├── .gitattributes
├── .gitignore
├── 01 - Active Directory
    ├── README.md
    └── shadowGroups.ps1
├── 02 - Local users and groups
    └── README.md
├── 03 - Logon Restrictions
    └── README.md
├── 04 - Deploy Software
    ├── InstallLAPS.ps1
    ├── README.md
    ├── installCmder.ps1
    ├── installHyperV.ps1
    ├── installMBAM.ps1
    ├── installNmap.ps1
    ├── installRSAT.ps1
    ├── installSysinternals.ps1
    └── installVIClient.ps1
├── 05 - Allow Fingerprint Sign-in
    └── README.md
├── README.md
├── xx - Antivirus
    └── README.md
├── xx - AppLocker
    ├── README.md
    └── applocker.xml
├── xx - Authentication Policies and Silos
    └── README.md
├── xx - Baselines
    ├── CIS Baseline checklist.xlsx
    └── README.md
├── xx - BitLocker
    └── README.md
├── xx - Just enough Administration (JEA)
    └── README.md
├── xx - Just in Time Administration (JITA)
    └── README.md
├── xx - LAPS
    ├── README.md
    ├── Step by Step Guide to Deploy Microsoft LAPS.pdf
    └── installLAPS.ps1
├── xx - UAC Settings
    └── README.md
├── xx - User Proxy
    ├── README.md
    └── proxy.pac
└── xx - Windows Firewall with Advanced Security and IPSec Domain Isolation
    ├── README.md
    ├── firewall_2016.wfw
    ├── firewall_ipsec_ca.wfw
    ├── firewall_ipsec_dc.wfw
    ├── firewall_ipsec_radius.wfw
    ├── firewall_ipsec_tier0.wfw
    ├── firewall_ipsec_tier1.wfw
    ├── firewall_ipsec_tier2.wfw
    ├── firewall_paw.wfw
    └── firewall_win10.wfw


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | *.egg-info/
 24 | .installed.cfg
 25 | *.egg
 26 | 
 27 | # PyInstaller
 28 | #  Usually these files are written by a python script from a template
 29 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 30 | *.manifest
 31 | *.spec
 32 | 
 33 | # Installer logs
 34 | pip-log.txt
 35 | pip-delete-this-directory.txt
 36 | 
 37 | # Unit test / coverage reports
 38 | htmlcov/
 39 | .tox/
 40 | .coverage
 41 | .coverage.*
 42 | .cache
 43 | nosetests.xml
 44 | coverage.xml
 45 | *.cover
 46 | .hypothesis/
 47 | 
 48 | # Translations
 49 | *.mo
 50 | *.pot
 51 | 
 52 | # Django stuff:
 53 | *.log
 54 | local_settings.py
 55 | 
 56 | # Flask stuff:
 57 | instance/
 58 | .webassets-cache
 59 | 
 60 | # Scrapy stuff:
 61 | .scrapy
 62 | 
 63 | # Sphinx documentation
 64 | docs/_build/
 65 | 
 66 | # PyBuilder
 67 | target/
 68 | 
 69 | # Jupyter Notebook
 70 | .ipynb_checkpoints
 71 | 
 72 | # pyenv
 73 | .python-version
 74 | 
 75 | # celery beat schedule file
 76 | celerybeat-schedule
 77 | 
 78 | # SageMath parsed files
 79 | *.sage.py
 80 | 
 81 | # Environments
 82 | .env
 83 | .venv
 84 | env/
 85 | venv/
 86 | ENV/
 87 | 
 88 | # Spyder project settings
 89 | .spyderproject
 90 | .spyproject
 91 | 
 92 | # Rope project settings
 93 | .ropeproject
 94 | 
 95 | # mkdocs documentation
 96 | /site
 97 | 
 98 | # mypy
 99 | .mypy_cache/
100 | 


--------------------------------------------------------------------------------
/01 - Active Directory/README.md:
--------------------------------------------------------------------------------
  1 | ## Shadow Groups
  2 | If you want to use Shadow Groups to aide in managing your devices, you will need to keep your PAW devices separate from your day-to-day devices.  This means a separate OU for your PAW devices and a separate OU for all your other workstations.  
  3 | 
  4 | What are Shadow Groups?
  5 | 
  6 | Shadow Groups are groups that mirror the membership of an Active Directory OU.  If you have ever administrated a Novel Netware network, you will recall that you can apply the membership of an OU to a network object's ACL.  Thus, giving access to an object based on the users in an OU.  Active Directory does not allow you to add OUs to ACLs.  Thus, if we wanted to replicate this behavior in AD, we need shadow groups.  With shadow groups you now have all members of each department in a group.  All departmental computers in their own groups.  All laptops in their own groups.  All Tablets in their own groups...
  7 | 
  8 | What else can you do with Shadow Groups?
  9 | 
 10 | * Apply GPO security filtering to shadow groups rather than **Authenticated Users**.  Now you can apply the GPO to a higher level OU, and have it apply to only certain child OUs without the need for complicated WMI filters.
 11 | * More effectively manage NPS 802.1x policies.  
 12 | * Quicker reporting for auditors.  All employees are in thier own group, filtering out things like service accounts, contacts, and contractors which are members of the **Domain Users** group.  Same for computers and the **Domain Computers** group.
 13 | * Rule the world
 14 | 
 15 | How are Shadow Groups managed?
 16 | 
 17 | A scheduled task runs on a regular interval and creates groups based on your Active Directory OU hierarchy.  It then takes the members of the OU and adds them as members of the group.  Lastly, it removes group members that may have moved to a different OU, keeping your group membership accurate.
 18 | 
 19 | ## Recommended Active Directory Hierarchy
 20 | ```
 21 | DOMAIN.COM
 22 | ├── Domain Controllers
 23 | └── Company
 24 |     ├── Computers
 25 |     │   ├── Disabled-Computers - - - Will hold all disabled computer accounts
 26 |     │   └── Location A
 27 |     │       ├── PAW
 28 |     │       │   ├── Tier 0    - - - - Will hold Tier 0 PAWs (for domain admins)
 29 |     │       │   ├── Tier 1    - - - - Will hold Tier 1 PAWs (for server admins)
 30 |     │       │   └── Tier 2    - - - - Will hold Tier 2 PAWs (for helpdesk admins)
 31 |     │       ├── Servers
 32 |     │       │   ├── Tier 0    - - - - Will hold Tier 0 servers (but not DCs!)
 33 |     │       │   └── Tier 1    - - - - Will hold Tier 1 servers (most member servers)
 34 |     │       └── Workstations  - - - - Will hold all Computer accounts.  Feel free to organize your own hierarchy.  For this example, we use <Locale>\<Department>
 35 |     │           ├── Laptops   - - - - Laptops
 36 |     |           |   └── Departments - Department Specific OUs.  Have one for every department
 37 |     │           ├── Desktops  - - - - Desktops
 38 |     |           |   └── Departments - Department Specific OUs.  Have one for every department
 39 |     │           └── VMs       - - - - All VMs, including your PAW's day-to-day VM
 40 |     |               └── Departments - Department Specific OUs.  Have one for every department
 41 |     ├── Groups
 42 |     │   └── Security Groups
 43 |     │       ├── PAW           - - - - All groups related to PAW management
 44 |     │       ├── Shadowgroups-Computers - - - Computer object's shadowgroups
 45 |     │       ├── Shadowgroups-Servers - - - - Server object's shadowgroups
 46 |     │       └── Shadowgroups-Users - - - - - User's object's shadowgroups
 47 |     └── Users
 48 |         ├── Employees         - - - - Will hold all Employee accounts.  Feel free to organize your own hierarchy.  For this example, we use <Locale>\<Department>
 49 |         │   └── Location      - - - - Each office location will have its own OU
 50 |         │       └── Department  - - - Each department will hold the user accounts for that department
 51 |         ├── Disabled-Users    - - - - Will hold all disabled user accounts
 52 |         ├── ServiceAccounts   - - - - Will hold all service accounts, and special use accounts (like accounts that run scheduled tasks)
 53 |         └── PAW Accounts
 54 |             ├── Tier 0        - - - - Will hold Tier 0 user accounts (for domain admins)
 55 |             ├── Tier 1        - - - - Will hold Tier 1 user accounts (for server admins)
 56 |             └── Tier 2        - - - - Will hold Tier 2 user accounts (for helpdesk admins)
 57 | ```
 58 | ## Active Directory Permissions
 59 | The shadowgroup.ps1 script will be run by a standard user account which must be given the explicit permissions listed below.  Modify AD Advanced Security Permissions of the following OUs (should probably be scripted in the future...)
 60 | 
 61 | ***COMPANY.COM\Company\Computers***
 62 | * ACL 1
 63 |   * Principal: **AD-Company-Computers--DeleteComputerObjects**
 64 |   * Type: **Allow**
 65 |   * Applies to: **Descendant Computer Objects**
 66 |   * Properties: **Write Name, and Write name (capitol and lower case N & n)**
 67 | * ACL 2
 68 |   * Principal: **AD-Company-Computers--DeleteComputerObjects**
 69 |   * Type: Allow
 70 |   * Applies to: **This object and all descendant Objects**
 71 |   * Permissions: **Delete Computer objects**
 72 | * ACL 3
 73 |   * Principal: **AD-Company-Computers--DeleteComputerObjects**
 74 |   * Type: **Allow**
 75 |   * Applies to: **Descendant Computer Objects**
 76 |   * Permissions: **Read all properties**
 77 | 
 78 | ***COMPANY.COM\Company\Users\Employees***
 79 | * ACL 1
 80 |   * Principal: **AD-Company-Users--DeleteUserObjects**
 81 |   * Type: **Allow**
 82 |   * Applies to: **Descendant User Objects**
 83 |   * Properties: **Write Name, and Write name (capitol and lower case N & n)**
 84 | * ACL 2
 85 |   * Principal: **AD-Company-Users--DeleteUserObjects**
 86 |   * Type: **Allow**
 87 |   * Applies to: **This object and all descendant objects**
 88 |   * Permissions: **Delete user objects**
 89 | * ACL 3
 90 |   * Principal: **AD-Company-Users--DeleteUserObjects**
 91 |   * Type: **Allow**
 92 |   * Applies to: **Descendant User Objects**
 93 |   * Properties: **Read all properties**
 94 | 
 95 | ***COMPANY.COM\Company\Computers\Disabled-Computers***
 96 | * ACL 1
 97 |   * Principal: **AD-Company-Computers-DisabledComputers--CreateComputerObjects**
 98 |   * Type: **Allow**
 99 |   * Applies to: **This object and all descendant objects**
100 |   * Permissions: **Create Computer objects**
101 | * ACL 2
102 |   * Principal: **AD-Company-Computers-DisabledComputers--CreateComputerObjects**
103 |   * Type: **Allow**
104 |   * Applies to: **This object and all descendant objects**
105 |   * Permissions: **List contents, Read all properties, write all properties, read permissions**
106 | 
107 | ***COMPANY.COM\Company\Groups\SecurityGroups\ShadowGroups-Computers***
108 | * ACL 1
109 |   * Principal: **AD-Company-Groups-ShadowGroupsComputers--Modify**
110 |   * Type: **Allow**
111 |   * Applies to: **This object and all descendant objects**
112 |   * Permissions: **Create Group objects, Delete Group objects**
113 | * ACL 2
114 |   * Principal: **AD-Company-Groups-ShadowGroupsComputers--Modify**
115 |   * Type: **Allow**
116 |   * Applies to: **Descendant Group objects**
117 |   * Permissions: **Full control**
118 | 
119 | ***COMPANY.COM\Company\Groups\SecurityGroups\ShadowGroups-Servers***
120 | * ACL 1
121 |   * Principal: **AD-Company-Groups-ShadowGroupsServers--Modify**
122 |   * Type: **Allow**
123 |   * Applies to: **This object and all descendant objects**
124 |   * Permissions: **Create Group objects, Delete Group objects**
125 | * ACL 2
126 |   * Principal: **AD-Company-Groups-ShadowGroupsServers--Modify**
127 |   * Type: **Allow**
128 |   * Applies to: **Descendant Group objects**
129 |   * Permissions: **Full control**
130 | 
131 | ***COMPANY.COM\Company\Groups\SecurityGroups\ShadowGroups-Users***
132 | * ACL 1
133 |   * Principal: **AD-Company-Groups-ShadowGroupsUsers--Modify**
134 |   * Type: **Allow**
135 |   * Applies to: **This object and all descendant objects**
136 |   * Permissions: **Create Group objects, Delete Group objects**
137 | * ACL 2
138 |   * Principal: **AD-Company-Groups-ShadowGroupsUsers--Modify**
139 |   * Type: **Allow**
140 |   * Applies to: **Descendant Group objects**
141 |   *  Permissions: **Full control**
142 | 
143 | ***COMPANY.COM\CompanyUsers\Disabled-Users***
144 | * ACL 1
145 |   * Principal: **AD-Company-Users-DisabledUsers--CreateUserObjects**
146 |   * Type: **Allow**
147 |   * Applies to: **This object only**
148 |   * Permissions: **Create User objects**
149 | * ACL 2
150 |   * Principal: **AD-Company-Users-DisabledUsers--CreateUserObjects**
151 |   * Type: **Allow**
152 |   * Applies to: **This object and all descendant objects**
153 |   * Permissions: **Full control**
154 | ## Users
155 | 
156 | ### Each Domain Admin will have the following accounts:
157 | * **Normal domain user account**: used for logging into the Tier 0 PAW.  Will escalate to local admin to do admin stuff. Also logs into the PAW VM to do day-to-day tasks.
158 | * **Tier 0 Admin**: Member of domain admins, the normal domain account elevates to this account to admin stuff on Tier 0 servers.
159 | * **Tier 1 Admin**: Used to allow the user to RDP to Tier 1 member servers using /RemoteCredentialGuard. Normal domain user also uses this to elevate certain remote management consoles (RSAT/Server Manager) to manage remote Tier 1 servers.
160 | * **Tier 2 Admin (optional)**: If the user will ever administrate workstations, they will need this account.  Used to allow the user to RDP to remote workstations using /RemoteCredentialGuard. Normal domain user also uses this to elevate certain remote management consoles (MMC) to manage  remote workstations.
161 | * **Local user account**: Used as a contingency for any lost domain trusts.  In other words, if you fubar the domain and you can no longer log in to your PAW, this is the account you would use.
162 | * **Local administrator account**: This account will be managed by LAPS.  Also used for fixing domain trust issues.  You would login with the local user account and elevate to this account to do admin stuff.
163 | * **Access to server LAPS accounts**.  They can use this if RDP with /RestrictedAdmin is too restrictive.
164 | 
165 | ### Each server administrator will have:
166 | * **Normal domain user account**: used for logging into the Tier 1 PAW.  Will escalate to local admin to do admin stuff. Also logs into the PAW VM to do day-to-day tasks.
167 | * **Tier 1 Admin**: Used to allow the user to RDP to Tier 1 member servers using /RemoteCredentialGuard. Normal domain user also uses this to elevate certain remote management consoles (RSAT/Server Manager) to manage remote Tier 1 servers.
168 | * **Local user account**: Used as a contingency for any lost domain trusts.  In other words, if you fubar the domain and you can no longer log in to your PAW, this is the account you would use.
169 | * **Local administrator account**: This account will be managed by LAPS.  Also used for fixing domain trust issues.  You would login with the local user account and elevate to this account to do admin stuff.
170 | * **Access to server LAPS accounts**.  They can use this if RDP with /RestrictedAdmin is too restrictive.
171 | 
172 | ### Each Helpdesk user will have:
173 | * **Normal domain user account**: used for logging into the Tier 1 PAW.  Will escalate to local admin to do admin stuff. Also logs into the PAW VM to do day-to-day tasks.
174 | * **Tier 2 Admin**: Normal domain user uses this to elevate certain remote management consoles (MMC) to manage remote  workstations.
175 | * **Local user account**: Used as a contingency for any lost domain trusts.  In other words, if you fubar the domain and you can no longer log in to your PAW, this is the account you would use.
176 | * **Local administrator account**: This account will be managed by LAPS.  Also used for fixing domain trust issues.  You would login with the local user account and elevate to this account to do admin stuff.
177 | * **Access to all workstation LAPS accounts**.  They can use this if RDP with RA is too restrictive.
178 | 
179 | ***NOTE***: *Helpdesk should never use this with /RemoteCredentailGuard.  This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. [(Source)](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard)*
180 | 
181 | ## Groups
182 | The following groups must be created in Company > Groups > SecurityGroups > RBAC-PAW.  The sub-bullet point are the members of the specified group.
183 | 
184 | **PAW-AllPAW-Computers** - Members of this group include all PAW Tier groups.  It is a collection of all PAW machines.
185 | * PAW-Tier0-Computers
186 | * PAW-Tier1-Computers
187 | * PAW-Tier2-Computers
188 | 
189 | **PAW-BlockPowershell** - Members of this group are blocked from using PowerShell via GPO.
190 | * PAW-Users
191 | 
192 | **PAW-BlockLocalLogon** - Members of this group are not literally blocked from logging in locally, but rather from running certain applications via the AppLocker GPO after they have logged in.
193 | * PAW-Admins
194 | 
195 | **PAW-Azure-Admins** - Members of this group are permitted to connect to pre-identified cloud services via Privileged Access Workstations
196 | * not sure yet.
197 | 
198 | **PAW-Tier0-Admins** - Members of this group are Tier 0 server admins.
199 | * All members of the Company\Users\PAW Accounts\Tier 0 OU
200 | 
201 | **PAW-Tier0-Computers** - Members of this group are Tier 0 PAWs.  Used mainly for GPO filtering.
202 | * All Tier 0 PAWs
203 | 
204 | **PAW-Tier0-Users** - Members of this group are tier 0 PAW users.  They can log into Tier 0 PAWs.  They are a normal user account on PAWs that use the Tier 0/1/2 Admin accounts to elevate certain tasks.
205 | * All domain user accounts that need to log into Tier 0 PAWs
206 | 
207 | **PAW-Tier1-Admins** - Members of this group are Tier 1 server admins.
208 | * All members of the Company\Users\PAW Accounts\Tier 1 OU
209 | 
210 | **PAW-Tier1-Computers** - Members of this group are Tier 1 PAWs.  Used mainly for GPO filtering.
211 | * All Tier 1 PAWs  
212 | 
213 | **PAW-Tier1-Users** - Members of this group are tier 1 PAW users.  They can log into Tier 1 PAWs.  They are a normal user account on PAWs that use their Tier 1 Admin account to elevate certain tasks.
214 | * All domain user accounts that need to log into Tier 0 PAWs
215 | 
216 | **PAW-Tier2-Admins** - Members of this group are Tier 2 server admins.
217 | * All members of the Company\Users\PAW Accounts\Tier 2 OU
218 | 
219 | **PAW-Tier2-Computers** - Members of this group are Tier 2 PAWs.  Used mainly for GPO filtering.
220 | * All Tier 2 PAWs
221 | 
222 | **PAW-Tier2-Users** - Members of this group are tier 2 PAW users.  They can log into Tier 2 PAWs.  They are a normal user account on PAWs that use the Tier 2 Admin accounts to elevate certain tasks.
223 | * All domain user accounts that need to log into Tier 0 PAWs
224 | 
225 | **PAW-Users** - Members of this groups include all the Tier 0, 1, and 2 Users
226 | * PAW-Tier0-Users
227 | * PAW-Tier1-Users
228 | * PAW-Tier2-Users
229 | 
230 | **PAW-Admins** - Members of this groups include all the Tier 0, 1, and 2 Admins
231 | * PAW-Tier0-Admins
232 | * PAW-Tier1-Admins
233 | * PAW-Tier2-Admins
234 | 
235 | ## Additional Resources
236 | For more information on what accounts count as Tier 0, see [Microsoft's recommendations here](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#T0E_BM).
237 | 


--------------------------------------------------------------------------------
/02 - Local users and groups/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | This is one of those rare security controls that grants security AND adds usability.  PAW security is enhanced when you control the membership of local groups via Group Policy.  You enforce membership in the local admin group.  It also increases ease in usability because you are automating a process that would otherwise have to be done manually.
  3 | 
  4 | ## Local Users
  5 | Create the following accounts on each PAW:
  6 | * **a local user account** - used as a backup in case any domain trust issues occur that knock the computer off the domain.  It must be a standard user because local admins cannot log in.  Only elevate.  When using fingerprints, this will be their left hand “index finger”.
  7 | * **a local admin account (Separate from Default Local Admin)** - PAW user will use this account for all administrative purposes.  When using fingerprints, this will be their left hand “middle finger”.  We don't want to use the default local admin because that password will change every 30 days via LAPS.
  8 | 
  9 | These accounts will only be used if domain trust issues happen and a user cannot log into their PAW with their domain account.  Because of the logon restrictions we will place on PAWs, local admin accounts will not be able to logon.
 10 | 
 11 | ## Group Policy
 12 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Local Groups - PAW** with the following settings:
 13 | 
 14 | ***Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups***
 15 | 
 16 | Create the following new groups
 17 | 
 18 | * Administrators (built-in)  - You will add a new one of these for every PAW user that needs local admin on their PAW
 19 |   * Order: **1**
 20 |   * Action: **Update**
 21 |   * Description: **Rich's PAW Local Admins**
 22 |   * Delete all users and groups: **Unchecked**
 23 |   * Members:
 24 |     * **<username>.admin** - The account you created in the Local Users section above
 25 |     * **DOMAIN\user.t0** - The tier 0 account belonging to the PAW user
 26 |     * **DOMAIN\user.t1** - The tier 1 account belonging to the PAW user
 27 |     * **DOMAIN\user.t2** - The tier 2 account belonging to the PAW user
 28 | 
 29 |   * Item-level targeting
 30 |     * The NetBIOS computer name is <Select the specific User's PAW computer object>
 31 | 
 32 | * Repeat this step for **every** individual PAW, adding the correct local user to each.
 33 | 
 34 | ***NOTE***: *It is required to add each of the tier admins accounts to the local admins group because that is the only way to permit the PAW users to run their admin tools (MMC/RSAT/Server Manager\etc...) as that user with a fingerprint.  You run the tool as administrator, then swipe the finger for the given admin user.*
 35 | 
 36 | * Backup Operators (built-in)
 37 |   * Order: **2**
 38 |   * Action: **Update**
 39 |   * Description: **All PAW Backup Operators**
 40 |   * Delete all member user and groups: **Checked**
 41 |   * Members: **None**
 42 |   * Item-level targeting
 43 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 44 | 
 45 | * Cryptographic Operators (built-in)
 46 |   * Order: **3**
 47 |   * Action: **Update**
 48 |   * Description: **All PAW Cryptographic Operators**
 49 |   * Delete all member user and groups: **Checked**
 50 |   * Members: **None**
 51 |   * Item-level targeting
 52 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 53 | 
 54 | * Network Configuration Operators (built-in)
 55 |   * Order: **4**
 56 |   * Action: **Update**
 57 |   * Description: **All PAW Network Configuration Operators**
 58 |   * Delete all member user and groups: **Checked**
 59 |   * Members: **None**
 60 |   * Item-level targeting
 61 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 62 | 
 63 | * Power Users (built-in)
 64 |   * Order: **5**
 65 |   * Action: **Update**
 66 |   * Description: **All PAW Power Users**
 67 |   * Delete all member user and groups: **Checked**
 68 |   * Members: **None**
 69 |   * Item-level targeting
 70 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 71 | 
 72 | * Remote Desktop Users (built-in)
 73 |   * Order: **6**
 74 |   * Action: **Update**
 75 |   * Description: **All PAW Demote Desktop Users**
 76 |   * Delete all member user and groups: **Checked**
 77 |   * Members: **None**
 78 |   * Item-level targeting
 79 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 80 | 
 81 | * Replicators (built-in)
 82 |   * Order: **7**
 83 |   * Action: **Update**
 84 |   * Description: **All PAW Replicators**
 85 |   * Delete all member user and groups: **Checked**
 86 |   * Members: **None**
 87 |   * Item-level targeting
 88 |     * the computer is a member of the security group DOMAIN\PAW-AllPAWComputers
 89 | 
 90 | * Hyper-V Administrators
 91 |   * Order: **8**
 92 |   * Action: **Update**
 93 |   * Description: **PAW Tier 0 Hyper-V Admins**
 94 |   * Delete all member user and groups: **Checked**
 95 |   * Members: **DOMAIN\PAW-Tier0-Users**
 96 |   * Item-level targeting
 97 |     * the computer is a member of the security group DOMAIN\PAW-Tier-0Computers
 98 | 
 99 | * Repeat this step for Tier1 and Tier2 PAWs.
100 | 
101 | Close the policy window.
102 | 
103 | On the scope tab:
104 | * Ensure the Link to the Computers OU is Enabled.  
105 | * Remove **Authenticated Users** under **Security Filtering**.
106 | * Add **PAW-AllPAWComputers**
107 | * Ensure there is no WMI filter applied.
108 | 
109 | On the Details tab:
110 | * Set GPO status to: **User configuration settings disabled**.
111 | 
112 | On the Deligation tab:
113 | * Add **Authenticated Users** with **Read** access.
114 | 


