|
|
|
|
@@ -4,7 +4,7 @@ $downloadUrl = "http://download.microsoft.com/download/4/9/1/491394D1-3F28-4261-
|
|
|
|
|
$fileHash = "DC1070A9E8F84E75198A920A2E00DDC3CA8D12745AF64F6B161892D9F3975857" # Use Get-FileHash on a correct downloaded file to get the hash
|
|
|
|
|
|
|
|
|
|
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
|
|
|
|
|
if (-not("SSLValidator" -as [type])) {
|
|
|
|
|
If (-not("SSLValidator" -as [type])) {
|
|
|
|
|
add-type -TypeDefinition @"
|
|
|
|
|
using System;
|
|
|
|
|
using System.Net;
|
|
|
|
|
@@ -25,37 +25,37 @@ public static class SSLValidator {
|
|
|
|
|
}
|
|
|
|
|
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
|
|
|
|
|
|
|
|
|
|
if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
|
|
|
|
|
If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center"))
|
|
|
|
|
{
|
|
|
|
|
$download = $false
|
|
|
|
|
if (-not (Test-Path "$env:temp\$title.iso"))
|
|
|
|
|
If (-not (Test-Path "$env:temp\$title.iso"))
|
|
|
|
|
{
|
|
|
|
|
Write-Host "$title.iso doesn't exist yet, downloading..."
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso doesn't exist yet, downloading..."
|
|
|
|
|
$download = $true
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
Else
|
|
|
|
|
{
|
|
|
|
|
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
|
|
|
|
If (-not ($actualHash -eq $fileHash))
|
|
|
|
|
{
|
|
|
|
|
Write-Host "$title.iso exists, but has wrong hash, downloading..."
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso exists, but the hash did not validate successfully. Downloading a new copy..."
|
|
|
|
|
$download = $true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ($download -eq $true)
|
|
|
|
|
If ($download -eq $true)
|
|
|
|
|
{
|
|
|
|
|
Write-Host "Downloading $title..."
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading $title..."
|
|
|
|
|
Invoke-WebRequest -Uri $downloadUrl -OutFile "$env:temp\$title.iso"
|
|
|
|
|
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
|
|
|
|
If (-not ($actualHash -eq $fileHash))
|
|
|
|
|
{
|
|
|
|
|
Write-Host "$title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) $title.iso was not downloaded correctly: hash from downloaded file: $actualHash, should've been: $fileHash. Re-trying using BitsAdmin now..."
|
|
|
|
|
Remove-Item -Path "$env:temp\$title.iso" -Force
|
|
|
|
|
bitsadmin /Transfer ATA $downloadUrl "$env:temp\$title.iso"
|
|
|
|
|
$actualHash = (Get-FileHash -Algorithm SHA256 -Path "$env:temp\$title.iso").Hash
|
|
|
|
|
If (-not ($actualHash -eq $fileHash))
|
|
|
|
|
{
|
|
|
|
|
throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
|
|
|
|
|
Throw "$title.iso was not downloaded correctly after a retry: hash from downloaded file: $actualHash, should've been: $fileHash - Giving up."
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@@ -68,19 +68,16 @@ if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics\Center
|
|
|
|
|
$body = get-content "C:\vagrant\resources\microsoft_ata\microsoft-ata-config.json"
|
|
|
|
|
|
|
|
|
|
$req = [System.Net.WebRequest]::CreateHttp("https://wef")
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
Try {
|
|
|
|
|
$req.GetResponse()
|
|
|
|
|
}
|
|
|
|
|
catch
|
|
|
|
|
{
|
|
|
|
|
Catch {
|
|
|
|
|
# we don't care about errors here, we just want to get the cert ;)
|
|
|
|
|
}
|
|
|
|
|
$ThumbPrint = $req.ServicePoint.Certificate.GetCertHashString()
|
|
|
|
|
$body = $body -replace "{{THUMBPRINT}}", $ThumbPrint
|
|
|
|
|
|
|
|
|
|
Invoke-RestMethod -uri https://localhost/api/management/systemProfiles/center -body $body -Method Post -UseBasicParsing -UseDefaultCredentials -ContentType "application/json"
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Start-Sleep -Seconds 60
|
|
|
|
|
@@ -89,20 +86,21 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
|
|
|
|
|
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Installing the ATA Lightweight gateway on DC..."
|
|
|
|
|
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Adding wef.windomain.local to hosts file..."
|
|
|
|
|
Add-Content 'c:\\windows\\system32\\drivers\\etc\\hosts' ' 192.168.38.103 wef.windomain.local'
|
|
|
|
|
|
|
|
|
|
# Enable web requests to endpoints with invalid SSL certs (like self-signed certs)
|
|
|
|
|
if (-not("SSLValidator" -as [type])) {
|
|
|
|
|
If (-not("SSLValidator" -as [type])) {
|
|
|
|
|
add-type -TypeDefinition @"
|
|
|
|
|
using System;
|
|
|
|
|
using System.Net;
|
|
|
|
|
using System.Net.Security;
|
|
|
|
|
using System.Security.Cryptography.X509Certificates;
|
|
|
|
|
|
|
|
|
|
public static class SSLValidator {
|
|
|
|
|
public static bool ReturnTrue(object sender,
|
|
|
|
|
X509Certificate certificate,
|
|
|
|
|
X509Chain chain,
|
|
|
|
|
SslPolicyErrors sslPolicyErrors) { return true; }
|
|
|
|
|
|
|
|
|
|
public static RemoteCertificateValidationCallback GetDelegate() {
|
|
|
|
|
return new RemoteCertificateValidationCallback(SSLValidator.ReturnTrue);
|
|
|
|
|
}
|
|
|
|
|
@@ -111,38 +109,47 @@ Invoke-Command -computername dc -Credential (new-object pscredential("windomain\
|
|
|
|
|
}
|
|
|
|
|
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SSLValidator]::GetDelegate()
|
|
|
|
|
|
|
|
|
|
If (-not (Test-Path "$env:temp\gatewaysetup.zip"))
|
|
|
|
|
{
|
|
|
|
|
Write-Host "[$env:computername] ATA Gateway not yet downloaded. Downloading now..."
