166 lines
5.0 KiB
YAML
166 lines
5.0 KiB
YAML
---
|
|
|
|
- name: Set DNS Address
|
|
win_dns_client:
|
|
adapter_names: '*'
|
|
ipv4_addresses:
|
|
- 127.0.0.1
|
|
- 8.8.8.8
|
|
log_path: C:\dns_log.txt
|
|
|
|
- name: Install git
|
|
win_chocolatey:
|
|
name: git
|
|
state: present
|
|
|
|
- name: Check if existing DetectionLab directory
|
|
win_stat:
|
|
path: 'c:\DetectionLab'
|
|
register: dir
|
|
|
|
- name: Git clone Detectionlab
|
|
win_shell: git clone https://github.com/clong/DetectionLab.git
|
|
args:
|
|
chdir: 'c:\'
|
|
when: not dir.stat.exists
|
|
|
|
- name: Copy scripts to c:\vagrant
|
|
win_shell: Copy-Item -Recurse c:\DetectionLab\Vagrant c:\vagrant
|
|
args:
|
|
creates: c:\vagrant\Vagrantfile
|
|
|
|
- name: Create an Administrator user
|
|
win_user:
|
|
name: Administrator
|
|
password: Vagrant123
|
|
state: present
|
|
groups:
|
|
- Users
|
|
- Administrators
|
|
password_never_expires: yes
|
|
# Fail after domain creation: Failed to remove Domain Users: Exception calling \"Remove\" with \"1\" argument(s): \"This operation is not allowed on this special group.
|
|
ignore_errors: true
|
|
|
|
- name: Create the Domain
|
|
win_shell: .\\provision.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: domain_creation
|
|
changed_when: "'Status : Success' in domain_creation.stdout"
|
|
|
|
- name: Reboot Afer Domain Creation
|
|
win_reboot:
|
|
msg: "Installing AD. Rebooting..."
|
|
pre_reboot_delay: 15
|
|
reboot_timeout: 600
|
|
post_reboot_delay: 60
|
|
when: domain_creation.changed
|
|
|
|
- name: Configure OU
|
|
win_shell: .\\configure-ou.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: ou_creation
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in ou_creation.stderr"
|
|
changed_when: "'already exists. Moving On.' not in ou_creation.stdout"
|
|
|
|
- debug: msg="{{ ou_creation.stdout_lines }}"
|
|
|
|
- name: Configure WEF GPO
|
|
win_shell: .\\configure-wef-gpo.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: wef_gpo
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in wef_gpo.stderr"
|
|
changed_when: "' already linked on ' not in wef_gpo.stdout"
|
|
|
|
- debug: msg="{{ wef_gpo.stdout_lines }}"
|
|
when: wef_gpo.stdout_lines is defined
|
|
|
|
- name: Configure Powershell Logging GPO
|
|
win_shell: .\\configure-powershelllogging.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: powershell_gpo
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in powershell_gpo.stderr"
|
|
changed_when: "' already linked on ' not in wef_gpo.stdout"
|
|
|
|
- debug: msg="{{ powershell_gpo.stdout_lines }}"
|
|
when: powershell_gpo.stdout_lines is defined
|
|
|
|
- name: Configure Auditing Policy GPO
|
|
win_shell: .\\configure-AuditingPolicyGPOs.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: audit_policy
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in audit_policy.stderr"
|
|
changed_when: "' already linked on ' not in audit_policy.stdout"
|
|
|
|
- debug: msg="{{ audit_policy.stdout_lines }}"
|
|
when: audit_policy.stdout_lines is defined
|
|
|
|
- name: Disable Windows Defender GPO
|
|
win_shell: .\\configure-disable-windows-defender-gpo.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: disable_win_def
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in disable_win_def.stderr"
|
|
changed_when: "' already linked at ' not in disable_win_def.stdout"
|
|
|
|
- debug: msg="{{ disable_win_def.stdout_lines }}"
|
|
|
|
- name: Configure RDP Permissions GPO
|
|
win_shell: .\\configure-rdp-user-gpo.ps1
|
|
args:
|
|
chdir: 'c:\vagrant\scripts'
|
|
register: rdp_gpo
|
|
vars:
|
|
ansible_become: yes
|
|
ansible_become_method: runas
|
|
ansible_become_user: windomain.local\vagrant
|
|
ansible_become_password: vagrant
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
failed_when: "'Exception' in rdp_gpo.stderr"
|
|
changed_when: "' already linked at ' not in rdp_gpo.stdout"
|
|
|
|
- debug: msg="{{ rdp_gpo.stdout_lines }}"
|
|
when: rdp_gpo.stdout_lines is defined
|
|
|
|
- name: Configure DC with raw Commands
|
|
win_shell: "{{ item }}"
|
|
with_items:
|
|
- "wevtutil el | Select-String -notmatch \"Microsoft-Windows-LiveId\" | Foreach-Object {wevtutil cl \"$_\"}"
|
|
- "Set-SmbServerConfiguration -AuditSmb1Access $true -Force"
|
|
|
|
|