--------------------------------------------------------------------------------
/03 - Logon Restrictions/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | Here, we will be enforcing logon restrictions to all the domain joined devices.  This will involve several GPOs.
  3 | 
  4 | ## Prerequisites
  5 | * Ensure you have a functioning Shadow Group script
  6 | * Ensure the **Domain Controllers** group is a member of the **All-Tier0-Servers** group.
  7 | 
  8 | ## Account restrictions for the BUILTIN\Administrator Domain admin user
  9 | 
 10 | For the built-in Administrator account in each domain in your forest, you should configure the following settings:
 11 | * Enable the *Account is sensitive and cannot be delegated* flag on the account.
 12 | * Enable the *Smart card is required for interactive logon* flag on the account.
 13 | 
 14 | ***NOTE***: *When you enable the Smart card is required for interactive logon attribute on an account, Windows resets the account's password to a 120-character random value. By setting this flag on built-in Administrator accounts, you ensure that the password for the account is not only long and complex, but is not known to any user. It is not technically necessary to create smart cards for the accounts before enabling this attribute, but if possible, smart cards should be created for each Administrator account prior to configuring the account restrictions and the smart cards should be stored in secure locations.  Although setting the Smart card is required for interactive logon flag resets the account's password, it does not prevent a user with rights to reset the account's password from setting the account to a known value and using the account's name and new password to access resources on the network.*
 15 | 
 16 | [Click here](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-d--securing-built-in-administrator-accounts-in-active-directory) For more information.
 17 | 
 18 | ## Logon Restrictions for Domain Controllers
 19 | 
 20 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - Domain Controllers** with the following settings:
 21 | 
 22 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
 23 | 
 24 | * Allow log on locally:
 25 |   * **BUILTIN\Administrators**
 26 |   * **DOMAIN\PAW-Tier0-Admins**
 27 | 
 28 | * Allow log on through Terminal Services
 29 |   * **DOMAIN\PAW-Tier0-Admins**
 30 | 
 31 | * Log on as batch job
 32 |   * **Administrators**
 33 |   * **DOMAIN\task-shadowgroup** - This user is responsible for running the shadowgroup script every 10 minutes or so
 34 |   
 35 | * Deny access to this computer from the network
 36 |   * **DOMAIN\Administrator**
 37 |   
 38 | * Deny log on as a batch job
 39 |   * **DOMAIN\Administrator**
 40 |   
 41 | * Deny log on as a service
 42 |   * **DOMAIN\Administrator**
 43 |   
 44 | * Deny log on locally
 45 |   * **DOMAIN\Administrator**
 46 |   
 47 | * Deny log on through Terminal Services/Remote Desktop Services
 48 |   * **DOMAIN\Administrator**
 49 | 
 50 | Close the policy window.
 51 | 
 52 | On the scope tab:
 53 | * Ensure the Link to the Domain Controllers OU is Enabled.
 54 | * Ensure **Authenticated Users** is added to the Security Filter
 55 | * Ensure there is no WMI filter applied
 56 | 
 57 | On the Details tab:
 58 | * Set GPO status to: **User configuration settings disabled**
 59 | 
 60 | ## Logon Restrictions for Tier 0 PAWs
 61 | 
 62 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - PAW Tier 0** with the following settings:
 63 | 
 64 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
 65 | 
 66 | * Allow log on locally:
 67 |   * **BUILTIN\Administrators**
 68 |   * **BUILTIN\Users**
 69 |   * **DOMAIN\PAW-Tier0-Users**
 70 |   * **DOMAIN\PAW-Tier0-Admins**
 71 |   * **DOMAIN\PAW-Tier1-Admins**
 72 |   * **DOMAIN\PAW-Tier2-Admins**
 73 | 
 74 | * Allow log on through Terminal Services
 75 |   * Define the settings, but do not add any users or groups to the list.  This will prevent any user from being able to logon to PAWs over RDP.
 76 | 
 77 | * Deny access to this computer from the network
 78 |   * **DOMAIN\Administrator**
 79 |   * **BUILTIN\Guests**
 80 |   * **NT AUTHORITY\Local account**
 81 |   * **NT AUTHORITY\Local account and member of Administrators group**
 82 |   * **DOMAIN\PAW-Tier1-Admins**
 83 |   * **DOMAIN\PAW-Tier2-Admins**
 84 |   
 85 | * Deny log on as a batch job
 86 |   * **DOMAIN\Administrator**
 87 |   
 88 | * Deny log on as a service
 89 |   * **DOMAIN\Administrator**
 90 |   
 91 | * Deny log on locally
 92 |   * **DOMAIN\Administrator**
 93 |   
 94 | * Deny log on through Terminal Services/Remote Desktop Services
 95 |   * **DOMAIN\Administrator**
 96 | 
 97 | ***NOTE***: *It is questionable if "Deny access to this computer from the network" is even needed since we lock down all inbound network traffic via the Windows Firewall with Advanced Security using IPSec to authenticate connections.  I leave it here for future testing.*
 98 | 
 99 | Close the policy window.
100 | 
101 | On the scope tab:
102 | * Ensure the Link to the Computers OU is Enabled.  
103 | * Remove **Authenticated Users** from the **Security Filtering** section and add **PAW-Tier0Computers**.
104 | * Ensure there is no WMI filter applied
105 | 
106 | On the Details tab:
107 | * Set GPO status to: **User configuration settings disabled**
108 | 
109 | On the Delegation tab:
110 | * Add **Authenticated Users** and give it READ permissions.
111 | 
112 | ## Logon Restrictions for Tier 0 Servers
113 | 
114 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - Servers Tier 0** with the following settings:
115 | 
116 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
117 | 
118 | * Allow log on locally:
119 |   * **BUILTIN\Administrators**
120 |   * **DOMAIN\PAW-Tier0-Admins**
121 | 
122 | * Allow log on through Terminal Services
123 |   * **DOMAIN\PAW-Tier0-Admins**
124 | 
125 | * Log on as batch job
126 |   * **BUILTIN\Administrators**
127 |   * **LogOnAsBatch - This is a local group that we will create in a subsequent GPO.**
128 | 
129 | * Log on as a service
130 |   * **NT SERVICE\ALL Services**
131 |   * **LogOnAsService** - This is a local group that we will create in a subsequent GPO.
132 |   
133 | * Deny access to this computer from the network
134 |   * **DOMAIN\Administrator**
135 |   
136 | * Deny log on as a batch job
137 |   * **DOMAIN\Administrator**
138 |   
139 | * Deny log on as a service
140 |   * **DOMAIN\Administrator**
141 |   
142 | * Deny log on locally
143 |   * **DOMAIN\Administrator**
144 |   
145 | * Deny log on through Terminal Services/Remote Desktop Services
146 |   * **DOMAIN\Administrator**
147 | 
148 | Close the policy window.
149 | 
150 | On the scope tab:
151 | * Ensure the Link to the Computers OU is Enabled.
152 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **All-Tier0-Servers** server Shadow Group.
153 | * Ensure there is no WMI filter applied
154 | 
155 | On the Details tab:
156 | * Set GPO status to: **User configuration settings disabled**
157 | 
158 | On the Delegation tab:
159 | * Add **Authenticated Users** and give it READ permissions.
160 | 
161 | ## Logon Restrictions for Tier 1 PAWs
162 | 
163 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - PAW Tier 1** with the following settings:
164 | 
165 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
166 | 
167 | * Allow log on locally:
168 |   * **BUILTIN\Administrators**
169 |   * **BUILTIN\Users**
170 |   * **DOMAIN\PAW-Tier1-Users**
171 |   * **DOMAIN\PAW-Tier1-Admins**
172 |   * **DOMAIN\PAW-Tier2-Admins**
173 | 
174 | * Allow log on through Terminal Services
175 |   * Define the settings, but do not add any users or groups to the list.  This will prevent any user from being able to logon to PAWs over RDP.
176 | 
177 | * Deny access to this computer from the network
178 |   * **BUILTIN\Guests**
179 |   * **NT AUTHORITY\Local account**
180 |   * **NT AUTHORITY\Local account and member of Administrators group**
181 |   * **DOMAIN\Administrator**
182 |   * **DOMAIN\Domain Admins**
183 |   * **DOMAIN\Enterprise Admins**
184 |   * **DOMAIN\PAW-Tier0-Admins**
185 |   * **DOMAIN\PAW-Tier2-Admins**
186 | 
187 | * Deny log on as a batch job
188 |   * **DOMAIN\Administrator**
189 |   
190 | * Deny log on as a service
191 |   * **DOMAIN\Administrator**
192 |   
193 | * Deny log on locally
194 |   * **DOMAIN\Administrator**
195 |   
196 | * Deny log on through Terminal Services/Remote Desktop Services
197 |   * **DOMAIN\Administrator**
198 | 
199 | ***NOTE***: *It is questionable if "Deny access to this computer from the network" is even needed since we lock down all inbound network traffic via the Windows Firewall with Advanced Security using IPSec to authenticate connections.  I leave it here for future testing.*
200 | 
201 | Close the policy window.
202 | 
203 | On the scope tab:
204 | * Ensure the Link to the Computers OU is Enabled.
205 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **PAW-Tier1-Computers** group.
206 | * Ensure there is no WMI filter applied
207 | 
208 | On the Details tab:
209 | * Set GPO status to: **User configuration settings disabled**
210 | 
211 | On the Delegation tab:
212 | * Add **Authenticated Users** and give it READ permissions.
213 | 
214 | ## Logon Restrictions for Tier 1 Servers
215 | 
216 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - Servers Tier 1** with the following settings:
217 | 
218 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
219 | 
220 | * Allow log on locally:
221 |   * **BUILTIN\Administrators**
222 | 
223 | * Allow log on through Terminal Services
224 |   * **BUILTIN\Administrators**
225 |   * **DOMAIN\PAW-Tier1-Admins**
226 | 
227 | * Deny access to this computer from the network
228 |   * **BUILTIN\Guests**
229 |   * **NT AUTHORITY\Local account**
230 |   * **NT AUTHORITY\Local account and member of Administrators group**
231 |   * **DOMAIN\Administrator**
232 |   * **DOMAIN\Domain Admins**
233 |   * **DOMAIN\Enterprise Admins**
234 |   * **DOMAIN\PAW-Tier0-Admins**
235 |   * **DOMAIN\PAW-Tier2-Admins**
236 | 
237 | * Deny log on as a batch job
238 |   * **DOMAIN\Administrator**
239 |   
240 | * Deny log on as a service
241 |   * **DOMAIN\Administrator**
242 |   
243 | * Deny log on locally
244 |   * **DOMAIN\Administrator**
245 |   
246 | * Deny log on through Terminal Services/Remote Desktop Services
247 |   * **DOMAIN\Administrator**
248 | 
249 | * Log on as batch job
250 |   * **BUILTIN\Administrators**
251 |   * **LogOnAsBatch** - This is a local group that we will create in a subsequent GPO.
252 | 
253 | * Log on as a service
254 |   * **NT SERVICE\ALL Services**
255 |   * **LogOnAsService** - This is a local group that we will create in a subsequent GPO.
256 | 
257 | Close the policy window.
258 | 
259 | On the scope tab:
260 | * Ensure the Link to the Computers OU is Enabled.
261 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **All-Tier1-Servers** server Shadow Group.
262 | * Ensure there is no WMI filter applied
263 | 
264 | On the Details tab:
265 | * Set GPO status to: **User configuration settings disabled**
266 | 
267 | On the Delegation tab:
268 | * Add **Authenticated Users** and give it READ permissions.
269 | 
270 | ## Logon Restrictions for Tier 2 PAWs
271 | 
272 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - PAW Tier 2** with the following settings:
273 | 
274 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
275 | 
276 | * Allow log on locally:
277 |   * **BUILTIN\Administrators**
278 |   * **BUILTIN\Users**
279 |   * **DOMAIN\PAW-Tier2-Users**
280 |   * **DOMAIN\PAW-Tier2-Admins**
281 | 
282 | * Allow log on through Terminal Services
283 |   * Define the settings, but do not add any users or groups to the list.  This will prevent any user from being able to logon to PAWs over RDP.
284 | 
285 | * Deny access to this computer from the network
286 |   * **BUILTIN\Guests**
287 |   * **NT AUTHORITY\Local account**
288 |   * **NT AUTHORITY\Local account and member of Administrators group**
289 |   * **DOMAIN\Administrator**
290 |   * **DOMAIN\Domain Admins**
291 |   * **DOMAIN\Enterprise Admins**
292 |   * **DOMAIN\PAW-Tier0-Admins**
293 |   * **DOMAIN\PAW-Tier1-Admins**
294 |   * **DOMAIN\Schema Admins**
295 | 
296 | * Deny log on as batch job
297 |   * **BUILTIN\Guests**
298 |   * **NT AUTHORITY\Local account**
299 |   * **NT AUTHORITY\Local account and member of Administrators group**
300 |   * **DOMAIN\Administrator**
301 |   * **DOMAIN\Domain Admins**
302 |   * **DOMAIN\Enterprise Admins**
303 |   * **DOMAIN\PAW-Tier0-Admins**
304 |   * **DOMAIN\PAW-Tier1-Admins**
305 |   * **DOMAIN\Schema Admins**
306 | 
307 | * Deny log on as service
308 |   * **BUILTIN\Guests**
309 |   * **NT AUTHORITY\Local account**
310 |   * **NT AUTHORITY\Local account and member of Administrators group**
311 |   * **DOMAIN\Administrator**
312 |   * **DOMAIN\Domain Admins**
313 |   * **DOMAIN\Enterprise Admins**
314 |   * **DOMAIN\PAW-Tier0-Admins**
315 |   * **DOMAIN\PAW-Tier1-Admins**
316 |   * **DOMAIN\Schema Admins**
317 | 
318 | * Deny log on locally
319 |   * **BUILTIN\Guests**
320 |   * **DOMAIN\Administrator**
321 |   * **DOMAIN\Domain Admins**
322 |   * **DOMAIN\Enterprise Admins**
323 |   * **DOMAIN\PAW-Tier0-Admins**
324 |   * **DOMAIN\PAW-Tier1-Admins**
325 |   * **DOMAIN\Schema Admins**
326 |   
327 |  * Deny log on through Remote Desktop Services
328 |    * **DOMAIN\Administrator**
329 | 
330 | ***NOTE***: *It is questionable if "Deny access to this computer from the network" is even needed since we lock down all inbound network traffic via the Windows Firewall with Advanced Security using IPSec to authenticate connections.  I leave it here for future testing.*
331 | 
332 | Close the policy window.
333 | 
334 | On the scope tab:
335 | * Ensure the Link to the Computers OU is Enabled.
336 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **PAW-Tier2-Computers** group.
337 | * Ensure there is no WMI filter applied
338 | 
339 | On the Details tab:
340 | * Set GPO status to: **User configuration settings disabled**
341 | 
342 | On the Delegation tab:
343 | * Add **Authenticated Users** and give it READ permissions.
344 | 
345 | ## Logon Restrictions for Tier 2 Workstations (employee workstations)
346 | 
347 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Logon Restrictions - Workstations Tier 2** with the following settings:
348 | 
349 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
350 | 
351 | * Allow log on locally:
352 |   * **BUILTIN\Administrators**
353 |   * **BUILTIN\Users**
354 | 
355 | * Allow log on through Terminal Services
356 |   * **Administrator**
357 | 
358 |   ***NOTE***: *Helpdesk should never use their Tier 2 admin account with RDP using /RemoteCredentailGuard.  This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects.  Therefore, they should only ever log on through Terminal Services using the LAPS account. [(Source)](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard)*
359 | 
360 | * Deny access to this computer from the network
361 |   * **BUILTIN\Guests**
362 |   * **DOMAIN\Administrator**
363 |   * **DOMAIN\Domain Admins**
364 |   * **DOMAIN\Enterprise Admins**
365 |   * **DOMAIN\Group Policy Creator Owners**
366 |   * **DOMAIN\Schema Admins**
367 |   
368 | * Deny log on as batch job
369 |   * **BUILTIN\Guests**
370 |   * **DOMAIN\Administrator**
371 |   * **DOMAIN\Domain Admins**
372 |   * **DOMAIN\Enterprise Admins**
373 |   * **DOMAIN\PAW-Tier0-Admins**
374 |   * **DOMAIN\PAW-Tier1-Admins**
375 |   * **DOMAIN\PAW-Tier2-Admins**
376 |   * **DOMAIN\Schema Admins**
377 |   
378 | * Deny log on as a service
379 |   * **BUILTIN\Guests**
380 |   * **DOMAIN\Administrator**
381 |   * **DOMAIN\Domain Admins**
382 |   * **DOMAIN\Enterprise Admins**
383 |   * **DOMAIN\PAW-Tier0-Admins**
384 |   * **DOMAIN\PAW-Tier1-Admins**
385 |   * **DOMAIN\PAW-Tier2-Admins**
386 |   * **DOMAIN\Schema Admins**
387 |  
388 | * Deny log on locally
389 |   * **BUILTIN\Guests**
390 |   * **DOMAIN\Administrator**
391 |   * **DOMAIN\Domain Admins**
392 |   * **DOMAIN\Enterprise Admins**
393 |   * **DOMAIN\PAW-Tier0-Admins**
394 |   * **DOMAIN\PAW-Tier1-Admins**
395 |   * **DOMAIN\PAW-Tier2-Admins**
396 |   * **DOMAIN\Schema Admins**
397 |   
398 | * Deny log on through Remote Desktop Services
399 |   * **BUILTIN\Guests**
400 |   * **DOMAIN\Administrator**
401 |   * **DOMAIN\Domain Admins**
402 |   * **DOMAIN\Enterprise Admins**
403 |   * **DOMAIN\PAW-Tier0-Admins**
404 |   * **DOMAIN\PAW-Tier1-Admins**
405 |   * **DOMAIN\PAW-Tier2-Admins**
406 |   * **DOMAIN\Schema Admins**
407 | 
408 | Close the policy window.
409 | 
410 | On the scope tab:
411 | * Ensure the Link to the Computers OU is Enabled.
412 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **All-Workstations** group.
413 | * Ensure there is no WMI filter applied
414 | 
415 | On the Details tab:
416 | * Set GPO status to: **User configuration settings disabled**
417 | 
418 | On the Delegation tab:
419 | * Add **Authenticated Users** and give it READ permissions.
420 | 


