trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
8f4d26b7445eef827e60ec280e1b2f6b28920469
DetectionLab/Azure/Ansible/roles/dc/tasks/main.yml
Chris Long ec57ad4fb9 Implement taskbar layout GPO
2020-12-17 17:14:22 -08:00

181 lines
5.5 KiB
YAML
Raw Blame History

---
- name: Set DNS Address
win_dns_client:
adapter_names: '*'
ipv4_addresses:
- 127.0.0.1
- 8.8.8.8
log_path: C:\dns_log.txt
- name: Install git
win_chocolatey:
name: git
state: present
- name: Check if existing DetectionLab directory
win_stat:
path: 'c:\DetectionLab'
register: dir
- name: Git clone Detectionlab
win_shell: git clone https://github.com/clong/DetectionLab.git
args:
chdir: 'c:\'
when: not dir.stat.exists
- name: Copy scripts to c:\vagrant
win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
args:
creates: c:\vagrant\Vagrantfile
- name: Create an Administrator user
win_user:
name: Administrator
password: Vagrant123
state: present
groups:
- Users
- Administrators
password_never_expires: yes
# Fail after domain creation: Failed to remove Domain Users: Exception calling \"Remove\" with \"1\" argument(s): \"This operation is not allowed on this special group.
ignore_errors: true
- name: Create the Domain
win_shell: .\\provision.ps1
args:
chdir: 'c:\vagrant\scripts'
register: domain_creation
changed_when: "'Status : Success' in domain_creation.stdout"
- name: Reboot Afer Domain Creation
win_reboot:
msg: "Installing AD. Rebooting..."
pre_reboot_delay: 15
reboot_timeout: 600
post_reboot_delay: 60
when: domain_creation.changed
- name: Configure OU
win_shell: .\\configure-ou.ps1
args:
chdir: 'c:\vagrant\scripts'
register: ou_creation
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in ou_creation.stderr"
changed_when: "'already exists. Moving On.' not in ou_creation.stdout"
- debug: msg="{{ ou_creation.stdout_lines }}"
- name: Configure WEF GPO
win_shell: .\\configure-wef-gpo.ps1
args:
chdir: 'c:\vagrant\scripts'
register: wef_gpo
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in wef_gpo.stderr"
changed_when: "' already linked on ' not in wef_gpo.stdout"
- debug: msg="{{ wef_gpo.stdout_lines }}"
when: wef_gpo.stdout_lines is defined
- name: Configure Powershell Logging GPO
win_shell: .\\configure-powershelllogging.ps1
args:
chdir: 'c:\vagrant\scripts'
register: powershell_gpo
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in powershell_gpo.stderr"
changed_when: "' already linked on ' not in wef_gpo.stdout"
- debug: msg="{{ powershell_gpo.stdout_lines }}"
when: powershell_gpo.stdout_lines is defined
- name: Configure Auditing Policy GPO
win_shell: .\\configure-AuditingPolicyGPOs.ps1
args:
chdir: 'c:\vagrant\scripts'
register: audit_policy
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in audit_policy.stderr"
changed_when: "' already linked on ' not in audit_policy.stdout"
- debug: msg="{{ audit_policy.stdout_lines }}"
when: audit_policy.stdout_lines is defined
- name: Disable Windows Defender GPO
win_shell: .\\configure-disable-windows-defender-gpo.ps1
args:
chdir: 'c:\vagrant\scripts'
register: disable_win_def
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in disable_win_def.stderr"
changed_when: "' already linked at ' not in disable_win_def.stdout"
- debug: msg="{{ disable_win_def.stdout_lines }}"
- name: Configure RDP Permissions GPO
win_shell: .\\configure-rdp-user-gpo.ps1
args:
chdir: 'c:\vagrant\scripts'
register: rdp_gpo
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in rdp_gpo.stderr"
changed_when: "' already linked at ' not in rdp_gpo.stdout"
- debug: msg="{{ rdp_gpo.stdout_lines }}"
when: rdp_gpo.stdout_lines is defined
- name: Configure Taskbar Layout GPO
win_shell: .\\configure-taskbar-layout-gpo.ps1
args:
chdir: 'c:\vagrant\scripts'
register: taskbar_gpo
vars:
ansible_become: yes
ansible_become_method: runas
ansible_become_user: windomain.local\vagrant
ansible_become_password: vagrant
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
failed_when: "'Exception' in taskbar_gpo.stderr"
- debug: msg="{{ taskbar_gpo.stdout_lines }}"
- name: Configure DC with raw Commands
win_shell: "{{ item }}"
with_items:
- "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
- "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"
Reference in New Issue View Git Blame Copy Permalink