Task: Configure all Windows servers to use RDP over SSL to mitigate a man-in-the-middle vulnerability in Microsoft's RDP protocol.
Difficulty: We do not run Microsoft certificate services. We self-sign certs from a Linux system and they are provided in .pfx format. Auto-enrollment is not an option, and I can't use Group Policy to assign a certificate because (from what I can tell) it requires Microsoft's certificate services.
In doing my research, I found a blog post that provided a WMI script that supposedly would do the configuration. However, I was never able to get the script to work. (See Part II in http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx .)
So here is a PowerShell way to do this. This would be cool if it were a function and parameterized and provided error checking, but you get what you get. Some things to point out - I had to generalize the path to the pfx file and the password, so I'm not completely sure the $Hashcode line works. I had deployed this with the Certutil command in a batch file because I was rolling this out in phases instead of dumping everything in one script. Hopefully that works. The "meat" of the script is everything that starts with $TSGeneralSettingRDP and that stuff all works.
$server = $env:computername
$PathtoPFX = "c:\temp\cert.pfx"
$PFXPass = "pfxpassword"
# Read the SHA-1 thumbprint out of the PFX; this is the value the RDP listener is keyed on
$Hashcode = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PathtoPFX, $PFXPass)).Thumbprint
# Import the PFX (private key included) into the local machine's Personal store; run from an elevated prompt
Certutil -p $PFXPass -importpfx $PathtoPFX
# Win32_TSGeneralSetting lives in root\cimv2\TerminalServices (not the default namespace) and needs packet-privacy authentication
$TSGeneralSettingRDP = get-wmiobject -Namespace "root\cimv2\TerminalServices" -Authentication PacketPrivacy win32_tsgeneralsetting | where-object {$_.TerminalName -match "RDP-Tcp"}
$TSGeneralSettingRDP.SSLCertificateSHA1Hash = $Hashcode
# Encryption level 4 = FIPS compliant; security layer 2 = SSL (TLS)
$TSGeneralSettingRDP.SetEncryptionLevel(4)
$TSGeneralSettingRDP.SetSecurityLayer(2)
$TSGeneralSettingRDP.put()
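As an added example (not the poster's script), here is the same procedure as a parameterized function with the error checking and the post-configuration verification a rollout would want; the function name Set-RdpListenerCertificate and the parameter names are hypothetical, and it assumes the PFX is imported on the local host from an elevated session.

```powershell
# Added example, not the original poster's script: parameterized version with
# error checking, then a re-read of the listener to confirm the binding took.
function Set-RdpListenerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword
    )
    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX not found: $PfxPath" }

    # Load the PFX to read its thumbprint and sanity-check it before touching the listener.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
    if (-not $cert.HasPrivateKey) { throw "PFX contains no private key; the RDP listener cannot use it" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
    $thumb = $cert.Thumbprint

    # Import into the LocalMachine Personal store only if it is not already there.
    # certutil is used (as in the script above) so this works on hosts without the PKI module.
    if (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
        & certutil.exe -f -p $PfxPassword -importpfx $PfxPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }
    }

    # Win32_TSGeneralSetting lives in the TerminalServices namespace and needs packet-privacy auth.
    $wmiArgs = @{
        Namespace      = 'root\cimv2\TerminalServices'
        Class          = 'Win32_TSGeneralSetting'
        Authentication = 'PacketPrivacy'
        Filter         = "TerminalName='RDP-Tcp'"
    }
    $listener = Get-WmiObject @wmiArgs
    if (-not $listener) { throw "RDP-Tcp listener not found on $env:COMPUTERNAME" }

    # Same values as the script above: security layer 2 = SSL (TLS), encryption level 4 = FIPS compliant.
    $listener.SSLCertificateSHA1Hash = $thumb
    [void]$listener.SetSecurityLayer(2)
    [void]$listener.SetEncryptionLevel(4)
    [void]$listener.Put()

    # Re-read the listener and report whether it is actually bound to the intended certificate.
    $check = Get-WmiObject @wmiArgs
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Thumbprint    = $check.SSLCertificateSHA1Hash
        SecurityLayer = $check.SecurityLayer
        MinEncryption = $check.MinEncryptionLevel
        Configured    = ($check.SSLCertificateSHA1Hash -eq $thumb -and $check.SecurityLayer -eq 2)
    }
}

Set-RdpListenerCertificate -PfxPath 'c:\temp\cert.pfx' -PfxPassword 'pfxpassword'
```

The returned object's Configured field is what to collect from each server during a phased rollout; a host reporting $false after the Put() is one where the old listener settings are still in effect.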