--------------------------------------------------------------------------------
/04 - Deploy Software/InstallLAPS.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installLAPS.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2018-01-19 - Initial creation 
  8 |         
  9 | .SYNOPSIS
 10 |     Runs a task that installs the LAPS admin GUI on PAWs and registers the admpwd.dll file on all other clients.  We don't want the
 11 |     GUI on standard user workstations, so they only get the dll.
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges'
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installLAPS.ps1 <org>
 17 | .DESCRIPTION 
 18 |     What does this script do?
 19 |     - Checks to see if the LAPS dll is registered.  If not, it registers it.
 20 |     - If the computer is a PAW, it installs the LAPS GUI tool to C:\Program Files\LAPS
 21 |     What do I need to do?
 22 |     - Read the LAPS Administration guide which will walk you through extending your AD schema and setting permissions in AD for users to read your LAPS passwords
 23 |     - Download the LAPS files, extract them, and place them on a network share
 24 |     - Search this script for <changeme> and replace it with the required data.
 25 | 
 26 | .PARAMETER location
 27 |     No parameters required
 28 | 
 29 | .Example
 30 |     >.\installLAPS
 31 |     This will install the client on a Draper workstation
 32 | #>
 33 | 
 34 | ############
 35 | # Functions
 36 | ############
 37 | 
 38 | # All actions are logged by calling this function
 39 | function logging ($level, $text) {
 40 |     if ($debug -ne "on" -and $level -eq "D") {
 41 |         return
 42 |     }
 43 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 44 | 
 45 |     if ($blurb -ne "yes") {
 46 |         # Override the existing log file so it does not grow out of control
 47 |         Write-Output "$timeStamp I New log created" > $logLocation
 48 |         $script:blurb = "yes"
 49 |     }
 50 |     Write-Output "$timeStamp $level $text" >> $logLocation
 51 | }
 52 | 
 53 | # Check if program is installed
 54 | function checkDllIsRegistered {
 55 |     if (Test-Path $dllPath\$file4) {
 56 |         $pathExists = $true
 57 |     }
 58 |     else {
 59 |         $pathExists = $false
 60 |     }
 61 |     logging "D" "pathExists: $pathExists"
 62 |     return $pathExists
 63 | }
 64 | 
 65 | # Install LAPS client
 66 | function installLapsClient {
 67 | 
 68 |     # Install the LAPS client
 69 |     #################################
 70 |     if(test-path $remoteFile4) {
 71 |         Copy-Item $remoteFile4 $localFile4 -Force
 72 |         if ($?) {
 73 |             logging "I" "Copied $remoteFile4 to $localFile4"
 74 | 
 75 |             # Register dll
 76 |             Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s $localFile4" -Wait
 77 |             if ($?) {
 78 |                 logging "I" "Successfully Registererd DLL."
 79 |             }
 80 |             else {
 81 |                 logging "E" "Failed to register DLL."
 82 |                 exit
 83 |             }
 84 |         }
 85 |         else {
 86 |             logging "E" "Failed to copy file!"
 87 |             exit
 88 |         }
 89 |     }
 90 |     else {
 91 |         logging "E" "$remoteFile4 does not exist!  Check your network connection."
 92 |         exit
 93 |     }
 94 | }
 95 | 
 96 | # Install LAPS GUI
 97 | function installLapsGUI {
 98 | 
 99 |     # Copy some extra files in order to make the GUI work correctly for PAW users
100 |     ############################################################################
101 |     logging "I" "Computer is a PAW."
102 | 
103 |     if ((Test-Path $remoteFile2) -and (Test-Path $remoteFile3)) {
104 |         
105 |         if (!(Test-Path $localPath)) {
106 |             # Create the directory where the subsequint files will go
107 |             [void](New-Item $localPath -ItemType Directory)
108 |             if ($?) {
109 |                 logging "I" "Created $localPath."
110 |             }
111 |             else {
112 |                 logging "E" "Failed to create $localPath."
113 |             }
114 |         }
115 |         
116 |         if (!(Test-Path $localFile2)) {
117 |             # Copy the AdmPwd.Utils.dll file to the LAPS directory
118 |             Copy-Item $remoteFile2 $localFile2 -Force -Recurse
119 |             if ($?) {
120 |                 logging "I" "Copied $remoteFile2 to $localFile2"
121 |             }
122 |             else {
123 |                 logging "E" "Failed to Copy $remoteFile2 to $localFile2"
124 |             }
125 |         }
126 |         else {
127 |             logging "I" "$localFile2 already exists."
128 |         }
129 |         
130 |         if (!(Test-Path $localFile3)) {
131 |             # Copy the AdmPwd.UI.exe file to the LAPS directory
132 |             Copy-Item $remoteFile3 $localFile3 -Force -Recurse
133 |             if ($?) {
134 |                 logging "I" "Copied $remoteFile3 to $localFile3"
135 |             }
136 |             else {
137 |                 logging "E" "Failed to Copy $remoteFile3 to $localFile3"
138 |             }
139 |         }
140 |         else {
141 |             logging "I" "$localFile2 already exists."
142 |         }
143 |     }
144 |     else {
145 |         logging "E" "Could not access $remoteFile2 or $remoteFile3."
146 |     }
147 | }
148 | 
149 | ######################
150 | # Set global variables
151 | ######################
152 | 
153 | # Location where this script will log to
154 | # This is different than the msiexec installation log file, which you specify in the install command
155 | $logLocation = "c:\programdata\installLAPS.txt"
156 | 
157 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
158 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
159 | $debug = "on"
160 | #$debug = "off"
161 | 
162 | # Computer Name
163 | $computerName = $env:computername
164 | logging "D" "computername: $computername"
165 | 
166 | # Distinguished Name - cant use the activedirectory module, as all computers in the domain do not have this installed
167 | $filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$computerName))"
168 | $dn = ([adsisearcher]$filter).FindOne().Properties.distinguishedname
169 | logging "D" "dn: $dn"
170 | 
171 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
172 | $fileServer = "<changeme>"
173 | 
174 | # Set the path to the file share where the install files and logs exist
175 | $remotePath = "\\$fileServer\share\LAPS"
176 | logging "D" "remotePath: $remotePath"
177 | 
178 | # Set the install directory
179 | $localPath = "C:\Program Files\LAPS"
180 | logging "D" "localPath: $localPath"
181 | 
182 | # Set the DLL path
183 | $dllPath = "C:\Windows\system32"
184 | logging "D" "dllPath: $dllPath"
185 | 
186 | # Files that need to be copied over, both the full path to the remote file and full path to local file
187 | #$file1 = "AdmPwd.Utils.config"
188 | $file2 = "AdmPwd.Utils.dll"
189 | $file3 = "AdmPwd.UI.exe"
190 | $file4 = "AdmPwd.dll"
191 | $remoteFile2 = "$remotePath\$file2"
192 | $remoteFile3 = "$remotePath\$file3"
193 | $remoteFile4 = "$remotePath\$file4"
194 | $localFile1 = "$localPath\$file1"
195 | $localFile2 = "$localPath\$file2"
196 | $localFile3 = "$localPath\$file3"
197 | $localFile4 = "$dllPath\$file4"
198 | 
199 | #########
200 | # ACTION!
201 | #########
202 | 
203 | try {
204 |         
205 |     # TODO actually search the registry for the DLL name rather than seeing if it's copied to the local machine
206 |         
207 |     # Check if c:\windows\sytem32\admpwd.dll exists
208 |     if (checkDllIsRegistered) {
209 |         # DLL exists
210 |         logging "I" "LAPS client is already installed."
211 |     }
212 |     else {
213 |         logging "I" "LAPS client is not currently installed."
214 | 
215 |         # Install client
216 |         installLapsClient
217 |             
218 |         # Confirm client was installed successfully
219 |         if (checkDllIsRegistered) {
220 |             logging "I" "LAPS client was successfully installed."
221 |         }
222 |         else {
223 |             logging "E" "Failed to install LAPS client."
224 |         }
225 |     }
226 | 
227 |     # Install GUI if device is a PAW
228 |     if ($dn -like "*,OU=PAW,*") {
229 |         installLapsGUI
230 |     }
231 | }
232 | catch {
233 |     $line = $_.InvocationInfo.ScriptLineNumber
234 |     logging "E" "Caught exception: $($Error[0]) at line $line"
235 | }
236 | finally {
237 |     logging "I" "Exiting script."
238 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | PAWs often requires software that the standard workstation does not.  Among these are remote administrative software and diagnostics software.  Unless you have a software deployment tool like PDQ Deploy or SCCM, Group Policy will be our main go to for deployment.  From a single GPO using Group Policy Preferences (GPP), we can schedule the installation and configuration of many software made easy by Item Level Targeting.  However, for this guide, and in the real world, I recommend splitting the software deployment to the different groups of computers.  
  3 | 
  4 | ## What are the GPOs targeting?
  5 | 
  6 | This table indicates the GPOs and on which groups they filter:
  7 | 
  8 | GPO | Security Filtering
  9 | ----|----
 10 | Scheduled Task - Install Software - Servers | All-Servers
 11 | Scheduled Task - Install Software - PAW | PAW-AllPAWComputers
 12 | Scheduled Task - Install Software - workstations | All-Workstations
 13 | 
 14 | ## Deploy software to PAWs
 15 | 
 16 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Scheduled Task - Install Software - PAWs**.
 17 | 
 18 | Configure the following software deployments according to the settings under **GPO Settings** (Bottom of page)
 19 | 
 20 | #### Hyper-V
 21 | * Name of software: **Hyper-V**
 22 | * Name of script: **installHyperv.ps1**
 23 | 
 24 | #### MBAM Client
 25 | * Name of software: **MBAM Client**
 26 | * Name of script: **installMBAM.ps1**
 27 | 
 28 | #### Nmap
 29 | * Name of software: **Nmap**
 30 | * Name of script: **installNmap.ps1**
 31 | 
 32 | #### RSAT
 33 | * Name of Software: **RSAT**
 34 | * Name of script: **installRSAT.ps1**
 35 | 
 36 | #### Sysinternals Suite
 37 | * Name of Software: **Sysinternals Suite**
 38 | * Name of script: **installSysinternals.ps1**
 39 | 
 40 | #### LAPS
 41 | * Name of Software: **LAPS**
 42 | * Name of script: **installLAPS.ps1**
 43 | 
 44 | #### VMware VI Client
 45 | * Name of Software: **VIClient**
 46 | * Name of script: **installVIClient.ps1**
 47 | 
 48 | Close the policy window.
 49 | 
 50 | On the scope tab:
 51 | * Ensure the Link to the Computers OU is Enabled.  
 52 | * Remove **Authenticated Users** from the **Security Filtering** section and add **PAW-AllPAWComputers**.
 53 | * Ensure there is no WMI filter applied
 54 | 
 55 | On the Details tab:
 56 | * Set GPO status to: **User configuration settings disabled**
 57 | 
 58 | On the Delegation tab:
 59 | * Add **Authenticated Users** and give it READ permissions.
 60 | 
 61 | ## Deploy software to Servers
 62 | 
 63 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Scheduled Task - Install Software - PAWs**.
 64 | 
 65 | Configure the following software deployments according to the settings under **GPO Settings** (Bottom of page)
 66 | 
 67 | #### LAPS
 68 | * Name of Software: **LAPS**
 69 | * Name of script: **installLAPS.ps1**
 70 | 
 71 | Close the policy window.
 72 | 
 73 | On the scope tab:
 74 | * Ensure the Link to the Computers OU is Enabled.  
 75 | * Remove **Authenticated Users** from the **Security Filtering** section and add **All-Servers**.
 76 | * Ensure there is no WMI filter applied
 77 | 
 78 | On the Details tab:
 79 | * Set GPO status to: **User configuration settings disabled**
 80 | 
 81 | On the Delegation tab:
 82 | * Add **Authenticated Users** and give it READ permissions.
 83 | 
 84 | ## Deploy software to Workstations
 85 | 
 86 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Scheduled Task - Install Software - Workstations**.
 87 | 
 88 | Configure the following software deployments according to the settings under **GPO Settings** (Bottom of page)
 89 | 
 90 | #### LAPS
 91 | * Name of Software: **LAPS**
 92 | * Name of script: **installLAPS.ps1**
 93 | 
 94 | #### MBAM Client
 95 | * Name of software: **MBAM Client**
 96 | * Name of script: **installMBAM.ps1**
 97 | 
 98 | Close the policy window.
 99 | 
100 | On the scope tab:
101 | * Ensure the Link to the Computers OU is Enabled.  
102 | * Remove **Authenticated Users** from the **Security Filtering** section and add **All-Workstations**.
103 | * Ensure there is no WMI filter applied
104 | 
105 | On the Details tab:
106 | * Set GPO status to: **User configuration settings disabled**
107 | 
108 | On the Delegation tab:
109 | * Add **Authenticated Users** and give it READ permissions.
110 | 
111 | ## GPO Settings
112 | 
113 | ***Computer Configuration > Preferences > Windows Settings > Control Panel Settings > Scheduled Tasks***
114 | 
115 | Right Click > New > Scheduled Task (At least Windows 7)
116 | 
117 | General tab
118 | * Action: **Update**
119 | * Name: **Install Feature - <Name of software>**
120 | * Description: **Install <Name of software>.**
121 | * Run as: **NT AUTHORITY\System**, **Run whether user is logged in or not**
122 | * Hidden: **checked**
123 | * Do not run with highest privileges
124 | * Configure for Windows Vista or Windows Server 2008
125 | 
126 | Triggers tab
127 | * Begin the task: **On a Scheduled**
128 | * Settings: **One time**
129 | * Delay task for up to (random delay): **1 hour**
130 | * Repeat the task every: **1 hour** for a duration of **Indefinitely**
131 | * Enabled: **Checked**
132 | 
133 | Actions tab
134 | * Action: **Start a program**
135 | * Program: **powershell.exe**
136 | * Add argument(optional): **-executionpolicy bypass \\server\share\<name of script>**
137 | 
138 | Settings tab
139 | * Allow task to be run on demand


