As I add more virtual machines and physical servers to my Microsoft environment there are a few Windows features/settings I tend to always tweak for my own needs:
- Remote Desktop — I allow Remote Desktop connections without Network Level Authentication (NLA) because my machines are contained within my own private cloud, but these settings can be changed based on your environment's needs.
- Internet Explorer Enhanced Security Configuration (IEESec) — Because I actually use the server desktop environment quite a bit the IE settings for IEESec tend to drive me nuts so I turn both Admin and User off. The script allows you to set either of these to On or Off.
- Windows Firewall — I turn all three profiles off in my environment since I am in my own private cloud, but within the script you can set Public, Private and Domain to your desired state.
- Adding Windows Features — The only feature I always add is Multipath I/O.
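Import-Module NetSecurity

# Set-RegistryDword
# Writes a REG_DWORD value, creating the value when it does not exist yet.
# Set-ItemProperty is tried first; if it fails (value absent) the value is created
# with New-ItemProperty. The -ErrorAction/$? pattern is kept so the script keeps
# running when the key is already in the desired state.
#   -Path   Registry key (PowerShell provider path, e.g. HKLM:\...).
#   -Name   Value name under that key.
#   -Value  Integer to store.
Function Set-RegistryDword {
    Param(
        [Parameter(Mandatory=$True)] [string]$Path,
        [Parameter(Mandatory=$True)] [string]$Name,
        [Parameter(Mandatory=$True)] [int]$Value
    )
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
    If (-not $?) {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType Dword
    }
}

# Set-RemoteDesktopConfig
#   -NonNLA   Allow remote connections without requiring Network Level Authentication (NLA).
#             Without NLA the RDP listener shows the logon screen to clients that have not
#             authenticated yet, so only use this on hosts that untrusted networks cannot reach.
#   -Disable  Disable remote desktop connections (NLA is switched back on at the same time).
# With neither switch, remote desktop is enabled and NLA is left as it is.
Function Set-RemoteDesktopConfig {
    Param ([switch]$NonNLA, [switch]$Disable)
    $tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpPath = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    If ($Disable) {
        Set-RegistryDword -Path $tsPath  -Name 'fDenyTSConnections' -Value 1
        Set-RegistryDword -Path $rdpPath -Name 'UserAuthentication' -Value 1
    } Else {
        Set-RegistryDword -Path $tsPath -Name 'fDenyTSConnections' -Value 0
        If ($NonNLA) {
            Set-RegistryDword -Path $rdpPath -Name 'UserAuthentication' -Value 0
        }
    }
}

# Set-IEESec
# Sets IEHardenAdmin and IEHardenUser for IE Enhanced Security Configuration.
#   -IEHardenAdmin  'On' or 'Off' for the administrators component.
#   -IEHardenUser   'On' or 'Off' for the users component.
# Both parameters are restricted to On/Off; any other value is rejected by the binder
# instead of being silently ignored.
Function Set-IEESec {
    Param(
        [Parameter(Mandatory=$True, Position=1)]
        [ValidateSet('On', 'Off')]
        [string]$IEHardenAdmin,
        [Parameter(Mandatory=$True, Position=2)]
        [ValidateSet('On', 'Off')]
        [string]$IEHardenUser
    )
    # Active Setup components: ...A7 is the admin component, ...A8 the user component.
    $componentRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $adminPath = "$componentRoot\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $userPath  = "$componentRoot\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    # IEESec is On by default (IsInstalled = 1), so 'Off' clears the flag.
    Switch ($IEHardenAdmin) {
        "Off" { Set-ItemProperty -Path $adminPath -Name 'IsInstalled' -Value 0 }
        "On"  { Set-ItemProperty -Path $adminPath -Name 'IsInstalled' -Value 1 }
    }
    Switch ($IEHardenUser) {
        "Off" { Set-ItemProperty -Path $userPath -Name 'IsInstalled' -Value 0 }
        "On"  { Set-ItemProperty -Path $userPath -Name 'IsInstalled' -Value 1 }
    }
}

# Disable the Public/Domain/Private firewall profiles.
# With all three off, every listening service is reachable on every network the host
# joins; change -Enabled to True for any profile that should stay on.
Set-NetfirewallProfile -Name Public  -Enabled False
Set-NetfirewallProfile -Name Domain  -Enabled False
Set-NetfirewallProfile -Name Private -Enabled False

# Enable Remote Desktop connections (without NLA). Use -Disable to turn RDP off instead.
Set-RemoteDesktopConfig -NonNLA #-Disable

# Add Windows feature(s).
Add-WindowsFeature -Name "Multipath-IO"

# Turn IE Enhanced Security Off for both administrators and users.
Set-IEESec -IEHardenAdmin Off -IEHardenUser Off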