As I add more virtual machines and physical servers to my Microsoft environment there are a few Windows features/settings I tend to always tweak for my own needs with IEESec:
- Remote Desktop — I use non network level authentication for connectivity with remote desktop because I am contained within my own private cloud but these settings can be changed based on your environment needs.
- Internet Explorer Enhanced Security Configuration (IEESec) — Because I actually use the server desktop environment quite a bit the IE settings for IEESec tend to drive me nuts so I turn both Admin and User off. The script allows you to set either of these to On or Off.
- Windows Firewall — I turn these off in my environment since I am in my own private cloud but within the script you can set Public, Private and Domain to your desired state.
- Adding Windows Features — The only feature I always add is Multipath I/O.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
Import-Module NetSecurity # Set-RemoteDesktopConfig # -NonNLA Allow remote connections without requiring Network Level Authentication (NLA) # -Disable Disable remote desktop connections. Function Set-RemoteDesktopConfig { Param ([switch]$NonNLA, [switch]$Disable) If ($Disable) { Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal Server' -Name 'fDenyTSConnections' -Value 1 -ErrorAction SilentlyContinue If (-not $?) { New-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal Server' -Name 'fDenyTSConnections' -Value 1 -PropertyType Dword } Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name 'UserAuthentication' -Value 1 -ErrorAction SilentlyContinue If (-not $?) { New-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name 'UserAuthentication' -Value 1 -PropertyType Dword } } Else { Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal Server' -Name 'fDenyTSConnections' -Value 0 -ErrorAction SilentlyContinue If (-not $?) { New-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal Server' -Name 'fDenyTSConnections' -Value 0 -PropertyType Dword } If ($NonNLA) { Set-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name 'UserAuthentication' -Value 0 -ErrorAction SilentlyContinue If (-not $?) { New-ItemProperty -Path 'HKLM:SystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp' -Name 'UserAuthentication' -Value 0 -PropertyType Dword } } } } # Set IEHardendmin and IEHardenUser for IE Enhanced Security Configuration. Function Set-IEESec { Param( [Parameter(Mandatory=$True, Position=1)] [string]$IEHardenAdmin, [Parameter(Mandatory=$True, Position=2)] [string]$IEHardenUser ) # IEESec is On by default, so use the switch to turn it Off. Switch ($IEHardenAdmin) { "Off" { Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftActive SetupInstalled Components{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' -Name 'IsInstalled' -Value 0 } "On" { Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftActive SetupInstalled Components{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' -Name 'IsInstalled' -Value 1 } } Switch ($IEHardenUser) { "Off" { Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftActive SetupInstalled Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' -Name 'IsInstalled' -Value 0 } "On" { Set-ItemProperty -Path 'HKLM:SOFTWAREMicrosoftActive SetupInstalled Components{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' -Name 'IsInstalled' -Value 1 } } } # Disable Public/Domain/Private profiles. Set-NetfirewallProfile -Name Public -Enabled False Set-NetfirewallProfile -Name Domain -Enabled False Set-NetfirewallProfile -Name Private -Enabled False # Enable Remote Desktop connections. Set-RemoteDesktopConfig -NonNLA #-Disable # Add Windows feature(s) Add-WindowsFeature -Name "Multipath-IO" # Turn IE Enhanced Security Off. Set-IEESec -IEHardenAdmin Off -IEHardenUser Off |
Check out more from Barkz!:
- Troubleshooting Get-MPIOSetting in Windows Server
- Updated: Restoring Protection Group Volume Snapshots
- Creating Volumes from Protection Group Sources (Part 1)
- Creating Volumes from Protection Group Sources (Part 2)
- Update! Setup Active Directory Integration with the PowerShell SDK
- A Brief History of Time with PowerShell and Pure Storage
- New Release! Pure Storage Hybrid Cloud with AWS Design Guide
- Purity//FA comes with Offloaded Data Transfer (ODX)
- Overwriting a Volume in Windows Server
- Access FlashBlade with the Pure Storage PowerShell SDK
- Pure Storage PowerShell ISE Add-on
- Simple Provisioning Script to Create Multiple Volumes and Adding to a PGroup
|
1 |