--------------------------------------------------------------------------------
/04 - Deploy Software/installCmder.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installCmder.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2017-12-19 - Initial creation
  8 | 
  9 | .SYNOPSIS
 10 |     This script copies the cmder files to your workstation.
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installCmder.ps1
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks to see if the Cmder directory exists on local machine
 21 |     - Copies the zip, extracts, and configures the application
 22 | 
 23 |     What do I need to do?
 24 |     - Search this script for <changeme> and replace it with the required data.
 25 |     - Download the cmder zip file from: http://cmder.net.  I prefer the full download over mini.
 26 |     - place the .zip file on your file server
 27 | 
 28 | .PARAMETERS
 29 |     - This script takes no parameters
 30 | 
 31 | .Example
 32 |     >.\installCmder
 33 |     Runs the script
 34 | #>
 35 | 
 36 | # Location where this script will log to
 37 | $logLocation = "$env:ProgramData\installCmder.txt"
 38 | 
 39 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 40 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 41 | $debug = "on"
 42 | #$debug = "off"
 43 | 
 44 | ###########
 45 | # Functions
 46 | ###########
 47 | 
 48 | function logging ($level, $text) {
 49 |     if ($debug -ne "on" -and $level -eq "D") {
 50 |         return
 51 |     }
 52 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 53 | 
 54 |     if ($blurb -ne "yes") {
 55 |         # Override the existing log file so it does not grow out of control
 56 |         Write-Output "$timeStamp I New log created" > $logLocation
 57 |         $script:blurb = "yes"
 58 |     }
 59 | 
 60 |     Write-Output "$timeStamp $level $text" >> $logLocation
 61 | }
 62 | 
 63 | # Copy the zip, extract to c:\tools
 64 | function installCmder {
 65 |     # Copy the zip file to temp
 66 |     logging "I" "Copying $remotePath to $tempDir..."
 67 |     Copy-Item $remotePath $tempDir -ErrorAction Stop
 68 | 
 69 |     # Extract the archive
 70 |     logging "I" "Extracting $tempDir\$fileName to $localPath..."
 71 |     Expand-Archive $tempDir\$fileName $localPath -ErrorAction Stop -Force
 72 |     
 73 |     # Delete the temp archive
 74 |     logging "I" "Deleting $tempDir\$fileName..."
 75 |     Remove-Item $tempDir\$fileName
 76 | }
 77 | 
 78 | # Compair the creation dates of two folders to determine is sync is needed
 79 | function compairCreation {
 80 |     $remoteCreation = (Get-ItemProperty $remotePath).CreationTime
 81 |     logging "D" "$remotePath creation time: $remoteCreation"
 82 | 
 83 |     $localCreation = (Get-ItemProperty $localPath).CreationTime
 84 |     logging "D" "$localPath creation time: $localCreation"
 85 | 
 86 |     if ($localCreation -eq $remoteCreation) {
 87 |         $sameDate = $true
 88 |     }
 89 |     else {
 90 |         $sameDate = $false
 91 |     }
 92 |     logging "D" "sameDate: $sameDate"
 93 |     return $sameDate
 94 | }
 95 | 
 96 |  # Set the creationTime of localPath to that of remotePath
 97 |  function setCreation {
 98 |     $remoteCreation = (Get-ItemProperty $remotePath).CreationTime
 99 |     Set-ItemProperty $localPath -Name CreationTime -Value $remoteCreation
100 | 
101 |     # Confirm creation date is the same for both remote and localPath
102 |     if (compairCreation) {
103 |         logging "I" "Creation dates are the same."
104 |     }
105 |     else {
106 |         logging "E" "Creation dates are still not the same.  Check your installation script."
107 |     }
108 |  }
109 | 
110 | # Add string to PATH
111 | function changePath ($addendum) {
112 |     $regLocation = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment"
113 |     $oldPath = (Get-ItemProperty -Path $regLocation -Name PATH).path
114 |     logging "D" "oldPath: $oldPath"
115 |     if ($oldPath -like "*$addendum*") { 
116 |         logging "I" "Looks like $addendum is already in PATH.  Will not add."
117 |     }
118 |     else {
119 |         $newPath = "$oldPath;$addendum"
120 |         Set-ItemProperty -Path $regLocation -Name PATH -Value $newPath
121 |         logging "D" "newPath: $newPath"
122 |     }
123 | }
124 | 
125 | ###########
126 | # Variables
127 | ###########
128 | 
129 | # Name of the program
130 | $programName = "cmder"
131 | 
132 | # Directory we will put Cmder
133 | $localDir = "$env:SystemDrive\Tools"
134 | logging "D" "localDir: $localDir"
135 | 
136 | # Full path to local sysinternal directory
137 | $localPath = "$localDir\$programName"
138 | logging "D" "localPath: $localPath"
139 | 
140 | # Name of the file server that holds the program.  For example: $fileServer = "serverdfs01"
141 | $fileServer = "<changeme>"
142 | 
143 | # Directory we want to copy Cmder from
144 | $remoteDir =  "\\$fileServer\share\$programName"
145 | logging "D" "remoteDir: $remoteDir"
146 | 
147 | # Get the name of the .zip file
148 | $fileName = (get-item $remoteDir\*.zip).Name
149 | logging "D" "fileName: $fileName"
150 | 
151 | # Full Path to .zip file
152 | $remotePath = "$remoteDir\$fileName"
153 | logging "D" "remotePath: $remotePath"
154 | 
155 | # Temp directory, where we will copy the zip file before extracting to its final destination
156 | $tempDir = $env:TEMP
157 | logging "D" "tempDir: $tempDir"
158 | 
159 | ################
160 | # Aaaand Action!
161 | ################
162 | 
163 | try {
164 |     # Check if Cmder exists on local system
165 |     if (!(test-path -path $localPath)) {
166 |         logging "I" "$programName is not installed."
167 | 
168 |         # Copy and extract cmder zip
169 |         installCmder
170 | 
171 |         # Set creation date on localPath
172 |         setCreation
173 | 
174 |         # Add to PATH - Not needed for this tool, but good to keep just in case.
175 |         #changePath $localPath
176 |     }
177 |     else {
178 |         logging "I" "$programName is already installed."
179 | 
180 |         # Check creation date.  If they are different, delete and re-install
181 |         # if they are the same, exit
182 |         if (compairCreation) {
183 |             logging "I" "Creation dates are the same."
184 |         }
185 |         else {
186 |             logging "W" "Creation dates are not the same. Must recopy files."
187 | 
188 |             # Delete localPath
189 |             Remove-Item -Recurse $localPath
190 |             if (!(test-path -path $localPath)) {
191 |                 logging "I" "Successfully deleted $localPath."
192 |             }
193 |             else {
194 |                 logging "E" "Failed to delete $localPath."
195 |             }
196 | 
197 |             # Copy and extract cmder zip
198 |             installCmder
199 | 
200 |             # Set creation date on localPath
201 |             setCreation
202 |         }
203 |     }
204 | }
205 | catch {
206 |     $line = $_.InvocationInfo.ScriptLineNumber
207 |     logging "E" "Caught exception: $($Error[0]) at line $line"
208 | }
209 | finally {
210 |     logging "I" "Exiting Script."
211 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installHyperV.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installHyperV.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2018-01-03 - Initial creation
  8 | 
  9 | .SYNOPSIS
 10 |     This script enables the Windows-Hyper-V feature if it is Disabled.
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installHyperV.ps1
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks to see if the Hyper-V role is enabled on the machine
 21 |     - Enables it if not
 22 | 
 23 |     What do I need to do?
 24 |     - Nothing.  This script relies on on external resources.
 25 | 
 26 | .PARAMETERS
 27 |     - This script takes no parameters
 28 | 
 29 | .Example
 30 |     >.\installHyperV
 31 |     Runs the script
 32 | #>
 33 | 
 34 | # Location where this script will log to
 35 | $logLocation = "$env:ProgramData\installHyperV.txt"
 36 | 
 37 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 38 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 39 | $debug = "on"
 40 | #$debug = "off"
 41 | 
 42 | ###########
 43 | # Functions
 44 | ###########
 45 | 
 46 | function logging ($level, $text) {
 47 |     if ($debug -ne "on" -and $level -eq "D") {
 48 |         return
 49 |     }
 50 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 51 | 
 52 |     if ($blurb -ne "yes") {
 53 |         # Override the existing log file so it does not grow out of control
 54 |         Write-Output "$timeStamp I New log created" > $logLocation
 55 |         $script:blurb = "yes"
 56 |     }
 57 | 
 58 |     Write-Output "$timeStamp $level $text" >> $logLocation
 59 | }
 60 | 
 61 | # Check to see if the feature is installed and enabled
 62 | function checkFeature {
 63 |     if ((Get-WindowsOptionalFeature -FeatureName $feature -Online).state -eq "Enabled") {
 64 |         $featureState = $true
 65 |     }
 66 |     else {
 67 |         $featureState = $false
 68 |     }
 69 |     logging "D" "featureState: $featureState"
 70 |     return $featureState
 71 | }
 72 | 
 73 | ###########
 74 | # Variables
 75 | ###########
 76 | 
 77 | $feature = "Microsoft-Hyper-V"
 78 | 
 79 | ################
 80 | # Aaaand Action!
 81 | ################
 82 | 
 83 | try {
 84 |     # if Hyper-V feature is disabled, enable it
 85 |     if (!(checkFeature -eq $true)) {
 86 |         logging "I" "$feature is not installed. Installing..."
 87 |         
 88 |         # Install command
 89 |         Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart -All
 90 | 
 91 |         # Confirm feature was correctly installed
 92 |         if (!(checkFeature -eq $true)) {
 93 |             logging "E" "Failed to install $feature."
 94 |         }
 95 |         else {
 96 |             logging "I" "Successfully installed $feature."
 97 |         }
 98 |     }
 99 |     else {
100 |         logging "I" "$feature is already installed."
101 |     }
102 | }
103 | catch {
104 |     logging "E" $Error[0]
105 | }
106 | finally {
107 |     logging "I" "Exiting script."
108 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installMBAM.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installMBAM.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2018-01-08 - Initial creation 
  8 |         
  9 | .SYNOPSIS
 10 |     This script installs MBAM, needed for enabling Bitlocker
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges'
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installMBAM.ps1 <org>
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks if installed, if not it installs and verifies successful installation
 21 |     - Checks service is running, if not it starts it and verifies successful start
 22 | 
 23 |     What do I need to do?
 24 |     - Deploy and configure your MBAM server architecture (https://goo.gl/fcZow9)
 25 |     - Search this script for <changeme> and replace it with the required data.
 26 | 
 27 | .PARAMETER location
 28 |     This script requires no parameters
 29 | 
 30 | .Example
 31 |     >.\installMBAM
 32 |     Installs MBAM on the client computer
 33 | #>
 34 | 
 35 | ############
 36 | # Functions
 37 | ############
 38 | 
 39 | # All actions are logged by calling this function
 40 | function logging ($level, $text) {
 41 |     if ($debug -ne "on" -and $level -eq "D") {
 42 |         return
 43 |     }
 44 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 45 | 
 46 |     if ($blurb -ne "yes") {
 47 |         # Override the existing log file so it does not grow out of control
 48 |         Write-Output "$timeStamp I New log created" > $logLocation
 49 |         $script:blurb = "yes"
 50 |     }
 51 | 
 52 |     Write-Output "$timeStamp $level $text" >> $logLocation
 53 | }
 54 | 
 55 | # Check if a service exists
 56 | function checkServiceExists ($serviceName) {
 57 |     # Check if service exists
 58 |     if (Get-Service $serviceName -EA SilentlyContinue) {
 59 |         $serviceExists = $true
 60 |     }
 61 |     else {
 62 |         $serviceExists = $false
 63 |     }
 64 |     logging "D" "serviceExists: $serviceExists"
 65 |     return $serviceExists
 66 | }
 67 | 
 68 | # Check if a service is running or not
 69 | function checkServiceStatus ($serviceName) {
 70 |     if ($(get-service $serviceName).Status -eq "Running") {
 71 |         $serviceStatus = $true
 72 |     }
 73 |     else {
 74 |         $serviceStatus = $false
 75 |     }
 76 |     logging "D" "serviceStatus: $serviceStatus"
 77 |     return $serviceStatus
 78 | }
 79 | 
 80 | function installMBAM {
 81 |     # Check that the path to the install file exists and install
 82 |     if (Test-Path $installPath) {
 83 |         logging "D" "install command: msiexec /qn /lvoicewarmupx $installLog /package $installPath REBOOT=ReallySuppress"
 84 |         Start-Process -FilePath msiexec -ArgumentList /qn, /lvoicewarmupx, $installLog, /package, $installPath, REBOOT=ReallySuppress -Wait
 85 |     }
 86 |     else {
 87 |         logging "E" "$installFilePath does not exist"
 88 |         #exit
 89 |     }
 90 | }
 91 | 
 92 | ######################
 93 | # Set global variables
 94 | ######################
 95 | 
 96 | # Location where this script will log to
 97 | # This is different than the msiexec installation log file, which you specify in the install command
 98 | $logLocation = "C:\ProgramData\installMBAM.txt"
 99 | 
100 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
101 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
102 | $debug = "on"
103 | #$debug = "off"
104 | 
105 | # Program Name
106 | $programName = "MBAM"
107 | logging "D" "programName: $programName"
108 | 
109 | # Name of the MBAM Service
110 | $serviceName = "MBAMAgent"
111 | logging "D" "serviceName: $serviceName"
112 | 
113 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
114 | $fileServer = "<changeme>"
115 | 
116 | # Location of the installation files
117 | $remoteDir = "\\$fileServer\share\mbam"
118 | logging "D" "remoteDir: $remoteDir"
119 | 
120 | # name of the installation file
121 | $installFile = "MbamClientSetup2_5_1100.msi"
122 | logging "D" "installFile: $installFile"
123 | 
124 | # Full path to install file
125 | $installPath = "$remoteDir\$installFile"
126 | logging "D" "installPath: $installPath"
127 | 
128 | # Path to the msi install logs
129 | $installLog = "$env:programdata\installMBAM-msiLog.txt"
130 | logging "D" "installLog: $installLog"
131 | 
132 | ##################
133 | # Aaaaaaad ACTION!
134 | ##################
135 | 
136 | try {
137 | 
138 |     # Is MBAM installed?
139 |     ###################################
140 |     if ($(checkServiceExists $serviceName) -eq $true) {
141 |         logging "I" "$programName Agent is installed."
142 |     }
143 |     else {
144 |         logging "I" "$programName is not currently installed."
145 | 
146 |         # Install
147 |         installMBAM
148 | 
149 |         # Did it install correctly?
150 |         if ($(checkServiceExists $serviceName) -eq $true) {
151 |             logging "I" "$programName installed correctly."
152 |         }
153 |         else {
154 |             logging "E" "$programName did not install correctly. Service $serviceName still not found."
155 |         }
156 |     }
157 | 
158 |     # Is the MBAM agent service started?
159 |     #############################################
160 |     if ($(checkServiceStatus $serviceName) -eq $true) {
161 |         logging "I" "Service $serviceName is running."
162 |     }
163 |     else {
164 |         logging "I" "Service $serviceName is not running."
165 | 
166 |         # Start Service
167 |         Start-Service $serviceName
168 | 
169 |         # Did it start correctly?
170 |         if ($(checkServiceStatus $serviceName) -eq $true) {
171 |             logging "I" "Successfully started service $serviceName"
172 |         }
173 |         else {
174 |             logging "E" "Failed to start service $serviceName."
175 |         }
176 |     }
177 | }
178 | catch {
179 |     $line = $_.InvocationInfo.ScriptLineNumber
180 |     logging "E" "Caught exception: $($Error[0]) at line $line"
181 | }
182 | finally {
183 |     logging "I" "Exiting script."
184 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installNmap.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installNmap.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2017-12-18 - Initial creation
  8 |         
  9 | .SYNOPSIS
 10 |     This script isntalls Nmap.
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installNmap.ps1
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks if Nmap is already installed. If not, it installs
 21 |     - Creates several registry keys for performance
 22 |     - Adds the Nmap directory to Windows PATH
 23 | 
 24 |     What do I need to do?
 25 |     - Search this script for <changeme> and replace it with the required data.
 26 | 
 27 | .PARAMETERS
 28 |     - This script takes no parameters
 29 | 
 30 | .Example
 31 |     >.\installNmap
 32 |     Runs the script
 33 | #>
 34 | 
 35 | # Location where this script will log to
 36 | $logLocation = "$env:ProgramData\installNmap.txt"
 37 | 
 38 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 39 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 40 | $debug = "on"
 41 | #$debug = "off"
 42 | 
 43 | ###########
 44 | # Functions
 45 | ###########
 46 | 
 47 | function logging ($level, $text) {
 48 |     if ($debug -ne "on" -and $level -eq "D") {
 49 |         return
 50 |     }
 51 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 52 | 
 53 |     if ($blurb -ne "yes") {
 54 |         # Override the existing log file so it does not grow out of control
 55 |         Write-Output "$timeStamp I New log created" > $logLocation
 56 |         $script:blurb = "yes"
 57 |     }
 58 | 
 59 |     Write-Output "$timeStamp $level $text" >> $logLocation
 60 | }
 61 | 
 62 | # Check if directory exists
 63 | function checkPath ($pathItem) {
 64 |     if (test-path -path $pathItem) {
 65 |         $pathExists = $true
 66 |     }
 67 |     else {
 68 |         $pathExists = $false
 69 |     }
 70 |     logging "D" "$pathItem exists: $pathExists"
 71 |     return $pathExists
 72 | }
 73 | 
 74 | # Rename the Nmap installation Directory if it is not "Nmap"
 75 | function renameItem {
 76 |     $installDir = (Get-Item $localDir\nmap*).Name
 77 |     logging "D" "installDir: $installDir"
 78 |     Rename-Item $localDir\$installDir $localDir\$programName
 79 |     logging "I" "Renamed the installation directory from $localDir\$installDir to $localDir\$programName."
 80 |     
 81 | }
 82 | 
 83 | # Modify PATH variable
 84 | function changePath ($action, $addendum) {
 85 |     $regLocation = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment"
 86 |     logging "D" "regLocation: $regLocation"
 87 | 
 88 |     $path = (Get-ItemProperty -Path $regLocation -Name PATH).path
 89 |     logging "D" "Old Path: $path"
 90 |     
 91 |     # Add an item to PATH
 92 |     if ($action -eq "add") {
 93 |         logging "I" "Adding $addendum to PATH variable..."
 94 |         $path = "$path;$addendum"
 95 |         Set-ItemProperty -Path $regLocation -Name PATH -Value $path
 96 |     }
 97 | 
 98 |     # Remove an item from PATH
 99 |     if ($action -eq "remove") {
100 |         logging "I" "Removing $addendum from PATH variable..."
101 |         $path = ($path.Split(';') | Where-Object { $_ -ne "$addendum" }) -join ';'
102 |         Set-ItemProperty -Path $regLocation -Name PATH -Value $path
103 |     }
104 |     
105 |     $path = (Get-ItemProperty -Path $regLocation -Name PATH).path
106 |     logging "I" "New Path: $path"
107 | }
108 | 
109 | # Install Nmap and npcap
110 | function installNmap {
111 |     # Copy the zip file to temp
112 |     logging "I" "Copying $remotePath to $tempDir..."
113 |     Copy-Item $remotePath $tempDir -ErrorAction Stop
114 | 
115 |     # Extract the archive
116 |     logging "I" "Extracting $tempDir\$fileName to $localDir..."
117 |     Expand-Archive $tempDir\$fileName $localDir -ErrorAction Stop -Force
118 |     
119 |     # Delete the temp archive
120 |     logging "I" "Deleting $tempDir\$fileName..."
121 |     Remove-Item $tempDir\$fileName
122 | 
123 |     # Rename the install directory
124 |     renameItem
125 | 
126 |     # Install npcap
127 |     logging "I" "Installing npcap..."
128 |     $npcapInstaller = (Get-Item $localPath\npcap*.exe).Name
129 |     & $localPath\$npcapInstaller /S
130 |     
131 |     # Install the Microsoft Visual C++ 2013 Redistributable Package
132 |     logging "I" "Installing the Microsoft Visual C++ 2013 Redistributable Package..."
133 |     $vcredistInstaller = "vcredist_x86.exe"
134 |     & $localPath\$vcredistInstaller /q
135 | 
136 |     # Add registry changes for performance improvements
137 |     $regFile = "nmap_performance.reg"
138 |     logging "I" "Importing registry settings with the following command: reg.exe import $localPath\$regFile"
139 |     & reg.exe import $localPath\$regFile
140 | 
141 |     # Add to PATH if not already
142 |     changePath "add" $localPath
143 | }
144 | 
145 | function uninstallNmap {
146 |     # uninstall Nmap
147 |     logging "I" "Uninstalling $programName..."
148 |     Remove-Item -Recurse $localPath -Force
149 |     if (!(test-path -path $localPath)) {
150 |         logging "I" "Successfully deleted $localPath."
151 |     }
152 |     else {
153 |         logging "E" "Failed to delete $localPath."
154 |     }
155 | 
156 |     # Uninstall npcap
157 |     logging "I" "Uninstalling npcap..."
158 |     $pathToNpcap = "$env:ProgramFiles\npcap"
159 |     & $pathToNpcap\uninstall.exe /q
160 |     Remove-Item -Recurse $pathToNpcap -Force
161 |     if (!(test-path -path $pathToNpcap)) {
162 |         logging "I" "Successfully deleted $pathToNpcap."
163 |     }
164 |     else {
165 |         logging "E" "Failed to delete $pathToNpcap."
166 |     }
167 |     
168 |     # Remove Nmap from PATH
169 |     changePath "remove" $localPath
170 | 
171 |     # TODO - do we really need to remove the registry changes?  I don't think so...
172 | 
173 | }
174 | 
175 | function checkUpToDate {
176 |     # Get the remote verion
177 |     $remoteVersion = ($remotePath).Split('-')[1]
178 |     logging "D" "remoteVersion: $remoteVersion"
179 | 
180 |     # Get the local version
181 |     $localVersion = (Get-Item $localPath\nmap.exe).VersionInfo.FileVersion
182 |     logging "D" "localVersion: $localVersion"
183 | 
184 |     # Compair versions and return $upToDate
185 |     if ($localVersion -eq $remoteVersion) {
186 |         $upToDate = $true
187 |     }
188 |     else {
189 |         $upToDate = $false
190 |     }
191 |     logging "D" "upToDate: $upToDate"
192 |     return $upToDate
193 | }
194 | 
195 | ###########
196 | # Variables
197 | ###########
198 | 
199 | # Program Name
200 | $programName = "Nmap"
201 | 
202 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
203 | $fileServer = "<changeme>"
204 | 
205 | # Location of the remote install file
206 | $remoteDir = "\\$fileServer\share\Nmap"
207 | $fileName = (get-item $remoteDir\nmap*.zip).Name
208 | $remotePath =  "$remoteDir\$fileName"
209 | logging "D" "fileName: $fileName"
210 | logging "D" "remotePath: $remotePath"
211 | 
212 | # Location of the local install directory
213 | $localDir = $env:ProgramFiles
214 | $localPath = "$localDir\$programName"
215 | logging "D" "localPath: $localPath"
216 | 
217 | # Temp directory, where we will copy the zip file before extracting to its final destination
218 | $tempDir = $env:TEMP
219 | logging "D" "tempDir: $tempDir"
220 | 
221 | ################
222 | # Aaaand Action!
223 | ################
224 | 
225 | try {
226 | 
227 |     # Check if Nmap is installed
228 |     if (checkPath $localPath) {
229 |         logging "I" "Nmap is installed."
230 | 
231 |         # Check if Nmap is current
232 |         if (checkUpToDate) {
233 |             logging "I" "Nmap is up to date."
234 |         }
235 |         else {
236 |             logging "I" "Nmap is out of date."
237 | 
238 |             # Uninstall Nmap
239 |             uninstallNmap
240 | 
241 |             # Install Nmap and dependancies
242 |             installNmap
243 | 
244 |             # Confirm Nmap is current
245 |             if (checkUpToDate) {
246 |                 logging "I" "Nmap is up to date."
247 |             }
248 |             else {
249 |                 logging "D" "Failed to update Nmap!"
250 |             }
251 | 
252 |         }
253 |     }
254 |     else {
255 |         logging "I" "Nmap is not installed."
256 |         
257 |         # Install Nmap and dependancies
258 |         installNmap
259 | 
260 |         # Confirm Nmap is current
261 |         if (checkUpToDate) {
262 |             logging "I" "Nmap is up to date."
263 |         }
264 |         else {
265 |             logging "D" "Failed to update Nmap!"
266 |         }
267 |     }
268 | }
269 | catch {
270 |     $line = $_.InvocationInfo.ScriptLineNumber
271 |     logging "E" "Caught exception: $($Error[0]) at line $line"
272 | }
273 | finally {
274 |     logging "I" "Exiting script."
275 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installRSAT.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installRSAT.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2017-12-15 - Initial creation
  8 | 
  9 | .SYNOPSIS
 10 |     This script installs RSAT for Windows 10 1709+.  
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installRSAT.ps1
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks to see if RSAT is installed, if so it exits
 21 |     - Copies the isntallation file to the local machine (installation is faster)
 22 |     - Installs RSAT via wusa.exe
 23 |     - Confirms correct installation
 24 | 
 25 |     What do I need to do?
 26 |     - Download RSAT (https://www.microsoft.com/en-us/download/details.aspx?id=45520)
 27 |     - Place the .msu file on your network file share
 28 |     - Search this script for <changeme> and replace it with the required data
 29 | 
 30 | .PARAMETERS
 31 |     - This script takes no parameters
 32 | 
 33 | .Example
 34 |     >.\installRSAT
 35 |     Runs the script and installs RSAT, assuming the installation file exists on the remote share
 36 | 
 37 | 
 38 | #>
 39 | 
 40 | # Location where this script will log to
 41 | $logLocation = "$env:ProgramData\installRSAT.txt"
 42 | 
 43 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 44 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 45 | $debug = "on"
 46 | #$debug = "off"
 47 | 
 48 | ###########
 49 | # Functions
 50 | ###########
 51 | 
 52 | function logging ($level, $text) {
 53 |     if ($debug -ne "on" -and $level -eq "D") {
 54 |         return
 55 |     }
 56 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 57 | 
 58 |     if ($blurb -ne "yes") {
 59 |         # Override the existing log file so it does not grow out of control
 60 |         Write-Output "$timeStamp I New log created" > $logLocation
 61 |         $script:blurb = "yes"
 62 |     }
 63 | 
 64 |     Write-Output "$timeStamp $level $text" >> $logLocation
 65 | }
 66 | 
 67 | 
 68 | ###########
 69 | # Variables
 70 | ###########
 71 | 
 72 | # Get the OS Version.  Used to determine which installation package to use
 73 | $osVersion = [System.Environment]::OSVersion.Version.Build
 74 | logging "D" "OSVersion: $osVersion"
 75 | 
 76 | # NOTE!!!
 77 | # This part may be making it more complicated than it needs.  I'm not sure if the 1709 is backwards compatible.  
 78 | # If it is, then this section can be removed.  No time to test...
 79 | 
 80 | # The RSAT isntallation package is different for different builds of Windows 10
 81 | # 16299 = 1709
 82 | # 15063 = 1703
 83 | if ($osVersion -eq 16299) {
 84 |     $hotfix = "WindowsTH-RSAT_WS_1709-x64.msu" 
 85 | }
 86 | logging "D" "hotfix: $hotfix"
 87 | 
 88 | # Directory we want to copy RSAT installation file to
 89 | $localPath = "C:\tools\RSAT"
 90 | logging "D" "localPath: $localPath"
 91 | 
 92 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
 93 | $fileServer = "<changeme>"
 94 | 
 95 | # Directory we want to copy RSAT installation file from
 96 | $remotePath =  "\\$fileServer\share\RSAT"
 97 | logging "D" "remotePath: $remotePath"
 98 | 
 99 | ################
100 | # Aaaand Action!
101 | ################
102 | 
103 | try {
104 |     # See if RSAT is installed.  If not, install.
105 |     if (!(Get-HotFix -id kb2693643)) {
106 |         logging "I" "RSAT is not currently installed."
107 |         
108 |         # if $localPath does not exist, create it
109 |         if (!(test-path -path $localPath)) {
110 |             logging "I" "$localPath does not exist!  Will create."
111 |             new-Item $localPath -ItemType Directory
112 |             if (!(test-path -path $localPath)) {
113 |                 logging "E" "Failed to create $localPath!"
114 |                 exit
115 |             }
116 |         }
117 |         else {
118 |             logging "I" "$localPath already exists."
119 |         }
120 | 
121 |         # if instalation file does not exist on machine, copy it
122 |         if (!(Test-Path -Path $localPath\$hotfix)) {
123 |             logging "I" "Copying RSAT installation file..."
124 |             Copy-Item $remotePath\$hotfix $localPath
125 |             if (!(Test-Path -Path $localPath\$hotfix)) {
126 |                 logging "I" "Successfully copied file."
127 |             }
128 |             else {
129 |                 logging "E" "Failed to copy file!"
130 |                 exit
131 |             }
132 |         }
133 |         else {
134 |             logging "I" "RSAT installation file already exists at $localPath."
135 |         }
136 |         
137 |         logging "I" "Attempting to install RSAT..."
138 | 
139 |         # Install RSAT, and wait until finished before continuing
140 |         Start-Process -FilePath $env:SystemRoot\system32\wusa.exe -ArgumentList ("$localPath\$hotfix", '/quiet') -Wait
141 |         
142 |         # Check to see if RSAT installed successfully
143 |         if (!(Get-HotFix -id kb2693643)) {
144 |             logging "E" "Failed to install RSAT!"
145 |             exit
146 |         }
147 |         else {
148 |             logging "I" "Successfully installed RSAT."
149 |         }
150 |     }
151 |     else {
152 |         logging "I" "RSAT is already installed."
153 |     }
154 | }
155 | catch {
156 |     $line = $_.InvocationInfo.ScriptLineNumber
157 |     logging "E" "Caught exception: $($Error[0]) at line $line"
158 | }
159 | finally {
160 |     logging "I" "Exiting Script."
161 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installSysinternals.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installSysinternals.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2017-12-15 - Initial creation
  8 | 
  9 | .SYNOPSIS
 10 |     This script copies the Sysinternals files to your workstation.
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installSysinternals.ps1
 17 | 
 18 | .DESCRIPTION 
 19 |     What does this script do?
 20 |     - Checks to see if the SysinternalsSuite directory exists on local machine (C:\Tools\Sysinternals)
 21 |     - Copies the tool's zip file to the local machine and extracts to the C:\Tools\Sysinternals location
 22 |     - Adds 
 23 | 
 24 |     What do I need to do?
 25 |     - Download the latest stable command-line zipfile (https://nmap.org/download.html) NOT the self-installer!!
 26 |     - put the zip file on your network file share
 27 |     - Search this script for <changeme> and replace it with the required data.
 28 | 
 29 | .PARAMETERS
 30 |     - This script takes no parameters
 31 | 
 32 | .Example
 33 |     >.\installSysinternals
 34 |     Runs the script
 35 | #>
 36 | 
 37 | # Location where this script will log to
 38 | $logLocation = "$env:ProgramData\installSysinternals.txt"
 39 | 
 40 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 41 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 42 | $debug = "on"
 43 | #$debug = "off"
 44 | 
 45 | ###########
 46 | # Functions
 47 | ###########
 48 | 
 49 | function logging ($level, $text) {
 50 |     if ($debug -ne "on" -and $level -eq "D") {
 51 |         return
 52 |     }
 53 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 54 | 
 55 |     if ($blurb -ne "yes") {
 56 |         # Override the existing log file so it does not grow out of control
 57 |         Write-Output "$timeStamp I New log created" > $logLocation
 58 |         $script:blurb = "yes"
 59 |     }
 60 | 
 61 |     Write-Output "$timeStamp $level $text" >> $logLocation
 62 | }
 63 | 
 64 | # Copy the zip, extract to c:\tools
 65 | function installSI {
 66 |     # Copy the zip file to temp
 67 |     logging "I" "Copying $remotePath to $tempDir..."
 68 |     Copy-Item $remotePath $tempDir -ErrorAction Stop
 69 | 
 70 |     # Extract the archive
 71 |     logging "I" "Extracting $tempDir\$fileName to $localPath..."
 72 |     Expand-Archive $tempDir\$fileName $localPath -ErrorAction Stop -Force
 73 |     
 74 |     # Delete the temp archive
 75 |     logging "I" "Deleting $tempDir\$fileName..."
 76 |     Remove-Item $tempDir\$fileName
 77 | }
 78 | 
 79 | # Compair the creation dates of two folders to determine is sync is needed
 80 | function compairCreation {
 81 |     $remoteCreation = (Get-ItemProperty $remotePath).CreationTime
 82 |     logging "D" "$remotePath creation time: $remoteCreation"
 83 | 
 84 |     $localCreation = (Get-ItemProperty $localPath).CreationTime
 85 |     logging "D" "$localPath creation time: $localCreation"
 86 | 
 87 |     if ($localCreation -eq $remoteCreation) {
 88 |         $sameDate = $true
 89 |     }
 90 |     else {
 91 |         $sameDate = $false
 92 |     }
 93 |     logging "D" "sameDate: $sameDate"
 94 |     return $sameDate
 95 | }
 96 | 
 97 |  # Set the creationTime of localPath to that of remotePath
 98 |  function setCreation {
 99 |     $remoteCreation = (Get-ItemProperty $remotePath).CreationTime
100 |     Set-ItemProperty $localPath -Name CreationTime -Value $remoteCreation
101 | 
102 |     # Confirm creation date is the same for both remote and localPath
103 |     if (compairCreation) {
104 |         logging "I" "Creation dates are the same."
105 |     }
106 |     else {
107 |         logging "E" "Creation dates are still not the same.  Check your installation script."
108 |     }
109 |  }
110 | 
111 | # Add string to PATH
112 | function changePath ($addendum) {
113 |     $regLocation = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment"
114 |     $oldPath = (Get-ItemProperty -Path $regLocation -Name PATH).path
115 |     logging "D" "oldPath: $oldPath"
116 |     if ($oldPath -like "*$addendum*") { 
117 |         logging "I" "Looks like $addendum is already in PATH.  Will not add."
118 |     }
119 |     else {
120 |         $newPath = "$oldPath;$addendum"
121 |         Set-ItemProperty -Path $regLocation -Name PATH -Value $newPath
122 |         logging "D" "newPath: $newPath"
123 |     }
124 | }
125 | 
126 | ###########
127 | # Variables
128 | ###########
129 | 
130 | # Name of the program
131 | $programName = "SysinternalsSuite"
132 | 
133 | # Directory we will put Sysinternals
134 | $localDir = "$env:SystemDrive\Tools"
135 | logging "D" "localDir: $localDir"
136 | 
137 | # Full path to local sysinternal directory
138 | $localPath = "$localDir\$programName"
139 | logging "D" "localPath: $localPath"
140 | 
141 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
142 | $fileServer = "<changeme>"
143 | 
144 | # Directory we want to copy Sysinternals directory from
145 | $remoteDir =  "\\$fileServer\share\$programName"
146 | logging "D" "remoteDir: $remoteDir"
147 | 
148 | # Get the name of the .zip file
149 | $fileName = (get-item $remoteDir\*.zip).Name
150 | logging "D" "fileName: $fileName"
151 | 
152 | # Full Path to .zip file
153 | $remotePath = "$remoteDir\$fileName"
154 | logging "D" "remotePath: $remotePath"
155 | 
156 | # Temp directory, where we will copy the zip file before extracting to its final destination
157 | $tempDir = $env:TEMP
158 | logging "D" "tempDir: $tempDir"
159 | 
160 | ################
161 | # Aaaand Action!
162 | ################
163 | 
164 | try {
165 |     # Check if Sysinternals Suite exists on local system
166 |     if (!(test-path -path $localPath)) {
167 |         logging "I" "$programName is not installed."
168 | 
169 |         # Copy and extract the SI tools
170 |         installSI
171 | 
172 |         # Set creation date on localPath
173 |         setCreation
174 | 
175 |         # Add to PATH
176 |         changePath $localPath
177 |     }
178 |     else {
179 |         logging "I" "$programName is already installd."
180 | 
181 |         # Check creation date.  If they are different, delete and re-install
182 |         # if they are the same, exit
183 |         if (compairCreation) {
184 |             logging "I" "Creation dates are the same."
185 |         }
186 |         else {
187 |             logging "W" "Creation dates are not the same. Must recopy files."
188 | 
189 |             # Delete localPath
190 |             Remove-Item -Recurse $localPath
191 |             if (!(test-path -path $localPath)) {
192 |                 logging "I" "Successfully deleted $localPath."
193 |             }
194 |             else {
195 |                 logging "E" "Failed to delete $localPath."
196 |             }
197 | 
198 |             # Copy and extract the SI tools
199 |             installSI
200 | 
201 |             # Set creation date on localPath
202 |             setCreation
203 |         }
204 |     }
205 | }
206 | catch {
207 |     $line = $_.InvocationInfo.ScriptLineNumber
208 |     logging "E" "Caught exception: $($Error[0]) at line $line"
209 | }
210 | finally {
211 |     logging "I" "Exiting Script."
212 | }


--------------------------------------------------------------------------------
/04 - Deploy Software/installVIClient.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installVIClient.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2018-02-05 - Initial creation
  8 | 
  9 | .SYNOPSIS
 10 |     This script copies the VI Client installation file to your workstation's temp directory.
 11 |     This script is called via a scheduled task or an immediate task (via GPO) with the following details:
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges')
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installVIClient.ps1
 17 | 
 18 | .DESCRIPTION
 19 |     What does this script do?
 20 |     - Checks to see if the VMware VI Client is installed
 21 |     - If not, it copies the install file to the temp directory then installs
 22 | 
 23 |     What do I need to do?
 24 |     - Download the latest installer for your environment (https://kb.vmware.com/s/article/2089791)
 25 |     - put the install file on your network file share
 26 |     - Search this script for <changeme> and replace it with the required data.
 27 | 
 28 | .PARAMETERS
 29 |     - This script takes no parameters
 30 | 
 31 | .Example
 32 |     >.\installVIClient
 33 |     Runs the script
 34 | #>
 35 | 
 36 | # Location where this script will log to
 37 | $logLocation = "$env:ProgramData\installVIClient.txt"
 38 | 
 39 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
 40 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
 41 | $debug = "on"
 42 | #$debug = "off"
 43 | 
 44 | ###########
 45 | # Functions
 46 | ###########
 47 | 
 48 | function logging ($level, $text) {
 49 |     if ($debug -ne "on" -and $level -eq "D") {
 50 |         return
 51 |     }
 52 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 53 | 
 54 |     if ($blurb -ne "yes") {
 55 |         # Override the existing log file so it does not grow out of control
 56 |         Write-Output "$timeStamp I New log created" > $logLocation
 57 |         $script:blurb = "yes"
 58 |     }
 59 | 
 60 |     Write-Output "$timeStamp $level $text" >> $logLocation
 61 | }
 62 | 
 63 | # Copy the installer to temp and installs
 64 | function installVIClient {
 65 |     # Copy the install file to temp
 66 | 
 67 |     if (!(test-path -Path $tempDir\$fileName)) {
 68 |         logging "I" "Copying $remotePath to $tempDir..."
 69 |         Copy-Item $remotePath $tempDir -ErrorAction Stop
 70 |     }
 71 |     else {
 72 |         logging "I" "$tempDir\$fileName already exists.  Will not copy." 
 73 |     }
 74 | 
 75 |     # Install
 76 |     $argList = "/q", "/s", "/w", "/L1033", "/v", "/qr"
 77 |     Start-Process -Wait -FilePath "$tempDir\$fileName" -ArgumentList $argList
 78 | 
 79 |     # Delete the temp archive
 80 |     logging "I" "Deleting $tempDir\$fileName..."
 81 |     Remove-Item $tempDir\$fileName
 82 | }
 83 | 
 84 | ###########
 85 | # Variables
 86 | ###########
 87 | 
 88 | # Name of the program
 89 | $programName = "VMware VI Client"
 90 | 
 91 | # Installation directory
 92 | $localDir = "C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client"
 93 | logging "D" "localDir: $localDir"
 94 | 
 95 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
 96 | $fileServer = "<changeme>"
 97 | 
 98 | # Remote directory
 99 | $remoteDir =  "\\$fileServer\share\vmware"
100 | logging "D" "remoteDir: $remoteDir"
101 | 
102 | # Get the name of the install file
103 | $fileName = (get-item $remoteDir\*.exe).Name
104 | logging "D" "fileName: $fileName"
105 | 
106 | # Full Path to install file
107 | $remotePath = "$remoteDir\$fileName"
108 | logging "D" "remotePath: $remotePath"
109 | 
110 | # Temp directory, where we will copy the zip file before extracting to its final destination
111 | $tempDir = $env:TEMP
112 | logging "D" "tempDir: $tempDir"
113 | 
114 | ################
115 | # Aaaand Action!
116 | ################
117 | 
118 | try {
119 |     # Check if VI Client exists on local system
120 |     if (!(test-path -path $localDir)) {
121 |         logging "I" "$programName is not installed."
122 | 
123 |         # Install
124 |         installVIClient
125 | 
126 |         # Confirm it installed correctly
127 |         if (!(test-path -path $localDir)) {
128 |             logging "E" "Failed to install $programName."
129 |         }
130 |         else {
131 |             logging "I" "Successfully installed $programName."
132 |         }
133 | 
134 |     }
135 |     else {
136 |         logging "I" "$programName is already installed."
137 |     }
138 | }
139 | catch {
140 |     $line = $_.InvocationInfo.ScriptLineNumber
141 |     logging "E" "Caught exception: $($Error[0]) at line $line"
142 | }
143 | finally {
144 |     logging "I" "Exiting Script."
145 | }