|
|
|
|
|
If (-not (Test-Path "$env:temp\gatewaysetup.zip")) {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Downloading Microsoft ATA now..."
|
|
|
|
|
Invoke-WebRequest -uri https://wef/api/management/softwareUpdates/gateways/deploymentPackage -UseBasicParsing -OutFile "$env:temp\gatewaysetup.zip" -Credential (new-object pscredential("wef\vagrant", (convertto-securestring -AsPlainText -Force -String "vagrant")))
|
|
|
|
|
Expand-Archive -Path "$env:temp\gatewaysetup.zip" -DestinationPath "$env:temp\gatewaysetup" -Force
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Write-Host "[$env:computername] Gateway setup already downloaded. Moving On."
|
|
|
|
|
Else {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Microsoft Gateway has already been already downloaded. Moving On."
|
|
|
|
|
}
|
|
|
|
|
if (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics"))
|
|
|
|
|
{
|
|
|
|
|
Write-Host "[$env:computername] ATA Gateway not yet installed. Attempting to install now..."
|
|
|
|
|
If (-not (Test-Path "C:\Program Files\Microsoft Advanced Threat Analytics")) {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Attempting to install Microsoft ATA... "
|
|
|
|
|
Set-Location "$env:temp\gatewaysetup"
|
|
|
|
|
Try {
|
|
|
|
|
Start-Process -Wait -FilePath ".\Microsoft ATA Gateway Setup.exe" -ArgumentList "/q NetFrameworkCommandLineArguments=`"/q`" ConsoleAccountName=`"wef\vagrant`" ConsoleAccountPassword=`"vagrant`""
|
|
|
|
|
Write-Host "[$env:computername] ATA Gateway installation complete!"
|
|
|
|
|
} Catch {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong attempting to install the Gateway on DC. Aborting installation."
|
|
|
|
|
Exit 1
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Write-Host "[$env:computername] ATA Gateway already installed. Moving On."
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] ATA Gateway installation complete!"
|
|
|
|
|
}
|
|
|
|
|
Write-Host "[$env:computername] Waiting for the ATA Gateway service to start..."
|
|
|
|
|
Else {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] The Microsoft ATA Gateway was already installed. Moving On."
|
|
|
|
|
Exit 0
|
|
|
|
|
}
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Ensuring the ATA Gateway service exists..."
|
|
|
|
|
Try {
|
|
|
|
|
Get-Service "ATAGateway" -ErrorAction Stop
|
|
|
|
|
} Catch [Microsoft.PowerShell.Commands.ServiceCommandException] {
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Unable to find the ATAGateway service. Installation must have failed. Exiting."
|
|
|
|
|
Exit 1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) [$env:computername] Waiting for the ATA Gateway service to start..."
|
|
|
|
|
(Get-Service ATAGateway).WaitForStatus('Running', '00:10:00')
|
|
|
|
|
If ((Get-Service "ATAGateway").Status -ne "Running")
|
|
|
|
|
{
|
|
|
|
|
throw "ATA Gateway service failed to start on DC"
|
|
|
|
|
If ((Get-Service "ATAGateway").Status -ne "Running") {
|
|
|
|
|
Throw "ATA Gateway service failed to start on DC"
|
|
|
|
|
}
|
|
|
|
|
# Disable invalid web requests to endpoints with invalid SSL certs again
|
|
|
|
|
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# set DC as domain synchronizer
|
|
|
|
|
# Set the DC as the domain synchronizer
|
|
|
|
|
$config = Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways" -UseDefaultCredentials -UseBasicParsing
|
|
|
|
|
$config[0].Configuration.DirectoryServicesResolverConfiguration.UpdateDirectoryEntityChangesConfiguration.IsEnabled = $true
|
|
|
|
|
|
|
|
|
|
@@ -151,7 +158,6 @@ Invoke-RestMethod -Uri "https://localhost/api/management/systemProfiles/gateways
|
|
|
|
|
# Disable invalid web requests to endpoints with invalid SSL certs again
|
|
|
|
|
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
|
|
|
|
|
|
|
|
|
|
If ((Get-Service -name "ATACenter").Status -ne "Running")
|
|
|
|
|
{
|
|
|
|
|
throw "MS ATA service was not running."
|
|
|
|
|
If ((Get-Service -name "ATACenter").Status -ne "Running") {
|
|
|
|
|
Throw "The Microsoft ATA service was unable to start."
|
|
|
|
|
}
|
|
|
|
|
|
Chris Long