From cb8cf210a170959d2139bd3ce62af12cd844ff1b Mon Sep 17 00:00:00 2001
From: Simon Baerlocher
Date: Sun, 13 Sep 2020 19:04:05 +0200
Subject: [PATCH] add change

---
 CHANGELOG.md | 10 +++++
 galaxy.yml | 2 +-
 plugins/modules/win_policyfile.ps1 | 61 +++++++++++++++++++++++++++
 roles/remote_desktop/tasks/main.yml | 64 ++++++++++++++++++-----------
 4 files changed, 111 insertions(+), 26 deletions(-)
 create mode 100644 plugins/modules/win_policyfile.ps1

diff --git a/CHANGELOG.md b/CHANGELOG.md
index efe6fde..6d791df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,16 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## master
 
+## 0.0.7
+
+### Added
+
+- Add module win_policyfile
+
+### Changed
+
+- Change to the module win_policyfile in the Role remote_desktop
+
 ## 0.0.6
 
 ### Added
diff --git a/galaxy.yml b/galaxy.yml
index 3b81d0b..9f2cb1e 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: 'sbaerlocher'
 name: 'windows'
-version: 0.0.6
+version: 0.0.7
 readme: README.md
 authors:
 - 'Simon Baerlocher (https://sbaerlocher.ch)'
diff --git a/plugins/modules/win_policyfile.ps1 b/plugins/modules/win_policyfile.ps1
new file mode 100644
index 0000000..2559c34
--- /dev/null
+++ b/plugins/modules/win_policyfile.ps1
@@ -0,0 +1,61 @@
+#!powershell
+
+# Copyright: (c) 2020, Simon Baerlocher
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+#AnsibleRequires -CSharpUtil Ansible.Basic
+
+$spec = @{
+ options = @{
+ path = @{ type = 'str'; required = $true; }
+ key = @{ type = 'str'; required = $true; aliases = 'key' }
+ name = @{ type = 'str'; aliases = 'entry', 'value' }
+ data = @{ type = 'raw' }
+ type = @{
+ type = 'str'
+ default = 'string'
+ choices = 'none', 'binary', 'dword', 'expandstring', 'multistring', 'string', 'qword'
+ aliases = 'datatype'
+ }
+ state = @{ type = 'str'; default = 'present'; choices = 'present', 'absent' }
+
+ }
+ supports_check_mode = $true
+}
+
+$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)
+
+$path = $module.Params.path
+$key = $module.Params.key
+$name = $module.Params.name
+$data = $module.Params.data
+$type = $module.Params.type
+$state = $module.Params.state
+
+$module.Result.reboot_required = $false
+
+if (-not (Get-Command -Name Get-PolicyFileEntry -ErrorAction SilentlyContinue)) {
+ $module.FailJson("This version of Windows does not support the Get-PolicyFileEditor.")
+}
+
+try {
+ $policy_state = Get-PolicyFileEntry -Path $path -Key $key -ValueName $Name
+}
+catch [System.Runtime.InteropServices.COMException] {
+ $policy_state = $null
+}
+
+if ($state -eq "present" -and ($policy_state).data -notlike $data) {
+ if (-not $module.CheckMode) {
+ Set-PolicyFileEntry -Path $path -Key $key -ValueName $name -Data $data -Type $type
+ }
+ $module.Result.changed = $true
+}
+elseif ($state -eq "absent") {
+ if (-not $module.CheckMode) {
+ Remove-PolicyFileEntry -Path $path -Key $key -ValueName $name
+ }
+ $module.Result.changed = $true
+}
+
+$module.ExitJson()
diff --git a/roles/remote_desktop/tasks/main.yml b/roles/remote_desktop/tasks/main.yml
index 300e1be..4c5c07b 100644
--- a/roles/remote_desktop/tasks/main.yml
+++ b/roles/remote_desktop/tasks/main.yml
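Review bot: The present/absent decision near the end of the hunk is not idempotent: `-notlike` treats `$data` as a wildcard pattern, so a value of `'*'` (which the remote_desktop role passes for RemoteAddresses) never compares as different because `'' -like '*'` is true and the entry is never written, and the `absent` branch sets `changed` and calls Remove-PolicyFileEntry on every run even when `$policy_state` is already `$null`. Use an exact comparison and test for an existing entry: `if ($state -eq "present" -and ($policy_state).data -ne $data) {` and `elseif ($state -eq "absent" -and $null -ne $policy_state) {`. For `multistring` values the returned data is presumably an array, and `-ne` on an array left operand filters rather than compares, so that type likely needs `Compare-Object` instead; confirm against what Get-PolicyFileEntry returns. The FailJson message names `Get-PolicyFileEditor`, but the cmdlet being probed is `Get-PolicyFileEntry` from the PolicyFileEditor module; `"The PolicyFileEditor module (Get-PolicyFileEntry) is not available on this host."` would describe the actual failure.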
@@ -1,25 +1,39 @@ --- # tasks file for remote_desktop +- name: Add a PowerShell module + win_psmodule: + name: PolicyFileEditor + state: present + # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS - name: Allow users to connect remotely by using Remote Desktop Services - win_regedit: - path: '{{ item }}' + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol" + key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' name: fDenyTSConnections - data: 00000000 - type: dword + data: '0' + type: 'dword' state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" register: register_remote_desktop_enabled - with_items: - - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" - - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" -- name: Firewall Enable or Disable rule for Remote Desktop Services - win_shell: > - "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} - -DisplayGroup 'Remotedesktop'" - vars: - rd_enable: '{{ remote_desktop_enabled }}' +- name: Firewall Enable or Disable for Remote Desktop Services + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol" + key: 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop' + name: Enabled + data: '1' + type: 'dword' + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + +- name: Firewall Remote Address for Remote Desktop Services + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol" + key: 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop' + name: 'RemoteAddresses' + data: '*' + type: 'string' + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - name: Set then Remote Desktop Port win_regedit: 
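Review bot: The new `Firewall Remote Address` task hard-codes `data: '*'`, so whenever `remote_desktop_enabled` is true the RDP firewall policy accepts connections from any source address, whereas the replaced `Enable-NetFirewallRule` call left the rule's existing scope untouched. Making the scope a role variable, `data: "{{ remote_desktop_remote_addresses }}"` with a documented default, lets a deployment restrict it to a management subnet without editing the role. The `win_psmodule` task installs `PolicyFileEditor` from the gallery with no version pin; adding `required_version` keeps the role reproducible and stops a changed upstream release from silently altering behaviour. `fDenyTSConnections` is also no longer written to the live `HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server` key, only to `registry.pol`, so presumably the setting now takes effect at the next Group Policy refresh, which the task does not trigger. The literal `C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol` is repeated in every new task here and in the two following hunks; a single role default would remove that duplication.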
@@ -32,17 +46,19 @@ # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY - name: Require use of specific security layer for remote (RDP) connections - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: SecurityLayer + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol" + key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + name: 'SecurityLayer' data: '{{ remote_desktop_securitylayer }}' - type: dword + type: 'dword' state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY - name: Set client connection encryption level - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol" + key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' name: MinEncryptionLevel data: '{{ remote_desktop_minencryptionLevel }}' type: dword 
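Review bot: Quoting is inconsistent between the two tasks in this hunk: the SecurityLayer task writes `name: 'SecurityLayer'` and `type: 'dword'` while the MinEncryptionLevel task keeps `name: MinEncryptionLevel` and `type: dword`; YAML yields the same strings either way, so pick one form (the unquoted one matches the surrounding unchanged lines) across the role. Both `data` values are taken verbatim from `remote_desktop_securitylayer` and `remote_desktop_minencryptionLevel`, and nothing here validates them before they reach the policy file; a short comment above each task listing the accepted values from the linked getadmx pages (SecurityLayer 0–2, MinEncryptionLevel 1–4) would help whoever reviews the defaults.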
@@ -56,15 +72,13 @@ # https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm - name: Disable Shutdown Butten from Windows Start - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + sbaerlocher.windows.win_policyfile: + path: "C:\\Windows\\system32\\GroupPolicy\\User\\registry.pol" + key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' name: NoClose data: '1' type: dword - state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" - vars: - rd_enable: '{{ remote_desktop_enabled }}' - rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + state: "{{ 'present' if remote_desktop_enabled and remote_desktop_shutdown_disable else 'absent' }}" # https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ - name: Disable Shutdown Butten from Windows login screen
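Review bot: The NoClose task moves from the machine-wide `HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer` key to `C:\\Windows\\system32\\GroupPolicy\\User\\registry.pol`, i.e. from Computer Configuration to User Configuration, which changes who the policy applies to and when it is processed; presumably this is intended, but it is the only task in the commit that uses the User policy file. A one-line comment above the task stating why the per-user scope was chosen would save the next reader from re-deriving it. The simplified `state` expression that inlines `remote_desktop_enabled and remote_desktop_shutdown_disable` reads better than the old `vars` indirection and is fine as written.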