--------------------------------------------------------------------------------
/05 - Allow Fingerprint Sign-in/README.md:
--------------------------------------------------------------------------------
 1 | ## What is this?
 2 | Moving to the PAW paradigm opens up a slew of changes regarding how you will administrate your network.  One of those changes is the number of credentials you have to keep track of.  A typical Tier 0 administrator could have up to 6 accounts:
 3 | 
 4 | * Local user - contingency for if you ever lose trust in your domain.  You can log on with this account and rejoin the domain.
 5 | * Local administrator user - contingency for if you ever lose trust in your domain.  You log in with the above account and elevate with this account to rejoin the domain.
 6 | * Tier 0 admin user
 7 | * Tier 1 admin user
 8 | * Tier 2 admin user
 9 | * standard user account
10 | 
11 | Fingerprints help alleviate some of the frustration with having to remember so many account passwords.
12 | 
13 | ## Allowing biometrics for local users and domain users
14 | 
15 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Allow Fingerprint Sign in** with the following settings:
16 | 
17 | ***Computer Configuration > Policies > Administrative Templates > System > Logon***
18 | * Turn on convenience PIN sign-in: **Enabled**
19 | 
20 | ***Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics***
21 | * Allow domain users to log on using biometrics: **Enabled**
22 | * Allow the use of biometrics: **Enabled**
23 | * Allow users to log on using biometrics: **Enabled**
24 | 
25 | ***Computer Configuration > Policies > Administrative Templates > Windows Components > Biometrics > Facial Features***
26 | * Configure enhanced anti-spoofing: **Enabled**
27 | 
28 | Close the policy window.
29 | 
30 | On the scope tab:
31 | * Ensure the Link to the Computers OU is Enabled.  
32 | * Remove **Authenticated Users** from the **Security Filtering** section and add **All-Workstations** and **PAW-AllPAWComputers**.
33 | * Ensure there is no WMI filter applied
34 | 
35 | On the Details tab:
36 | * Set GPO status to: **User configuration settings disabled**
37 | 
38 | On the Delegation tab:
39 | * Add **Authenticated Users** and give it READ permissions.
40 | 
41 | Reboot the PAW after running *gpupdate /force*
42 | 
43 | ## Configure Fingerprints
44 | Login as each of the accounts you own and configure a fingerprint via:
45 | 
46 | ***Settings > Accounts > Sign-in options > Add Fingerprint***
47 | 
48 | You have 10 fingers.  You figure out what user you want to assign to what finger.  Doing so will force you to create a PIN.  I would highly suggest using KeePass/LastPass to keep track of all these passwords and PINs.
49 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## How do I use this repo?
 2 | 
 3 | I have listed each security control in a recommended order that should be followed when starting out.  Each directory is labeled **## - Title**.  Each directory contains its own README file that details what's going on and how to apply the control. Follow the order of the numbers.  When done, work on the *xx - policy* controls in any order you desire. 
 4 | 
 5 | To alleviate troubleshooting, fully test your environment before continuing on to the next section.  Literally spend several days living under the new policy to see how things work. 
 6 | 
 7 | Where a script is concerned, specific instruction and requirements to run the script can be found within the script's comment header.
 8 | 
 9 | ## Privileged Access Workstation (PAW)
10 | 
11 | **What is a PAW?**
12 | 
13 | In short, a PAW is one solution to the problem of credential theft, replay and pivoting attacks, and privilege escalation.  PAW is a method of administrating network devices in a more secure and more hardened environment than what most admins are used to.  A successful PAW deployment will contain many security controls aimed to enable a more [Defense in Depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) security strategy.
14 | 
15 | **Okay, but what is a PAW?**
16 | 
17 | A PAW is the workstation the admin uses to access and administrate the network using privileged credentials.  It provides the admin a secure method to perform day-to-day administrative tasks on network devices such as Domain Controllers, member servers, user workstations, networking equipment, and cloud admin portals (like Azure and AWS).  Because the PAW adheres to the [Clean Source Security Principal](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#CSP_BM) it prevents the logged on user from freely surfing the Internet, checking email, running applications outside of the AppLocker whitelist, or insecurely accessing network devices that could expose risk to credential theft.  It provides the admin everything they need to do their job and nothing more [Least Privilege Security](https://en.wikipedia.org/wiki/Principle_of_least_privilege).
18 | 
19 | **How is a PAW physically different than a normal workstation where I administrate my servers with RDP and MMC?**
20 | 
21 | The PAW is a physical workstation, preferably a laptop, that runs Windows 10 Enterprise Edition (1709+) as the primary host OS.  This device is used to administrate the network and all the systems on it.  It has the Hyper-V role installed that, in addition to security features like Credential Guard, hosts a VM that provides the admin day-to-day Internet access and email.  PAWs have several hardware requirements to make for the most secure deployment:
22 | 
23 | - Windows 10 compatible (no Chrome books or Mac)
24 | - TPM 2.0
25 | - Enough hard drive, CPU, and RAM resources to have a pleasant experience in your day-to-day VM
26 | 
27 | Consider buying from a vendor that has frequent firmware updates and a long support life-cycle.  Specialized hardware like Sony Vaio and Alienware should also not be considered.
28 | 
29 | Additionally, you should be aware of DMA attacks and consider purchasing hardware that does not come with DMA ports (Thunderbolt, PCI-E, Firewire, ExpressCard).  See [Sami Laiho's Win-Fu Blog](http://blog.win-fu.com/2017/02/the-true-story-of-windows-10-and-dma.html) for more details about DMA attacks and mitigation.
30 | 
31 | If a single workstation that handles the load of two is not optimal for your environment, you can split the roles onto separate laptops.  One workstation for secure administration, and one for Internet and email.  
32 | 
33 | **Is it difficult to configure PAWs?**
34 | 
35 | The main purpose of this repo is provide baseline configuration templates and walkthroughs to make the configuration simpler.  Initially, it is quite complex.  As I look at my GPOs that are designed to address only PAWs, I count 36 and growing.  The biggest complexity, however, is changing your IT team's behavior around remote administration.  You will be doing things very different than you are used to.  I like the saying, *it is fundamentally impossible to improve something wilst keeping it the same*.
36 | 


--------------------------------------------------------------------------------
/xx - Antivirus/README.md:
--------------------------------------------------------------------------------
 1 | ## What is this?
 2 | With traditional AV, typically a central console would have access to the endpoint with an agent that is running with administrative permissions on the endpoint.  This means that the console has indirect administrative access to the endpoint.  In the world of PAWs, this would require us to treat the central console as a Tier 0 server, and up our protections (cost) to bring that server in the same tier as our domain controllers.  
 3 | 
 4 | With all the surrounding security controls (e.g., AppLocker software white list, log on restrictions, etc...) I recommend sticking with Windows Defender (1709 or greater).  1709 came out with many additional security features that enhance the product and offer more of a competitive edge with other AV vendors.  Things like extended EMET protection, protected folders, and such.
 5 | 
 6 | ## Group Policy
 7 | 
 8 | Create a new GPO on the DOMAIN.COM\Company\Users\PAW Accounts OU called **Security - Windows Defender - PAW** with the following settings:
 9 | 
10 | ***Computer Configuration > Policies > Admin Templates > System > Device Guard***
11 | * Turn on Virtualization Based Security: **Enabled**
12 |     * Select Platform Security level: **Secure Boot and DMA Protection**
13 |     * Virtualization Based protection of code: **Cont configured**
14 |     * Require UEFI memory attributes table: **Disabled**
15 |     * Credential Guard Configuration: **Enabled with UEFI lock**
16 | 
17 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus***
18 | * Turn off Windows Defender anti-virus: **Disabled**
19 | 
20 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Client interface***
21 | * Display additional text to clients when they need to perform an action: **With great power comes great fun!**
22 | 
23 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > MAPS***
24 | * Send sample files...: **Disabled**
25 | 
26 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Network Inspection System***
27 | * Turn on definition retirement: **Enabled**
28 | * Turn on protocol recognition: **Enabled**
29 | 
30 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Real-time protection***
31 | * Monitor file and program activity...: **Enabled**
32 | * Scan all downloaded files and attachments: **Enabled**
33 | * Turn off real-time protection: **Disabled**
34 | * Turn on behavior monitoring: **Enabled**
35 | * Turn on process scanning whenever real-time protection is enabled: **Enabled**
36 | * Turn on raw volume write notifications: **Enabled**
37 | 
38 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Scan***
39 | * Allow user to pause scan: **Enabled**
40 | * Check for the latest virus and spy-ware definitions before running a scan: **Enabled**
41 | * Run full scan on mapped network drives: **Disabled**
42 | * Scan archived files: **Enabled**
43 | * Scan network files: **Disabled**
44 | * Scan packed executables: **Enabled**
45 | * Scan removable drives: **Enabled**
46 | * Specify the maximum percentage of CPU...: **Enabled**
47 |     * **20%**
48 | * Turn on catch-up full scan: **Enabled**
49 | * Turn on catch-up quick scan: **Enabled**
50 | * Turn on heuristics: **Enabled**
51 | 
52 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Signature Updates***
53 | * Define number of days before spy-ware definitions are out of date: **Enabled**
54 |     * **7**
55 | * Define number of days before virus definitions are out of date: **Enabled**
56 |     * **7**
57 | 
58 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled Folder Access***
59 | * Configure the guard my folders feature: **Enabled**
60 | * Configure protected folders: **Enabled**
61 |     * **%userprofile%**
62 |     * **C:\Users\Public**
63 | 
64 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > App and browser protection***
65 | * Prevent users from modifying settings: **Enabled**
66 | 
67 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Enterprise Customization***
68 | * Configure custom contact info: **Enabled**
69 | * Configure custom notification: **Enabled**
70 | * Specify contact company name: **Enabled**
71 |     * Company Name: **Company**
72 | * Specify contact email address: **Enabled**
73 |     * **helpdesk@company.com**
74 | 
75 | ***Computer Configuration > Policies > Admin Templates > Windows Components > Windows Defender Antivirus > Family Options***
76 | * Hide the family options area: **Enabled**
77 | 
78 | Close the policy window.
79 | 
80 | On the scope tab:
81 | * Ensure the Link to the Computers OU is Enabled.  
82 | * Remove **Authenticated Users** from the **Security Filtering** section and add **PAW-AllPAWComputers**.
83 | * Ensure there is no WMI filter applied
84 | 
85 | On the Details tab:
86 | * Set GPO status to: **User configuration settings disabled**
87 | 
88 | On the Delegation tab:
89 | * Add **Authenticated Users** and give it READ permissions.


--------------------------------------------------------------------------------
/xx - AppLocker/README.md:
--------------------------------------------------------------------------------
 1 | ## Special Thanks
 2 | First things first.  A ***HUGE*** thanks to [Sami Laiho](http://blog.win-fu.com/), Chief Sr. Principal Technical Fellow.  Without his help this section would not exist since I would not have wanted to go down the long dark path of configuring these policies myself.  
 3 | 
 4 | ## What is this?
 5 | AppLocker is a Microsoft product, built into Windows, that allows administrators to whitelist or blacklist applications.  In the world of PAWs we want the most security, and so opt for a whitelist.  
 6 | 
 7 | A note about AppLocker policy administration - AppLocker management requires a Windows 10 Enterprise license to manage the policies, though you can deploy the policies to Pro or Education editions of Windows 10. [Source](https://docs.microsoft.com/en-us/windows/device-security/applocker/requirements-to-use-applocker)
 8 | 
 9 | ## AppLocker Warning
10 | Applocker is not a perfect product, and can be bypassed.  GitHub user [pi0cradle](https://github.com/api0cradle/UltimateAppLockerByPassList/commits?author=api0cradle) has compiled his [Ultimate AppLocker ByPass List](https://github.com/api0cradle/UltimateAppLockerByPassList).  You should be aware.
11 | 
12 | ## Best Practices
13 | 
14 | ### Configure policies on the container, not the item
15 | If you find yourself configuring policies for individual bypasses (single executable files or scripts), you are probably making AppLocker administration more difficult than it needs to be. Instead, focus more on the publisher and in very rare cases (with additional security controls) a path.  Going by hash focuses on the individual item and requires you to update the hash with each product update.
16 | 
17 | ### Confirm directory whitelisting with accesschk
18 | When you create the default rule set, AppLocker creates a set of policies that whitelist the *Program Files* and *Windows* directories.  When you whitelist a directory it is important that the user not be able to modify the contents of that directory, else they could run any program they want.  I bet you thought the Windows directory was *read only* to standard users, eh?  Download systenternals and run the following command:
19 | 
20 | ```
21 | C:\Tools> accesschk -w users c:\windows
22 | ```
23 |  Default results look like this:
24 | 
25 | ```
26 | RW C:\windows\Tasks
27 | RW C:\windows\Temp
28 | RW C:\windows\tracing
29 | ```
30 | 
31 | This means users have WRITE (RW) access to these three directories under C:\Windows.  If you import my policy.xml, you will see these directories (and others) have been added to the exception tab of the *Allow everyone all files located in the Windows folder*. If you don't import my policy, ensure you add these exceptions.
32 | 
33 | I would recommend using the *accesschk* tool any time you whitelist a directory to ensure users do not have Write access.
34 | 
35 | ## Configure AppLocker whitelist
36 | 
37 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - AppLocker - PAW** with the following settings:
38 | 
39 | ***Computer Configuration > Policies > Windows Settings > Security Settings > System Services***
40 | * Application Identity: **Enabled (Automatic)** - This service is used by AppLocker to determine what action to take on user-launched applications.
41 | 
42 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies***
43 | 
44 | Import the applocker.xml policy by right clicking on AppLocker (under Application Control Policies) and selecting *Import Policy...*.
45 | 
46 | You must update the following policies:
47 | * **Executable Rules**
48 | 	* *Deny paw-blockpowershell powershell.exe* - Add the **DOMAIN\PAW-BlockPowershell** group to the User or Group field
49 | 	* *Deny paw-blockpowershell powershell_ise.exe* - Add the **DOMAIN\PAW-BlockPowershell** group to the User or Group field
50 |   * *Deny PAW-BlockLocalLogon explorer.exe* - Add the **DOMAIN\PAW-BlockLocalLogon** group to the User or Group filed
51 |   * *Deny PAW-BlockLocalLogon TASKMGR.exe* - Add the **DOMAIN\PAW-BlockLocalLogon** group to the User or Group filed
52 | * **DLL Rules**
53 | 	* *The Deny rule that shows an SID under the *User* column* - Add the **DOMAIN\PAW-BlockPowershell** group to the User or Group field
54 | * **Script Rules**
55 | 	* Update the \\DOMAIN.com\SYSVOL\* rule to point to your domain's SYSVOL.
56 | 


--------------------------------------------------------------------------------
/xx - AppLocker/applocker.xml:
--------------------------------------------------------------------------------
  1 | <AppLockerPolicy Version="1">
  2 |   <RuleCollection Type="Appx" EnforcementMode="Enabled">
  3 |     <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
  4 |       <Conditions>
  5 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
  6 |           <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
  7 |         </FilePublisherCondition>
  8 |       </Conditions>
  9 |     </FilePublisherRule>
 10 |   </RuleCollection>
 11 |   <RuleCollection Type="Dll" EnforcementMode="Enabled">
 12 |     <FilePublisherRule Id="437c190a-7181-46c8-b2e3-f32488047b69" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 13 |       <Conditions>
 14 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
 15 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 16 |         </FilePublisherCondition>
 17 |       </Conditions>
 18 |     </FilePublisherRule>
 19 |     <FilePublisherRule Id="7aa3e512-43eb-442a-ab77-e7e1c57116ea" Name="SYSTEM.MANAGEMENT.AUTOMATION.DLL, in MICROSOFT (R) WINDOWS (R) OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="Blocks Powershell for users of the group below." UserOrGroupSid="S-1-5-21-2373959184-1017718198-3349084539-1606" Action="Deny">
 20 |       <Conditions>
 21 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT (R) WINDOWS (R) OPERATING SYSTEM" BinaryName="SYSTEM.MANAGEMENT.AUTOMATION.DLL">
 22 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 23 |         </FilePublisherCondition>
 24 |       </Conditions>
 25 |     </FilePublisherRule>
 26 |     <FilePathRule Id="4d49228c-723c-4219-8001-9fb6679a5e88" Name="Microsoft Windows DLLs" Description="Allows members of the Everyone group to load DLLs located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
 27 |       <Conditions>
 28 |         <FilePathCondition Path="%WINDIR%\*" />
 29 |       </Conditions>
 30 |       <Exceptions>
 31 |         <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\*" />
 32 |         <FilePathCondition Path="%WINDIR%\tracing\*" />
 33 |         <FilePathCondition Path="c:\Windows\Registration\CRMLog\*" />
 34 |         <FilePathCondition Path="c:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\*" />
 35 |         <FilePathCondition Path="c:\Windows\servicing\Packages\*" />
 36 |         <FilePathCondition Path="c:\Windows\System32\Com\dmp\*" />
 37 |         <FilePathCondition Path="c:\Windows\System32\FxsTmp\*" />
 38 |         <FilePathCondition Path="c:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*" />
 39 |         <FilePathCondition Path="c:\Windows\System32\spool\*" />
 40 |         <FilePathCondition Path="c:\Windows\System32\Tasks\*" />
 41 |         <FilePathCondition Path="c:\Windows\SysWOW64\Com\dmp\*" />
 42 |         <FilePathCondition Path="c:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Apple Computer\QuickTime\*" />
 43 |         <FilePathCondition Path="c:\Windows\SysWOW64\FxsTmp\*" />
 44 |         <FilePathCondition Path="c:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\*" />
 45 |         <FilePathCondition Path="c:\windows\temp\*" />
 46 |       </Exceptions>
 47 |     </FilePathRule>
 48 |     <FilePathRule Id="66d4e362-6dae-4a85-b117-b283c591d28a" Name="All DLLs located in the Program Files folder" Description="Allows members of the Everyone group to load DLLs that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
 49 |       <Conditions>
 50 |         <FilePathCondition Path="%PROGRAMFILES%\*" />
 51 |       </Conditions>
 52 |       <Exceptions>
 53 |         <FilePathCondition Path="%PROGRAMFILES%\Mobile Partner\*" />
 54 |       </Exceptions>
 55 |     </FilePathRule>
 56 |     <FilePathRule Id="e7f67bfb-fe7d-4674-b38b-18b61af8bb75" Name="Allow everyone cmder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 57 |       <Conditions>
 58 |         <FilePathCondition Path="%OSDRIVE%\Tools\cmder\*" />
 59 |       </Conditions>
 60 |     </FilePathRule>
 61 |     <FilePathRule Id="fe64f59f-6fca-45e5-a731-0f6715327c38" Name="(Default Rule) All DLLs" Description="Allows members of the local Administrators group to load all DLLs." UserOrGroupSid="S-1-5-32-544" Action="Allow">
 62 |       <Conditions>
 63 |         <FilePathCondition Path="*" />
 64 |       </Conditions>
 65 |     </FilePathRule>
 66 |   </RuleCollection>
 67 |   <RuleCollection Type="Exe" EnforcementMode="Enabled">
 68 |     <FilePublisherRule Id="33e5314d-4c33-4568-84e8-5f465efe62b8" Name="Deny paw-blockpowershell powershell.exe" Description="Why?  non-privileged users do not need access to powershell.  Modern ransomware uses powershell running in the user's context to call out to the internet to download malware.  If you need powershell, elevate!" UserOrGroupSid="S-1-5-21-2373959184-1017718198-3349084539-1606" Action="Deny">
 69 |       <Conditions>
 70 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL.EXE">
 71 |           <BinaryVersionRange LowSection="10.0.0.0" HighSection="*" />
 72 |         </FilePublisherCondition>
 73 |       </Conditions>
 74 |     </FilePublisherRule>
 75 |     <FilePublisherRule Id="39432355-48b2-44be-a870-23a18536fb04" Name="Deny PAW-BlockLocalLogon TASKMGR.EXE" Description="Give your local users the ability to elevate to admin when needed, but if they try to logon as that local admin this rule will block them from being able to do anything.  Users should never login as an admin account!" UserOrGroupSid="S-1-5-21-2373959184-1017718198-3349084539-3969" Action="Deny">
 76 |       <Conditions>
 77 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="TASK MANAGER" BinaryName="TASKMGR.EXE">
 78 |           <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
 79 |         </FilePublisherCondition>
 80 |       </Conditions>
 81 |     </FilePublisherRule>
 82 |     <FilePublisherRule Id="5ee49b31-280b-40c7-8990-da3adee0797c" Name="Allow everyone signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 83 |       <Conditions>
 84 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
 85 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 86 |         </FilePublisherCondition>
 87 |       </Conditions>
 88 |     </FilePublisherRule>
 89 |     <FilePublisherRule Id="7420c333-49fe-4d99-8870-5e1d7e1551bb" Name="Allow everyone signed by SYSINTERNALS" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
 90 |       <Conditions>
 91 |         <FilePublisherCondition PublisherName="O=SYSINTERNALS, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
 92 |           <BinaryVersionRange LowSection="*" HighSection="*" />
 93 |         </FilePublisherCondition>
 94 |       </Conditions>
 95 |     </FilePublisherRule>
 96 |     <FilePublisherRule Id="83c1adf2-f319-4c34-9b3b-bb73738d60ab" Name="Deny local admins TASKMGR.EXE" Description="Give your local users the ability to elevate to admin when needed, but if they try to logon as that local admin this rule will block them from being able to do anything.  Users should never login as an admin account!" UserOrGroupSid="S-1-5-114" Action="Deny">
 97 |       <Conditions>
 98 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="TASKMGR.EXE">
 99 |           <BinaryVersionRange LowSection="*" HighSection="*" />
100 |         </FilePublisherCondition>
101 |       </Conditions>
102 |     </FilePublisherRule>
103 |     <FilePublisherRule Id="c2c9a576-fcb1-4013-a89f-f6c4012d7be2" Name="Deny paw-blockpowershell powershell_ise.exe" Description="Why?  non-privileged users do not need access to powershell.  Modern ransomware uses powershell running in the user's context to call out to the internet to download malware.  If you need powershell, elevate!" UserOrGroupSid="S-1-5-21-2373959184-1017718198-3349084539-1606" Action="Deny">
104 |       <Conditions>
105 |         <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL_ISE.EXE">
106 |           <BinaryVersionRange LowSection="10.0.0.0" HighSection="*" />
107 |         </FilePublisherCondition>
108 |       </Conditions>
109 |     </FilePublisherRule>
110 |     <FilePathRule Id="22dc8e8c-e1c4-4a41-80e2-5d74a356929e" Name="Deny local admins explorer.exe" Description="Give your local users the ability to elevate to admin when needed, but if they try to logon as that local admin this rule will block them from being able to do anything.  Users should never login as an admin account!" UserOrGroupSid="S-1-5-114" Action="Deny">
111 |       <Conditions>
112 |         <FilePathCondition Path="%WINDIR%\explorer.exe" />
113 |       </Conditions>
114 |     </FilePathRule>
115 |     <FilePathRule Id="5713684a-65fe-4bae-bf29-b84a896daeb5" Name="Deny PAW-BlockLocalLogon explorer.exe" Description="Give your local users the ability to elevate to admin when needed, but if they try to logon as that local admin this rule will block them from being able to do anything.  Users should never login as an admin account!" UserOrGroupSid="S-1-5-21-2373959184-1017718198-3349084539-3969" Action="Deny">
116 |       <Conditions>
117 |         <FilePathCondition Path="%WINDIR%\explorer.exe" />
118 |       </Conditions>
119 |     </FilePathRule>
120 |     <FilePathRule Id="8fc27fd3-1f04-44e0-9bed-e3e5faaf4395" Name="Allow everyone all files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
121 |       <Conditions>
122 |         <FilePathCondition Path="%PROGRAMFILES%\*" />
123 |       </Conditions>
124 |       <Exceptions>
125 |         <FilePathCondition Path="%PROGRAMFILES%\Mobile Partner\*" />
126 |       </Exceptions>
127 |     </FilePathRule>
128 |     <FilePathRule Id="9618e89e-90c1-48b1-91bf-965a4b50b412" Name="Allow Everyone cmder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
129 |       <Conditions>
130 |         <FilePathCondition Path="%OSDRIVE%\Tools\*" />
131 |       </Conditions>
132 |     </FilePathRule>
133 |     <FilePathRule Id="c4899de9-a86a-4315-84a9-4b8e100852de" Name="Allow Admins all files" Description="Allows members of the local Administrators group to run all applications.  Of course, you must elivate to do so as you cannot login as an admin." UserOrGroupSid="S-1-5-32-544" Action="Allow">
134 |       <Conditions>
135 |         <FilePathCondition Path="*" />
136 |       </Conditions>
137 |     </FilePathRule>
138 |     <FilePathRule Id="d9cdc435-5a2e-44b4-b23b-288282bf11c7" Name="Allow everyone all files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
139 |       <Conditions>
140 |         <FilePathCondition Path="%WINDIR%\*" />
141 |       </Conditions>
142 |       <Exceptions>
143 |         <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\*" />
144 |         <FilePathCondition Path="%WINDIR%\tracing\*" />
145 |         <FilePathCondition Path="c:\Windows\Registration\CRMLog\*" />
146 |         <FilePathCondition Path="c:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\*" />
147 |         <FilePathCondition Path="c:\Windows\servicing\Packages\*" />
148 |         <FilePathCondition Path="c:\Windows\System32\Com\dmp\*" />
149 |         <FilePathCondition Path="c:\Windows\System32\FxsTmp\*" />
150 |         <FilePathCondition Path="c:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\*" />
151 |         <FilePathCondition Path="c:\Windows\System32\spool\*" />
152 |         <FilePathCondition Path="c:\Windows\System32\Tasks\*" />
153 |         <FilePathCondition Path="c:\Windows\SysWOW64\Com\dmp\*" />
154 |         <FilePathCondition Path="c:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Apple Computer\QuickTime\*" />
155 |         <FilePathCondition Path="c:\Windows\SysWOW64\FxsTmp\*" />
156 |         <FilePathCondition Path="c:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\*" />
157 |         <FilePathCondition Path="c:\windows\temp\*" />
158 |       </Exceptions>
159 |     </FilePathRule>
160 |   </RuleCollection>
161 |   <RuleCollection Type="Msi" EnforcementMode="Enabled">
162 |     <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow">
163 |       <Conditions>
164 |         <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
165 |           <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
166 |         </FilePublisherCondition>
167 |       </Conditions>
168 |     </FilePublisherRule>
169 |     <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow">
170 |       <Conditions>
171 |         <FilePathCondition Path="%WINDIR%\Installer\*" />
172 |       </Conditions>
173 |     </FilePathRule>
174 |     <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow">
175 |       <Conditions>
176 |         <FilePathCondition Path="*.*" />
177 |       </Conditions>
178 |     </FilePathRule>
179 |   </RuleCollection>
180 |   <RuleCollection Type="Script" EnforcementMode="Enabled">
181 |     <FilePathRule Id="1c45a3f8-93ba-4ee7-bacd-3ede8fef013b" Name="Allow everyone cmder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
182 |       <Conditions>
183 |         <FilePathCondition Path="%OSDRIVE%\Tools\cmder\*" />
184 |       </Conditions>
185 |     </FilePathRule>
186 |     <FilePathRule Id="369280df-2ecd-4126-9f18-2ea9bc7aa765" Name="All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
187 |       <Conditions>
188 |         <FilePathCondition Path="%WINDIR%\*" />
189 |       </Conditions>
190 |       <Exceptions>
191 |         <FilePathCondition Path="%WINDIR%\temp\*" />
192 |         <FilePathCondition Path="%WINDIR%\tracing\*" />
193 |       </Exceptions>
194 |     </FilePathRule>
195 |     <FilePathRule Id="7705267d-b85e-4f5c-be2c-74a2f1499cec" Name="All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
196 |       <Conditions>
197 |         <FilePathCondition Path="*" />
198 |       </Conditions>
199 |     </FilePathRule>
200 |     <FilePathRule Id="8881d94c-8f27-4a0e-9ada-bc64f10a7871" Name="All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
201 |       <Conditions>
202 |         <FilePathCondition Path="%PROGRAMFILES%\*" />
203 |       </Conditions>
204 |       <Exceptions>
205 |         <FilePathCondition Path="%PROGRAMFILES%\Mobile Partner\*" />
206 |       </Exceptions>
207 |     </FilePathRule>
208 |     <FilePathRule Id="bb6a8a8c-015d-45a6-a337-bc3f7f89f68a" Name="\\DOMAIN.com\SYSVOL\*" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
209 |       <Conditions>
210 |         <FilePathCondition Path="\\DOMAIN.coml\SYSVOL\*" />
211 |       </Conditions>
212 |     </FilePathRule>
213 |   </RuleCollection>
214 | </AppLockerPolicy>


