnet4.bat
@@ -0,0 +1,2 @@
+powershell -NoProfile -ExecutionPolicy unrestricted -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.microsoft.com/download/5/6/2/562A10F9-C9F4-4313-A044-9C94E0A8FAC8/dotNetFx40_Client_x86_x64.exe', 'C:\Windows\Temp\dotNetFx40.exe')" <NUL
+C:\Windows\Temp\dotNetFx40.exe /q /norestart /repair
diff --git a/Packer/scripts/microsoft-updates.bat b/Packer/scripts/microsoft-updates.bat
new file mode 100755
index 0000000..edb849f
--- /dev/null
+++ b/Packer/scripts/microsoft-updates.bat
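Review bot: `dotNetFx40.exe` is downloaded over cleartext HTTP and executed straight from `C:\Windows\Temp` as the provisioning administrator with no signature or hash check, so anyone able to interpose on the build network gets code execution in the image. Switch the URL to `https://` and verify before running, e.g. `powershell -Command "if ((Get-AuthenticodeSignature 'C:\Windows\Temp\dotNetFx40.exe').Status -ne 'Valid') { exit 1 }"`. The `/repair` switch on a fresh install is surprising; if it is intentional, a `rem` explaining why would help.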
@@ -0,0 +1,12 @@
+net stop wuauserv
+
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v EnableFeaturedSoftware /t REG_DWORD /d 1 /f
+
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v IncludeRecommendedUpdates /t REG_DWORD /d 1 /f
+
+echo Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager") > A:\temp.vbs
+echo Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"") >> A:\temp.vbs
+
+cscript A:\temp.vbs
+
+net start wuauserv
diff --git a/Packer/scripts/openssh.ps1 b/Packer/scripts/openssh.ps1
new file mode 100755
index 0000000..3b1ffd6
--- /dev/null
+++ b/Packer/scripts/openssh.ps1
@@ -0,0 +1,88 @@
+param (
+ [switch]$AutoStart = $false
+)
+
+Write-Output "AutoStart: $AutoStart"
+$is_64bit = [IntPtr]::size -eq 8
+
+# setup openssh
+$ssh_download_url = "http://www.mls-software.com/files/setupssh-7.1p1-1.exe"
+
+if (!(Test-Path "C:\Program Files\OpenSSH\bin\ssh.exe")) {
+ Write-Output "Downloading $ssh_download_url"
+ (New-Object System.Net.WebClient).DownloadFile($ssh_download_url, "C:\Windows\Temp\openssh.exe")
+
+ # initially set the port to 2222 so that there is not a race
+ # condition in which packer connects to SSH before we can disable the service
+ Start-Process "C:\Windows\Temp\openssh.exe" "/S /port=2222 /privsep=1 /password=D@rj33l1ng" -NoNewWindow -Wait
+}
+
+Stop-Service "OpenSSHd" -Force
+
+# ensure vagrant can log in
+Write-Output "Setting vagrant user file permissions"
+New-Item -ItemType Directory -Force -Path "C:\Users\vagrant\.ssh"
+C:\Windows\System32\icacls.exe "C:\Users\vagrant" /grant "vagrant:(OI)(CI)F"
+C:\Windows\System32\icacls.exe "C:\Program Files\OpenSSH\bin" /grant "vagrant:(OI)RX"
+C:\Windows\System32\icacls.exe "C:\Program Files\OpenSSH\usr\sbin" /grant "vagrant:(OI)RX"
+
+Write-Output "Setting SSH home directories"
+ (Get-Content "C:\Program Files\OpenSSH\etc\passwd") |
+ Foreach-Object { $_ -replace '/home/(\w+)', '/cygdrive/c/Users/$1' } |
+ Set-Content 'C:\Program Files\OpenSSH\etc\passwd'
+
+# disabled for vcloud to make vagrant-serverspec work
+# Set shell to /bin/sh to return exit status
+# $passwd_file = Get-Content 'C:\Program Files\OpenSSH\etc\passwd'
+# $passwd_file = $passwd_file -replace '/bin/bash', '/bin/sh'
+# Set-Content 'C:\Program Files\OpenSSH\etc\passwd' $passwd_file
+
+# fix opensshd to not be strict
+Write-Output "Setting OpenSSH to be non-strict"
+$sshd_config = Get-Content "C:\Program Files\OpenSSH\etc\sshd_config"
+$sshd_config = $sshd_config -replace 'StrictModes yes', 'StrictModes no'
+$sshd_config = $sshd_config -replace '#PubkeyAuthentication yes', 'PubkeyAuthentication yes'
+$sshd_config = $sshd_config -replace '#PermitUserEnvironment no', 'PermitUserEnvironment yes'
+# disable the use of DNS to speed up the time it takes to establish a connection
+$sshd_config = $sshd_config -replace '#UseDNS yes', 'UseDNS no'
+# disable the login banner
+$sshd_config = $sshd_config -replace 'Banner /etc/banner.txt', '#Banner /etc/banner.txt'
+# next time OpenSSH starts have it listen on th eproper port
+$sshd_config = $sshd_config -replace 'Port 2222', "Port 22"
+Set-Content "C:\Program Files\OpenSSH\etc\sshd_config" $sshd_config
+
+Write-Output "Removing ed25519 key as Vagrant net-ssh 2.9.1 does not support it"
+Remove-Item -Force -ErrorAction SilentlyContinue "C:\Program Files\OpenSSH\etc\ssh_host_ed25519_key"
+Remove-Item -Force -ErrorAction SilentlyContinue "C:\Program Files\OpenSSH\etc\ssh_host_ed25519_key.pub"
+
+# use c:\Windows\Temp as /tmp location
+Write-Output "Setting temp directory location"
+Remove-Item -Recurse -Force -ErrorAction SilentlyContinue "C:\Program Files\OpenSSH\tmp"
+C:\Program` Files\OpenSSH\bin\junction.exe /accepteula "C:\Program Files\OpenSSH\tmp" "C:\Windows\Temp"
+C:\Windows\System32\icacls.exe "C:\Windows\Temp" /grant "vagrant:(OI)(CI)F"
+
+# add 64 bit environment variables missing from SSH
+Write-Output "Setting SSH environment"
+$sshenv = "TEMP=C:\Windows\Temp"
+if ($is_64bit) {
+ $env_vars = "ProgramFiles(x86)=C:\Program Files (x86)", `
+ "ProgramW6432=C:\Program Files", `
+ "CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files", `
+ "CommonProgramW6432=C:\Program Files\Common Files"
+ $sshenv = $sshenv + "`r`n" + ($env_vars -join "`r`n")
+}
+Set-Content C:\Users\vagrant\.ssh\environment $sshenv
+
+# record the path for provisioners (without the newline)
+Write-Output "Recording PATH for provisioners"
+Set-Content C:\Windows\Temp\PATH ([byte[]][char[]] $env:PATH) -Encoding Byte
+
+# configure firewall
+Write-Output "Configuring firewall"
+netsh advfirewall firewall add rule name="SSHD" dir=in action=allow service=OpenSSHd enable=yes
+netsh advfirewall firewall add rule name="SSHD" dir=in action=allow program="C:\Program Files\OpenSSH\usr\sbin\sshd.exe" enable=yes
+netsh advfirewall firewall add rule name="ssh" dir=in action=allow protocol=TCP localport=22
+
+if ($AutoStart -eq $true) {
+ Start-Service "OpenSSHd"
+}
diff --git a/Packer/scripts/oracle-cert.cer b/Packer/scripts/oracle-cert.cer
new file mode 100755
index 0000000..abb6ee6
Binary files /dev/null and b/Packer/scripts/oracle-cert.cer differ
diff --git a/Packer/scripts/pin-powershell.bat b/Packer/scripts/pin-powershell.bat
new file mode 100755
index 0000000..2cd1cf2
--- /dev/null
+++ b/Packer/scripts/pin-powershell.bat
@@ -0,0 +1,4 @@
+rem https://connect.microsoft.com/PowerShell/feedback/details/1609288/pin-to-taskbar-no-longer-working-in-windows-10
+copy "A:\WindowsPowerShell.lnk" "%TEMP%\Windows PowerShell.lnk"
+A:\PinTo10.exe /PTFOL01:'%TEMP%' /PTFILE01:'Windows PowerShell.lnk'
+exit /b 0
diff --git a/Packer/scripts/puppet-enterprise.bat b/Packer/scripts/puppet-enterprise.bat
new file mode 100755
index 0000000..893cc5e
--- /dev/null
+++ b/Packer/scripts/puppet-enterprise.bat
@@ -0,0 +1,10 @@
+if not exist "C:\Windows\Temp\puppet.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://pm.puppetlabs.com/puppet-enterprise/3.0.1/puppet-enterprise-3.0.1.msi', 'C:\Windows\Temp\puppet.msi')" <NUL
+)
+
+:: http://docs.puppetlabs.com/pe/latest/install_windows.html
+msiexec /qn /i C:\Windows\Temp\puppet.msi /log C:\Windows\Temp\puppet.log
+
+<nul set /p ".=;C:\Program Files (x86)\Puppet Labs\Puppet Enterprise\bin" >> C:\Windows\Temp\PATH
+set /p PATH=<C:\Windows\Temp\PATH
+setx PATH "%PATH%" /m
\ No newline at end of file
diff --git a/Packer/scripts/puppet.bat b/Packer/scripts/puppet.bat
new file mode 100755
index 0000000..8069862
--- /dev/null
+++ b/Packer/scripts/puppet.bat
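Review bot: The sshd installer is pulled from a third-party site over plain HTTP (`$ssh_download_url`) and run silently with a hard-coded privilege-separation password, `/password=D@rj33l1ng`, that becomes part of every box built from this script; the download is not checksummed either. Pin a SHA-256 and verify it with `Get-FileHash` before `Start-Process`, use an `https://` source, and generate the service password at build time (e.g. from `[System.Security.Cryptography.RandomNumberGenerator]`) instead of committing it. The hardening that is switched off — `StrictModes no`, `PermitUserEnvironment yes`, and `icacls` granting `vagrant` full control of `C:\Windows\Temp`, which sshd's `tmp` junction points at — deserves one comment each naming the Vagrant behaviour that needs it, since together they let the `vagrant` account shape sshd's environment and key-file handling.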
@@ -0,0 +1,10 @@
+if not exist "C:\Windows\Temp\puppet.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.puppetlabs.com/windows/puppet-3.6.2.msi', 'C:\Windows\Temp\puppet.msi')" <NUL
+)
+
+:: http://docs.puppetlabs.com/pe/latest/install_windows.html
+msiexec /qn /i C:\Windows\Temp\puppet.msi /log C:\Windows\Temp\puppet.log
+
+<nul set /p ".=;C:\Program Files (x86)\Puppet Labs\Puppet\bin" >> C:\Windows\Temp\PATH
+set /p PATH=<C:\Windows\Temp\PATH
+setx PATH "%PATH%" /m
diff --git a/Packer/scripts/rearm-windows.ps1 b/Packer/scripts/rearm-windows.ps1
new file mode 100644
index 0000000..2f68a9f
--- /dev/null
+++ b/Packer/scripts/rearm-windows.ps1
@@ -0,0 +1,8 @@
+# Replaces "slmgr.vbs /rearm"
+# https://powershell.org/forums/topic/run-command-quietly-start-process/
+# https://msdn.microsoft.com/en-us/library/ee957713(v=vs.85).aspx
+
+Write-Host "Resetting the Windows evaluation timer"
+
+$x = Get-WmiObject SoftwarelicensingService
+$x.ReArmWindows()
diff --git a/Packer/scripts/rsync.bat b/Packer/scripts/rsync.bat
new file mode 100755
index 0000000..db7e684
--- /dev/null
+++ b/Packer/scripts/rsync.bat
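Review bot: Both this script and puppet-enterprise.bat download an MSI over plain `http://` and hand it to `msiexec /qn`, which installs without any signature requirement, so a tampered download installs a tampered agent. Use `https://` and check the signature first, e.g. `powershell -Command "if ((Get-AuthenticodeSignature 'C:\Windows\Temp\puppet.msi').Status -ne 'Valid') { exit 1 }"`. Reading `C:\Windows\Temp\PATH` back into `PATH` and writing it machine-wide with `setx /m` assumes openssh.ps1 already produced that file; if it is missing, whatever `set /p` leaves in `PATH` becomes the machine PATH, so guard with `if not exist C:\Windows\Temp\PATH exit /b 1`.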
@@ -0,0 +1,19 @@
+rem install rsync
+if not exist "C:\Windows\Temp\7z920-x64.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+)
+msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
+
+pushd C:\Windows\Temp
+powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://mirrors.kernel.org/sourceware/cygwin/x86_64/release/rsync/rsync-3.1.0-1.tar.xz', 'C:\Windows\Temp\rsync-3.1.0-1.tar.xz')" <NUL
+cmd /c ""C:\Program Files\7-Zip\7z.exe" x rsync-3.1.0-1.tar.xz"
+cmd /c ""C:\Program Files\7-Zip\7z.exe" x rsync-3.1.0-1.tar"
+copy /Y usr\bin\rsync.exe "C:\Program Files\OpenSSH\bin\rsync.exe"
+rmdir /s /q usr
+del rsync-3.1.0-1.tar
+popd
+
+msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
+
+rem make symlink for c:/vagrant share
+mklink /D "C:\Program Files\OpenSSH\vagrant" "C:\vagrant"
diff --git a/Packer/scripts/salt.bat b/Packer/scripts/salt.bat
new file mode 100755
index 0000000..1edddf6
--- /dev/null
+++ b/Packer/scripts/salt.bat
@@ -0,0 +1,11 @@
+if not exist "C:\Windows\Temp\salt64.exe" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://docs.saltstack.com/downloads/Salt-Minion-2014.1.3-1-AMD64-Setup.exe', 'C:\Windows\Temp\salt64.exe')" <NUL
+)
+
+:: http://docs.saltstack.com/en/latest/topics/installation/windows.html
+c:\windows\temp\salt64.exe /S
+:: /master=<yoursaltmaster> /minion-name=<thisminionname>
+
+<nul set /p ".=;C:\salt" >> C:\Windows\Temp\PATH
+set /p PATH=<C:\Windows\Temp\PATH
+setx PATH "%PATH%" /m
diff --git a/Packer/scripts/set-powerplan.ps1 b/Packer/scripts/set-powerplan.ps1
new file mode 100755
index 0000000..65ee32c
--- /dev/null
+++ b/Packer/scripts/set-powerplan.ps1
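Review bot: Both artifacts — the 7-Zip MSI and the cygwin rsync tarball from `mirrors.kernel.org` — are fetched over plain HTTP without a checksum, and the resulting `rsync.exe` is dropped into `C:\Program Files\OpenSSH\bin`, where it runs for every `vagrant rsync` session. Pin SHA-256 values and verify them with `certutil -hashfile` or `Get-FileHash` before extracting, and use `https://` URLs. Uninstalling 7-Zip at the end with `/x` is good; `mklink /D ... "C:\vagrant"` is created unconditionally and fails if the link already exists, so guard it with `if not exist`.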
@@ -0,0 +1,7 @@
+Try {
+ $HighPerf = powercfg -l | %{if($_.contains("High performance")) {$_.split()[3]}}
+ $CurrPlan = $(powercfg -getactivescheme).split()[3]
+ if ($CurrPlan -ne $HighPerf) {powercfg -setactive $HighPerf}
+} Catch {
+ Write-Warning -Message "Unable to set power plan to high performance"
+}
diff --git a/Packer/scripts/set-winrm-automatic.bat b/Packer/scripts/set-winrm-automatic.bat
new file mode 100755
index 0000000..fba5809
--- /dev/null
+++ b/Packer/scripts/set-winrm-automatic.bat
@@ -0,0 +1,2 @@
+echo Set WinRM start type to auto
+sc config winrm start= auto
diff --git a/Packer/scripts/sysprep.bat b/Packer/scripts/sysprep.bat
new file mode 100644
index 0000000..4f2e49b
--- /dev/null
+++ b/Packer/scripts/sysprep.bat
@@ -0,0 +1,2 @@
+net stop tiledatamodelsvc
+c:\windows\system32\sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:a:\unattend.xml
diff --git a/Packer/scripts/uac-enable.bat b/Packer/scripts/uac-enable.bat
new file mode 100755
index 0000000..278ac00
--- /dev/null
+++ b/Packer/scripts/uac-enable.bat
@@ -0,0 +1 @@
+reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 1
diff --git a/Packer/scripts/unattend.xml b/Packer/scripts/unattend.xml
new file mode 100755
index 0000000..f3a6c2d
--- /dev/null
+++ b/Packer/scripts/unattend.xml
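Review bot: uac-enable.bat and enable-uac.bat (also added in this commit) write the same `EnableLUA=1` value under the same key, differing only in argument order and key-name spelling; two files for one action invite one being updated and the other not. Keep a single script.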
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8"?>
+<unattend xmlns="urn:schemas-microsoft-com:unattend">
+ <settings pass="generalize">
+ <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <SkipRearm>0</SkipRearm>
+ </component>
+ <!--
+ <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
+ <DoNotCleanUpNonPresentDevices>false</DoNotCleanUpNonPresentDevices>
+ </component>
+ -->
+ </settings>
+ <settings pass="oobeSystem">
+ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <OOBE>
+ <HideEULAPage>true</HideEULAPage>
+ <ProtectYourPC>3</ProtectYourPC>
+ <NetworkLocation>Work</NetworkLocation>
+ <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
+ <SkipUserOOBE>true</SkipUserOOBE>
+ <SkipMachineOOBE>true</SkipMachineOOBE>
+ </OOBE>
+ <AutoLogon>
+ <Password>
+ <Value>vagrant</Value>
+ <PlainText>true</PlainText>
+ </Password>
+ <Enabled>true</Enabled>
+ <LogonCount>1</LogonCount>
+ <Username>vagrant</Username>
+ </AutoLogon>
+ </component>
+ </settings>
+ <settings pass="specialize">
+ <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <ComputerName>vagrant-2012</ComputerName>
+ <CopyProfile>false</CopyProfile>
+ </component>
+ </settings>
+</unattend>
diff --git a/Packer/scripts/vagrant-ssh.bat b/Packer/scripts/vagrant-ssh.bat
new file mode 100755
index 0000000..9f61deb
--- /dev/null
+++ b/Packer/scripts/vagrant-ssh.bat
@@ -0,0 +1,6 @@
+:: vagrant public key
+if exist a:\vagrant.pub (
+ copy a:\vagrant.pub C:\Users\vagrant\.ssh\authorized_keys
+) else (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub', 'C:\Users\vagrant\.ssh\authorized_keys')" <NUL
+)
diff --git a/Packer/scripts/vm-guest-tools.bat b/Packer/scripts/vm-guest-tools.bat
new file mode 100755
index 0000000..18891bc
--- /dev/null
+++ b/Packer/scripts/vm-guest-tools.bat
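Review bot: The sysprep answer file bakes the autologon credential `vagrant`/`vagrant` into the image with `<PlainText>true</PlainText>`, and `<ProtectYourPC>3</ProtectYourPC>` opts out of automatic protective settings; both are defensible for a lab base box, but nothing in the file says so. Add an XML comment above `<AutoLogon>` stating that this is the public Vagrant default account and must be rotated if the box is ever exposed, and one above `<ProtectYourPC>` naming the reason. `<ComputerName>vagrant-2012</ComputerName>` is hard-coded even though the commit also carries Windows 10 scripts (`Packer/scripts/docker/10`), so a 10 build gets a 2012 hostname; use `*` to let setup generate one, or keep a per-OS answer file.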
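Review bot: The fallback fetches `authorized_keys` from the unpinned `master` branch of the Vagrant repository, so the key the image trusts is whatever that URL serves at build time rather than a reviewed artifact; pin to a tag or commit SHA, or drop the network path and require `a:\vagrant.pub` on the floppy. This is the publicly known Vagrant insecure key, so add `:: well-known insecure key; the box relies on Vagrant replacing it on first boot` to make clear that nothing reachable should ever be built without that replacement. The script assumes `C:\Users\vagrant\.ssh` already exists (openssh.ps1 creates it); an `if not exist ... mkdir` would make it order-independent.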
@@ -0,0 +1,63 @@
+if not exist "C:\Windows\Temp\7z920-x64.msi" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL
+)
+msiexec /qb /i C:\Windows\Temp\7z920-x64.msi
+
+if "%PACKER_BUILDER_TYPE%" equ "vmware-iso" goto :vmware
+if "%PACKER_BUILDER_TYPE%" equ "virtualbox-iso" goto :virtualbox
+if "%PACKER_BUILDER_TYPE%" equ "parallels-iso" goto :parallels
+goto :done
+
+:vmware
+
+if exist "C:\Users\vagrant\windows.iso" (
+ move /Y C:\Users\vagrant\windows.iso C:\Windows\Temp
+)
+
+if not exist "C:\Windows\Temp\windows.iso" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/12.5.7/5813279/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL
+ cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\vmware-tools.tar -oC:\Windows\Temp"
+ FOR /r "C:\Windows\Temp" %%a in (VMware-tools-windows-*.iso) DO REN "%%~a" "windows.iso"
+ rd /S /Q "C:\Program Files (x86)\VMWare"
+)
+
+cmd /c ""C:\Program Files\7-Zip\7z.exe" x "C:\Windows\Temp\windows.iso" -oC:\Windows\Temp\VMWare"
+cmd /c C:\Windows\Temp\VMWare\setup.exe /S /v"/qn REBOOT=R\"
+
+rd /Q "C:\Windows\Temp\vmware-tools.tar"
+rd /Q "C:\Windows\Temp\windows.iso"
+rd /S /Q "C:\Windows\Temp\VMware"
+goto :done
+
+:virtualbox
+
+:: There needs to be Oracle CA (Certificate Authority) certificates installed in order
+:: to prevent user intervention popups which will undermine a silent installation.
+cmd /c certutil -addstore -f "TrustedPublisher" A:\oracle-cert.cer
+
+if exist "C:\Users\vagrant\VBoxGuestAdditions.iso" (
+ move /Y C:\Users\vagrant\VBoxGuestAdditions.iso C:\Windows\Temp
+)
+
+if not exist "C:\Windows\Temp\VBoxGuestAdditions.iso" (
+ powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://download.virtualbox.org/virtualbox/5.1.28/VBoxGuestAdditions_5.1.28.iso', 'C:\Windows\Temp\VBoxGuestAdditions.iso')" <NUL
+)
+
+cmd /c ""C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\VBoxGuestAdditions.iso -oC:\Windows\Temp\virtualbox"
+certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256-r3.cer
+certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha256.cer
+certutil -addstore -f "TrustedPublisher" C:\Windows\Temp\virtualbox\cert\vbox-sha1.cer
+cmd /c C:\Windows\Temp\virtualbox\VBoxWindowsAdditions.exe /S
+rd /S /Q "C:\Windows\Temp\virtualbox"
+goto :done
+
+:parallels
+if exist "C:\Users\vagrant\prl-tools-win.iso" (
+ move /Y C:\Users\vagrant\prl-tools-win.iso C:\Windows\Temp
+ cmd /C "C:\Program Files\7-Zip\7z.exe" x C:\Windows\Temp\prl-tools-win.iso -oC:\Windows\Temp\parallels
+ cmd /C C:\Windows\Temp\parallels\PTAgent.exe /install_silent
+ rd /S /Q "C:\Windows\Temp\parallels"
+)
+
+:done
+msiexec /qb /x C:\Windows\Temp\7z920-x64.msi
diff --git a/Packer/scripts/wait-for-desktop-file.ps1 b/Packer/scripts/wait-for-desktop-file.ps1
new file mode 100755
index 0000000..e166afe
--- /dev/null
+++ b/Packer/scripts/wait-for-desktop-file.ps1
@@ -0,0 +1,15 @@
+# for debugging
+# wait until a file has been removed from desktop
+$file = "C:\users\vagrant\Desktop\delete-to-continue.txt"
+
+if (-Not (Test-Path $file)) {
+ Write-Host "Remove me" | Out-File $file
+}
+
+Write-Host "Wait until someone removes $file"
+
+while (Test-Path $file) {
+ Sleep 1
+}
+
+Write-Host "Done waiting!"
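Review bot: The VirtualBox branch downloads the Guest Additions ISO over plain `http://download.virtualbox.org` and then adds the certificates bundled inside that same ISO (`vbox-sha256-r3.cer`, `vbox-sha256.cer`, `vbox-sha1.cer`) to `TrustedPublisher`, so the trust decision is derived from the untrusted download itself — a tampered ISO can ship its own publisher certificate and install silently. Fetch over `https://`, verify the ISO hash first, and remove the publisher certificates after the install with `certutil -delstore "TrustedPublisher" <cert-name>` so they do not persist in every box; the same applies to `A:\oracle-cert.cer`, and the VMware branch uses the same cleartext pattern for `tools-windows.tar`. Separately, `rd /Q` on `vmware-tools.tar` and `windows.iso` targets files, which `rd` cannot remove; those should be `del /Q`.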
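Review bot: `Write-Host "Remove me" | Out-File $file` creates an empty file, because `Write-Host` writes to the host and emits nothing to the pipeline; the marker still satisfies `Test-Path`, but the intended hint text is lost. Use `"Remove me" | Out-File $file` or `Set-Content $file "Remove me"`. `Sleep` is an alias for `Start-Sleep`; the full cmdlet name reads better in a script.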
diff --git a/Packer/scripts/win-updates.ps1 b/Packer/scripts/win-updates.ps1
new file mode 100755
index 0000000..e901553
--- /dev/null
+++ b/Packer/scripts/win-updates.ps1
@@ -0,0 +1,238 @@ +param($global:RestartRequired=0, + $global:MoreUpdates=0, + $global:MaxCycles=5, + $MaxUpdatesPerCycle=500, + $BeginWithRestart=0) + +$Logfile = "C:\Windows\Temp\win-updates.log" + +function LogWrite { + Param ([string]$logstring) + $now = Get-Date -format s + Add-Content $Logfile -value "$now $logstring" + Write-Host $logstring +} + +function Check-ContinueRestartOrEnd() { + $RegistryKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + $RegistryEntry = "InstallWindowsUpdates" + switch ($global:RestartRequired) { + 0 { + $prop = (Get-ItemProperty $RegistryKey).$RegistryEntry + if ($prop) { + LogWrite "Restart Registry Entry Exists - Removing It" + Remove-ItemProperty -Path $RegistryKey -Name $RegistryEntry -ErrorAction SilentlyContinue + } + + LogWrite "No Restart Required" + Check-WindowsUpdates + + if (($global:MoreUpdates -eq 1) -and ($script:Cycles -le $global:MaxCycles)) { + Install-WindowsUpdates + } elseif ($script:Cycles -gt $global:MaxCycles) { + LogWrite "Exceeded Cycle Count - Stopping" + Invoke-Expression "a:\enable-winrm.ps1" + } else { + LogWrite "Done Installing Windows Updates" + Invoke-Expression "a:\enable-winrm.ps1" + } + } + 1 { + $prop = (Get-ItemProperty $RegistryKey).$RegistryEntry + if (-not $prop) { + LogWrite "Restart Registry Entry Does Not Exist - Creating It" + Set-ItemProperty -Path $RegistryKey -Name $RegistryEntry -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File $($script:ScriptPath) -MaxUpdatesPerCycle $($MaxUpdatesPerCycle)" + } else { + LogWrite "Restart Registry Entry Exists Already" + } + + LogWrite "Restart Required - Restarting..." 
+ Restart-Computer + } + default { + LogWrite "Unsure If A Restart Is Required" + break + } + } +} + +function Install-WindowsUpdates() { + $script:Cycles++ + LogWrite "Evaluating Available Updates with limit of $($MaxUpdatesPerCycle):" + $UpdatesToDownload = New-Object -ComObject 'Microsoft.Update.UpdateColl' + $script:i = 0; + $CurrentUpdates = $SearchResult.Updates + while($script:i -lt $CurrentUpdates.Count -and $script:CycleUpdateCount -lt $MaxUpdatesPerCycle) { + $Update = $CurrentUpdates.Item($script:i) + if (($Update -ne $null) -and (!$Update.IsDownloaded)) { + [bool]$addThisUpdate = $false + if ($Update.InstallationBehavior.CanRequestUserInput) { + LogWrite "> Skipping: $($Update.Title) because it requires user input" + } else { + if (!($Update.EulaAccepted)) { + LogWrite "> Note: $($Update.Title) has a license agreement that must be accepted. Accepting the license." + $Update.AcceptEula() + [bool]$addThisUpdate = $true + $script:CycleUpdateCount++ + } else { + [bool]$addThisUpdate = $true + $script:CycleUpdateCount++ + } + } + + if ([bool]$addThisUpdate) { + LogWrite "Adding: $($Update.Title)" + $UpdatesToDownload.Add($Update) |Out-Null + } + } + $script:i++ + } + + if ($UpdatesToDownload.Count -eq 0) { + LogWrite "No Updates To Download..." + } else { + LogWrite 'Downloading Updates...' + $ok = 0; + while (! $ok) { + try { + $Downloader = $UpdateSession.CreateUpdateDownloader() + $Downloader.Updates = $UpdatesToDownload + $Downloader.Download() + $ok = 1; + } catch { + LogWrite $_.Exception | Format-List -force + LogWrite "Error downloading updates. Retrying in 30s." 
+ $script:attempts = $script:attempts + 1 + Start-Sleep -s 30 + } + } + } + + $UpdatesToInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl' + [bool]$rebootMayBeRequired = $false + LogWrite 'The following updates are downloaded and ready to be installed:' + foreach ($Update in $SearchResult.Updates) { + if (($Update.IsDownloaded)) { + LogWrite "> $($Update.Title)" + $UpdatesToInstall.Add($Update) |Out-Null + + if ($Update.InstallationBehavior.RebootBehavior -gt 0){ + [bool]$rebootMayBeRequired = $true + } + } + } + + if ($UpdatesToInstall.Count -eq 0) { + LogWrite 'No updates available to install...' + $global:MoreUpdates=0 + $global:RestartRequired=0 + Invoke-Expression "a:\enable-winrm.ps1" + break + } + + if ($rebootMayBeRequired) { + LogWrite 'These updates may require a reboot' + $global:RestartRequired=1 + } + + LogWrite 'Installing updates...' + + $Installer = $script:UpdateSession.CreateUpdateInstaller() + $Installer.Updates = $UpdatesToInstall + $InstallationResult = $Installer.Install() + + LogWrite "Installation Result: $($InstallationResult.ResultCode)" + LogWrite "Reboot Required: $($InstallationResult.RebootRequired)" + LogWrite 'Listing of updates installed and individual installation results:' + if ($InstallationResult.RebootRequired) { + $global:RestartRequired=1 + } else { + $global:RestartRequired=0 + } + + for($i=0; $i -lt $UpdatesToInstall.Count; $i++) { + New-Object -TypeName PSObject -Property @{ + Title = $UpdatesToInstall.Item($i).Title + Result = $InstallationResult.GetUpdateResult($i).ResultCode + } + LogWrite "Item: " $UpdatesToInstall.Item($i).Title + LogWrite "Result: " $InstallationResult.GetUpdateResult($i).ResultCode; + } + + Check-ContinueRestartOrEnd +} + +function Check-WindowsUpdates() { + LogWrite "Checking For Windows Updates" + $Username = $env:USERDOMAIN + "\" + $env:USERNAME + + New-EventLog -Source $ScriptName -LogName 'Windows Powershell' -ErrorAction SilentlyContinue + + $Message = "Script: " + $ScriptPath + 
"`nScript User: " + $Username + "`nStarted: " + (Get-Date).toString() + + Write-EventLog -LogName 'Windows Powershell' -Source $ScriptName -EventID "104" -EntryType "Information" -Message $Message + LogWrite $Message + + $script:UpdateSearcher = $script:UpdateSession.CreateUpdateSearcher() + $script:successful = $FALSE + $script:attempts = 0 + $script:maxAttempts = 12 + while(-not $script:successful -and $script:attempts -lt $script:maxAttempts) { + try { + $script:SearchResult = $script:UpdateSearcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0") + $script:successful = $TRUE + } catch { + LogWrite $_.Exception | Format-List -force + LogWrite "Search call to UpdateSearcher was unsuccessful. Retrying in 10s." + $script:attempts = $script:attempts + 1 + Start-Sleep -s 10 + } + } + + if ($SearchResult.Updates.Count -ne 0) { + $Message = "There are " + $SearchResult.Updates.Count + " more updates." + LogWrite $Message + try { + for($i=0; $i -lt $script:SearchResult.Updates.Count; $i++) { + LogWrite $script:SearchResult.Updates.Item($i).Title + LogWrite $script:SearchResult.Updates.Item($i).Description + LogWrite $script:SearchResult.Updates.Item($i).RebootRequired + LogWrite $script:SearchResult.Updates.Item($i).EulaAccepted + } + $global:MoreUpdates=1 + } catch { + LogWrite $_.Exception | Format-List -force + LogWrite "Showing SearchResult was unsuccessful. Rebooting." + $global:RestartRequired=1 + $global:MoreUpdates=0 + Check-ContinueRestartOrEnd + LogWrite "Show never happen to see this text!" 
+ Restart-Computer + } + } else { + LogWrite 'There are no applicable updates' + $global:RestartRequired=0 + $global:MoreUpdates=0 + } +} + +$script:ScriptName = $MyInvocation.MyCommand.ToString() +$script:ScriptPath = $MyInvocation.MyCommand.Path +$script:UpdateSession = New-Object -ComObject 'Microsoft.Update.Session' +$script:UpdateSession.ClientApplicationID = 'Packer Windows Update Installer' +$script:UpdateSearcher = $script:UpdateSession.CreateUpdateSearcher() +$script:SearchResult = New-Object -ComObject 'Microsoft.Update.UpdateColl' +$script:Cycles = 0 +$script:CycleUpdateCount = 0 + +if ($BeginWithRestart) { + $global:RestartRequired = 1 + Check-ContinueRestartOrEnd +} + +Check-WindowsUpdates +if ($global:MoreUpdates -eq 1) { + Install-WindowsUpdates +} else { + Check-ContinueRestartOrEnd +} diff --git a/Packer/vagrantfile-windows_10.template b/Packer/vagrantfile-windows_10.template new file mode 100755 index 0000000..fcd5e6a --- /dev/null +++ b/Packer/vagrantfile-windows_10.template 
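Review bot: The download retry loop in Install-WindowsUpdates, `while (! $ok) { ... }`, increments `$script:attempts` but never checks it, so a persistently failing `$Downloader.Download()` retries every 30 seconds forever; the search loop in Check-WindowsUpdates already bounds itself with `$script:maxAttempts`, and since Check-WindowsUpdates resets `$script:attempts` before each Install-WindowsUpdates call the same bound can be reused: `while (-not $ok -and $script:attempts -lt $script:maxAttempts) {`. Separately, `LogWrite "Item: " $UpdatesToInstall.Item($i).Title` and the matching `"Result: "` line pass the value as a second positional argument that the single-parameter LogWrite leaves in `$args`, so only the label reaches the log; interpolate instead, `LogWrite "Item: $($UpdatesToInstall.Item($i).Title)"`. The three `Invoke-Expression "a:\enable-winrm.ps1"` calls run a script path, for which the call operator `& 'a:\enable-winrm.ps1'` is the idiomatic form and avoids the analyzer warning Invoke-Expression attracts.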
@@ -0,0 +1,58 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.require_version ">= 1.6.2"
+
+Vagrant.configure("2") do |config|
+ config.vm.define "vagrant-windows-10-preview"
+ config.vm.box = "windows_10_preview"
+ config.vm.communicator = "winrm"
+
+ # Admin user name and password
+ config.winrm.username = "vagrant"
+ config.winrm.password = "vagrant"
+
+ config.vm.guest = :windows
+ config.windows.halt_timeout = 15
+
+ config.vm.network :forwarded_port, guest: 3389, host: 3389, id: "rdp", auto_correct: true
+ config.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
+
+ config.vm.provider :virtualbox do |v, override|
+ #v.gui = true
+ v.customize ["modifyvm", :id, "--memory", 2048]
+ v.customize ["modifyvm", :id, "--cpus", 2]
+ v.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+
+ config.vm.provider :vmware_fusion do |v, override|
+ v.gui = true
+ v.vmx["memsize"] = "2048"
+ v.vmx["numvcpus"] = "2"
+ v.vmx["ethernet0.virtualDev"] = "vmxnet3"
+ v.vmx["RemoteDisplay.vnc.enabled"] = "false"
+ v.vmx["RemoteDisplay.vnc.port"] = "5900"
+ v.vmx["scsi0.virtualDev"] = "lsisas1068"
+ v.vmx["gui.fitguestusingnativedisplayresolution"] = "TRUE"
+ v.vmx["mks.enable3d"] = "TRUE"
+ v.vmx["mks.forceDiscreteGPU"] = "TRUE"
+ v.vmx["gui.fullscreenatpoweron"] = "TRUE"
+ v.vmx["gui.viewmodeatpoweron"] = "fullscreen"
+ v.vmx["gui.lastPoweredViewMode"] = "fullscreen"
+ v.vmx["sound.startconnected"] = "FALSE"
+ v.vmx["sound.present"] = "FALSE"
+ v.vmx["sound.autodetect"] = "TRUE"
+ v.enable_vmrun_ip_lookup = false
+ end
+
+ config.vm.provider :vmware_workstation do |v, override|
+ v.gui = true
+ v.vmx["memsize"] = "2048"
+ v.vmx["numvcpus"] = "2"
+ v.vmx["ethernet0.virtualDev"] = "vmxnet3"
+ v.vmx["RemoteDisplay.vnc.enabled"] = "false"
+ v.vmx["RemoteDisplay.vnc.port"] = "5900"
+ v.vmx["scsi0.virtualDev"] = "lsisas1068"
+ v.enable_vmrun_ip_lookup = false
+ end
+end
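Review bot: The two `config.vm.network :forwarded_port` entries for RDP (3389) and SSH (2222) specify no `host_ip`, and with the VirtualBox provider a forwarded port without `host_ip` is bound on every host interface, so a guest whose only credentials are the fixed `vagrant`/`vagrant` pair set a few lines above becomes reachable from whatever network the host sits on; adding `host_ip: "127.0.0.1"` to both entries keeps the forwards on the loopback, e.g. `config.vm.network :forwarded_port, guest: 3389, host: 3389, host_ip: "127.0.0.1", id: "rdp", auto_correct: true`. The identical lines in vagrantfile-windows_2016.template have the same issue. Whether the VMware providers honour `host_ip` the same way is not something this file shows, so that part would need confirming.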
diff --git a/Packer/vagrantfile-windows_2016.template b/Packer/vagrantfile-windows_2016.template new file mode 100755 index 0000000..2ee6792 --- /dev/null +++ b/Packer/vagrantfile-windows_2016.template @@ -0,0 +1,49 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.require_version ">= 1.6.2" + +Vagrant.configure("2") do |config| + config.vm.define "vagrant-windows-2016" + config.vm.box = "windows_2016" + config.vm.communicator = "winrm" + + # Admin user name and password + config.winrm.username = "vagrant" + config.winrm.password = "vagrant" + + config.vm.guest = :windows + config.windows.halt_timeout = 15 + + config.vm.network :forwarded_port, guest: 3389, host: 3389, id: "rdp", auto_correct: true + config.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true + + config.vm.provider :virtualbox do |v, override| + #v.gui = true + v.customize ["modifyvm", :id, "--memory", 2048] + v.customize ["modifyvm", :id, "--cpus", 2] + v.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] + end + + config.vm.provider :vmware_fusion do |v, override| + #v.gui = true + v.vmx["memsize"] = "2048" + v.vmx["numvcpus"] = "2" + v.vmx["ethernet0.virtualDev"] = "vmxnet3" + v.vmx["RemoteDisplay.vnc.enabled"] = "false" + v.vmx["RemoteDisplay.vnc.port"] = "5900" + v.vmx["scsi0.virtualDev"] = "lsisas1068" + v.enable_vmrun_ip_lookup = false + end + + config.vm.provider :vmware_workstation do |v, override| + #v.gui = true + v.vmx["memsize"] = "2048" + v.vmx["numvcpus"] = "2" + v.vmx["ethernet0.virtualDev"] = "vmxnet3" + v.vmx["RemoteDisplay.vnc.enabled"] = "false" + v.vmx["RemoteDisplay.vnc.port"] = "5900" + v.vmx["scsi0.virtualDev"] = "lsisas1068" + v.enable_vmrun_ip_lookup = false + end +end diff --git a/Packer/windows_10.json b/Packer/windows_10.json new file mode 100644 index 0000000..bb691d9 --- /dev/null +++ b/Packer/windows_10.json 
@@ -0,0 +1,179 @@ +{ + "builders": [ + { + "type": "hyperv-iso", + "vm_name":"windows_10", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "boot_wait": "6m", + "communicator":"winrm", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout" : "4h", + "ram_size": "2048", + "cpu": "2", + "switch_name": "{{user `switch_name`}}", + "guest_additions_mode": "none", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "disk_size": "{{user `disk_size`}}", + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/MakeWindows10GreatAgain.reg", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1" + ] + }, + { + "type": "vmware-iso", + "vm_name":"windows_10", + "communicator": "winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": false, + "boot_wait": "6m", + "boot_command": "", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "2h", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "guest_os_type": "windows9-64", + "disk_size": "{{user `disk_size`}}", + "vnc_port_min": 5900, + "vnc_port_max": 5980, + "version": 11, + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/MakeWindows10GreatAgain.reg", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + 
"./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1" + ], + "vmx_data": { + "RemoteDisplay.vnc.enabled": "false", + "RemoteDisplay.vnc.port": "5900", + "memsize": "2048", + "numvcpus": "2", + "scsi0.virtualDev": "lsisas1068" + } + }, + { + "type": "virtualbox-iso", + "vm_name":"windows_10", + "communicator": "winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": false, + "boot_wait": "6m", + "boot_command": "", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "2h", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + "guest_os_type": "Windows81_64", + "guest_additions_mode": "disable", + "disk_size": "{{user `disk_size`}}", + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/MakeWindows10GreatAgain.reg", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1", + "./scripts/oracle-cert.cer" + ], + "vboxmanage": [ + [ + "modifyvm", + "{{.Name}}", + "--memory", + "2048" + ], + [ + "modifyvm", + "{{.Name}}", + "--cpus", + "2" + ] + ] + } + ], + "provisioners": [ + { + "type": "windows-shell", + "remote_path": "/tmp/script.bat", + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "scripts": [ + "./scripts/vm-guest-tools.bat", + "./scripts/enable-rdp.bat" + ] + }, + { + "type": "powershell", + "scripts": [ + "./scripts/debloat-windows.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/rearm-windows.ps1" + ] + }, + { + "type": "windows-restart" + }, + { + "type": "powershell", + "scripts": [ + "./scripts/set-powerplan.ps1", + "./scripts/docker/disable-windows-defender.ps1" + ] + }, + { + 
"type": "windows-shell", + "remote_path": "/tmp/script.bat", + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "scripts": [ + "./scripts/pin-powershell.bat", + "./scripts/compile-dotnet-assemblies.bat", + "./scripts/set-winrm-automatic.bat", + "./scripts/compact.bat" + ] + } + ], + "post-processors": [ + { + "type": "vagrant", + "keep_input_artifact": false, + "output": "windows_10_{{.Provider}}.box", + "vagrantfile_template": "vagrantfile-windows_10.template" + } + ], + "variables": { + "iso_url": "http://care.dlservice.microsoft.com/dl/download/B/8/B/B8B452EC-DD2D-4A8F-A88C-D2180C177624/15063.0.170317-1834.RS2_RELEASE_CLIENTENTERPRISEEVAL_OEMRET_X64FRE_EN-US.ISO", + "iso_checksum_type": "sha1", + "iso_checksum": "6c60f91bf0ad7b20f469ab8f80863035c517f34f", + "autounattend": "./answer_files/10/Autounattend.xml", + "disk_size": "61440" + } +} diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json new file mode 100644 index 0000000..2785ceb --- /dev/null +++ b/Packer/windows_2016.json 
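Review bot: The hyperv-iso builder in windows_10.json sets `"switch_name": "{{user `switch_name`}}"`, but the `variables` block declares only iso_url, iso_checksum_type, iso_checksum, autounattend and disk_size, so `switch_name` is never defined; windows_2016.json wires the same setting as `"switch_name":"{{user `hyperv_switchname`}}"` with `"hyperv_switchname": "{{env `hyperv_switchname`}}"` in `variables`, and this file should do the same so the Hyper-V build does not depend on an undeclared variable. Also, both files fetch the evaluation ISO over plain `http://` and pin it with a SHA-1 here and an MD5 in windows_2016.json; the checksum check still ties the build to a known file, but an `https://` URL and a sha256 value, where Microsoft publishes one, would be the stronger pairing. The windows-shell provisioner's `"remote_path": "/tmp/script.bat"` is present here but absent from the equivalent provisioners in windows_2016.json; if the default path works there, the two should probably agree.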
@@ -0,0 +1,166 @@ +{ + "builders": [ + { + "vm_name":"WindowsServer2016", + "type": "hyperv-iso", + "disk_size": 41440, + "boot_wait": "0s", + "guest_additions_mode":"disable", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/unattend.xml", + "./scripts/sysprep.bat", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1" + ], + "communicator":"winrm", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout" : "2h", + "shutdown_command": "a:/sysprep.bat", + "ram_size": 2048, + "cpu": 2, + "switch_name":"{{user `hyperv_switchname`}}", + "enable_secure_boot":true + }, + { + "type": "vmware-iso", + "communicator": "winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": false, + "boot_wait": "2m", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "2h", + "shutdown_timeout": "2h", + "shutdown_command": "a:/sysprep.bat", + "guest_os_type": "windows8srv-64", + "disk_size": 61440, + "vnc_port_min": 5900, + "vnc_port_max": 5980, + "version": 11, + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/unattend.xml", + "./scripts/sysprep.bat", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1" + ], + "vmx_data": { + "RemoteDisplay.vnc.enabled": "false", + "RemoteDisplay.vnc.port": "5900", + "memsize": "2048", + "numvcpus": "2", + "scsi0.virtualDev": "lsisas1068" + } + }, + { + "type": "virtualbox-iso", + "communicator": 
"winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": false, + "boot_wait": "2m", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "2h", + "shutdown_command": "a:/sysprep.bat", + "guest_os_type": "Windows2012_64", + "guest_additions_mode": "disable", + "disk_size": 61440, + "floppy_files": [ + "{{user `autounattend`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/unattend.xml", + "./scripts/sysprep.bat", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1", + "./scripts/oracle-cert.cer" + ], + "vboxmanage": [ + [ + "modifyvm", + "{{.Name}}", + "--memory", + "2048" + ], + [ + "modifyvm", + "{{.Name}}", + "--cpus", + "2" + ] + ] + } + ], + "provisioners": [ + { + "type": "windows-shell", + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "scripts": [ + "./scripts/vm-guest-tools.bat", + "./scripts/enable-rdp.bat" + ] + }, + { + "type": "powershell", + "scripts": [ + "./scripts/debloat-windows.ps1" + ] + }, + { + "type": "windows-restart" + }, + { + "type": "windows-shell", + "execute_command": "{{ .Vars }} cmd /c \"{{ .Path }}\"", + "scripts": [ + "./scripts/pin-powershell.bat", + "./scripts/set-winrm-automatic.bat", + "./scripts/compile-dotnet-assemblies.bat", + "./scripts/uac-enable.bat", + "./scripts/compact.bat" + ] + }, + { + "type": "file", + "source": "./answer_files/2016/Autounattend_sysprep.xml", + "destination": "c:/Windows/Temp/Autounattend_sysprep.xml" + } + ], + "post-processors": [ + { + "type": "vagrant", + "keep_input_artifact": false, + "output": "windows_2016_{{.Provider}}.box", + "vagrantfile_template": "vagrantfile-windows_2016.template" + } + ], + "variables": { + "iso_url": 
"http://care.dlservice.microsoft.com/dl/download/1/4/9/149D5452-9B29-4274-B6B3-5361DBDA30BC/14393.0.161119-1705.RS1_REFRESH_SERVER_EVAL_X64FRE_EN-US.ISO", + "iso_checksum_type": "md5", + "iso_checksum": "70721288BBCDFE3239D8F8C0FAE55F1F", + "autounattend": "./answer_files/2016/Autounattend.xml", + "hyperv_switchname": "{{env `hyperv_switchname`}}" + } +} diff --git a/README.md b/README.md new file mode 100644 index 0000000..76de627 --- /dev/null +++ b/README.md 
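Review bot: The hyperv-iso builder in windows_2016.json uses `"disk_size": 41440` while the vmware-iso and virtualbox-iso builders in the same file use `61440`, and windows_10.json gives all builders 61440 through the `disk_size` variable; unless the smaller Hyper-V disk is intentional, `"disk_size": 61440` would bring the builders into line and is worth confirming either way. The vmware-iso builder also sets `"shutdown_timeout": "2h"` where the virtualbox-iso builder, which runs the same `a:/sysprep.bat` shutdown command, does not; if the sysprep step needs the longer timeout on one provider it presumably needs it on the other.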
@@ -0,0 +1,206 @@ +# Detection Lab + +## Purpose +This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts. + +Read more about Detection Lab on Medium here: + +NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host. + +## Primary Lab Features: +* Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured. +* A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging +* [Palantir's Windows Event Forwarding](http://github.com/palantir/windows-event-forwarding) subscriptions and custom channels are implemented +* Powershell transcript logging is enabled. All logs are saved to `\\wef\pslogs` +* osquery comes installed on each host and is pre-configured to connect to a [Fleet](https://kolide.co/fleet) server via TLS. 
Fleet is preconfigured with the configuration from [Palantir's osquery Configuration](https://github.com/palantir/osquery-configuration) +* Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration +* All autostart items are logged to Windows Event Logs via [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog) +* SMBv1 Auditing is enabled + +## Requirements +* 55GB+ of free disk space +* Packer 1.0.0 or newer +* Vagrant 1.9.2 or newer +* Virtualbox or VMWare Fusion/Workstation + +This lab has been successfully tested on: + +OS | Vagrant | Packer | Provider +---|---------|--------|----------- +OSX 10.12.4 | 1.9.3 | 1.0.0 | Virtualbox (5.1.14) +OSX 10.12.6 | 2.0.1 | 1.1.2 | Virtualbox (5.1.30) +OSX 10.12.4 | 1.9.2 | 1.0.0 | VMWare Fusion (8.5.6) +OSX 10.12.5 | 1.9.3 | 1.0.0 | VMWare Fusion (8.5.8) +OSX 10.12.6 | 2.0.1 | 1.1.3 | VMWare Fusion (8.5.9) + +**Known Bad Versions:** +* Packer 1.1.2 will fail to build VMWare-ISOs correctly due to [this issue](https://github.com/hashicorp/packer/issues/5622). + +--- + +## Quickstart +1. Determine which Vagrant provider you want to use. + * Note: Virtualbox is free, the [VMWare vagrant plugin](https://www.vagrantup.com/vmware/#buy-now) is $80. +2. `cd` to the Packer directory and build the Windows 10 and Windows Server 2016 boxes using the commands below. Each build will take about 1 hour. As far as I know, you can only build one box at a time. + +``` +$ cd detectionlab/Packer +$ packer build --only=[vmware|virtualbox]-iso windows_10.json +$ packer build --only=[vmware|virtualbox]-iso windows_2016.json +``` +3. Once both boxes have built successfully, move the resulting boxes (.box files) in the Packer folder to the Boxes folder: + + `mv *.box ../Boxes` + +4. cd into the Vagrant directory: `cd ../Vagrant` +5. Install the Vagrant-Reload plugin: `vagrant plugin install vagrant-reload` + +6. 
Ensure you are in the Vagrant folrder and run `vagrant up`. This command will do the following: + * Provision the logger host. This host will run the [Fleet](https://kolide.co/fleet) osquery manager and a fully featured pre-configured Splunk instance. + * Provision the DC host and configure it as a Domain Controller + * Provision the WEF host and configure it as a Windows Event Collector in the Servers OU + * Provision the Win10 host and configure it as a computer in the Workstations OU + +7. Navigate to https://192.168.38.5:8000 in a browser to access the Splunk instance on logger. Default credentials are admin:changeme (you will have the option to change them on the next screen) +8. Navigate to https://192.168.38.5:8412 in a browser to access the Fleet server on logger. Default credentials are admin:admin123#. Query packs are pre-configured with queries from [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration). + +## Basic Vagrant Usage +Vagrant commands must be run from the "Vagrant" folder. 
+ +* Bring up all Detection Lab hosts: `vagrant up` (optional `--provider=[virtualbox|vmware_fusion|vmware_workstation]`) +* Bring up a specific host: `vagrant up <hostname>` +* Restart a specific host: `vagrant reload <hostname>` +* Restart a specific host and re-run the provision process: `vagrant reload <hostname> --provision` +* Destroy a specific host `vagrant destroy <hostname>` +* Destroy the entire Detection Lab environment: `vagrant destroy` (Adding `-f` forces it without a prompt) +* SSH into a host (only works with Logger): `vagrant ssh logger` +* Check the status of each host: `vagrant status` +* Suspend the lab environment: `vagrant suspend` +* Resume the lab environment: `vagrant resume` + +--- + +## Lab Information +* Domain Name: windomain.local +* Admininstrator login: vagrant:vagrant +* Fleet login: admin:admin123# +* Splunk login: admin:changeme + +## Lab Hosts +* DC - Windows 2016 Domain Controller + * WEF Server Configuration GPO + * Powershell logging GPO + * Enhanced Windows Auditing policy GPO + * Sysmon + * osquery + * Splunk Universal Forwarder (Forwards Sysmon & osquery) + * Sysinternals Tools +* WEF - Windows 2016 Server + * Windows Event Collector + * Windows Event Subscription Creation + * Powershell transcription logging share + * Sysmon + * osquery + * Splunk Universal Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery) + * Sysinternals tools +* Win10 - Windows 10 Workstation + * Simulates employee workstation + * Sysmon + * osquery + * Splunk Universal Forwarder (Forwards Sysmon & osquery) + * Sysinternals Tools +* Logger - Ubuntu 16.04 + * Splunk Enterprise + * Fleet osquery Manager + +## Splunk Indexes +Index Name | Description +-----------|------------ +osquery | osquery/Fleet result logs +osquery-status | osquery/fleet INFO/WARN/ERROR logs +powershell | Powershell transcription logs +sysmon | Logs from the Sysmon service +wineventlog | Windows Event Logs + +## Installed Tools on Windows + * Sysmon + * osquery + * 
AutorunsToWinEventLog + * Process Monitor + * Process Explorer + * PsExec + * TCPView + * Google Chrome + * Atom editor + * WinRar + * Mimikatz + +## Applied GPOs +* [Custom Event Channel Permissions](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm) +* [Default Domain Controllers Policy](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm) +* [Default Domain Policy](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Default Domain Policy.htm) +* [Domain Controllers Enhanced Auditing Policy](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Domain Controllers Enhanced Auditing Policy.htm) +* [Powershell Logging](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Powershell Logging.htm) +* [Servers Enhanced Auditing Policy](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Servers Enhanced Auditing Policy.htm) +* [Windows Event Forwarding Server](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Windows Event Forwarding Server.htm) +* [Workstations Enhanced Auditing Policy](http://htmlpreview.github.io/?https://github.com/clong/detectionlab/blob/master/Vagrant/resources/GPO/reports/Workstations Enhanced Auditing Policy.htm) + +## Known Issues and Workarounds + +Vagrant has been particularly flaky with VMWare and I encountered many issues while testing. However, most of the issues are easily resolved. + +--- + +**Issue:** Vagrant reports: `Message: HTTPClient::KeepAliveDisconnected:` while provisioning. 
+**Workaround:** Run `$ vagrant reload <hostname> --provision` + +--- + +**Issue:** `Vagrant timed out while attempting to connect via WinRM` after Win10 host joins the domain. +**Workaround** Documented in [#21](https://github.com/clong/detectionlab/issues/21). Just run `$ vagrant reload win10 --provision` + +--- + +**Issue:** Vagrant is unable to forward a port for you +**Workaround:** Documented in [#11](https://github.com/clong/detectionlab/issues/11). There are a few possibilities: +1. Try a `vagrant reload <hostname> --provision`. For whatever reason `vagrant up` doesn't fix conflicts but reload does. +2. Check if something is legitimately occupying the port via `sudo lsof -n -iTCP:<port_number>` +3. Follow the instructions from this comment: https://github.com/hashicorp/vagrant/issues/8130#issuecomment-272963103 + +--- + +**Issue:** Fleet server becomes unreachable after VM is suspended and resumed + +**Workaround:** Documented in [#22](https://github.com/clong/detectionlab/issues/22). The following commands should make it reachable without deleting data: +``` +$ docker stop $(docker ps -aq) +$ service docker restart +$ cd /home/vagrant/kolide-quickstart +$ docker-compose up -d +``` + +--- + +## Contributing +Please do all of your development in a feature branch on your own fork of detectionlab. +Requests for tools and features will be reviewed on a case by case basis, but I will always accept fixes and improvements. + +## Credits/Resources +A sizable percentage of this code was borrowed and adapted from [Stefan Scherer](https://twitter.com/stefscherer)'s [packer-windows](https://github.com/StefanScherer/packer-windows) and [adfs2](https://github.com/StefanScherer/adfs2) Github repos. A huge thanks to him for building the foundation that allowed me to design this lab environment. 
+ +# Acknowledgements +* [Splunk](https://www.splunk.com) +* [osquery](https://osquery.io) +* [Fleet](https://kolide.co/fleet) +* [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f) +* [palantir/windows-event-forwarding](http://github.com/palantir/windows-event-forwarding) +* [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) +* [palantir/osquery-configuration](https://github.com/palantir/osquery-configuration) +* [Configure Event Log Forwarding in Windows Server 2012 R2](https://www.petri.com/configure-event-log-forwarding-windows-server-2012-r2) +* [Monitoring what matters — Windows Event Forwarding for everyone](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/) +* [Use Windows Event Forwarding to help with intrusion detection](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/use-windows-event-forwarding-to-assist-in-instrusion-detection) +* [The Windows Event Forwarding Survival Guide](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4) +* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/) +* [Autoruns](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082) +* [TA-microsoft-sysmon](https://github.com/splunk/TA-microsoft-sysmon) +* [SwiftOnSecurity - Sysmon Config](https://github.com/SwiftOnSecurity/sysmon-config) diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile new file mode 100644 index 0000000..1d67835 --- /dev/null +++ b/Vagrant/Vagrantfile 
@@ -0,0 +1,165 @@
+Vagrant.configure("2") do |config|
+
+ config.vm.define "logger" do |cfg|
+ cfg.vm.box = "bento/ubuntu-16.04"
+ cfg.vm.hostname = "logger"
+ config.vm.provision :shell, path: "bootstrap.sh"
+ cfg.vm.network :private_network, ip: "192.168.38.5", gateway: "192.168.38.1", dns: "8.8.8.8"
+ config.vm.network :forwarded_port, guest: 8000, host: 8000
+ config.vm.network :forwarded_port, guest: 8412, host: 8412
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "dc" do |cfg|
+ cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+ cfg.vm.hostname = "dc"
+
+ # use the plaintext WinRM transport and force it to use basic authentication.
+ # NB this is needed because the default negotiate transport stops working
+ # after the domain controller is installed.
+ # see https://groups.google.com/forum/#!topic/vagrant-up/sZantuCM0q4
+ cfg.winrm.transport = :plaintext
+ cfg.winrm.basic_auth_only = true
+
+ cfg.vm.communicator = "winrm"
+ cfg.vm.network :forwarded_port, guest: 5985, host: 5985, id: "winrm", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 22, host: 2222, id: "ssh", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 3389, host: 3389, id: "rdp", auto_correct: true
+ cfg.vm.network :private_network, ip: "192.168.38.2", gateway: "192.168.38.1"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.2"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: true
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+
+ cfg.vm.provider 
"vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "wef" do |cfg|
+ cfg.vm.box = "../Boxes/windows_2016_virtualbox.box"
+ cfg.vm.hostname = "wef"
+
+ cfg.vm.communicator = "winrm"
+ cfg.vm.network :forwarded_port, guest: 5985, host: 5986, id: "winrm", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 22, host: 2223, id: "ssh", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 3389, host: 3390, id: "rdp", auto_correct: true
+ cfg.vm.network :private_network, ip: "192.168.38.3", gateway: "192.168.38.1", dns: "192.168.38.2"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.3 -dns 192.168.38.2"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: 
"scripts/install-inputsconf.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+ cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: true
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_2016_vmware.box"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+
+ config.vm.define "win10" do |cfg|
+ cfg.vm.box = "../Boxes/windows_10_virtualbox.box"
+ cfg.vm.hostname = "win10"
+
+ cfg.vm.communicator = "winrm"
+ cfg.vm.network :forwarded_port, guest: 5985, host: 5987, id: "winrm", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 22, host: 2224, id: "ssh", auto_correct: true
+ cfg.vm.network :forwarded_port, guest: 3389, host: 3391, id: "rdp", auto_correct: true
+ cfg.vm.network :private_network, ip: "192.168.38.4", gateway: "192.168.38.1", dns: "192.168.38.2"
+
+ cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.4 -dns 192.168.38.2"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+ cfg.vm.provision "reload"
+ cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
+
+ cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: true
+ cfg.vm.provision 
"shell", path: "scripts/install-utilities.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: true
+ cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: true
+
+ cfg.vm.provider "vmware_fusion" do |v, override|
+ override.vm.box = "../Boxes/windows_10_vmware.box"
+ v.vmx["gui.fullscreenatpoweron"] = "FALSE"
+ v.vmx["gui.viewModeAtPowerOn"] = "windowed"
+ v.vmx["gui.fitguestusingnativedisplayresolution"] = "FALSE"
+ v.memory = 2048
+ v.cpus = 1
+ v.gui = true
+ end
+
+ cfg.vm.provider "virtualbox" do |vb, override|
+ vb.gui = true
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ vb.customize ["modifyvm", :id, "--cpus", 1]
+ vb.customize ["modifyvm", :id, "--vram", "32"]
+ vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
+ vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
+ end
+ end
+end
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
new file mode 100644
index 0000000..d84c9b3
--- /dev/null
+++ b/Vagrant/bootstrap.sh
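Review bot: In the `logger` block the `bootstrap.sh` provisioner and the 8000/8412 port forwards are attached to the outer `config` object instead of the block's `cfg`, so Vagrant applies them to every machine defined in this file rather than to logger alone; the Windows guests then inherit a bash provisioner and duplicate host port forwards, plausibly the collision the README's port-forwarding workaround describes. The fix is `cfg.vm.provision :shell, path: "bootstrap.sh"`, `cfg.vm.network :forwarded_port, guest: 8000, host: 8000` and `cfg.vm.network :forwarded_port, guest: 8412, host: 8412`. Separately, the `dc` block forces `cfg.winrm.transport = :plaintext` with `basic_auth_only` while forwarding guest 5985 to host 5985; unless `host_ip: "127.0.0.1"` is added to those `forwarded_port` entries, the unencrypted WinRM, RDP and SSH forwards for boxes built with the default `vagrant` credentials may be reachable from other machines on the host's network, which is worth restricting or at least documenting in the Vagrantfile.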
@@ -0,0 +1,111 @@
+#! /bin/bash
+
+# Install prerequisites and useful tools
+apt-get update
+apt-get install -y jq whois build-essential git docker docker-compose unzip
+
+# Install Golang v1.8
+wget https://storage.googleapis.com/golang/go1.8.linux-amd64.tar.gz
+tar -xvf go1.8.linux-amd64.tar.gz
+mv go /usr/local
+mkdir /home/vagrant/.go
+chown vagrant:vagrant /home/vagrant/.go
+mkdir /root/.go
+echo 'export GOPATH=$HOME/.go' >> /home/vagrant/.bashrc
+echo 'export GOROOT=/usr/local/go' >> /home/vagrant/.bashrc
+echo 'export GOPATH=$HOME/.go' >> /root/.bashrc
+echo '/home/vagrant/.bashrc' >> /root/.bashrc
+source ~/.bashrc
+sudo update-alternatives --install "/usr/bin/go" "go" "/usr/local/go/bin/go" 0
+sudo update-alternatives --set go /usr/local/go/bin/go
+/usr/bin/go get -u github.com/howeyc/gopass
+
+# Check if Splunk is already installed
+if [ -f "/opt/splunk/bin/splunk" ]
+ then echo "Splunk is already installed"
+else
+ # Get Splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
+ dig @8.8.8.8 splunk.com
+ # Download Splunk
+ wget --progress=bar:force -O splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=splunk&filename=splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb&wget=true'
+ dpkg -i splunk-7.0.1-2b5b15c4ee89-linux-2.6-amd64.deb
+ /opt/splunk/bin/splunk start --accept-license
+ /opt/splunk/bin/splunk add index wineventlog -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index osquery -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index osquery-status -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index sysmon -auth 'admin:changeme'
+ /opt/splunk/bin/splunk add index powershell -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_483.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app 
/vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_600.tgz -auth 'admin:changeme'
+ # Add a Splunk TCP input on port 9997
+ echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
+ # Add props.conf and transforms.conf
+ cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
+ cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
+ # Skip Splunk Tour and Change Password Dialog
+ touch /opt/splunk/etc/.ui_login
+ # Enable SSL Login for Splunk
+ echo '[settings]
+ enableSplunkWebSSL = true' > /opt/splunk/etc/system/local/web.conf
+ # Reboot Splunk to make changes take effect
+ /opt/splunk/bin/splunk restart
+ /opt/splunk/bin/splunk enable boot-start
+fi
+
+# Install Fleet
+echo -e "\n127.0.0.1 kolide" >> /etc/hosts
+git clone https://github.com/kolide/kolide-quickstart.git
+cd kolide-quickstart
+cp /vagrant/resources/fleet/server.* .
+sed -i 's/ -it//g' demo.sh
+./demo.sh up simple
+# Set the enrollment secret to match what we deploy to Windows hosts
+docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide
+echo "Updated enrollment secret"
+cd /home/vagrant
+
+# Import Palantir osquery configs into Fleet
+echo "Downloading Palantir configs"
+git clone https://github.com/palantir/osquery-configuration.git
+git clone https://github.com/kolide/configimporter.git
+cd configimporter
+go build
+cd /home/vagrant
+
+# Modify the config to work with config importer
+cat /home/vagrant/osquery-configuration/Endpoints/Windows/osquery.conf | sed 's#packs/#../packs/#g' | grep -v unwanted-chrome-extensions | grep -v security-tooling-checks | grep -v performance-metrics > /home/vagrant/osquery-configuration/Endpoints/Windows/osquery_to_import.conf
+# Install configimporter
+echo "Installing configimporter"
+echo "Sleeping for 5"
+sleep 5
+export CONFIGIMPORTER_PASSWORD='admin123#'
+cd /home/vagrant/osquery-configuration/Endpoints/Windows/
+# Fleet requires you to login before importing packs
+# Login
+curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/setup' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'upgrade-insecure-requests: 1' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'authority: 192.168.38.5:8412' --compressed --insecure
+sleep 1
+# Setup organization name and email address
+curl 'https://192.168.38.5:8412/api/v1/setup' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/setup' -H 'authority: 192.168.38.5:8412' --data-binary '{"kolide_server_url":"https://192.168.38.5:8412","org_info":{"org_name":"detectionlab"},"admin":{"admin":true,"email":"example@example.com","password":"admin123#","password_confirmation":"admin123#","username":"admin"}}' --compressed --insecure
+sleep 3
+# Import all Windows configs
+/home/vagrant/configimporter/configimporter -host https://localhost:8412 -user 'admin' -config osquery_to_import.conf
+
+# Get auth token
+TOKEN=$(curl 'https://192.168.38.5:8412/api/v1/kolide/login' -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/login' -H 'authority: 192.168.38.5:8412' --data-binary '{"username":"admin","password":"admin123#"}' --compressed --insecure | grep token | cut -d '"' -f 4)
+# Set all packs to be targeted to Windows hosts
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/1' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/2' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/3' -X PATCH -H 'origin: 
https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/4' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+sleep 1
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/3/edit' -H 'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"label_ids":[10]}' --compressed --insecure
+# Rename primary pack
+curl 'https://192.168.38.5:8412/api/v1/kolide/packs/5' -X PATCH -H 'origin: https://192.168.38.5:8412' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9' -H "authorization: Bearer $TOKEN" -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://192.168.38.5:8412/packs/5/edit' -H 
'authority: 192.168.38.5:8412' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36' --data-binary '{"name":"windows-pack"}' --compressed --insecure
+# Add Splunk monitors for Fleet
+/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
+/opt/splunk/bin/splunk add monitor "/home/vagrant/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
new file mode 100644
index 0000000..9b40820
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
\ No newline at end of file
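Review bot: The script runs without `set -euo pipefail`, so a failed Splunk download or Fleet login does not stop provisioning; in particular, when the login in `TOKEN=$(curl ... | grep token | cut -d '"' -f 4)` fails, `TOKEN` is empty and every following pack PATCH request is sent with an empty bearer header and quietly rejected. A guard right after the assignment, `[ -n "$TOKEN" ] || { echo "Fleet login failed; aborting pack configuration" >&2; exit 1; }`, makes that failure visible instead of leaving the packs unassigned. `echo '/home/vagrant/.bashrc' >> /root/.bashrc` appends a bare path that root's shell will attempt to execute on every login; given the line just above it, this presumably meant `echo 'export GOROOT=/usr/local/go' >> /root/.bashrc`. The Splunk `admin:changeme` and Fleet `admin123#` credentials and the fixed `enrollmentsecret` are baked into the script while the Splunk and Fleet ports are forwarded to the host, so a header comment stating that these are lab-only defaults to change after provisioning, or generating them at provision time and writing them to a root-only file, would be appropriate.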
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml
new file mode 100644
index 0000000..42ad845
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2099590610-328841986-2664697228-11659]]></Sid><SamAccountName/><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain 
Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1703962]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\registry.pol" 
bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/> + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" 
bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" 
bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{83A705FC-7072-4EC3-A9BA-4AA571570D31}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 0000000..d4de684 --- /dev/null +++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="7" changed="2017-07-26 04:57:18" uid="{D232208A-0CBB-4FA1-BE41-D8A402116908}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_SZ" value="0"/></Registry> +</RegistrySettings> 
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100644 index 0000000..56c734f --- /dev/null +++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx @@ -0,0 +1,12 @@ +<?xml version='1.0' encoding='utf-8'?> +<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions"> + <policyNamespaces> + <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using> + </policyNamespaces> + <comments> + <admTemplate></admTemplate> + </comments> + <resources minRequiredRevision="1.0"> + <stringTable></stringTable> + </resources> +</policyComments> \ No newline at end of file diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv new file mode 100644 index 0000000..45b7eed --- /dev/null +++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv 
@@ -0,0 +1,38 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Distribution Group Management,{0cce9238-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Detailed Directory Service Replication,{0cce923e-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Directory Service Replication,{0cce923d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User / Device 
Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 
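Review bot: The Domain Controllers audit policy leaves out several subcategories that the Servers audit.csv later in this commit enables — Audit Registry, Audit Other Object Access Events, Audit Other Policy Change Events, Audit Sensitive Privilege Use, Audit Non Sensitive Privilege Use and Audit Other System Events — and it audits Detailed File Share, Removable Storage and MPSSVC Rule-Level Policy Change for one outcome only where the server policy audits both. Sensitive Privilege Use (4673/4674) and Other Object Access Events (scheduled-task events such as 4698) are routinely used detection sources on a DC, so if the gap is deliberate noise reduction it deserves a sentence in the README or the GPO comment; if not, mirroring the server baseline with, for example, `,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3` closes it. The file is a GPMC export, so the change belongs in the GPO followed by a re-export rather than a hand edit of the CSV.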
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
new file mode 100644
index 0000000..f44ee35
Binary files /dev/null and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol
new file mode 100644
index 0000000..259df54
Binary files /dev/null and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol differ
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml
new file mode 100644
index 0000000..3418a56
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{83A705FC-7072-4EC3-A9BA-4AA571570D31}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:39:58]]></BackupTime><ID><![CDATA[{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml
new file mode 100644
index 0000000..e187877
Binary files /dev/null and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml differ
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/manifest.xml b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/manifest.xml
new file mode 100644
index 0000000..4e21e85
--- /dev/null
+++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/manifest.xml
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/Backup.xml b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/Backup.xml
new file mode 100644
index 0000000..8408272
--- /dev/null
+++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/Backup.xml
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 
14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Servers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1376277]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/> + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" 
bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows 
nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Services" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Preferences\Services" 
bkp:Location="DomainSysvol\GPO\Machine\Preferences\Services"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{E1359F60-FACE-461A-9C5D-D1DF07E51A79}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 0000000..9ce8668 --- /dev/null +++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml 
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" changed="2017-03-28 20:28:29" uid="{7E71B8A5-03A7-456C-9CC9-941C1045C0E1}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry>
+</RegistrySettings>
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/comment.cmtx
new file mode 100644
index 0000000..56c734f
--- /dev/null
+++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/comment.cmtx
@@ -0,0 +1,12 @@
+<?xml version='1.0' encoding='utf-8'?>
+<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions">
+ <policyNamespaces>
+ <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using>
+ </policyNamespaces>
+ <comments>
+ <admTemplate></admTemplate>
+ </comments>
+ <resources minRequiredRevision="1.0">
+ <stringTable></stringTable>
+ </resources>
+</policyComments>
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
new file mode 100644
index 0000000..08a13ed
--- /dev/null
+++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
@@ -0,0 +1,33 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Other Object Access 
Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf new file mode 100644 index 0000000..e0373dc Binary files /dev/null and b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ 
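Review bot: Audit Process Creation is enabled here as it is in the DC policy, but 4688 events carry little detection value unless command-line logging is also turned on, and that setting lives in the companion registry.pol, which is binary in this diff and cannot be reviewed. A one-line note in the README or the GPO comment stating whether "Include command line in process creation events" is enabled would spare the next reader from having to open the GPO to find out. Separately, `Audit Detailed File Share` at Success and Failure emits a 5145 event for every share access and can dominate log volume on a file server; the DC policy sets it to Failure only, so the divergence looks intentional but is undocumented.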
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/registry.pol
new file mode 100644
index 0000000..6760c76
Binary files /dev/null and b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/DomainSysvol/GPO/Machine/registry.pol differ
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/bkupInfo.xml b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/bkupInfo.xml
new file mode 100644
index 0000000..b80e1b2
--- /dev/null
+++ b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/bkupInfo.xml
@@ -0,0 +1 @@
+<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{E1359F60-FACE-461A-9C5D-D1DF07E51A79}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:30:11]]></BackupTime><ID><![CDATA[{E471372E-9280-47FB-963A-7B2A75182ACC}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Servers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
diff --git a/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/gpreport.xml b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/gpreport.xml
new file mode 100644
index 0000000..350ef84
Binary files /dev/null and b/Vagrant/resources/GPO/Servers_Enhanced_Auditing_Policy/{E471372E-9280-47FB-963A-7B2A75182ACC}/gpreport.xml differ
diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/manifest.xml b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/manifest.xml
new file mode 100644
index 0000000..5a1afad
--- /dev/null
+++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/manifest.xml
@@ -0,0 +1 @@
+<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
\ No newline at end of file
diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/Backup.xml b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/Backup.xml
new file mode 100644
index 0000000..f887999
--- /dev/null
+++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/Backup.xml
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-3516590555-2060695796-1367554519-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 
15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[1]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[1245203]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/> + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" 
bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/> + </GroupPolicyExtension> + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_FSPATH%\Cadm" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Cadm" bkp:Location="DomainSysvol\GPO\Cadm"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows 
nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" 
bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{EC31A138-BD53-40CE-A368-0ED65005F02E}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 0000000..3aafedf --- /dev/null +++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="utf-8"?> +<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="RestrictRemoteSamEventThrottlingWindow" status="RestrictRemoteSamEventThrottlingWindow" image="12" bypassErrors="1" changed="2017-03-28 18:23:06" uid="{C6860994-A627-43A9-A8E9-433B483C697C}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\Lsa" name="RestrictRemoteSamEventThrottlingWindow" type="REG_DWORD" value="00000000"/></Registry> +</RegistrySettings> diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100644 index 0000000..56c734f --- /dev/null +++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/comment.cmtx 
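Review bot: The single preference item writes RestrictRemoteSamEventThrottlingWindow = 0 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, but nothing in the backup records why; from the name this presumably removes the throttling window on the remote SAM access audit events so every attempt is logged, but that is an inference from the value name, not something the hunk states. Registry.xml carries no description for the item and the GPO Comment in the accompanying bkupInfo.xml is empty, so the intent should be recorded where an importer will see it, e.g. in the GPO Comment: `Sets RestrictRemoteSamEventThrottlingWindow to 0 so remote SAM access audit events are not throttled; confirm on a joined workstation that the expected events are emitted`. Without that, a later reader cannot tell a deliberate auditing tweak from a leftover.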
@@ -0,0 +1,12 @@ +<?xml version='1.0' encoding='utf-8'?> +<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions"> + <policyNamespaces> + <using prefix="ns0" namespace="Microsoft.Policies.WindowsRemoteManagement"></using> + </policyNamespaces> + <comments> + <admTemplate></admTemplate> + </comments> + <resources minRequiredRevision="1.0"> + <stringTable></stringTable> + </resources> +</policyComments> \ No newline at end of file diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv new file mode 100644 index 0000000..08a13ed --- /dev/null +++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv 
@@ -0,0 +1,33 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Account Logon Events,{0cce9241-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit DPAPI Activity,{0cce922d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Process Termination,{0cce922c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit User / Device Claims,{0cce9247-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Other Object Access 
Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf new file mode 100644 index 0000000..91061e3 Binary files /dev/null and b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ 
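Review bot: Audit Filtering Platform Connection and Audit Non Sensitive Privilege Use are the only two rows set to Failure (setting value 2) while every other subcategory is Success and Failure (3), and nothing in the backup says why; this reads like a deliberate log-volume trade-off, but from the file alone it is indistinguishable from an omission. audit.csv has no comment syntax and the GPO Comment in the neighbouring bkupInfo.xml is empty, so the rationale belongs in that Comment field or in the repository README, e.g. `Filtering Platform Connection and Non Sensitive Privilege Use are Failure-only to keep event volume manageable; do not rely on their success events from workstations`. Stating it explicitly also tells anyone extending the lab's detections which success events they should not expect to find.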
diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/registry.pol new file mode 100644 index 0000000..54d8bbc Binary files /dev/null and b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/DomainSysvol/GPO/Machine/registry.pol differ diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/bkupInfo.xml b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/bkupInfo.xml new file mode 100644 index 0000000..e13f2e1 --- /dev/null +++ b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/bkupInfo.xml @@ -0,0 +1 @@ +<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{EC31A138-BD53-40CE-A368-0ED65005F02E}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{39471c5e-04d5-4275-bf10-47653a177887}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-07-26T19:35:10]]></BackupTime><ID><![CDATA[{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Workstations Enhanced Auditing Policy]]></GPODisplayName></BackupInst> diff --git a/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/gpreport.xml b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/gpreport.xml new file mode 100644 index 0000000..417c50e Binary files /dev/null and b/Vagrant/resources/GPO/Workstations_Enhanced_Auditing_Policy/{1CC39F6D-972E-4E7F-A5BD-AEB9C0B1083F}/gpreport.xml differ 
diff --git a/Vagrant/resources/GPO/powershell_logging/manifest.xml b/Vagrant/resources/GPO/powershell_logging/manifest.xml new file mode 100755 index 0000000..a81b751 --- /dev/null +++ b/Vagrant/resources/GPO/powershell_logging/manifest.xml @@ -0,0 +1 @@ +<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst></Backups> \ No newline at end of file diff --git a/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/Backup.xml b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/Backup.xml new file mode 100755 index 0000000..4178eb4 --- /dev/null +++ b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/Backup.xml 
@@ -0,0 +1,18 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-4167842404-2528019904-656423439-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 
00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 64 3a 6c f8 c0 85 ae 96 0f 3a 20 27 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Powershell Logging]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[0]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/> + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{52384B72-F463-4CF8-8432-C2E23FFC87C6}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file 
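Review bot: The only settings this GPO carries are in Machine\registry.pol, which the Registry extension's FSObjectFile points at and which the next file section commits as `Binary files ... differ`, and gpreport.xml is committed as binary too, so the diff does not show which PowerShell logging policies the GPO enables or with what values. The same applies to the Workstations Enhanced Auditing Policy's registry.pol and gpreport.xml, the WEF backups' gpreport.xml, and every report under Vagrant/resources/GPO/reports/*.htm (GPMC writes these as UTF-16, which is presumably why git treats them as binary). Since a backup is only as reviewable as its textual artefacts, add a plain-text rendering next to each backup — a UTF-8 copy of the report, or a short README table of the policy paths and values each GPO sets — so the configuration can be reviewed and audited from the repository rather than only after import. Separately, the SecurityGroups block embeds SIDs from the source domain build (S-1-5-21-4167842404-...), which will not resolve in a freshly provisioned windomain.local; presumably harmless if the backups are consumed by an import-settings operation, but nothing in the commit says how they are applied, so that is worth confirming.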
diff --git a/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100755 index 0000000..01ed45b --- /dev/null +++ b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/comment.cmtx @@ -0,0 +1,12 @@ +<?xml version='1.0' encoding='utf-8'?> +<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions"> + <policyNamespaces> + <using prefix="ns0" namespace="Microsoft.Policies.PowerShell"></using> + </policyNamespaces> + <comments> + <admTemplate></admTemplate> + </comments> + <resources minRequiredRevision="1.0"> + <stringTable></stringTable> + </resources> +</policyComments> \ No newline at end of file diff --git a/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/registry.pol new file mode 100755 index 0000000..8b18c87 Binary files /dev/null and b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/DomainSysvol/GPO/Machine/registry.pol differ diff --git a/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/bkupInfo.xml b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/bkupInfo.xml new file mode 100755 index 0000000..e697d6e --- /dev/null +++ b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/bkupInfo.xml 
@@ -0,0 +1 @@ +<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{52384B72-F463-4CF8-8432-C2E23FFC87C6}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{c9281a25-16b6-4f99-961e-281acbc19af8}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2017-04-20T00:41:04]]></BackupTime><ID><![CDATA[{44CF152B-475A-4217-A590-57C8BFA9B48F}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Powershell Logging]]></GPODisplayName></BackupInst> diff --git a/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/gpreport.xml b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/gpreport.xml new file mode 100755 index 0000000..6058589 Binary files /dev/null and b/Vagrant/resources/GPO/powershell_logging/{44CF152B-475A-4217-A590-57C8BFA9B48F}/gpreport.xml differ diff --git a/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm b/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm new file mode 100644 index 0000000..7db032b Binary files /dev/null and b/Vagrant/resources/GPO/reports/Custom Event Channel Permissions.htm differ diff --git a/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm b/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm new file mode 100644 index 0000000..e50193d Binary files /dev/null and b/Vagrant/resources/GPO/reports/Default Domain Controllers Policy.htm differ diff --git a/Vagrant/resources/GPO/reports/Default Domain Policy.htm b/Vagrant/resources/GPO/reports/Default Domain Policy.htm new file mode 100644 index 0000000..fd3d0bb Binary files /dev/null and b/Vagrant/resources/GPO/reports/Default Domain Policy.htm differ 
diff --git a/Vagrant/resources/GPO/reports/Domain Controllers Enhanced Auditing Policy.htm b/Vagrant/resources/GPO/reports/Domain Controllers Enhanced Auditing Policy.htm new file mode 100644 index 0000000..86c1874 Binary files /dev/null and b/Vagrant/resources/GPO/reports/Domain Controllers Enhanced Auditing Policy.htm differ diff --git a/Vagrant/resources/GPO/reports/Powershell Logging.htm b/Vagrant/resources/GPO/reports/Powershell Logging.htm new file mode 100644 index 0000000..aafebc4 Binary files /dev/null and b/Vagrant/resources/GPO/reports/Powershell Logging.htm differ diff --git a/Vagrant/resources/GPO/reports/Servers Enhanced Auditing Policy.htm b/Vagrant/resources/GPO/reports/Servers Enhanced Auditing Policy.htm new file mode 100644 index 0000000..692ffbd Binary files /dev/null and b/Vagrant/resources/GPO/reports/Servers Enhanced Auditing Policy.htm differ diff --git a/Vagrant/resources/GPO/reports/Windows Event Forwarding Server.htm b/Vagrant/resources/GPO/reports/Windows Event Forwarding Server.htm new file mode 100644 index 0000000..7b7dfb5 Binary files /dev/null and b/Vagrant/resources/GPO/reports/Windows Event Forwarding Server.htm differ diff --git a/Vagrant/resources/GPO/reports/Workstations Enhanced Auditing Policy.htm b/Vagrant/resources/GPO/reports/Workstations Enhanced Auditing Policy.htm new file mode 100644 index 0000000..7401e12 Binary files /dev/null and b/Vagrant/resources/GPO/reports/Workstations Enhanced Auditing Policy.htm differ diff --git a/Vagrant/resources/GPO/wef_configuration/manifest.xml b/Vagrant/resources/GPO/wef_configuration/manifest.xml new file mode 100644 index 0000000..290643d --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/manifest.xml 
@@ -0,0 +1 @@ +<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst></Backups> \ No newline at end of file diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/Backup.xml b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/Backup.xml new file mode 100644 index 0000000..dde30db --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/Backup.xml 
@@ -0,0 +1,18 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 
15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Custom Event Channel Permissions]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[131074]]></UserVersionNumber><MachineVersionNumber><![CDATA[1572888]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" 
bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml new file mode 100644 index 0000000..ad42d31 --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml 
@@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<RegistrySettings clsid="{A3CCFC41-DFDB-43a5-8D26-0FE8B954DA51}"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 01:25:45" uid="{CA8FB1DB-B0A8-427A-A00D-08C1D499DC32}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DNSServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry> + <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:26:23" uid="{837364B6-ECD8-46E8-9FF1-35C7B0D9F5FF}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBClient/Operational" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry> + <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="ChannelAccess" status="ChannelAccess" image="7" changed="2017-07-22 06:27:30" uid="{43ADFF5A-9412-44C6-8476-839EC6602558}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SMBServer/Audit" name="ChannelAccess" type="REG_SZ" value="O:BAG:SYD:(A;;0x5;;;BA)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry> + <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:29:26" uid="{8D55AF86-069E-4A22-A9F9-AD8DCC1711C9}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" 
key="SYSTEM\CurrentControlSet\Services\EventLog\DNS Server" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-32-573)"/></Registry> + <Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="CustomSD" status="CustomSD" image="7" changed="2017-07-22 06:54:47" uid="{59ECA0A8-307C-4B14-9D55-BB118CC1B9D4}"><Properties action="U" displayDecimal="0" default="0" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Services\EventLog\Security" name="CustomSD" type="REG_SZ" value="O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"/></Registry> +</RegistrySettings> diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml new file mode 100644 index 0000000..efa3bbc --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/bkupInfo.xml @@ -0,0 +1 @@ +<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{68C5FF8C-1305-4ECC-B30B-1E2F2A5D3DE2}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:56:17]]></BackupTime><ID><![CDATA[{AE232F63-0190-47EE-BAF9-B78754178376}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Custom Event Channel Permissions]]></GPODisplayName></BackupInst> 
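Review bot: The Security and DNS Server items set the legacy CustomSD value under SYSTEM\CurrentControlSet\Services\EventLog\<log>, while the three other items set ChannelAccess under SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>; the two mechanisms are not obviously equivalent for the Security channel, so it should be confirmed on a target host after policy refresh that the Security log's effective descriptor really contains the read (0x1) entries for S-1-5-32-573 (Event Log Readers) and S-1-5-20 (Network Service) that the forwarding setup presumably depends on, e.g. with `wevtutil gl Security`. All five SDDL strings are hand-written and none of the items carries a description, so a one-line intent per item would help a maintainer, e.g. for the Security item `Default Security log descriptor plus read for Network Service so the WEF subscription can collect the log`. Note also that each item is action="U" on a REG_SZ, so the descriptor is replaced wholesale rather than extended; any host-specific ACEs already present on those channels are overwritten on every refresh.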
diff --git a/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml new file mode 100644 index 0000000..5012f4c Binary files /dev/null and b/Vagrant/resources/GPO/wef_configuration/{AE232F63-0190-47EE-BAF9-B78754178376}/gpreport.xml differ diff --git a/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/Backup.xml b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/Backup.xml new file mode 100644 index 0000000..74d9533 --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/Backup.xml 
@@ -0,0 +1,18 @@ +<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations"> + <GroupPolicyObject><SecurityGroups><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-2906110659-1782557030-2646142923-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 
15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 c3 ba 37 ad 66 a9 3f 6a cb ef b8 9d 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Windows Event Forwarding Server]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[131074]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings> + <GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry"> + <FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/> + + <FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Adm\*.*"/> + </GroupPolicyExtension> + + + + + + + + + + <GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" 
bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc\sysvol\windomain.local\Policies\{4B3113E3-C8EF-4CED-813C-F0D888C55C61}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject> +</GroupPolicyBackupScheme> \ No newline at end of file diff --git a/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/comment.cmtx new file mode 100644 index 0000000..df59193 --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/comment.cmtx @@ -0,0 +1,12 @@ +<?xml version='1.0' encoding='utf-8'?> +<policyComments xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/CommentDefinitions"> + <policyNamespaces> + <using prefix="ns0" namespace="Microsoft.Policies.EventForwarding"></using> + </policyNamespaces> + <comments> + <admTemplate></admTemplate> + </comments> + <resources minRequiredRevision="1.0"> + <stringTable></stringTable> + </resources> +</policyComments> \ No newline at end of file diff --git a/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/registry.pol new file mode 100644 index 0000000..48ee7ad Binary files /dev/null and b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/DomainSysvol/GPO/Machine/registry.pol differ 
diff --git a/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/bkupInfo.xml b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/bkupInfo.xml new file mode 100644 index 0000000..5fdd2c3 --- /dev/null +++ b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/bkupInfo.xml @@ -0,0 +1 @@ +<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{4B3113E3-C8EF-4CED-813C-F0D888C55C61}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{ab078dc9-15f8-49aa-98fe-a0e0b46dcb74}]]></GPODomainGuid><GPODomainController><![CDATA[dc]]></GPODomainController><BackupTime><![CDATA[2017-07-22T06:46:11]]></BackupTime><ID><![CDATA[{F523FD69-7E4C-4315-93D0-557089F1B8A1}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Windows Event Forwarding Server]]></GPODisplayName></BackupInst> diff --git a/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/gpreport.xml b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/gpreport.xml new file mode 100644 index 0000000..a21a488 Binary files /dev/null and b/Vagrant/resources/GPO/wef_configuration/{F523FD69-7E4C-4315-93D0-557089F1B8A1}/gpreport.xml differ diff --git a/Vagrant/resources/fleet/server.crt b/Vagrant/resources/fleet/server.crt new file mode 100644 index 0000000..8fa748b --- /dev/null +++ b/Vagrant/resources/fleet/server.crt 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr +b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD +DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN +KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E +j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg +6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv +kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij +6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD +EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn +jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u +SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu +6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV +crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk +NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts +YOM= +-----END CERTIFICATE----- diff --git a/Vagrant/resources/fleet/server.key b/Vagrant/resources/fleet/server.key new file mode 100644 index 0000000..f696ba8 --- /dev/null +++ b/Vagrant/resources/fleet/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx +PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa +GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ +UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM +7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/ +vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV +/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k +3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO +yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1 +/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6 +e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV +u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1 +zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG +bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3 +fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK ++bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd +SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp +ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR +fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+ +WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8 +5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4 +HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej +PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K +/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD +MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0 +-----END RSA PRIVATE KEY----- diff --git a/Vagrant/resources/osquery/osquery.conf b/Vagrant/resources/osquery/osquery.conf new file mode 100644 index 0000000..317c033 --- /dev/null +++ b/Vagrant/resources/osquery/osquery.conf 
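Review bot: The Fleet server's TLS private key is committed in the clear (unencrypted `BEGIN RSA PRIVATE KEY`) right next to its certificate, so every clone of the repository holds the key and anyone on the lab network can impersonate the Fleet endpoint to osquery agents that trust this cert — presumably they are pointed at it elsewhere in the provisioning. The certificate is also a short-lived self-signed cert (the validity fields in the base64 decode to 2017-11-01 through 2018-11-01), so TLS to Fleet will start failing after that date with nothing in the repo explaining why. Generate the pair at provision time instead of shipping it, e.g. `openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj /CN=kolide -keyout server.key -out server.crt`, add `Vagrant/resources/fleet/server.key` to `.gitignore`, and treat the committed key as burned.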
@@ -0,0 +1,151 @@ +{ + "options": { + "schedule_splay_percent": 10 + }, + "platform": "windows", + "schedule": { + "chocolatey_packages": { + "query": "SELECT * FROM chocolatey_packages;", + "interval": 3600, + "description": "List installed Chocolatey packages" + }, + "chrome_extensions": { + "query": "SELECT * FROM users JOIN chrome_extensions USING (uid);", + "interval": 3600, + "description": "List installed Chrome Extensions for all users" + }, + "drivers": { + "query": "SELECT * FROM drivers;", + "interval": 3600, + "description": "List in-use Windows drivers" + }, + "drivers_snapshot": { + "query": "SELECT * FROM drivers;", + "interval": 28800, + "description": "Drivers snapshot query", + "snapshot": true + }, + "etc_hosts": { + "query": "SELECT * FROM etc_hosts;", + "interval": 3600, + "description": "List the contents of the Windows hosts file" + }, + "ie_extensions": { + "query": "SELECT * FROM ie_extensions;", + "interval": 3600, + "description": "List installed Internet Explorer extensions" + }, + "kernel_info": { + "query": "SELECT * FROM kernel_info;", + "interval": 3600, + "description": "List the kernel path, version, etc." 
+ }, + "os_version": { + "query": "SELECT * FROM os_version;", + "interval": 3600, + "description": "List the version of the resident operating system" + }, + "os_version_snapshot": { + "query": "SELECT * FROM os_version;", + "interval": 28800, + "description": "Operating system version snapshot query", + "snapshot": true + }, + "osquery_info": { + "query": "SELECT * FROM osquery_info;", + "interval": 28800, + "description": "Information about the resident osquery process", + "snapshot": true + }, + "patches": { + "query": "SELECT * FROM patches;", + "interval": 3600, + "description": "Lists all the patches applied" + }, + "patches_snapshot": { + "query": "SELECT * FROM patches;", + "interval": 28800, + "description": "Patches snapshot query", + "snapshot": true + }, + "programs": { + "query": "SELECT * FROM programs;", + "interval": 3600, + "description": "Lists installed programs" + }, + "programs_snapshot": { + "query": "SELECT * FROM programs;", + "interval": 28800, + "description": "Programs snapshot query", + "snapshot": true + }, + "scheduled_tasks": { + "query": "SELECT * FROM scheduled_tasks;", + "interval": 3600, + "description": "Lists all of the tasks in the Windows task scheduler" + }, + "services": { + "query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';", + "interval": 3600, + "description": "Lists all installed services configured to start automatically at boot" + }, + "services_snapshot": { + "query": "SELECT * FROM services;", + "interval": 28800, + "description": "Services snapshot query", + "snapshot": true + }, + "shared_resources": { + "query": "SELECT * FROM shared_resources;", + "interval": 28800, + "description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device." 
+ }, + "system_info": { + "query": "SELECT * FROM system_info;", + "interval": 3600, + "description": "System information for identification." + }, + "system_info_snapshot": { + "query": "SELECT * FROM system_info;", + "interval": 28800, + "description": "System info snapshot query", + "snapshot": true + }, + "uptime": { + "query": "SELECT * FROM uptime;", + "interval": 3600, + "description": "System uptime" + }, + "users": { + "query": "SELECT * FROM users;", + "interval": 3600, + "description": "Local system users." + }, + "users_snapshot": { + "query": "SELECT * FROM users;", + "interval": 28800, + "description": "Users snapshot query", + "snapshot": true + }, + "wmi_cli_event_consumers": { + "query": "SELECT * FROM wmi_cli_event_consumers;", + "interval": 3600, + "description": "WMI CommandLineEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." + }, + "wmi_event_filters": { + "query": "SELECT * FROM wmi_event_filters;", + "interval": 3600, + "description": "Lists WMI event filters." + }, + "wmi_filter_consumer_binding": { + "query": "SELECT * FROM wmi_filter_consumer_binding;", + "interval": 3600, + "description": "Lists the relationship between event consumers and filters." + }, + "wmi_script_event_consumers": { + "query": "SELECT * FROM wmi_script_event_consumers;", + "interval": 3600, + "description": "WMI ActiveScriptEventConsumer, which can be used for persistance on Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf for more details." + } + } +} diff --git a/Vagrant/resources/osquery/osquery.flags b/Vagrant/resources/osquery/osquery.flags new file mode 100644 index 0000000..dcaef8e --- /dev/null 
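Review bot: The `services` entry's description ("configured to start automatically at boot") does not match its query, whose WHERE clause also selects `start_type='DEMAND_START'`; either drop the `DEMAND_START` predicate or change the description to `"Lists installed services set to start automatically or on demand"`. Someone tuning detections on this feed will otherwise assume on-demand services are excluded. Separately, "persistance" in the `wmi_cli_event_consumers` and `wmi_script_event_consumers` descriptions should read "persistence".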
+++ b/Vagrant/resources/osquery/osquery.flags @@ -0,0 +1,3 @@ +--config_path=c:\programdata\osquery\osquery.conf +--disable_events=true +--disable_tables=windows_events diff --git a/Vagrant/resources/splunk_forwarder/inputs.conf b/Vagrant/resources/splunk_forwarder/inputs.conf new file mode 100755 index 0000000..d64de6b --- /dev/null +++ b/Vagrant/resources/splunk_forwarder/inputs.conf @@ -0,0 +1,29 @@ +[WinEventLog://Microsoft-Windows-Sysmon/Operational] +index = sysmon +disabled = false +renderXml = true + +[monitor://c:\programdata\osquery\log\osqueryd.results.log] +index = osquery +disabled = false +sourcetype = osquery:json + +[monitor://c:\programdata\osquery\log\osqueryd.snapshots.log] +index = osquery +disabled = false +sourcetype = osquery:json + +[monitor://c:\programdata\osquery\log\osqueryd.INFO.*] +index = osquery-status +disabled = false +sourcetype = osquery-info:syslog + +[monitor://c:\programdata\osquery\log\osqueryd.WARNING.*] +index = osquery-status +disabled = false +sourcetype = osquery-warn:syslog + +[monitor://c:\programdata\osquery\log\osqueryd.ERROR.*] +index = osquery-status +disabled = false +sourcetype = osquery-error:syslog diff --git a/Vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_483.tgz b/Vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_483.tgz new file mode 100755 index 0000000..101260b Binary files /dev/null and b/Vagrant/resources/splunk_forwarder/splunk-add-on-for-microsoft-windows_483.tgz differ diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf new file mode 100755 index 0000000..de44d42 --- /dev/null +++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf 
@@ -0,0 +1,402 @@ +[default] +evt_resolve_ad_obj = 1 +evt_dc_name = ldaps.ad.ha.palantir +evt_dns_name = ldaps.ad.ha.palantir +evt_ad_cache_disabled = 0 +evt_ad_cache_max_entries = 40000 +evt_ad_cache_exp_neg = 10 +evt_sid_cache_disabled = 0 +evt_sid_cache_max_entries = 40000 +evt_sid_cache_exp_neg = 1000 +batch_size = 500 + +[WinEventLog://ForwardedEvents] +sourcetype = WinEventLog:ForwardedEvents +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-Powershell] +sourcetype = WinEventLog:Powershell +source = WinEventLog:Powershell +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-WMI] +sourcetype = WinEventLog:WMI +source = WinEventLog:WMI +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-EMET] +sourcetype = WinEventLog:Security +source = WinEventLog:EMET +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-Authentication] +sourcetype = WinEventLog:Security +source = WinEventLog:Authentication +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-Services] +sourcetype = WinEventLog:System +source = WinEventLog:Services +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-Process-Execution] +sourcetype = WinEventLog:Security +source = WinEventLog:Process-Execution +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC-Code-Integrity] +sourcetype = WinEventLog:Security +source = WinEventLog:Code-Integrity +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Registry] +sourcetype = WinEventLog:Security +source = WinEventLog:Registry +index=wineventlog 
+disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Applocker] +sourcetype = WinEventLog:Applocker +source = WinEventLog:Applocker +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Task-Scheduler] +sourcetype = WinEventLog:Task-Scheduler +source = WinEventLog:Task-Scheduler +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Application-Crashes] +sourcetype = WinEventLog:Application +source = WinEventLog:Application-Crashes +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Windows-Defender] +sourcetype = WinEventLog:Windows-Defender +source = WinEventLog:Windows-Defender +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-Group-Policy-Errors] +sourcetype = WinEventLog:System +source = WinEventLog:Group-Policy-Errors +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Drivers] +sourcetype = WinEventLog:System +source = WinEventLog:Drivers +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Account-Management] +sourcetype = WinEventLog:Security +source = WinEventLog:Account-Management +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Windows-Diagnostics] +sourcetype = WinEventLog:System +source = WinEventLog:Windows-Diagnostics +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Smart-Card] +sourcetype = WinEventLog:Smart-Card +source = WinEventLog:Smart-Card +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-USB] 
+sourcetype = WinEventLog:USB +source = WinEventLog:USB +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Print] +sourcetype = WinEventLog:Print +source = WinEventLog:Print +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC3-Firewall] +sourcetype = WinEventLog:Firewall +source = WinEventLog:Firewall +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-Wireless] +sourcetype = WinEventLog:Security +source = WinEventLog:Wireless +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-Shares] +sourcetype = WinEventLog:Security +source = WinEventLog:Shares +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-Bits-Client] +sourcetype = WinEventLog:Bits-Client +source = WinEventLog:Bits-Client +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-Windows-Updates] +sourcetype = WinEventLog:System +source = WinEventLog:Windows-Updates +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-Hotpatching-Errors] +sourcetype = WinEventLog:Security +source = WinEventLog:Hotpatching-Errors +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-DNS] +sourcetype = WinEventLog:DNS +source = WinEventLog:DNS +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC4-System-Time-Change] +sourcetype = WinEventLog:Security +source = WinEventLog:System-Time-Change +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Operating-System] +sourcetype = 
WinEventLog:System +source = WinEventLog:Operating-System +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Certificate-Authority] +sourcetype = WinEventLog:Security +source = WinEventLog:Certificate-Authority +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Crypto-API] +sourcetype = WinEventLog:Security +source = WinEventLog:Crypto-API +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC2-File-System] +sourcetype = WinEventLog:Security +source = WinEventLog:File-System +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-MSI-Packages] +sourcetype = WinEventLog:Security +source = WinEventLog:MSI-Packages +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Log-Deletion-Security] +sourcetype = WinEventLog:Security +source = WinEventLog:Log-Deletion-Security +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Log-Deletion-System] +sourcetype = WinEventLog:System +source = WinEventLog:Log-Deletion-System +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC5-Autoruns] +sourcetype = WinEventLog:Autoruns +source = WinEventLog:Autoruns +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Sysmon] +sourcetype = WinEventLog:Sysmon +source = WinEventLog:Sysmon +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Software-Restriction-Policies] +sourcetype = WinEventLog:Software-Restriction-Policies +source = WinEventLog:Software-Restriction-Policies +index=wineventlog +disabled = 0 
+start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Microsoft-Office] +sourcetype = WinEventLog:Microsoft-Office +source = WinEventLog:Microsoft-Office +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Exploit-Guard] +sourcetype = WinEventLog:Security +source = WinEventLog:Exploit-Guard +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Duo-Security] +sourcetype = WinEventLog:Duo-Security +source = WinEventLog:Duo-Security +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-Device-Guard] +sourcetype = WinEventLog:Security +source = WinEventLog:Device-Guard +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[WinEventLog://WEC6-ADFS] +sourcetype = WinEventLog:ADFS +source = WinEventLog:ADFS +index=wineventlog +disabled = 0 +start_from = oldest +current_only = 0 +checkpointInterval = 5 + +[monitor://c:\pslogs] +index = powershell +sourcetype = powershell_transcript +recursive = true diff --git a/Vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_600.tgz b/Vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_600.tgz new file mode 100755 index 0000000..e44e316 Binary files /dev/null and b/Vagrant/resources/splunk_server/add-on-for-microsoft-sysmon_600.tgz differ diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf new file mode 100644 index 0000000..8fc9895 --- /dev/null +++ b/Vagrant/resources/splunk_server/props.conf 
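Review bot: The `[default]` stanza at the top of this file hard-codes `evt_dc_name = ldaps.ad.ha.palantir` and `evt_dns_name = ldaps.ad.ha.palantir`, which is not a host in this lab — the domain elsewhere in this commit is `windomain.local` with a DC named `dc` (see the GPO backups and the `configure-*.ps1` scripts). With `evt_resolve_ad_obj = 1` the forwarder will try to resolve SIDs against that name, which will fail or time out on every security event and emit DNS queries for an outside domain from the collector. Point both at the lab, `evt_dc_name = dc.windomain.local` / `evt_dns_name = windomain.local`, or remove the two lines so the forwarder uses the domain the host is joined to. Several custom channels (e.g. `WEC-EMET`, `WEC-Code-Integrity`, `WEC4-Wireless`) are also tagged `sourcetype = WinEventLog:Security` although they do not appear to carry Security-log events, which will pull them into every Security-sourcetype search; a per-channel sourcetype as used for `WEC-Powershell` would keep them apart.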
@@ -0,0 +1,14 @@ +[source::WinEventLog:*] +TRANSFORMS-host = wef_computername_as_host + +[sourcetype::powershell_transcript] +TRANSFORMS-powershell_rename_host = powershell_rename_host + +[powershell_transcript] +BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST +DATETIME_CONFIG = +NO_BINARY_CHECK = true +TIME_FORMAT = %Y%m%d%H%M%S +TIME_PREFIX = Start\stime\:\s +category = Custom +pulldown_type = true diff --git a/Vagrant/resources/splunk_server/transforms.conf b/Vagrant/resources/splunk_server/transforms.conf new file mode 100644 index 0000000..11c7c9e --- /dev/null +++ b/Vagrant/resources/splunk_server/transforms.conf @@ -0,0 +1,10 @@ +[powershell_rename_host] +DEST_KEY = MetaData:Host +SOURCE_KEY = MetaData:Source +REGEX = PowerShell_transcript\.([^\S]+)\. +FORMAT = host::$1 + +[wef_computername_as_host] +DEST_KEY = MetaData:Host +REGEX = (?m)ComputerName=(.+) +FORMAT = host::$1 diff --git a/Vagrant/scripts/bginfo-simple.bgi b/Vagrant/scripts/bginfo-simple.bgi new file mode 100755 index 0000000..0121b7b Binary files /dev/null and b/Vagrant/scripts/bginfo-simple.bgi differ diff --git a/Vagrant/scripts/bginfo-workshop.bgi b/Vagrant/scripts/bginfo-workshop.bgi new file mode 100755 index 0000000..e8dbf41 Binary files /dev/null and b/Vagrant/scripts/bginfo-workshop.bgi differ diff --git a/Vagrant/scripts/bginfo.bgi b/Vagrant/scripts/bginfo.bgi new file mode 100755 index 0000000..88ddfbd Binary files /dev/null and b/Vagrant/scripts/bginfo.bgi differ diff --git a/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 new file mode 100644 index 0000000..87ed644 --- /dev/null +++ b/Vagrant/scripts/configure-AuditingPolicyGPOs.ps1 
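Review bot: The `TRANSFORMS-powershell_rename_host` line is placed under `[sourcetype::powershell_transcript]`, but as far as I recall props.conf only recognises `[<sourcetype>]`, `[source::…]` and `[host::…]` stanza forms, so that stanza is likely ignored and the host rewrite never runs for transcripts. Move the line into the `[powershell_transcript]` stanza that already exists below it: `TRANSFORMS-powershell_rename_host = powershell_rename_host` directly after `[powershell_transcript]`. `BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST` deserves a comment saying it is deliberate (one event per transcript file), e.g. `# never break: ingest each transcript file as a single event`.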
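Review bot: The `powershell_rename_host` transform can never match: `[^\S]+` is the complement of "non-whitespace", i.e. it matches only whitespace, and a computer name in a transcript path (`PowerShell_transcript.<HOST>.<id>.<timestamp>.txt`) contains none, so the capture group never fires and the host field is left as the collector. The intended class is presumably "anything but a dot": `REGEX = PowerShell_transcript\.([^.]+)\.`. The `wef_computername_as_host` regex is fine for text-rendered events, but note the Sysmon input in `inputs.conf` uses `renderXml = true`, whose payload carries `<Computer>` rather than `ComputerName=`; that input goes to a different index here, so it is only a caveat if the two are ever merged.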
@@ -0,0 +1,13 @@ +# Purpose: Installs the GPOs for the custom WinEventLog auditing policy. +Write-Host "Configuring auditing policy GPOS..." +Write-Host "Importing Domain Controller Enhanced Auditing Policy..." +Import-GPO -BackupGpoName 'Domain Controllers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Domain_Controllers_Enhanced_Auditing_Policy" -TargetName 'Domain Controllers Enhanced Auditing Policy' -CreateIfNeeded +New-GPLink -Name 'Domain Controllers Enhanced Auditing Policy' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes + +Write-Host "Importing Servers Enhanced Auditing Policy..." +Import-GPO -BackupGpoName 'Servers Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Servers_Enhanced_Auditing_Policy" -TargetName 'Servers Enhanced Auditing Policy' -CreateIfNeeded +New-GPLink -Name 'Servers Enhanced Auditing Policy' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes + +Write-Host "Importing Workstations Enhanced Auditing Policy..." +Import-GPO -BackupGpoName 'Workstations Enhanced Auditing Policy' -Path "c:\vagrant\resources\GPO\Workstations_Enhanced_Auditing_Policy" -TargetName 'Workstations Enhanced Auditing Policy' -CreateIfNeeded +New-GPLink -Name 'Workstations Enhanced Auditing Policy' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes diff --git a/Vagrant/scripts/configure-ou.ps1 b/Vagrant/scripts/configure-ou.ps1 new file mode 100644 index 0000000..d980fd4 --- /dev/null +++ b/Vagrant/scripts/configure-ou.ps1 
@@ -0,0 +1,12 @@ +# Purpose: Sets up the Server and Workstations OUs +Write-Host "Sleeping for 30 seconds, then creating Server and Workstation OUs" +Start-Sleep 30 +Write-Host "Creating Servers OU" +New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local" +Write-Host "Creating Workstations OU" +New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local" + +# Sysprep breaks auto-login. Let's restore it here: +Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1 +Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant" +Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant" diff --git a/Vagrant/scripts/configure-powershelllogging.ps1 b/Vagrant/scripts/configure-powershelllogging.ps1 new file mode 100755 index 0000000..ec691bd --- /dev/null +++ b/Vagrant/scripts/configure-powershelllogging.ps1 @@ -0,0 +1,6 @@ +# Purpose: Install the GPO that specifies the WEF collector +Write-Host "Importing the GPO to enable Powershell Module, ScriptBlock and Transcript logging..." +Import-GPO -BackupGpoName 'Powershell Logging' -Path "c:\vagrant\resources\GPO\powershell_logging" -TargetName 'Powershell Logging' -CreateIfNeeded +New-GPLink -Name 'Powershell Logging' -Target "dc=windomain,dc=local" -Enforced yes +New-GPLink -Name 'Powershell Logging' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes +gpupdate /force diff --git a/Vagrant/scripts/configure-pslogstranscriptsshare.ps1 b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1 new file mode 100755 index 0000000..9bfd0ad --- /dev/null +++ b/Vagrant/scripts/configure-pslogstranscriptsshare.ps1 
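Review bot: `Start-Sleep 30` is a fixed delay, not a readiness check, so on a slow host `New-ADOrganizationalUnit` can run before AD DS answers; the script does not set `$ErrorActionPreference = 'Stop'`, so that failure is non-fatal here and only surfaces later when `configure-AuditingPolicyGPOs.ps1` tries `New-GPLink -Target "ou=Servers,dc=windomain,dc=local"`. Poll the directory until it responds (snippet below) and bound the wait. The auto-logon restore writes `DefaultPassword` in plaintext to a registry key any local user can read; that is a deliberate lab trade-off given the published `vagrant` password, but it should say so: `# lab-only: plaintext DefaultPassword is readable by every local user`.
```powershell
# Wait until AD DS on the DC answers instead of sleeping a fixed 30 seconds.
$deadline = (Get-Date).AddMinutes(5)
do {
    try { $null = Get-ADDomain -Server "dc.windomain.local" -ErrorAction Stop; break }
    catch { if ((Get-Date) -ge $deadline) { throw }; Start-Sleep -Seconds 5 }
} while ($true)
# ... unchanged: New-ADOrganizationalUnit calls and Winlogon auto-login keys ...
```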
@@ -0,0 +1,42 @@
+# Purpose: Configure an SMB share for Powershell transcription logs to be written to
+# Source: https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/
+Write-Host "Configuring the Powershell Transcripts Share"
+md c:\pslogs
+
+
+## Kill all inherited permissions
+$acl = Get-Acl c:\pslogs
+$acl.SetAccessRuleProtection($true, $false)
+
+
+## Grant Administrators full control
+$administrators = [System.Security.Principal.NTAccount] "Administrators"
+$permission = $administrators,"FullControl","ObjectInherit,ContainerInherit","None","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.AddAccessRule($accessRule)
+
+
+## Grant everyone else Write and ReadAttributes. This prevents users from listing
+## transcripts from other machines on the domain.
+$everyone = [System.Security.Principal.NTAccount] "Everyone"
+$permission = $everyone,"Write,ReadAttributes","ObjectInherit,ContainerInherit","None","Allow"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+$acl.AddAccessRule($accessRule)
+
+## TODO: Leaving this commented out so Splunk Forwader can read these files
+## Might be a way to leave this permission intact but still allow Splunk
+## Deny "Creator Owner" everything. This prevents users from
+## viewing the content of previously written files.
+#$creatorOwner = [System.Security.Principal.NTAccount] "Creator Owner"
+#$permission = $creatorOwner,"FullControl","ObjectInherit,ContainerInherit","InheritOnly","Deny"
+#$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+#$acl.AddAccessRule($accessRule)
+
+
+## Set the ACL
+$acl | Set-Acl c:\pslogs\
+
+
+## Create the SMB Share, granting Everyone the right to read and write files. Specific
+## actions will actually be enforced by the ACL on the file folder.
+New-SmbShare -Name pslogs -Path c:\pslogs -ChangeAccess Everyone
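Review bot: Leaving the `CREATOR OWNER` deny on lines 30–33 commented out means the user whose session wrote a transcript stays its owner, and an owner can always rewrite the file's DACL to grant themselves read and delete, so the `Write,ReadAttributes` grant on line 22 does not actually stop a user from reading or removing their own transcripts — the very thing the MSDN post this copies adds the deny for. The TODO on line 26 worries about the Splunk forwarder, but the deny binds to the file's creator, not to the account reading it; if the forwarder runs as LocalSystem it is not the owner and should be unaffected, which is worth verifying in the lab before dropping the deny, and if it really is affected the fix is an explicit Allow for the forwarder's service account rather than removing the deny. Independently, `Write` on line 22 includes WriteData on existing files, so a user who guesses another host's transcript filename can overwrite it; that is inherent to the upstream design, but the comment on lines 19–20 should say it only blocks listing, not tampering.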
diff --git a/Vagrant/scripts/configure-wef-gpo.ps1 b/Vagrant/scripts/configure-wef-gpo.ps1
new file mode 100644
index 0000000..0268a86
--- /dev/null
+++ b/Vagrant/scripts/configure-wef-gpo.ps1
@@ -0,0 +1,16 @@
+# Purpose: Installs the GPOs needed to specify a Windows Event Collector and makes certain event channels readable by Event Logger
+Write-Host "Importing the GPO to specify the WEF collector"
+Import-GPO -BackupGpoName 'Windows Event Forwarding Server' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Windows Event Forwarding Server' -CreateIfNeeded
+New-GPLink -Name 'Windows Event Forwarding Server' -Target "dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Windows Event Forwarding Server' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+Write-Host "Importing the GPO to modify ACLs on Custom Event Channels"
+Import-GPO -BackupGPOName 'Custom Event Channel Permissions' -Path "c:\vagrant\resources\GPO\wef_configuration" -TargetName 'Custom Event Channel Permissions' -CreateIfNeeded
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Domain Controllers,dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Servers,dc=windomain,dc=local" -Enforced yes
+New-GPLink -Name 'Custom Event Channel Permissions' -Target "ou=Workstations,dc=windomain,dc=local" -Enforced yes
+gpupdate /force
+# Enable WinRM
+Write-Host "Enabling WinRM"
+winrm qc /q:true
+Write-Host "Rebooting to make settings take effect..."
diff --git a/Vagrant/scripts/create-domain.ps1 b/Vagrant/scripts/create-domain.ps1
new file mode 100644
index 0000000..a93a24a
--- /dev/null
+++ b/Vagrant/scripts/create-domain.ps1
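Review bot: Line 16 prints `Rebooting to make settings take effect...` but nothing in this script reboots, so unless the Vagrantfile issues the restart the message is misleading and the WinRM and GPO state it promises is not guaranteed; either add `Restart-Computer -Force` where the provisioner expects it or change the text to `Settings will take effect after the next reboot`. `winrm qc /q:true` on line 15 also creates a plain-HTTP WinRM listener on every interface and opens the matching firewall rule; that is presumably what Vagrant needs here, but a `# Lab only: HTTP listener on all interfaces` comment would keep it from being copied elsewhere. Linking `Custom Event Channel Permissions` enforced at the domain root on line 8 already covers the three OU links on lines 9–11, so those are redundant unless there is a reason not visible here.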
@@ -0,0 +1,55 @@
+# Purpose: Creates the "windomain.local" domain
+# Source: https://github.com/StefanScherer/adfs2
+param ([String] $ip)
+
+$subnet = $ip -replace "\.\d+$", ""
+
+if ((gwmi win32_computersystem).partofdomain -eq $false) {
+
+ Write-Host 'Installing RSAT tools'
+ Import-Module ServerManager
+ Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
+
+ Write-Host 'Creating domain controller'
+ # Disable password complexity policy
+ secedit /export /cfg C:\secpol.cfg
+ (gc C:\secpol.cfg).replace("PasswordComplexity = 1", "PasswordComplexity = 0") | Out-File C:\secpol.cfg
+ secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY
+ rm -force C:\secpol.cfg -confirm:$false
+
+ # Set administrator password
+ $computerName = $env:COMPUTERNAME
+ $adminPassword = "vagrant"
+ $adminUser = [ADSI] "WinNT://$computerName/Administrator,User"
+ $adminUser.SetPassword($adminPassword)
+
+ $PlainPassword = "vagrant" # "P@ssw0rd"
+ $SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
+
+ # Windows Server 2016 R2
+ Install-WindowsFeature AD-domain-services
+ Import-Module ADDSDeployment
+ Install-ADDSForest `
+ -SafeModeAdministratorPassword $SecurePassword `
+ -CreateDnsDelegation:$false `
+ -DatabasePath "C:\Windows\NTDS" `
+ -DomainMode "7" `
+ -DomainName "windomain.local" `
+ -DomainNetbiosName "WINDOMAIN" `
+ -ForestMode "7" `
+ -InstallDns:$true `
+ -LogPath "C:\Windows\NTDS" `
+ -NoRebootOnCompletion:$true `
+ -SysvolPath "C:\Windows\SYSVOL" `
+ -Force:$true
+
+ $newDNSServers = "8.8.8.8", "4.4.4.4"
+ $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPAddress -And ($_.IPAddress).StartsWith($subnet) }
+ if ($adapters) {
+ Write-Host Setting DNS
+ $adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+ }
+ Write-Host "Setting timezone to UTC"
+ c:\windows\system32\tzutil.exe /s "UTC"
+ Write-Host "Excluding NAT interface from DNS"
+}
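Review bot: Line 46 points the new DC's NIC at `8.8.8.8` and `4.4.4.4` only, so the DC no longer lists itself (or `127.0.0.1`) as a resolver even though line 40 installs DNS on it; AD locator lookups for `windomain.local` issued from the DC then go to public resolvers, which is the classic DC DNS misconfiguration. Put the DC first and keep a public server as fallback, `$newDNSServers = "127.0.0.1", "8.8.8.8"`, or better, leave the NIC pointing at itself and configure forwarders on the DNS server role. As far as I know `4.4.4.4` is not a public DNS service (Google's secondary is `8.8.4.4`), so the second entry is dead weight either way. Separately, `Write-Host "Excluding NAT interface from DNS"` on line 54 announces an action the script never performs. Disabling password complexity on lines 15–17 and the hard-coded `vagrant` Administrator and DSRM passwords are defensible for a lab but deserve a one-line `# Lab only` comment so they are not carried into anything else.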
diff --git a/Vagrant/scripts/download_palantir_osquery.ps1 b/Vagrant/scripts/download_palantir_osquery.ps1
new file mode 100644
index 0000000..4daaac3
--- /dev/null
+++ b/Vagrant/scripts/download_palantir_osquery.ps1
@@ -0,0 +1,7 @@
+# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+Write-Host "Downloading and unzipping the Palantir osquery Repo from Github..."
+
+$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
+
+Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
+Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
diff --git a/Vagrant/scripts/download_palantir_wef.ps1 b/Vagrant/scripts/download_palantir_wef.ps1
new file mode 100644
index 0000000..263fe4c
--- /dev/null
+++ b/Vagrant/scripts/download_palantir_wef.ps1
@@ -0,0 +1,7 @@
+# Purpose: Downloads and unzips a copy of the Palantir WEF Github Repo. This includes WEF subscriptions and custom WEF channels.
+Write-Host "Downloading and unzipping the Palantir Windows Event Forwarding Repo from Github..."
+
+$wefRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\wef-Master.zip'
+
+Invoke-WebRequest -Uri "https://github.com/palantir/windows-event-forwarding/archive/master.zip" -OutFile $wefRepoPath
+Expand-Archive -path "$wefRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1
new file mode 100755
index 0000000..705386f
--- /dev/null
+++ b/Vagrant/scripts/fix-second-network.ps1
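Review bot: Line 6 of download_palantir_osquery.ps1 fetches `archive/master.zip` with no pin and no integrity check, so whatever is on the upstream default branch at provision time becomes the osquery configuration pushed to every endpoint, and a changed or compromised branch silently changes what the lab collects. Pin to a tag or commit and check the archive hash before extracting, e.g. `-Uri "https://github.com/palantir/osquery-configuration/archive/<commit>.zip"` followed by `if ((Get-FileHash $osqueryRepoPath).Hash -ne '<sha256>') { throw 'osquery-configuration checksum mismatch' }`. The archive is saved as `osquery-Master.zip` on line 4, and install-utilities.ps1 in this same commit reuses that exact path for its mimikatz download, which is at best confusing.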
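Review bot: The unpinned `master.zip` download on line 6 of download_palantir_wef.ps1 matters more than the osquery one, because install-wefsubscriptions.ps1 later copies `CustomEventChannels.dll` from this archive into `C:\Windows\System32` and registers it with `wevtutil im`, and install-autorunstowineventlog.ps1 executes `Install.ps1` from it as an administrator. Pin the archive to a commit or release and verify it before `Expand-Archive`, e.g. `if ((Get-FileHash $wefRepoPath).Hash -ne '<sha256>') { throw 'windows-event-forwarding checksum mismatch' }`. A `Test-Path` on the extracted `windows-event-forwarding-master` directory after line 7 would also turn a failed download into an error here rather than a confusing failure two scripts later.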
@@ -0,0 +1,35 @@
+# Source: https://github.com/StefanScherer/adfs2
+param ([String] $ip, [String] $dns)
+
+if (Test-Path C:\Users\vagrant\enable-winrm-after-customization.bat) {
+ Write-Host "Nothing to do in vCloud."
+ exit 0
+}
+if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) {
+ Write-Host "Nothing to do for other providers than VMware."
+ exit 0
+}
+
+$subnet = $ip -replace "\.\d+$", ""
+
+$name = (Get-NetIPAddress -AddressFamily IPv4 `
+ | Where-Object -FilterScript { ($_.IPAddress).StartsWith($subnet) } `
+ ).InterfaceAlias
+
+if (!$name) {
+ $name = (Get-NetIPAddress -AddressFamily IPv4 `
+ | Where-Object -FilterScript { ($_.IPAddress).StartsWith("169.254.") } `
+ ).InterfaceAlias
+}
+
+if ($name) {
+ Write-Host "Set IP address to $ip of interface $name"
+ & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$subnet.1"
+
+ if ($dns) {
+ Write-Host "Set DNS server address to $dns of interface $name"
+ & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1
+ }
+} else {
+ Write-Error "Could not find a interface with subnet $subnet.xx"
+}
diff --git a/Vagrant/scripts/install-autorunstowineventlog.ps1 b/Vagrant/scripts/install-autorunstowineventlog.ps1
new file mode 100644
index 0000000..2b02c8b
--- /dev/null
+++ b/Vagrant/scripts/install-autorunstowineventlog.ps1
@@ -0,0 +1,7 @@
+# Purpose: Installs AutorunsToWinEventLog from the Palantir WEF repo: (https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)
+# TL;DR - Logs all entries from Autoruns to the Windows event log to be indexed by Splunk
+Write-Host "Installing AutorunsToWinEventLog..."
+cd "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog"
+.\Install.ps1
+Write-Host "AutorunsToWinEventLog installed. Starting the scheduled task. Future runs will begin at 11am"
+Start-ScheduledTask -TaskName "AutorunsToWinEventLog"
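Review bot: `Write-Error` on line 34 of fix-second-network.ps1 does not change the script's exit status, so when no interface matches, provisioning continues with the host on whatever address it got and the later DNS and domain-join steps fail far from the cause; use `Write-Error "..."; exit 1` or `throw` so the failure surfaces here. Line 27 also hard-codes a `/24` mask and a `.1` gateway derived from `$ip`; that matches the 192.168.38.0/24 network used elsewhere in this commit, but a short comment, `# assumes the lab /24 with the gateway at .1`, would keep it from being reused blindly.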
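Review bot: `cd` on line 4 of install-autorunstowineventlog.ps1 is a non-terminating failure if the WEF archive was never extracted, after which `.\Install.ps1` on line 5 is resolved against whatever the current directory happens to be and `Start-ScheduledTask` then reports a missing task; make the dependency explicit with `Set-Location "c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\AutorunsToWinEventLog" -ErrorAction Stop` or `$ErrorActionPreference = 'Stop'` at the top. Line 5 also runs a third-party installer from an unpinned download as administrator, so this is where a hash check on the extracted content would pay off. The `Future runs will begin at 11am` text on line 6 describes a property of the upstream task definition that this script does not set; I would phrase it as `(schedule defined by the upstream Install.ps1)` so it does not go stale silently.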
diff --git a/Vagrant/scripts/install-bginfo.ps1 b/Vagrant/scripts/install-bginfo.ps1
new file mode 100755
index 0000000..05e46a9
--- /dev/null
+++ b/Vagrant/scripts/install-bginfo.ps1
@@ -0,0 +1,20 @@
+# Installs BGInfo on the host for easy identification
+# Source: https://github.com/StefanScherer/adfs2
+if (!(Test-Path 'c:\Program Files\sysinternals')) {
+ New-Item -Path 'c:\Program Files\sysinternals' -type directory -Force -ErrorAction SilentlyContinue
+}
+if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+ (New-Object Net.WebClient).DownloadFile('http://live.sysinternals.com/bginfo.exe', 'c:\Program Files\sysinternals\bginfo.exe')
+}
+$vbsScript = @'
+WScript.Sleep 15000
+Dim objShell
+Set objShell = WScript.CreateObject( "WScript.Shell" )
+objShell.Run("""c:\Program Files\sysinternals\bginfo.exe"" /accepteula ""c:\Program Files\sysinternals\bginfo.bgi"" /silent /timer:0")
+'@
+
+$vbsScript | Out-File 'c:\Program Files\sysinternals\bginfo.vbs'
+
+Copy-Item "C:\vagrant\scripts\bginfo.bgi" 'c:\Program Files\sysinternals\bginfo.bgi'
+
+Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name bginfo -Value 'wscript "c:\Program Files\sysinternals\bginfo.vbs"'
diff --git a/Vagrant/scripts/install-inputsconf.ps1 b/Vagrant/scripts/install-inputsconf.ps1
new file mode 100755
index 0000000..723bec3
--- /dev/null
+++ b/Vagrant/scripts/install-inputsconf.ps1
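Review bot: Line 7 fetches `bginfo.exe` over plain `http://` and line 20 then registers it (through the VBS wrapper) under `HKLM\...\Run`, so an on-path attacker on the download leg gets code that executes at every logon for every user; install-sysinternals.ps1 in this same commit already uses `https://live.sysinternals.com`, so change this to `'https://live.sysinternals.com/bginfo.exe'` for consistency and to keep the download authenticated. The re-run guard on line 6 is filename existence only, so a truncated or corrupt download is never replaced; checking the Authenticode signature after the download, `if ((Get-AuthenticodeSignature 'c:\Program Files\sysinternals\bginfo.exe').Status -ne 'Valid') { throw 'bginfo.exe signature invalid' }`, would cover both concerns.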
@@ -0,0 +1,16 @@
+# Purpose: Configures the inputs.conf for the Splunk forwarders on the Windows hosts
+
+Write-Host "Setting up Splunk Inputs for Sysmon & osquery"
+$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
+
+Write-Host "Stopping the Splunk forwarder"
+Stop-Service splunkforwarder
+
+Write-Host "Deleting the default configuration"
+Remove-Item $inputsPath
+
+Write-Host "Copying over the custom configuration"
+Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
+
+Write-Host "Starting the Splunk forwarder"
+Start-Service splunkforwarder
diff --git a/Vagrant/scripts/install-osquery.ps1 b/Vagrant/scripts/install-osquery.ps1
new file mode 100755
index 0000000..b7cdc2e
--- /dev/null
+++ b/Vagrant/scripts/install-osquery.ps1
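Review bot: Deleting `inputs.conf` on line 10 before the copy on line 13 opens a window in which a failed copy (missing resource file, locked path) leaves the forwarder restarted on line 16 with no inputs at all — silent loss of telemetry with no error raised. `Copy-Item ... -Force` overwrites in place, so the `Remove-Item` step can go, and the copy should fail loudly with `-ErrorAction Stop` before `Start-Service` runs. A `Test-Path` on the source file before `Stop-Service` would also avoid bouncing the forwarder for nothing.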
@@ -0,0 +1,40 @@
+# Purpose: Installs osquery on the host
+# Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
+# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
+
+Write-Host "Installing osquery"
+$packsDir = "c:\programdata\osquery\packs"
+choco install -y osquery | Out-String # Apparently Out-String makes the process wait
+$service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
+If (-not ($service)) {
+ Write-Host "Setting osquery to run as a service"
+ Start-Process -FilePath "c:\programdata\osquery\osqueryd\osqueryd.exe" -ArgumentList "--install" -Wait
+ # Copy over the config and packs from the Palantir repo
+ Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\Windows\*" "c:\ProgramData\osquery"
+ Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Endpoints\packs" -Path "c:\ProgramData\osquery"
+
+ ## Use the TLS config by default. Un-comment the line below to use the local configuration and avoid connecting to Fleet.
+ # Copy-Item "c:\ProgramData\osquery\osquery_no_tls.flags" -Path "c:\ProgramData\osquery\osquery.flags" -Force
+
+ ### --- TLS CONFIG BEGINS ---
+ ### COMMENT ALL LINES BELOW UNTIL "TLS CONFIG ENDS" if using local configuration
+ ## Add entry to hosts file for Kolide for SSL validation
+ Add-Content "c:\windows\system32\drivers\etc\hosts" " 192.168.38.5 kolide"
+ ## Add kolide secret and avoid BOM
+ $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
+ [System.IO.File]::WriteAllLines("c:\ProgramData\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
+ ## Change TLS server hostname
+ (Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content c:\ProgramData\osquery\osquery.flags
+ ## Change path to secrets
+ (Get-Content c:\ProgramData\osquery\osquery.flags) -replace 'path\\to\\file\\containing\\secret.txt', 'ProgramData\osquery\kolide_secret.txt' | Set-Content c:\ProgramData\osquery\osquery.flags
+ ## Add certfile.crt
+ Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\ProgramData\osquery\certfile.crt"
+ ### --- TLS CONFIG ENDS ---
+
+ Stop-service osqueryd
+ Start-Sleep -s 5
+ Start-Service osqueryd
+}
+else {
+ Write-Host "osquery is already installed"
+}
diff --git a/Vagrant/scripts/install-splunkuf.ps1 b/Vagrant/scripts/install-splunkuf.ps1
new file mode 100755
index 0000000..2eb7b77
--- /dev/null
+++ b/Vagrant/scripts/install-splunkuf.ps1
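Review bot: Line 14, `Copy-Item "<temp>\Endpoints\packs" -Path "c:\ProgramData\osquery"`, has its arguments inverted: because `-Path` is given by name, the positional string binds to `-Destination`, so this copies `c:\ProgramData\osquery` into the temp `packs` folder (and, without `-Recurse`, only the empty directory), and the packs never land under `$packsDir`, which line 6 defines and nothing uses. It should be `Copy-Item "<temp>\Endpoints\packs" -Destination "c:\ProgramData\osquery" -Recurse`; the commented-out no-TLS line 17 has the same inversion. The enrollment secret on line 25 is a hard-coded string written under `ProgramData`, which is typically readable by every local user — fine for the lab, but worth a `# Lab only` comment since anyone on the box could use it to enroll arbitrary hosts into Fleet. The line references in the header comment (`line 15`, `lines 21-30`) do not match the file as committed; by my count the no-TLS Copy-Item is line 17 and the TLS block spans lines 19–32.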
@@ -0,0 +1,13 @@
+# Purpose: Installs a Splunk Universal Forwader on the host
+
+If (-not (Test-Path "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe")) {
+ Write-Host "Downloading Splunk"
+ $msiFile = $env:Temp + "\splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi"
+
+ Write-Host "Installing & Starting Splunk"
+ (New-Object System.Net.WebClient).DownloadFile('https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=windows&version=6.5.2&product=universalforwarder&filename=splunkforwarder-6.5.2-67571ef4b87d-x64-release.msi&wget=true', $msiFile)
+ Start-Process -FilePath "c:\windows\system32\msiexec.exe" -ArgumentList '/i', "$msiFile", 'RECEIVING_INDEXER="192.168.38.5:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_APP_ENABLE=1 AGREETOLICENSE=Yes SERVICESTARTTYPE=1 LAUNCHSPLUNK=1 /quiet' -Wait
+} Else {
+ Write-Host "Splunk is already installed. Moving on."
+}
+Write-Host "Splunk installation complete!"
diff --git a/Vagrant/scripts/install-sysinternals.ps1 b/Vagrant/scripts/install-sysinternals.ps1
new file mode 100755
index 0000000..d557aa3
--- /dev/null
+++ b/Vagrant/scripts/install-sysinternals.ps1
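Review bot: The MSI downloaded on line 8 is handed to `msiexec` on line 9 with no integrity check; since the filename already pins a specific build (`6.5.2-67571ef4b87d`) a hash check is cheap, e.g. `if ((Get-FileHash $msiFile).Hash -ne '<sha256 from the Splunk download page>') { throw 'splunkforwarder MSI checksum mismatch' }` before `Start-Process`. `RECEIVING_INDEXER="192.168.38.5:9997"` on line 9 sends forwarder traffic without server verification and, unless the indexer side enables TLS, in the clear; acceptable for the lab, but a `# Lab only: unencrypted forwarding` comment would stop the pattern being copied. The line-1 comment also misspells `Forwarder`.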
@@ -0,0 +1,40 @@
+# Purpose: Installs a handful of SysInternals tools on the host into c:\Tools\Sysinternals
+
+$sysinternalsDir = "C:\Tools\Sysinternals"
+$sysmonDir = "C:\ProgramData\Sysmon"
+If(!(test-path $sysinternalsDir)) {
+ New-Item -ItemType Directory -Force -Path $sysinternalsDir
+} Else {
+ Write-Host "Tools directory exists. Exiting."
+ exit
+}
+
+If(!(test-path $sysmonDir)) {
+ New-Item -ItemType Directory -Force -Path $sysmonDir
+} Else {
+ Write-Host "Sysmon directory exists. Exiting."
+ exit
+}
+
+$autorunsPath = "C:\Tools\Sysinternals\Autoruns64.exe"
+$procmonPath = "C:\Tools\Sysinternals\Procmon.exe"
+$psexecPath = "C:\Tools\Sysinternals\PsExec64.exe"
+$procexpPath = "C:\Tools\Sysinternals\procexp64.exe"
+$sysmonPath = "C:\Tools\Sysinternals\Sysmon64.exe"
+$tcpviewPath = "C:\Tools\Sysinternals\Tcpview.exe"
+$sysmonConfigPath = "$sysmonDir\sysmonConfig.xml"
+
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Autoruns64.exe" -OutFile $autorunsPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile $procmonPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/PsExec64.exe" -OutFile $psexecPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/procexp64.exe" -OutFile $procexpPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Sysmon64.exe" -Outfile $sysmonPath
+Invoke-WebRequest -Uri "https://live.sysinternals.com/Tcpview.exe" -Outfile $tcpviewPath
+Copy-Item $sysmonPath $sysmonDir
+
+# Download SwiftOnSecurity's Sysmon config
+Invoke-WebRequest -Uri "https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml" -Outfile "$sysmonDir\sysmonConfig.xml"
+
+# Startup Sysmon
+Write-Host "Starting Sysmon..."
+Start-Process -FilePath "$sysmonDir\Sysmon64.exe" -ArgumentList "-accepteula -i $sysmonConfigPath"
diff --git a/Vagrant/scripts/install-utilities.ps1 b/Vagrant/scripts/install-utilities.ps1
new file mode 100755
index 0000000..9671fc5
--- /dev/null
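Review bot: The `Else { ...; exit }` branches on lines 7–10 and 14–17 bail out as soon as either directory exists, so a run that created `C:\Tools\Sysinternals` and then failed on a download never installs Sysmon on any later provision; key the early exit on what actually matters, e.g. `if (Get-Service Sysmon64 -ErrorAction SilentlyContinue) { Write-Host 'Sysmon already installed'; exit }`, and let `New-Item -Force` absorb existing directories. The Sysmon configuration on line 36 is fetched from an unpinned `master` branch; since that file decides what every host in the lab logs, pin it to a commit or vendor it under `resources\` so an upstream change cannot introduce a detection gap silently. `Start-Process` on line 40 also lacks `-Wait`, so the script reports done before Sysmon is actually installed.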
+++ b/Vagrant/scripts/install-utilities.ps1
@@ -0,0 +1,25 @@
+# Purpose: Installs chocolatey package manager, then installs custom utilities from Choco and adds syntax highlighting for Powershell, Batch, and Docker. Also installs Mimikatz into c:\Tools\Mimikatz.
+
+If (-not (Test-Path "C:\ProgramData\chocolatey")) {
+ Write-Host "Installing Chocolatey"
+ iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
+}
+else {
+ Write-Host "Chocolatey is already installed."
+}
+
+Write-Host "Installing atom, Notepad++, Chrome, WinRar, and Mimikatz."
+choco install -y atom
+choco install -y NotepadPlusPlus
+choco install -y GoogleChrome
+choco install -y WinRar
+Write-Host $env:LOCALAPPDATA
+$env:PATH="$env:PATH;$env:LOCALAPPDATA\atom\bin"
+apm install language-powershell
+apm install language-batch
+apm install language-docker
+
+# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
+$mimikatzRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
+Invoke-WebRequest -Uri "https://github.com/gentilkiwi/mimikatz/releases/download/2.1.1-20171203/mimikatz_trunk.zip" -OutFile $mimikatzRepoPath
+Expand-Archive -path "$mimikatzRepoPath" -destinationpath 'c:\Tools\Mimikatz' -Force
diff --git a/Vagrant/scripts/install-wefsubscriptions.ps1 b/Vagrant/scripts/install-wefsubscriptions.ps1
new file mode 100644
index 0000000..5af3111
--- /dev/null
+++ b/Vagrant/scripts/install-wefsubscriptions.ps1
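Review bot: Lines 22–23 are a copy-paste from the osquery download script: the comment describes the Palantir osquery repo and `$mimikatzRepoPath` points at `osquery-Master.zip`, so the mimikatz archive overwrites the archive download_palantir_osquery.ps1 fetched (harmless only because that one is already extracted by then). Rename both, `# Purpose: Downloads Mimikatz <version> into c:\Tools\Mimikatz` and `$mimikatzZipPath = "$env:TEMP\mimikatz_trunk.zip"`. The release is pinned by tag on line 24, which is good; adding `Get-FileHash` against a known SHA-256 before `Expand-Archive` would complete it. Line 5 runs the Chocolatey bootstrap via `iex` of a remote string, which is the vendor's documented install but still unreviewed remote code executed as admin on every box; a `# executes remote code: chocolatey.org bootstrap` comment makes that visible to readers.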
@@ -0,0 +1,27 @@
+# Purpose: Imports the custom Windows Event Channel and XML subscriptions on the WEF host
+# Note: This only needs to be installed on the WEF server
+
+Write-Host "Installing WEF Subscriptions"
+
+Write-Host "Copying Custom Event Channels DLL"
+Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.dll c:\windows\system32
+Copy-Item c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\windows-event-channels\CustomEventChannels.man c:\windows\system32
+
+Write-Host "Installing Custom Event Channels Manifest"
+wevtutil im "c:\windows\system32\CustomEventChannels.man"
+Write-Host "Resizing Channels to 4GB"
+$xml = wevtutil el | select-string -pattern "WEC"
+foreach ($subscription in $xml) { wevtutil sl $subscription /ms:4294967296 }
+
+Write-Host "Starting the Windows Event Collector Service"
+net start wecsvc
+
+Write-Host "Creating custom event subscriptions"
+cd c:\Users\vagrant\AppData\Local\Temp\windows-event-forwarding-master\wef-subscriptions
+cmd /c "for /r %i in (*.xml) do wecutil cs %i"
+
+Write-Host "Enabling custom event subscriptions"
+cmd /c "for /r %i in (*.xml) do wecutil ss %~ni /e:true"
+
+Write-Host "Enabling WecUtil Quick Config"
+wecutil qc /q:true
diff --git a/Vagrant/scripts/install-windows_ta.ps1 b/Vagrant/scripts/install-windows_ta.ps1
new file mode 100755
index 0000000..67c221b
--- /dev/null
+++ b/Vagrant/scripts/install-windows_ta.ps1
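Review bot: Lines 7–8 copy `CustomEventChannels.dll` and its manifest from the unpinned WEF download into `C:\Windows\System32`, and line 11 registers them system-wide with `wevtutil im`; verify the archive (a hash check or a commit pin in download_palantir_wef.ps1) or at minimum `Test-Path` both files before the copy, otherwise a failed download produces an opaque `wevtutil` error here. Line 14 sets every channel matching `WEC` to `/ms:4294967296` (4 GiB); multiplied by however many `WEC-*` channels the manifest defines that is a disk-exhaustion risk on the collector, which the comment should state, e.g. `# 4 GiB per channel; size the wef disk accordingly`. `net start wecsvc` on line 17 only starts the service for this boot while `wecutil qc` on line 27, which as I understand it also sets the persistent start type, runs last; moving `wecutil qc /q:true` ahead of line 20 would make subscription creation and the service start type independent of ordering. Line 24 assumes each subscription's name equals its XML filename (`%~ni`), which holds for the upstream repo but is worth a comment.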
@@ -0,0 +1,29 @@
+# Purpose: Installs the Windows Splunk Technial Add-On
+# Note: This only needs to be installed on the WEF server
+
+Write-Host "Installing the Windows TA for Splunk"
+
+If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
+ Write-Host "Windows TA is already installed. Moving on."
+ Exit
+}
+
+# Install Windows TA (this only needs to be done on the WEF server)
+$windowstaPath = "C:\vagrant\resources\splunk_forwarder\splunk-add-on-for-microsoft-windows_483.tgz"
+$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf"
+Write-Host "Installing the Windows TA"
+Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" -ArgumentList "install app $windowstaPath -auth admin:changeme" -NoNewWindow
+
+# Create local directory
+New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local"
+Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath
+
+# Add a check here to make sure the TA was installed correctly
+Write-Host "Sleeping for 15 seconds"
+start-sleep -s 15
+If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
+ Write-Host "Windows TA installed successfully."
+} Else {
+ Write-Host "Something went wrong during installation."
+ exit 1
+}
diff --git a/Vagrant/scripts/join-domain.ps1 b/Vagrant/scripts/join-domain.ps1
new file mode 100755
index 0000000..894abb5
--- /dev/null
+++ b/Vagrant/scripts/join-domain.ps1
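Review bot: `Start-Process` on line 15 is launched without `-Wait`, so the 15-second sleep on line 23 is a race standing in for completion and the `default` directory check on line 24 can fail on a slow box; add `-Wait -PassThru` and test the returned `ExitCode`, after which the sleep and the "add a check here" comment on line 21 can go. The `-auth admin:changeme` argument on line 15 puts the Splunk admin credential on the command line, where process listings and the 4688/Sysmon process-creation logging this lab collects will capture it; it is the forwarder's default, but label it `# lab default credential; visible in process-creation logs` so nobody copies the pattern. Lines 18–19 create `local\inputs.conf` regardless of whether the install succeeded, which can leave a dangling config for an app that does not exist.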
@@ -0,0 +1,29 @@
+# Purpose: Joins a Windows host to the windomain.local domain which was created with "create-domain.ps1".
+# Source: https://github.com/StefanScherer/adfs2
+
+Write-Host 'Join the domain'
+
+Write-Host "First, set DNS to DC to join the domain"
+$newDNSServers = "192.168.38.2"
+$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPAddress -match "192.168.38."}
+$adapters | ForEach-Object {$_.SetDNSServerSearchOrder($newDNSServers)}
+
+Write-Host "Now join the domain"
+$hostname = $(hostname)
+$user = "windomain.local\vagrant"
+$pass = ConvertTo-SecureString "vagrant" -AsPlainText -Force
+$DomainCred = New-Object System.Management.Automation.PSCredential $user, $pass
+
+# Place the computer in the correct OU based on hostname
+If ($hostname -eq "wef") {
+ Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Servers,dc=windomain,dc=local" -PassThru
+} ElseIf ($hostname -eq "win10") {
+ Write-Host "Adding Win10 to the domain. Sometimes this step times out when using VMWare. If that happens, just run 'vagrant reload win10 --provision'" #debug
+ Add-Computer -DomainName "windomain.local" -credential $DomainCred -OUPath "ou=Workstations,dc=windomain,dc=local"
+} Else {
+ Add-Computer -DomainName "windomain.local" -credential $DomainCred -PassThru
+}
+
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value "vagrant"
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value "vagrant"
diff --git a/Vagrant/scripts/provision.ps1 b/Vagrant/scripts/provision.ps1
new file mode 100644
index 0000000..e308d22
--- /dev/null
+++ b/Vagrant/scripts/provision.ps1
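Review bot: `Add-Computer` on lines 19, 22 and 24 is never checked for success (`-PassThru` returns an object with `HasSucceeded`, but it is discarded on two of the three calls and absent on the third), so the timeout the comment on line 21 describes leaves the script continuing to lines 27–29 as if the join had worked; capture the result, `$r = Add-Computer ... -PassThru; if (-not $r.HasSucceeded) { throw 'domain join failed' }`. Line 8 selects adapters with `-match "192.168.38."`, where the unescaped dots make the pattern looser than intended; `"^192\.168\.38\."` says what is meant. Lines 27–29 store the `vagrant` domain password in cleartext in a Winlogon key that unprivileged users can read by default, as configure-ou.ps1 also does; acceptable for a lab, but it deserves a `# Lab only: cleartext autologon password` comment.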
@@ -0,0 +1,48 @@
+# Purpose: Sets timezone to UTC, sets hostname, creates/joins domain.
+# Source: https://github.com/StefanScherer/adfs2
+
+$box = Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -Name "ComputerName"
+$box = $box.ComputerName.ToString().ToLower()
+
+Write-Host "Setting timezone to UTC"
+c:\windows\system32\tzutil.exe /s "UTC"
+
+if ($env:COMP|UTERNAME -imatch 'vagrant') {
+
+ Write-Host 'Hostname is still the original one, skip provisioning for reboot'
+
+ Write-Host 'Install bginfo'
+ . c:\vagrant\scripts\install-bginfo.ps1
+
+ Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
+
+} elseif ((gwmi win32_computersystem).partofdomain -eq $false) {
+
+ Write-Host -fore red "Current domain is set to 'workgroup'. Time to join the domain!"
+
+ if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+ Write-Host 'Install bginfo'
+ . c:\vagrant\scripts\install-bginfo.ps1
+ }
+
+ if ($env:COMPUTERNAME -imatch 'dc') {
+ . c:\vagrant\scripts\create-domain.ps1 192.168.38.2
+ } else {
+ . c:\vagrant\scripts\join-domain.ps1
+ }
+ Write-Host -fore red 'Hint: vagrant reload' $box '--provision'
+
+} else {
+
+ Write-Host -fore green "I am domain joined!"
+
+ if (!(Test-Path 'c:\Program Files\sysinternals\bginfo.exe')) {
+ Write-Host 'Install bginfo'
+ . c:\vagrant\scripts\install-bginfo.ps1
+ }
+
+ Write-Host 'Provisioning after joining domain'
+
+ # $script = "c:\vagrant\scripts\provision-" + $box + ".ps1"
+ # . $script
+}
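Review bot: Line 28 uses `-imatch 'dc'`, a substring regex match, to decide that this box is the domain controller; with the hostnames used in this commit (dc, wef, win10) it works, but any future host whose name contains "dc" would try to create a second forest with `create-domain.ps1`. Use an exact comparison, `if ($env:COMPUTERNAME -ieq 'dc')`, and likewise for the `'vagrant'` check on line 10, which currently matches any hostname containing that string. The hard-coded DC address `192.168.38.2` on line 29 is duplicated in join-domain.ps1; a comment pointing at the single place it should be defined would help keep them in sync.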