--------------------------------------------------------------------------------
/xx - Authentication Policies and Silos/README.md:
--------------------------------------------------------------------------------
 1 | # This section has been deprecated
 2 | Although I highly advocate the use of protected groups in AD, I have opted to use Domain Isolation policies via IPSec in favor of authentication polices/silos.  Why?
 3 | 
 4 | * IPSec filters at the network level, packets aren't even allowed if they come from the wrong device/user.
 5 | * Unable to connect to shares from my PAW if the File server is outside of the silo.
 6 | * Unable to launch my T0, T1, T2 tools that prompt for credentials. I can only assume that since I actually log into my PAW with my normal domain user account (which is not a member of the silo) it is denying me from being able to run these tools under the context of a different user. I also assume I would be limited to running these tools only when I am logged in as the Tier 0/1/2 admin. Which I don't want to do.
 7 | * I cannot authenticate to vCenter using my siloed Tier account.
 8 | 
 9 | I keep this section here for matters of interest only.
10 | 
11 | ## What is this?
12 | Authentication Policies and Silos allow us to restrict user accounts from accessing remote servers as long as the connection is initiated from specified hosts.  In the following example configuration, we will create a silo containing all Domain controllers and other Tier 0 servers, Tier 0 user accounts, and Tier 0 PAWs.  This will only allow Tier 0 user accounts to login to Tier 0 servers (and DCs) from their Tier 0 PAW.  All other connections will be denied.
13 | 
14 | ## Enable Dynamic Access Control (DAC) on Domain Controllers
15 | Create a GPO and apply it to the Domain Controller's OU called **Security - Allow Dynamic Access Control - DCs** with the following settings:
16 | 
17 | ***Computer Configuration > Policies > Admin Templates > System > KDC***
18 | * KDC support for claims, compound authentication and Kerberos armoring: **Enabled, Always provide claims**
19 | 
20 | On the scope tab:
21 | * Ensure the Link to the Domain Controllers OU is Enabled.  
22 | * Ensure **Authenticated Users** is selected under **Security Filtering**.
23 | * Ensure there is no WMI filter applied.
24 | 
25 | On the Details tab:
26 | * Set GPO status to: **User configuration settings disabled**
27 | 
28 | ## Enable DAC on PAWs
29 | Create a GPO and apply it to the DOMAIN.COM\Company\Computers OU called **Security - Allow Dynamic Access Control - PAW** with the following settings:
30 | 
31 | ***Computer Configuration > Policies > Admin Templates > System > Kerberos***
32 | * Kerberos client support for claims, compound authentication and Kerberos armoring: **Enabled**
33 | 
34 | On the scope tab:
35 | * Ensure the Link to the Computers OU is Enabled.  
36 | * Remove **Authenticated Users** from the **Security Filtering** section and add **PAW-AllPAWComputers**.
37 | * Ensure there is no WMI filter applied.
38 | 
39 | On the Details tab:
40 | * Set GPO status to: **User configuration settings disabled**.
41 | 
42 | On the Delegation tab:
43 | * Add **Authenticated Users** and give it READ permissions.
44 | 
45 | 
46 | ## Configure the Authentication Policy and Silo
47 | 1. Create a new policy by opening Active Directory Administrative Center and navigate to **Authentication > Policies > right click and create new policy**.
48 | 2. Name: **Allow Tier0 users access to Tier0 servers from Tier0 PAW**
49 | 3. Description: **This Policy allows Tier 0 users to access Tier 0 servers from Tier 0 PAWs only.**
50 | 4. Assigned Silos: **(Will come back to this after you create the silo)**
51 | 5. User sign on > Specify a TGT lifetime for user accounts: **240**
52 | 6. Computer > Edit > Add a condition
53 | 	1. **User > AuthenticationSilo > Equals > Value > Tier0**
54 | 7. Click OK
55 | 
56 | ## Configure the Silo
57 | 1. In Active Directory Administrative Center, navigate to **Authentication > Policy Silos > right click and create a new silo**
58 | 2. Name: **Tier 0**
59 | 3. Put a bullet in **Enforce silo policies**
60 | 4. Description: **All members of Tier 0 users and computers.**
61 | 5. permitted Accounts > Add the following Computer and user accounts (cannot add groups)
62 |     1. All Domain Controllers
63 |     2. All PAW Tier 0 Computer accounts
64 |     3. All Tier 0 User accounts
65 |     4. Any other Tier 0 server accounts
66 | 6. Authentication Policy > Use a single policy... **Select the policy you created above**
67 | 
68 | Update the Policy to include the new Silo
69 | 1. Edit the policy
70 | 2. Assign the silo you created above under Assigned Silos
71 | 
72 | ## Test your settings
73 | Make sure to gpupdate on your servers and your PAWs.
74 | 
75 | Authentication | Result
76 | ---------------|--------
77 | RDP into a DC with your Tier 0 account from your Tier 0 PAW | PASS
78 | RDP from a DC to your Tier 0 PAW | PASS
79 | RDP into a member Tier 1 server from your Tier 0 PAW with your Tier 0 account | FAIL
80 | RDP into your Tier 0 PAW from a HelpDesk workstation | FAIL
81 | Log into your Tier 0 PAW with a non-Tier 0 user account | FAIL
82 | 


--------------------------------------------------------------------------------
/xx - Baselines/CIS Baseline checklist.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Baselines/CIS Baseline checklist.xlsx


--------------------------------------------------------------------------------
/xx - Baselines/README.md:
--------------------------------------------------------------------------------
  1 | # Warning about Baselines
  2 | 
  3 | ***WARNING***: *You cannot simply take the baselines and bolt them on into your environment!  Some of these settings may not be compatible with your environment.  You must read through the individual settings and understand what is happening.  If you are unsure what the effect will be, either test it or don't enable it (but note that you are not enabling it). You are the admin in your domain.  Not me.*
  4 | 
  5 | ## What is this?
  6 | We will be applying the CIS baselines to Windows 10 client computers And Server 2016.  I have broken the baseline up into several GPOs for the ease of troubleshooting potential issues.  The GPOS are:
  7 | 
  8 | * Server/Client Admin Templates
  9 | * Server/Client Security settings
 10 | * Server/Client System services
 11 | * Server/Client User Rights Assignments
 12 | * Server/Client Windows Firewall
 13 | * Users
 14 | 
 15 | ## Prerequisites
 16 | * Ensure you have a functioning Shadow Group script
 17 | * Download the latest Windows 10 and Server 2016 CIS benchmarks from https://www.cisecurity.org/cis-benchmarks/.  These will be in PDF form.
 18 | * Read through these and understand what each setting does.  You will, on occasion need to make an exception.  You need to understand your environment and what these settings do.  
 19 | * I would recommend printing it out.  Yes, it will take hundreds of pieces of paper.  But it will make it easier to bookmark and note.
 20 | * Alternatively, you can use the attached *CIS baseline checklist.xlsx* file as a means to track your progress.  The downside is this file does not auto update when a new baseline is released.
 21 | 
 22 | ## A note on GPO processing Order
 23 | 
 24 | GPOs are processed in a very specific order.  Generally, you want to apply the Default Domain Policy first, and then your Baseline policies, and finally everything else.  Remember this when you are creating your various policies because when you create a new policy, GPMC creates it at the bottom of the **Linked Group Policy Objects** list, which means it will be over-written by all the above polices. To summarize:
 25 | 
 26 | * Default Group Policy (DGP) goes at the bottom
 27 | * Baselines go above the DGP
 28 | * Everything Else goes above the baselines
 29 | 
 30 | ## WMI Filters
 31 | 
 32 | Create a WMI filter for Windows 10:  
 33 | 1. Navigate to ***GPMC > Forest > Domains > Company.com > WMI Filters***.
 34 | 2. Right click > New...
 35 | 3. Name: **Windows 10**
 36 | 4. Click Add
 37 |   1. Namespace: **root\CIMv2**
 38 |   2. Query: **select * from Win32_OperatingSystem where Name like "%Windows 10%"**
 39 | 
 40 | Create a WMI filter for Server 2016:
 41 | 1. Navigate to ***GPMC > Forest > Domains > Company.com > WMI Filters***.
 42 | 2. Right click > New...
 43 | 3. Name: **Server 2016**
 44 | 4. Click Add
 45 |   1. Namespace: **root\CIMv2**
 46 |   2. Query: **select * from Win32_OperatingSystem where Name like "%Server 2016%"**
 47 | 
 48 | # Windows 10
 49 | 
 50 | ##  Win 10 Admin Templates
 51 | 
 52 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - Admin Templates**.
 53 | 
 54 | ***Computer Configuration > Policies > Administrative Templates***
 55 | 
 56 | Create each of the policies.
 57 | 
 58 | Close the policy window.
 59 | 
 60 | On the scope tab:
 61 | * Ensure the Link to the Computers OU is Enabled.  
 62 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
 63 | * Apply the **Windows 10** WMI Filter
 64 | 
 65 | On the Details tab:
 66 | * Set GPO status to: **User configuration settings disabled**
 67 | 
 68 | ## Win 10 - Security Settings
 69 | 
 70 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - Security Settings**.
 71 | 
 72 | ***Computer Configuration > Policies > Windows Settings > Security Settings***
 73 | 
 74 | Create each of the policies.
 75 | 
 76 | Close the policy window.
 77 | 
 78 | On the scope tab:
 79 | * Ensure the Link to the Computers OU is Enabled.  
 80 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
 81 | * Apply the **Windows 10** WMI Filter
 82 | 
 83 | On the Details tab:
 84 | * Set GPO status to: **User configuration settings disabled**
 85 | 
 86 | ## Win 10 - System Services
 87 | 
 88 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - System Services**.
 89 | 
 90 | ***Computer Configuration > Policies > Windows Settings > Security Settings > System Services***
 91 | 
 92 | Create each of the policies.
 93 | 
 94 | Close the policy window.
 95 | 
 96 | On the scope tab:
 97 | * Ensure the Link to the Computers OU is Enabled.  
 98 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
 99 | * Apply the **Windows 10** WMI Filter
100 | 
101 | On the Details tab:
102 | * Set GPO status to: **User configuration settings disabled**
103 | 
104 | ## Win 10 - User Rights Assignment
105 | 
106 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - System Services**.
107 | 
108 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment***
109 | 
110 | Create each of the policies.
111 | 
112 | Close the policy window.
113 | 
114 | On the scope tab:
115 | * Ensure the Link to the Computers OU is Enabled.  
116 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
117 | * Apply the **Windows 10** WMI Filter
118 | 
119 | On the Details tab:
120 | * Set GPO status to: **User configuration settings disabled**
121 | 
122 | ## Win 10 - Windows Firewall
123 | 
124 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - System Services**.
125 | 
126 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security***
127 | 
128 | Create each of the policies.
129 | 
130 | Close the policy window.
131 | 
132 | On the scope tab:
133 | * Ensure the Link to the Computers OU is Enabled.  
134 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
135 | * Apply the **Windows 10** WMI Filter
136 | 
137 | On the Details tab:
138 | * Set GPO status to: **User configuration settings disabled**
139 | 
140 | ## Users
141 | 
142 | Create a new GPO on the DOMAIN.COM\Company\Users OU called **Security - CIS Baseline - Users**.
143 | 
144 | ***User Configuration > Policies***
145 | 
146 | Create each of the policies.
147 | 
148 | Close the policy window.
149 | 
150 | On the scope tab:
151 | * Ensure the Link to the Users OU is Enabled.  
152 | * Ensure **Authenticated Users** is targeted from the **Security Filtering**.
153 | * Ensure there are no WMI filters applied.
154 | 
155 | On the Details tab:
156 | * Set GPO status to: **Computer configuration settings disabled**
157 | 
158 | # Server 2016
159 | 
160 | Repeat all the above steps, but name the GPOs **Security - CIS Baseline - Server 2016 - <whatever>** Instead of **Win 10**.
161 | Apply the **Server 2016** WMI filter to each, rather than the **Windows 10** WMI filter.
162 | 
163 | ***NOTE!*** *Serious consideration should go into developing a dedicated Baseline for Domain Controllers as they will have different security requirements than a member server.*
164 | 


--------------------------------------------------------------------------------
/xx - BitLocker/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | BitLocker is drive encryption software. Configuring BitLocker includes setting up the backend policies, then manually enabling BitLocker on the device.  That is, unless you deploy an MBAM server in your environment.  That process is outside the scope of this document as it has been [fully documented on TechNet]https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/deploying-the-mbam-25-server-infrastructure).
  3 | 
  4 | ## Configure AD
  5 | 1. [Download the BitLocker scripts](https://technet.microsoft.com/en-us/library/dn466534.aspx#Sample#scripts) to your DC.
  6 | 2. On the DC, run CMD as administrator
  7 | 	```
  8 | 	C:\ >cscript Add-TPMSelfWriteACE.vbs
  9 | 	Microsoft (R) Windows Script Host Version 5.812
 10 | 	Copyright (C) Microsoft Corporation. All rights reserved.
 11 | 
 12 | 	Accessing object: DC=DOMAIN,DC=COM
 13 | 	SUCCESS!
 14 | 	```
 15 | 3. Delegate msTPM-OwnerInformation
 16 | 	1. Open ADUC
 17 | 	2. Navigate to the OU where all your Workstations are stored
 18 | 	3. Right Click on it > Delegate Control...
 19 | 	4. Click Next on the welcome screen
 20 | 	5. Click Add... button
 21 | 	6. Type SELF, hit the Check Names button, and click OK
 22 | 	7. Click Next
 23 | 	8. Click Create a custom task to delegate and click Next
 24 | 	9. Check Only the following objects in the folder, check Computer Objects, click next
 25 | 	10. Check Property-specific, scroll down and find Write msTPM-OwnerInformation and click Next
 26 | 	11. Click Finish
 27 | 
 28 | ## Add the MBAM Files to your Central Store
 29 | [Learn more about what a Central Store is](https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).  You should be using it.
 30 | 
 31 | [Download the MDOP Policy Templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531), and move ONLY the MBAM template files to your central store.  [Click here](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/copying-the-mbam-25-group-policy-templates) to learn how.
 32 | 
 33 | * BitLockerManangent.adml and BitLockerUserManagement.adml go into the \\Domain.com\SYSVOL\DOMAIN.COM\Policies\PolicyDefinitions\en-us directory.
 34 | * BitLockerManangent.admx and BitLockerUserManagement.admx go into the \\Domain.com\SYSVOL\DOMAIN.COM\Policies\PolicyDefinitions directory.
 35 | 
 36 | 
 37 | ## Configure Group Policy
 38 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - AppLocker - PAW** with the following settings:
 39 | 
 40 | ***Computer Configuration > Policies > Admin Templates > System > Trusted Platform Module Services***
 41 | * Configure the system to use legacy Dictionary Attack Prevention Parameters settings for TPM 2.0: **Enabled**
 42 | * Standard User individual lockout threshold: **Enabled**
 43 | 	* Maximum number of authentication failures per duration: **5**
 44 | * Standard user lockout duration: **Enabled**
 45 | 	* Duration for counting TPM authorization failures (minutes): **2**
 46 | * Standard user total lockout threshold: **Enabled**
 47 | 	Maximum number of authorization failures per duration: **5**
 48 | 
 49 | ***Computer Configuration > Policies > Admin Templates > Windows Components > BitLocker Drive Encryption***
 50 | * Chose drive encryption method...Windows 10 1511 and later: **Enabled**
 51 | 	* Select the encryption method of OS drives: **XTS-AES 256-bit**
 52 | 	* Select the encryption method of fixed data drives: **XTS-AES 256-bit**
 53 | 	* Select the encryption method of Removable data drives: **AES-CBC 256-bit**
 54 | * Choose drive encryption method...Windows 8...Windows 10 1507: **Enabled**
 55 | 	* Select the encryption method: **AES 256-bit**
 56 | * Disable new DMA devices when this computer is locked: **Enabled**
 57 | 
 58 | ***NOTE***: *If you enable the above, your Wireless NIC may fail to enable on boot up.  This is a known issue [Microsoft has outlined here](https://support.microsoft.com/en-us/help/4057300/devices-not-working-before-log-on-a-computer-running-windows-10-1709).  If you update all your drivers and firmware and still have this issue, I would recommend disabling the setting until your vendor releases a new patch.*
 59 | 
 60 | * Store BitLocker recovery information in AD: **Enabled**
 61 | 	* Require BitLocker backup to AD DS: **Enabled**
 62 | 
 63 | ***Computer Configuration > Policies > Admin Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives***
 64 | * Configure use of hardware encryption for fixed data drives: **Enabled**
 65 | 	* Use BitLocker software-based encryption whn hardware encryption not available: **Enabled**
 66 | 	* Restrict encryption algorithm... **Disabled**
 67 | 	* Restrict crypto...: **(Keep default settings)**
 68 | * Enforce drive encryption type on fixed data drives: **Enabled**
 69 | 	* Select the encryption type: **Full encryption**
 70 | 
 71 | ***Computer Configuration > Policies > Admin Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives***
 72 | * Configure use of hardware encryption for fixed data drives: **Enabled**
 73 | 	* Use BitLocker software-based encryption whn hardware encryption not available: **Enabled**
 74 | 	* Restrict encryption algorithm... **Disabled**
 75 | 	* Restrict crypto...: **(Keep default settings)**
 76 | * Configure use of smart cards on removable data drives: **Enabled**
 77 | 	* Require...: **Disabled** (We don't use smart cards)
 78 | * Enforce drive encryption type on removable data drives: **Enabled**
 79 | 	* Select the encryption type: **Full encryption**
 80 | 
 81 | ### If you do not see the following GPO Paths, it is because you did not import the MBAM policy templates into your central store and refresh GPMC.
 82 | 
 83 | NOTE: Many of the following settings will already be configured based upon the settings you made above.
 84 | 
 85 | ***Computer Configuration > Policies > Admin Templates > Windows Components > MDOP MBAM***
 86 | * Choose drive encryption method: **Enabled**
 87 | 	* Select: AES 256-bit
 88 | 
 89 | ***Computer Configuration > Policies > Admin Templates > Windows Components > MDOP MBAM > Client Management***
 90 | * Configure customer experience improvement program: **Disabled**
 91 | * Configure MBAM Services: **Enabled**
 92 | 	* MBAM recovery service endpoint: **https://server.domain.com:443/MBAMRecoveryAndHardwareService/CoreService.svc**
 93 | 	* Select BitLocker recovery information to store: **Recovery password and key package**
 94 | 	* Enter client checking status frequency in (minutes): **90**
 95 | 	* Configure MBAM status reporting service: **Enabled**
 96 | 	* MBAM status reporting service endpoint: **https://server.domain.com:443/MBAMComplianceStatusService/StatusReportingService.svc**
 97 | 	* Enter status report frequency in (minutes): **90**
 98 | 
 99 | ***Computer Configuration > Policies > Admin Templates > Windows Components > MDOP MBAM > Fixed Drive***
100 | * Allow access to BitLocker-protected fixed data...: **Disabled**
101 | * Choose how BitLocker -protected fixed drives can be recovered: **Enabled**
102 | 	* Allow data recovery agent: **Enabled**
103 | 	* Configure user storage...: **Allow 48-digit recovery password** and **Allow 256-bit recovery key**
104 | 	* Omit recovery options...: **Enabled**
105 | 	* Save BitLocker recovery information to AD: **Enabled**
106 | 	* Configure storage of BitLocker...: **Backup recovery passwords and key packages**
107 | 	* Do not enable BitLocker until... **Enabled**
108 | * Encryption Policy enforcement settings: **Enabled**
109 | 	* Configure the number...: **3**
110 | * Fixed data drive encryption settings: **Enabled**
111 | 	* Configure auto-unlock...: **Allow auto-unlock**
112 | 
113 | ***Computer Configuration > Policies > Admin Templates > Windows Components > MDOP MBAM > Operating System Drive***
114 | * Allow enhanced PINs for startups: **Enabled**
115 | 	* Require ACSII only PINS: **Checked**
116 | * Choose how BitLocker -protected OS drives can be recovered: **Enabled**
117 | 	* Allow data recovery agent: **Enabled**
118 | 	* Configure user storage...: **Allow 48-digit recovery password** and **Allow 256-bit recovery key**
119 | 	* Omit recovery options...: **Enabled**
120 | 	* Save BitLocker recovery information to AD: **Enabled**
121 | 	* Configure storage of BitLocker...: **Backup recovery passwords and key packages**
122 | 	* Do not enable BitLocker until... **Enabled**
123 | * Configure the use of passwords for Operating System Drives: **Disabled**
124 | * Encryption Policy enforcement settings: **Enabled**
125 | 	* Configure the number...: **3**
126 | * Operating System drive encryption settings: **Enabled**
127 | 	* Allow BitLocker without a compatible TPM: **Disabled**
128 | 	* Select protector for OS drives:  **TPM and PIN**
129 | 	* Configure minimum PIN length for startup: **7**
130 | 
131 | ***Computer Configuration > Policies > Admin Templates > Windows Components > MDOP MBAM > Removable Drive***
132 | * Allow access to BitLocker-protected removable data...: **Disabled**
133 | * Choose how BitLocker -protected removable drives can be recovered: **Enabled**
134 | 	* Allow data recovery agent: **Enabled**
135 | 	* Configure user storage...: **Allow 48-digit recovery password** and **Allow 256-bit recovery key**
136 | 	* Omit recovery options...: **Enabled**
137 | 	* Save BitLocker recovery information to AD: **Enabled**
138 | 	* Configure storage of BitLocker...: **Backup recovery passwords and key packages**
139 | 	* Do not enable BitLocker until... **Enabled**
140 | * Configure use of passwords for removable data drives: **Disabled**
141 | * Deny write access to removable drives not protected by BitLocker: **Enabled**
142 | 	* Deny write access to devices configured in another organization: **Disabled**
143 | 
144 | ## Configure Domain Controllers
145 |          
146 | Install the Bitlocker Drive Encryption Feature on your DCs
147 | 
148 | 1. In Server Manager > Add Roles and Features
149 | 2. Go through the Wizard to the Features page, and add the BitLocker Drive Encryption feature
150 | 3. Finish
151 | 
152 | ## Configure Pre-Existing Encrypted Clients (if applicable)
153 |          
154 | Push existing BitLocker protected machines to AD (OPTIONAL)
155 | 
156 | 1. On the client machine, open CMD as administrator, and run the following command:
157 |          
158 | 	```
159 | 	C:\> Manage-bde -protectors -adbackup c: -id {your numerical password ID}
160 | 	...
161 | 	Recovery information was successfully backed up to Active Directory.
162 | 	```
163 | 
164 | 2. Verify in ADUC, find the computer, Right click > properties > BitLocker Recovery
165 | 


--------------------------------------------------------------------------------
/xx - Just enough Administration (JEA)/README.md:
--------------------------------------------------------------------------------
1 | Coming soon. Don't ask when.


--------------------------------------------------------------------------------
/xx - Just in Time Administration (JITA)/README.md:
--------------------------------------------------------------------------------
1 | Coming soon. Don't ask when.


--------------------------------------------------------------------------------
/xx - LAPS/README.md:
--------------------------------------------------------------------------------
 1 | ## What is this?
 2 | LAPS is an agent-based control designed to prevent Pass-the-hash attacks and other similar internal pivoting attacks.  It does this by automatically assigning a unique password to the local administrator account.  The password policy is configured via the Group Policy MMC snap-in.  The LAPS agent is installed via a scheduled task that calls a powershell script.  Read access to the passwords are delegated via Active Directory ACLs, much like NTFS permissions on a file share. Passwords are accessed via one of three ways:
 3 | 
 4 | 1. From the LAPS UI (installed on PAWs)
 5 | 2. From AD (object properties > Attribute Editor > find the LAPS password in the list)
 6 | 3. PowerShell
 7 | 
 8 | ***NOTE***: *Currently, there is no native way to access the LAPS password from a phone or other mobile device.  Normally, you could enable RDP on a workstation or jump-box with one of the three above tools, but this would break our clean-source principal so I do not recommend it or go over how to do this in this guide.*
 9 | 
10 | ## Aquare LAPS software
11 | The LAPS Software can be [downloaded here](https://www.microsoft.com/en-us/download/details.aspx?id=46899).
12 | 
13 | ## Step by step guide for deploying LAPS
14 | I'm not going to re-write what has already been written.  The point of this guide is to adapt your LAPS deployment to meet the security requirements for PAW deployment.  You can download a very thorough guide [here](https://encrypted.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwiFhqTc2djZAhVE5YMKHQ7TAKoQFggoMAA&url=https%3A%2F%2Fgallery.technet.microsoft.com%2FStep-by-Step-Deploy-Local-7c9ef772%2Ffile%2F150657%2F1%2FStep%2520by%2520Step%2520Guide%2520to%2520Deploy%2520Microsoft%2520LAPS.pdf&usg=AOvVaw1oFbhKjAgDhW8We0LLPNax).  The guide is also available in the file list above, just in case it ever gets taken off line.
15 | 
16 | ## Configuring AD Permissions
17 | When you get to the section titled, "How to configure Active directory for LAPS", you will deviate from the instruction and follow these instruction instead:
18 | 
19 | ### Create AD Groups
20 | Create the following AD groups under DOMAIN.COM/Company/Groups/SecurityGroups/LAPS-RBAC:
21 | * AD-Company-Computers-AllLocations-Servers-Tier1--LAPSPassword
22 | * AD-Company-Computers-AllLocations-WKS--LAPSPassword
23 | 
24 | ***NOTE***: The Tier 0 server's LAPS passwords will not need to be delegated to a specific group, since your Tier 0 Admin users are already a member of Domain Admins, which has full access to the LAPS password attribute.
25 | 
26 | ### Run the following PowerShell commands to set the ACLs
27 | ```powershell
28 | Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Tier1,OU=Servers,OU=Location1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM" -AllowedPrincipals AD-Company-Computers-AllLocations-Servers-Tier1--LAPSPassword
29 | Set-AdmPwdReadPasswordPermission -OrgUnit "OU=Workstations,OU=Location 1,OU=Computers,OU=Company,DC=DOMAIN,DC=COM" -AllowedPrincipals AD-UpWell-Computers-AllLocations-Workstations--LAPSPassword
30 | ```
31 | 
32 | Repeat as needed for your various locations throughout AD.  
33 | 
34 | ***NOTE***: *If you mess up and need to undo the permission, you can right click the OU > Properties > Security Tab > Advanced button.  There will be two ACLs you need to remove.*
35 | 
36 | ## Install the LAPS agent
37 | Follow the instruction in the section titled, "04 - Deploy Software to PAW" regarding LAPS.  The script above will also be found in that section.


--------------------------------------------------------------------------------
/xx - LAPS/Step by Step Guide to Deploy Microsoft LAPS.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - LAPS/Step by Step Guide to Deploy Microsoft LAPS.pdf


--------------------------------------------------------------------------------
/xx - LAPS/installLAPS.ps1:
--------------------------------------------------------------------------------
  1 | <#
  2 | .NOTES
  3 |     NAME: installLAPS.ps1
  4 |     AUTHOR: Rich Johnson
  5 |     EMAIL: rjohnson@upwell.com
  6 |     Change Log:
  7 |         2018-01-19 - Initial creation 
  8 |         
  9 | .SYNOPSIS
 10 |     Runs a task that installs the LAPS admin GUI on PAWs and registers the admpwd.dll file on all other clients.  We don't want the
 11 |     GUI on standard user workstations, so they only get the dll.
 12 |         General Tab
 13 |             - runas: SYSTEM (does not require 'run as highest privileges'
 14 |         Actions Tab
 15 |             - Program/script: powershell.exe
 16 |             - Arguments: -executionpolicy bypass -command \\server\share\installLAPS.ps1 <org>
 17 | .DESCRIPTION 
 18 |     What does this script do?
 19 |     - Checks to see if the LAPS dll is registered.  If not, it registers it.
 20 |     - If the computer is a PAW, it installs the LAPS GUI tool to C:\Program Files\LAPS
 21 |     What do I need to do?
 22 |     - Read the LAPS Administration guide which will walk you through extending your AD schema and setting permissions in AD for users to read your LAPS passwords
 23 |     - Download the LAPS files, extract them, and place them on a network share
 24 |     - Search this script for <changeme> and replace it with the required data.
 25 | 
 26 | .PARAMETER location
 27 |     No parameters required
 28 | 
 29 | .Example
 30 |     >.\installLAPS
 31 |     This will install the client on a Draper workstation
 32 | #>
 33 | 
 34 | ############
 35 | # Functions
 36 | ############
 37 | 
 38 | # All actions are logged by calling this function
 39 | function logging ($level, $text) {
 40 |     if ($debug -ne "on" -and $level -eq "D") {
 41 |         return
 42 |     }
 43 |     $timeStamp = get-date -Format "yyyy-MM-dd HH:mm:ss.fff"
 44 | 
 45 |     if ($blurb -ne "yes") {
 46 |         # Override the existing log file so it does not grow out of control
 47 |         Write-Output "$timeStamp I New log created" > $logLocation
 48 |         $script:blurb = "yes"
 49 |     }
 50 |     Write-Output "$timeStamp $level $text" >> $logLocation
 51 | }
 52 | 
 53 | # Check if program is installed
 54 | function checkDllIsRegistered {
 55 |     if (Test-Path $dllPath\$file4) {
 56 |         $pathExists = $true
 57 |     }
 58 |     else {
 59 |         $pathExists = $false
 60 |     }
 61 |     logging "D" "pathExists: $pathExists"
 62 |     return $pathExists
 63 | }
 64 | 
 65 | # Install LAPS client
 66 | function installLapsClient {
 67 | 
 68 |     # Install the LAPS client
 69 |     #################################
 70 |     if(test-path $remoteFile4) {
 71 |         Copy-Item $remoteFile4 $localFile4 -Force
 72 |         if ($?) {
 73 |             logging "I" "Copied $remoteFile4 to $localFile4"
 74 | 
 75 |             # Register dll
 76 |             Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s $localFile4" -Wait
 77 |             if ($?) {
 78 |                 logging "I" "Successfully Registererd DLL."
 79 |             }
 80 |             else {
 81 |                 logging "E" "Failed to register DLL."
 82 |                 exit
 83 |             }
 84 |         }
 85 |         else {
 86 |             logging "E" "Failed to copy file!"
 87 |             exit
 88 |         }
 89 |     }
 90 |     else {
 91 |         logging "E" "$remoteFile4 does not exist!  Check your network connection."
 92 |         exit
 93 |     }
 94 | }
 95 | 
 96 | # Install LAPS GUI
 97 | function installLapsGUI {
 98 | 
 99 |     # Copy some extra files in order to make the GUI work correctly for PAW users
100 |     ############################################################################
101 |     logging "I" "Computer is a PAW."
102 | 
103 |     if ((Test-Path $remoteFile2) -and (Test-Path $remoteFile3)) {
104 |         
105 |         if (!(Test-Path $localPath)) {
106 |             # Create the directory where the subsequint files will go
107 |             [void](New-Item $localPath -ItemType Directory)
108 |             if ($?) {
109 |                 logging "I" "Created $localPath."
110 |             }
111 |             else {
112 |                 logging "E" "Failed to create $localPath."
113 |             }
114 |         }
115 |         
116 |         if (!(Test-Path $localFile2)) {
117 |             # Copy the AdmPwd.Utils.dll file to the LAPS directory
118 |             Copy-Item $remoteFile2 $localFile2 -Force -Recurse
119 |             if ($?) {
120 |                 logging "I" "Copied $remoteFile2 to $localFile2"
121 |             }
122 |             else {
123 |                 logging "E" "Failed to Copy $remoteFile2 to $localFile2"
124 |             }
125 |         }
126 |         else {
127 |             logging "I" "$localFile2 already exists."
128 |         }
129 |         
130 |         if (!(Test-Path $localFile3)) {
131 |             # Copy the AdmPwd.UI.exe file to the LAPS directory
132 |             Copy-Item $remoteFile3 $localFile3 -Force -Recurse
133 |             if ($?) {
134 |                 logging "I" "Copied $remoteFile3 to $localFile3"
135 |             }
136 |             else {
137 |                 logging "E" "Failed to Copy $remoteFile3 to $localFile3"
138 |             }
139 |         }
140 |         else {
141 |             logging "I" "$localFile2 already exists."
142 |         }
143 |     }
144 |     else {
145 |         logging "E" "Could not access $remoteFile2 or $remoteFile3."
146 |     }
147 | }
148 | 
149 | ######################
150 | # Set global variables
151 | ######################
152 | 
153 | # Location where this script will log to
154 | # This is different than the msiexec installation log file, which you specify in the install command
155 | $logLocation = "c:\programdata\installLAPS.txt"
156 | 
157 | # Turn this to on if you want additional debug logging.  Off will overwrite On if you uncomment the <debug = "off"> line.
158 | # Debug logging will show you the value of all variables so you can see if varable logic problems exist
159 | $debug = "on"
160 | #$debug = "off"
161 | 
162 | # Computer Name
163 | $computerName = $env:computername
164 | logging "D" "computername: $computername"
165 | 
166 | # Distinguished Name - cant use the activedirectory module, as all computers in the domain do not have this installed
167 | $filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$computerName))"
168 | $dn = ([adsisearcher]$filter).FindOne().Properties.distinguishedname
169 | logging "D" "dn: $dn"
170 | 
171 | # Set the name of the file server.  For example: $fileServer = "serverdfs01"
172 | $fileServer = "<changeme>"
173 | 
174 | # Set the path to the file share where the install files and logs exist
175 | $remotePath = "\\$fileServer\share\LAPS"
176 | logging "D" "remotePath: $remotePath"
177 | 
178 | # Set the install directory
179 | $localPath = "C:\Program Files\LAPS"
180 | logging "D" "localPath: $localPath"
181 | 
182 | # Set the DLL path
183 | $dllPath = "C:\Windows\system32"
184 | logging "D" "dllPath: $dllPath"
185 | 
186 | # Files that need to be copied over, both the full path to the remote file and full path to local file
187 | #$file1 = "AdmPwd.Utils.config"
188 | $file2 = "AdmPwd.Utils.dll"
189 | $file3 = "AdmPwd.UI.exe"
190 | $file4 = "AdmPwd.dll"
191 | $remoteFile2 = "$remotePath\$file2"
192 | $remoteFile3 = "$remotePath\$file3"
193 | $remoteFile4 = "$remotePath\$file4"
194 | $localFile1 = "$localPath\$file1"
195 | $localFile2 = "$localPath\$file2"
196 | $localFile3 = "$localPath\$file3"
197 | $localFile4 = "$dllPath\$file4"
198 | 
199 | #########
200 | # ACTION!
201 | #########
202 | 
203 | try {
204 |         
205 |     # TODO actually search the registry for the DLL name rather than seeing if it's copied to the local machine
206 |         
207 |     # Check if c:\windows\sytem32\admpwd.dll exists
208 |     if (checkDllIsRegistered) {
209 |         # DLL exists
210 |         logging "I" "LAPS client is already installed."
211 |     }
212 |     else {
213 |         logging "I" "LAPS client is not currently installed."
214 | 
215 |         # Install client
216 |         installLapsClient
217 |             
218 |         # Confirm client was installed successfully
219 |         if (checkDllIsRegistered) {
220 |             logging "I" "LAPS client was successfully installed."
221 |         }
222 |         else {
223 |             logging "E" "Failed to install LAPS client."
224 |         }
225 |     }
226 | 
227 |     # Install GUI if device is a PAW
228 |     if ($dn -like "*,OU=PAW,*") {
229 |         installLapsGUI
230 |     }
231 | }
232 | catch {
233 |     $line = $_.InvocationInfo.ScriptLineNumber
234 |     logging "E" "Caught exception: $($Error[0]) at line $line"
235 | }
236 | finally {
237 |     logging "I" "Exiting script."
238 | }


--------------------------------------------------------------------------------
/xx - UAC Settings/README.md:
--------------------------------------------------------------------------------
 1 | ## What is this?
 2 | Most of your UAC settings will be inherited from your baseline GPOS (e.g., STIG or CIS).  There is one thing we need to make an over-ride for, however.  By default, the following UAC setting is applied:
 3 | 
 4 | ***Computer Configuration > Policies > Windows Settings > Local Policies > Security Options***
 5 | * User Account Control: Behavior of the elevation prompt for standard users: **Automatically deny elevation requests**
 6 | 
 7 | We will want to be able to elevate as admin on our PAWs.  Therefore, we need an override policy.
 8 | 
 9 | ## Override Policy
10 | 
11 | Create a new GPO on the DOMAIN.COM\Company\Users\PAW Accounts OU called **Security - UAC - PAW** with the following settings:
12 | 
13 | ***Computer Configuration > Policies > Windows Settings > Local Policies > Security Options***
14 | * User Account Control: Behavior of the elevation prompt for standard users: **Prompt for credentials on the secure desktop**
15 | 
16 | Close the policy window.
17 | 
18 | On the scope tab:
19 | * Ensure the Link to the Computers OU is Enabled.  
20 | * Remove **Authenticated Users** from the **Security Filtering** section and add **PAW-AllPAWComputers**.
21 | * Ensure there is no WMI filter applied
22 | 
23 | On the Details tab:
24 | * Set GPO status to: **User configuration settings disabled**
25 | 
26 | On the Delegation tab:
27 | * Add **Authenticated Users** and give it READ permissions.


--------------------------------------------------------------------------------
/xx - User Proxy/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | To maintain the Clean Source Principal, you must deny PAW users full Internet access, and ensure that wherever they are, they only have limited access to the domains they need in order to do their job from the PAW machine.  We can do that by enforcing all domains not specified in a whitelist to point to a proxy server that doesn't exist on the PAW.
  3 | 
  4 | ***Note***: *Even though you login with the same user on both the PAW and the day-to-day VM, this process does not affect your user's proxy settings on the VM.  It will still have full access to the Internet.  We address this issue below by using Group Policy's loopback Processing.*
  5 | 
  6 | ## Proxy.pac
  7 | Download the proxy.pac file above and make any changes or additions that will suite your needs.  Store it on a web server that is accessible to the whole Internet.  Your PAWs will need to be able to access this if they leave the office.
  8 | 
  9 | ***NOTE***: *I recommend hosting the file on a local file server, then syncing it up to your web server.*
 10 | 
 11 | ## Configure Proxy settings via GPO
 12 | 
 13 | Create a new GPO on the DOMAIN.COM\Company\Users\PAW Accounts OU called **Security - Proxy - PAW Users** with the following settings:
 14 | 
 15 | ***User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer***
 16 | * Disable changing Automatic Configuration settings: **Enabled**
 17 | * Prevent changing proxy settings: **Enabled**
 18 | 
 19 | ***User Configuration > Preferences > Windows Settings > Registry***
 20 | 
 21 | ### ProxyEnable
 22 | Right click > New
 23 | * Hive: **HKEY_CURRENT_USER**
 24 | * KeyPath: **Software\Microsoft\Windows\CurrentVersion\Internet Settings**
 25 | * Default: **unchecked**
 26 | * Value name: **ProxyEnable**
 27 | * Value type: **REG_DWORD**
 28 | * Value Data: **00000001**
 29 | * Base: **Hexadecimal**
 30 | 
 31 | Common tab
 32 | * Remove this item when it is no longer applied: **checked**
 33 | * Item-level targeting
 34 | 	* Click **Add Collection**
 35 | 	* Click **New item > Security Group**
 36 | 	* Select the **DOMAIN\PAW-AzureAdmins** group
 37 | 	* Highlight the group and click **Item Options > Is Not**
 38 | 	* Click **New item > Security Group**
 39 | 	* Select the **DOMAIN\PAW-Users** group
 40 | 	* Move both of these items under **this collection is true**
 41 | 	* Click OK twice
 42 | 
 43 | It should look like this:
 44 | ```
 45 | This collection is true
 46 | 	the user is not a member of the security group DOMAIN\PAW-AzureAdmins
 47 | 	AND the user is a member of the security group DOMAIN\PAW-Users
 48 | ```
 49 | 
 50 | ### ProxyServer
 51 | Right click > New
 52 | * Hive: **HKEY_CURRENT_USER**
 53 | * KeyPath: **Software\Microsoft\Windows\CurrentVersion\Internet Settings**
 54 | * Default: **unchecked**
 55 | * Value name: **ProxyServer**
 56 | * Value type: **REG_SZ**
 57 | * Value Data: **127.0.0.1:80**
 58 | 
 59 | Common tab
 60 | * Remove this item when it is no longer applied: checked
 61 | * Item-level targeting
 62 | 	* Click **Add Collection**
 63 | 	* Click **New item > Security Group**
 64 | 	* Select the **DOMAIN\PAW-AzureAdmins** group
 65 | 	* Highlight the group and click **Item Options > Is Not**
 66 | 	* Click **New item > Security Group**
 67 | 	* Select the **DOMAIN\PAW-Users** group
 68 | 	* Move both of these items under **this collection is true**
 69 | 	* Click OK twice
 70 | 
 71 | It should look like this:
 72 | ```
 73 | This collection is true
 74 | 	the user is not a member of the security group DOMAIN\PAW-AzureAdmins
 75 | 	AND the user is a member of the security group DOMAIN\PAW-Users
 76 | ```
 77 | 
 78 | ***User Configuration > Preferences > Control Panel Settings > Internet Settings > New > Internet Explorer 10***
 79 | Right click > New > Internet Explorer 10 > Connection Tab > LAN Settings
 80 | * Automatically detect settings: **Checked**
 81 | * Address: **http://<your url>/proxy.pac**
 82 | * Use a proxy server for your LAN: **checked**
 83 | * Address: **127.0.0.1**
 84 | * Port: **80**
 85 | 
 86 | Click *Advanced...*
 87 | * HTTP: **127.0.0.1 : 80**
 88 | * Exceptions
 89 | * Use the same proxy for all protocols: **Checked**
 90 | 
 91 | You need to put all the same URLs from your proxy.pac into this box, separated by a ***;***
 92 | 
 93 | ```
 94 | *.aspnetcdn.com;*.aadrm.com;*.appex.bing.com;*.appex-rf.msn.com;*.assets-yammer.com;*.azure.com;*.azurecomcdn.net;*.cloudappsecurity.com;*.c.bing.com;*.gfx.ms;*.live.com;*.live.net;*.lync.com;maodatafeedsservice.cloudapp.net;*.microsoft.com;*.microsoftonline.com;*.microsoftonline-p.com;*.microsoftonline-p.net;*.microsoftonlineimages.com;*.microsoftonlinesupport.net;ms.tific.com;*.msecnd.net;*.msedge.net;*.msft.net;*.msocdn.com;*.onenote.com;*.outlook.com;*.office365.com;*.office.com;*.office.net;*.onmicrosoft.com;partnerservices.getmicrosoftkey.com;*.passport.net;*.phonefactor.net;*.s-microsoft.com;*.s-msn.com;*.sharepoint.com;*.sharepointonline.com;*.s-msn.com;spoprod-a.akamaihd.net;*.symcb.com;*.yammer.com;*.yammerusercontent.com;*.verisign.com;*.windows.com;*.windows.net;*.windowsazure.com;*.windowsupdate.com;*.upwell.com;*.alliancehealth.com;*.ingrammed.com;ingrammedical.com;*.lync.com;*.cqd.lync.com;*.infra.lync.com;*.online.lync.com;*.resources.lync.com;*.config.skype.com;*.skypeforbusiness.com;*.pipe.aria.microsoft.com;config.edge.skype.com;pipe.skype.com;s-0001.s-msedge.net;s-0004.s-msedge.net;*.azureedge.net;*.sfbassets.com;*.urlp.sfbassets.com;skypemaprdsitus.trafficmanager.net;quicktips.skypeforbusiness.com;swx.cdn.skype.com;*.api.skype.com;*.users.storage.live.com;skypegraph.skype.com;*.broadcast.skype.com;broadcast.skype.com;browser.pipe.aria.microsoft.com;aka.ms;amp.azure.net;*.keydelivery.mediaservices.windows.net;*.msecnd.net;*.streaming.mediaservices.windows.net;ajax.aspnetcdn.com;mlccdn.blob.core.windows.net;crl.godaddy.com
 95 | ```
 96 | 
 97 | Click OK
 98 | 
 99 | Back on the *LAN Settings* screen, click *F5* to underline each field with a green line.  See [this site](https://blogs.technet.microsoft.com/grouppolicy/2008/10/13/red-green-gp-preferences-doesnt-work-even-though-the-policy-applied-and-after-gpupdate-force/) for details on what this means.
100 | 
101 | Click OK twice
102 | 
103 | Close the policy window.
104 | 
105 | On the scope tab:
106 | * Link this GPO to all the OUs that contain PAW computers (Company\Computers\Corporate\LocationA\PAW)
107 | * Ensure the Link to the PAW Accounts OU is Enabled.
108 | * Ensure **Authenticated Users** shows up under *Security Filtering*.
109 | * Ensure there is no WMI filter applied
110 | 
111 | On the Details tab:
112 | * Set GPO status to: **Computer configuration settings disabled**
113 | 
114 | ## Loopback Processing
115 | 
116 | The above steps will affect only the Tier 0/1/2 admin account no matter what machine they log into.  This is needed for when admins login to servers and attempt to browse the web, which would break the *Clean Source Principal*.  Since we don't actually use any of the PAW admin accounts when we log into our PAWs, we somehow need to apply the policy to the PAW computer objects.  How do we do this when the GPO is a user based policy (i.e., all the settings are under User configuration)?  Answer: loopback processing.
117 | 
118 | In short, loopback processing allows us to take settings that are configured for users and apply them to ANY user that logs into a specific machine.  In our case, we want to apply proxy settings to any user that logs into a PAW.
119 | 
120 | Create a new GPO on the DOMAIN.COM\Company\Computers\ ... \PAW OU called **Configuration - Loopback processing** with the following settings:
121 | 
122 | ***Computer Configuration > Policies > Administrative Templates > System > Group Policy***
123 | * Configure user group policy loopback processing mode: **Enabled**
124 | 	* Mode: **Merge**
125 | 
126 | Close the policy window.
127 | 
128 | On the scope tab:
129 | * Ensure the Link to the PAW Computer OU is Enabled.
130 | * Ensure **Authenticated Users** shows up under *Security Filtering*.
131 | * Ensure there is no WMI filter applied
132 | 
133 | On the Details tab:
134 | * Set GPO status to: **User configuration settings disabled**
135 | 
136 | ## Knowing what URLs to exempt from the Proxy
137 | You must understand that in many cases, you cannot simply add each domain you see to the whitelist and have it work every time.  Sometimes a website depends on resources hosted under a different domain.  Visit the website in a browser that is unaffected by the proxy and open Developer Tools (default Ctrl+Shift+i).  In Chrome, go to the *Sources* tab.  In Firefox, go to the *Debugger* tab.   You must get good at identifying advertising domains and ***NOT*** add these to your lists.  That is outside the scope of this article.  
138 | 
139 | ## Additional Resources and information
140 | For more information on Loopback processing:
141 | * [Loopback processing of Group Policy](https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy)
142 | * [Sometimes learning by video is better](https://www.youtube.com/watch?v=2bZGMtOCXN0)
143 | 
144 | For more information on proxy.pac formatting and making your own custom rules:
145 | * [findproxyforurl.com](http://findproxyforurl.com/example-pac-file/)
146 | * [Best practices for proxy.pac](https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/PAC_best_pract.aspx)
147 | * [More best practices](https://www.websense.com/content/support/library/web/v76/pac_file_best_practices/pac_file_best_practices.pdf)


--------------------------------------------------------------------------------
/xx - User Proxy/proxy.pac:
--------------------------------------------------------------------------------
  1 | function FindProxyForURL(url, host) {
  2 | 
  3 | // Company owned domains
  4 | if (shExpMatch(host, "*.domain1.com") ||
  5 | 	shExpMatch(host == "domain1.com") ||
  6 | 	shExpMatch(host, "*.domain2.com") ||
  7 | 	shExpMatch(host == "domain2.com") ||
  8 | 	shExpMatch(host, "*.domain3.com") ||
  9 | 	shExpMatch(host == "domain3.com") ||
 10 | 	shExpMatch(host, "*.domain4.com") ||
 11 | 	shExpMatch(host == "domain5.com"))
 12 | 	{ return "DIRECT"; }
 13 | 
 14 | // Do not proxy non-routable addresses (RFC 3300)
 15 | if (isInNet(hostIP, '0.0.0.0', '255.0.0.0') ||
 16 | 	isInNet(hostIP, '10.0.0.0', '255.0.0.0') ||
 17 | 	isInNet(hostIP, '127.0.0.0', '255.0.0.0') ||
 18 | 	isInNet(hostIP, '169.254.0.0', '255.255.0.0') ||
 19 | 	isInNet(hostIP, '172.16.0.0', '255.240.0.0') ||
 20 | 	isInNet(hostIP, '192.0.2.0', '255.255.255.0') ||
 21 | 	isInNet(hostIP, '192.88.99.0', '255.255.255.0') ||
 22 | 	isInNet(hostIP, '192.168.0.0', '255.255.0.0') ||
 23 | 	isInNet(hostIP, '198.18.0.0', '255.254.0.0') ||
 24 | 	isInNet(hostIP, '224.0.0.0', '240.0.0.0') ||
 25 | 	isInNet(hostIP, '240.0.0.0', '240.0.0.0'))
 26 | 	{ return 'DIRECT'; }
 27 |  
 28 | // Microsoft Domains
 29 | if (shExpMatch(host, "*.aspnetcdn.com") ||
 30 | 	shExpMatch(host, "*.aadrm.com") ||
 31 | 	shExpMatch(host, "*.appex.bing.com") ||
 32 | 	shExpMatch(host, "*.appex-rf.msn.com") ||
 33 | 	shExpMatch(host, "*.assets-yammer.com") ||
 34 | 	shExpMatch(host, "*.azure.com") ||
 35 | 	shExpMatch(host, "*.azurecomcdn.net") ||
 36 | 	shExpMatch(host, "*.cloudappsecurity.com") ||
 37 | 	shExpMatch(host, "*.c.bing.com") ||
 38 | 	shExpMatch(host, "*.gfx.ms") ||
 39 | 	shExpMatch(host, "*.live.com") ||
 40 | 	shExpMatch(host, "*.live.net") ||
 41 | 	shExpMatch(host, "*.lync.com") ||
 42 | 	shExpMatch(host, "maodatafeedsservice.cloudapp.net") ||
 43 | 	shExpMatch(host, "*.microsoft.com") ||
 44 | 	shExpMatch(host, "*.microsoftonline.com") ||
 45 | 	shExpMatch(host, "*.microsoftonline-p.com") ||
 46 | 	shExpMatch(host, "*.microsoftonline-p.net") ||
 47 | 	shExpMatch(host, "*.microsoftonlineimages.com") ||
 48 | 	shExpMatch(host, "*.microsoftonlinesupport.net") ||
 49 | 	shExpMatch(host, "ms.tific.com") ||
 50 | 	shExpMatch(host, "*.msecnd.net") ||
 51 | 	shExpMatch(host, "*.msedge.net") ||
 52 | 	shExpMatch(host, "*.msft.net") ||
 53 | 	shExpMatch(host, "*.msocdn.com") ||
 54 | 	shExpMatch(host, "*.onenote.com") ||
 55 | 	shExpMatch(host, "*.outlook.com") ||
 56 | 	shExpMatch(host, "*.office365.com") ||
 57 | 	shExpMatch(host, "*.office.com") ||
 58 | 	shExpMatch(host, "*.office.net") ||
 59 | 	shExpMatch(host, "*.onmicrosoft.com") ||
 60 | 	shExpMatch(host, "partnerservices.getmicrosoftkey.com") ||
 61 | 	shExpMatch(host, "*.passport.net") ||
 62 | 	shExpMatch(host, "*.phonefactor.net") ||
 63 | 	shExpMatch(host, "products.office.com")) ||
 64 | 	shExpMatch(host, "*.s-microsoft.com") ||
 65 | 	shExpMatch(host, "*.s-msn.com") ||
 66 | 	shExpMatch(host, "*.sharepoint.com") ||
 67 | 	shExpMatch(host, "*.sharepointonline.com") ||
 68 | 	shExpMatch(host, "*.s-msn.com") ||
 69 | 	shExpMatch(host, "*.symcb.com") ||
 70 | 	shExpMatch(host, "*.yammer.com") ||
 71 | 	shExpMatch(host, "*.yammerusercontent.com") ||
 72 | 	shExpMatch(host, "*.verisign.com") ||
 73 | 	shExpMatch(host, "*.windows.com") ||
 74 | 	shExpMatch(host, "*.windows.net") ||
 75 | 	shExpMatch(host, "*.windowsazure.com") ||
 76 | 	shExpMatch(host, "*.windowsupdate.com")	
 77 | 	{ return "DIRECT"; }
 78 | 
 79 | // Skype for Buisiness 
 80 | if (shExpMatch(host, "*.lync.com") ||
 81 | 	shExpMatch(host, "*.cqd.lync.com") ||
 82 | 	shExpMatch(host, "*.infra.lync.com") ||
 83 | 	shExpMatch(host, "*.online.lync.com") ||
 84 | 	shExpMatch(host, "*.resources.lync.com") ||
 85 | 	shExpMatch(host, "*.config.skype.com") ||
 86 | 	shExpMatch(host, "*.skypeforbusiness.com") ||
 87 | 	shExpMatch(host, "*.pipe.aria.microsoft.com") ||
 88 | 	shExpMatch(host, "config.edge.skype.com") ||
 89 | 	shExpMatch(host, "pipe.skype.com") ||
 90 | 	shExpMatch(host, "s-0001.s-msedge.net") ||
 91 | 	shExpMatch(host, "s-0004.s-msedge.net") ||
 92 | 	shExpMatch(host, "*.azureedge.net") ||
 93 | 	shExpMatch(host, "*.sfbassets.com") ||
 94 | 	shExpMatch(host, "*.urlp.sfbassets.com") ||
 95 | 	shExpMatch(host, "skypemaprdsitus.trafficmanager.ne") ||
 96 | 	shExpMatch(host, "quicktips.skypeforbusiness.com") ||
 97 | 	shExpMatch(host, "swx.cdn.skype.com") ||
 98 | 	shExpMatch(host, "*.api.skype.com") ||
 99 | 	shExpMatch(host, "*.users.storage.live.com") ||
100 | 	shExpMatch(host, "skypegraph.skype.com") ||
101 | 	shExpMatch(host, "*.broadcast.skype.com") ||
102 | 	shExpMatch(host, "broadcast.skype.com") ||
103 | 	shExpMatch(host, "browser.pipe.aria.microsoft.com") ||
104 | 	shExpMatch(host, "aka.ms") ||
105 | 	shExpMatch(host, "amp.azure.net") ||
106 | 	shExpMatch(host, "*.keydelivery.mediaservices.windows.net") ||
107 | 	shExpMatch(host, "*.msecnd.net") ||
108 | 	shExpMatch(host, "*.streaming.mediaservices.windows.net") ||
109 | 	shExpMatch(host, "ajax.aspnetcdn.com") ||
110 | 	shExpMatch(host, "mlccdn.blob.core.windows.net")) 
111 | 	{ return "DIRECT"; }
112 | 
113 | // Certificate CRL for exchange
114 | if (shExpMatch(host, "*.godaddy.com")) { return "DIRECT"; }
115 | 
116 | // DEFAULT RULE: All other traffic, use below proxy
117 | return "PROXY 127.0.0.2:8080";
118 | }


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/README.md:
--------------------------------------------------------------------------------
  1 | ## What is this?
  2 | We want to ensure that the only traffic entering a PAW is traffic we can verify comes from a source that is trusted.  This typically includes all equivalent Tier traffic and higher.  For example, a Tier 0 PAW should only allow inbound traffic from Tier 0 devices.  A Tier 1 PAW should only allow inbound traffic from Tier 1 device and Tier 0 devices.  It might even be said that the only traffic that should be allowed to all PAWs is authenticated traffic from Tier 0 devices only.  It depends on your environment.
  3 | 
  4 | To authenticate traffic means we must use IPSec to ensure traffic comes from specific devices and/or users.  This means simple inbound/outbound rules based on IP address or ports are out!
  5 | 
  6 | NOTE: It is outside the scope of this document to explain how IPSec works in Windows Firewall.  Go Google stuff.
  7 | 
  8 | ## What this guide will provide
  9 | This guide will help achieve the following:
 10 | 1. For all servers, configure a Windows Firewall baseline policy (adapted from the CIS baseline for Server 2016)
 11 | 2. On Domain Controllers, configure Domain Isolation policies
 12 | 3. On Tier 0 servers, configure Domain Isolation policies
 13 | 4. On Tier 1 servers, configure Domain Isolation policies
 14 | 5. On all workstations, configure a Windows Firewall baseline policy (adapted from the CIS baseline for Windows 10 1709)
 15 | 6. On all workstations, configure Domain Isolation policies
 16 | 7. On all PAWs, configure Domain Isolation policies
 17 | 8. Configure authentication exception policies for RADIUS
 18 | 9. Configure authentication exception policies for Certificate Authorities
 19 | 
 20 | 
 21 | Of course, there will be more things you will want to do in your production environment, but I am afraid if I share all the steps I take in my environment, it will not work in yours.  Instead, we will just build the above items, then I will refer you to several online resources.
 22 | 
 23 | # Word of Warning
 24 | 
 25 | ### Regarding Domain Controllers
 26 | It is important to know that IPSec rules can be configured to *require inbound/outbound authentication* or *request inbound/outbound authentication*.  If you require authentication on the domain controllers, you will most likely kill all network traffic to and from devices that are not joined to the domain.  Don't do this.  Ensure any policy that is set on the domain controllers is configured to *request inbound/outbound authentication* only.
 27 | 
 28 | ### Regarding Require vs. Request (on domain clients, member servers & workstations)
 29 | Due to the nature of how machines refresh group policy (randomly at 90-120 minute intervals) it is recommended that you set all your policies to request inbound and outbound authentication first.  If you set it to require first, it will be likely that machines will not have received the update and authentication will fail, effectively stopping network traffic.  Only after you have confirmed all machines are authenticating correctly, set the policies to require.  
 30 | 
 31 | Consider Require inbound and request outbound.  If you set it to require inbound and outbound, you wont be able to do much if you take your PAW off the corporate network.  In this case you could set require inbound and outbound on only the domain profile then request outbound on public/private profiles.  However, we will not be covering this in this guide.
 32 | 
 33 | ## 1. For all servers, configure a Windows Firewall baseline policy
 34 | 
 35 | Create a new GPO and link it to the DOMAIN.COM\Domain Controllers OU called **Security - CIS Baseline - Server 2016 - Windows Firewall** with the following settings:
 36 | 
 37 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
 38 | 
 39 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the "firewall_2016.wfw" configuration file.
 40 | 
 41 | ### What does this policy set?  
 42 | You will notice that there are no Inbound or Outbound rules, nor Connection Security Rules.  Instead, we are simply creating the baseline firewall properties found under the *Windows Firewall Properties* link.  
 43 | 
 44 | #### Under the *Domain Profile* tab, we set:
 45 | * Firewall State: **On (recommended)**
 46 | * Inbound connections: **Block (default)**
 47 | * Outbound connections: **Allow (default)**
 48 | * Settings > Customize ...
 49 |  	* Display a notification: **No**
 50 | 	* Allow unicast response: **Not configured**
 51 | 	* Apply local firewall rules: **Yes (default)** (Note: this will be over-ridden with the IPSec policy later.  This is simply a baseline.)
 52 | 	* Apply local connection security rules: **No**
 53 | * Logging > Customize ...
 54 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\domain.txt**
 55 | 	* Not configured: **unchecked**
 56 | 	* Size limit (KB): 16384
 57 | 	* Not configured: **unchecked**
 58 | 	* Log dropped packets: **Yes**
 59 | 	* Log successful connections: **Yes**
 60 | 
 61 | #### Under the *Private Profile* tab, we set:
 62 | * Firewall State: **On (recommended)**
 63 | * Inbound connections: **Block (default)**
 64 | * Outbound connections: **Allow (default)**
 65 | * Settings > Customize ...
 66 |  	* Display a notification: **No**
 67 | 	* Allow unicast response: **Not configured**
 68 | 	* Apply local firewall rules: **Yes (default)** (Note: this will be over-ridden with the IPSec policy later.  This is simply a baseline.)
 69 | 	* Apply local connection security rules: **No**
 70 | * Logging > Customize ...
 71 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\private.txt**
 72 | 	* Not configured: **unchecked**
 73 | 	* Size limit (KB): 16384
 74 | 	* Not configured: **unchecked**
 75 | 	* Log dropped packets: **Yes**
 76 | 	* Log successful connections: **Yes**
 77 | 
 78 | #### Under the *Public Profile* tab, we set:
 79 | * Firewall State: **On (recommended)**
 80 | * Inbound connections: **Block (default)**
 81 | * Outbound connections: **Allow (default)**
 82 | * Settings > Customize ...
 83 |  	* Display a notification: **No**
 84 | 	* Allow unicast response: **Not configured**
 85 | 	* Apply local firewall rules: **No** (Note: this will be over-ridden with the IPSec policy later.  This is simply a baseline.)
 86 | 	* Apply local connection security rules: **No**
 87 | * Logging > Customize ...
 88 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\public.txt**
 89 | 	* Not configured: **unchecked**
 90 | 	* Size limit (KB): 16384
 91 | 	* Not configured: **unchecked**
 92 | 	* Log dropped packets: **Yes**
 93 | 	* Log successful connections: **Yes**
 94 | 
 95 | Close the policy window.
 96 | 
 97 | On the scope tab:
 98 | * Ensure the Link to the **Domain Controllers** OU is Enabled.
 99 | * Ensure the Link to the **Computers** OU is Enabled.
100 | * Ensure **Authenticated Users** is listed under Security Filtering
101 | * Since this will be used to target all Server 2016 machines, you want a WMI filter that does exactly that:
102 | 
103 | Namespace: root\CIMv2
104 | Query: select * from Win32_OperatingSystem where Name like "%Server 2016%"
105 | 
106 | On the Details tab:
107 | * Set GPO status to: **User configuration settings disabled**
108 | 
109 | ## 2. On Domain Controllers, configure Domain Isolation policies
110 | 
111 | Create a new GPO and link it to the DOMAIN.COM\Domain Controllers OU called **Security - Firewall - IPSec - Domain Controllers** with the following settings:
112 | 
113 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
114 | 
115 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the "firewall_ipsec_dc.wfw" configuration file.
116 | 
117 | ### What does this policy set?  
118 | Under the *Windows Firewall Properties* link, we override several settings we set in the baseline.  Namely, under the *Domain and Private Profile > Settings > Customize ...* we set:
119 | * Apply local firewall rules: **No**
120 | 
121 | This forces you to set all inbound rules via group policy and effectively disables any default rules created.  Once this is set, navigate to *Inbound Rules* to see the rules we are creating.  
122 | 
123 | ***NOTE*** *These policies are best viewed from a Domain Controller.  Otherwise you may see things like* ***@ntdsmsg.dll*** *in the policy name.*
124 | 
125 | Ensure that management of the DCs is performed from Tier 0 PAWs, and all other inbound traffic is unauthenticated.  Review the Policies to ensure the correct groups are set in the *Authorized Users* and *Authorized Computers* fields of the IPSec rules (lock icon).
126 | 
127 | You can see there is only one setting under Connection Security Rules called **Computer and User - Request inbound and outbound**.  Double click on this rule to open the properties and click on the *Authentication* tab.  Notice it is configured to Request inbound and outbound, and applies to Users and Computers.  This allows us to use inbound/outbound rules that can target specific users/groups for computers and users.  Everything else is default.
128 | 
129 | Close the policy window.
130 | 
131 | On the scope tab:
132 | * Ensure the Link to the **Domain Controllers** OU is Enabled.
133 | * Ensure **Authenticated Users** is listed under Security Filtering
134 | * Ensure that **WMI Filtering** is set to **None**.
135 | 
136 | On the Details tab:
137 | * Set GPO status to: **User configuration settings disabled**
138 | 
139 | ## 3. On Tier 0 servers, configure Domain Isolation policies
140 | 
141 | Create a new GPO and link it to the DOMAIN.COM\Domain Controllers OU called **Security - Firewall - IPSec - Servers Tier 0** with the following settings:
142 | 
143 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
144 | 
145 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the "firewall_ipsec_tier0.wfw" configuration file.
146 | 
147 | ### What does this policy set?  
148 | Under the *Windows Firewall Properties* link, we override several settings we set in the baseline.  Namely, under the *Domain and Private Profile > Settings > Customize ...* we set:
149 | * Apply local firewall rules: **No**
150 | 
151 | Not all servers in a corporate network can force inbound authentication when remote hosts attempt to access resources on the server.  Here are a few examples:
152 | 
153 | * A mac client connects to a Windows file share (unless you are using something like Centrify)
154 | * A non-domain joined server (think DMZ) needs access to a domain resource
155 | * Contractors or guests that need internal resources like printers through the print servers
156 | * A standalone server that has a agent on it that communicates to the master server which is domain joined
157 | 
158 | Because of this, I find it best practice to not force inbound authentication.  But rather, request inbound and outbound and force inbound authentication on management protocols like RDP or WMI.  We do this be creating IPSec rules that require authentication over these management ports, and use standard inbound rules for everything else that is benign. In this GPO we have a small handful of rules that require authentication:
159 | 
160 | * Allow Tier 0 PAWs/admins -- Any: allows all traffic so long as it comes from a Tier 0 admin on a Tier 0 PAWs
161 | * Allow Tier 0 Servers -- Any: allows all traffic from Tier 0 server, regardless of who is logged in.  
162 | * Remote Desktop: allows any Tier 0 PAW to RDP regardless of who is logged in.  I have noticed sometimes RDP does not connect if I dont have this rule.  So it's more of a backup for when the top rule above fails.
163 | 
164 | And a handful of rules that do not require authentication.
165 | 
166 | Review the Policies to ensure the correct groups are set in the *Authorized Users* and *Authorized Computers* fields of the IPSec rules (lock icon).
167 | 
168 | You can see there is only one setting under Connection Security Rules called **Computer and User - Request inbound and outbound**.  Double click on this rule to open the properties and click on the *Authentication* tab.  Notice it is configured to Request inbound and outbound, and applies to Users and Computers.
169 | 
170 | Close the policy window.
171 | 
172 | On the scope tab:
173 | * Ensure the Link to the **Computers** OU is Enabled.
174 | * Ensure **All-Tier0-Servers** is listed under Security Filtering
175 | * Ensure that **WMI Filtering** is set to **None**.
176 | 
177 | On the Details tab:
178 | * Set GPO status to: **User configuration settings disabled**
179 | 
180 | On the Delegation tab:
181 | * Add **Authenticated Users** and give it READ permissions.
182 | 
183 | ## 4. On Tier 1 servers, configure Domain Isolation policies
184 | 
185 | Create a new GPO and link it to the DOMAIN.COM\Domain Controllers OU called **Security - Firewall - IPSec - Servers Tier 1** with the following settings:
186 | 
187 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
188 | 
189 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the "firewall_ipsec_tier1.wfw" configuration file.
190 | 
191 | ### What does this policy set?  
192 | Under the *Windows Firewall Properties* link, we override several settings we set in the baseline.  Namely, under the *Domain and Private Profile > Settings > Customize ...* we set:
193 | * Apply local firewall rules: **No**
194 | 
195 | Not all servers in a corporate network can force inbound authentication when remote hosts attempt to access resources on the server.  Here are a few examples:
196 | 
197 | * A mac client connects to a Windows file share (unless you are using something like Centrify)
198 | * A non-domain joined server (think DMZ) needs access to a domain resource
199 | * Contractors or guests that need internal resources like printers through the print servers
200 | * A standalone server that has a agent on it that communicates to the master server which is domain joined
201 | 
202 | Because of this, I find it best practice to not force inbound authentication.  But rather, request inbound and outbound and force inbound authentication on management protocols like RDP or WMI.  We do this be creating IPSec rules that require authentication over these management ports, and use standard inbound rules for everything else that is benign. In this GPO we have a small handful of rules that require authentication:
203 | 
204 | * Allow Tier 0 PAWs/admins -- Any: allows all traffic so long as it comes from a Tier 0 admin on a Tier 0 PAWs
205 | * Allow Tier 1 PAWs/admins -- Any: allows all traffic so long as it comes from a Tier 1 admin on a Tier 1 PAWs
206 | * Allow Tier 0 Servers -- Any: allows all traffic from Tier 0 server, regardless of who is logged in.  
207 | * Windows Defender Firewall Remote Management ...: ALlows management of the server's firewall from a Tier0/Tier1 PAW.
208 | 
209 | And a handful of rules that do not require authentication.
210 | 
211 | Review the Policies to ensure the correct groups are set in the *Authorized Users* and *Authorized Computers* fields of the IPSec rules (lock icon).
212 | 
213 | You can see there is only one setting under Connection Security Rules called **Computer and User - Request inbound and outbound**.  Double click on this rule to open the properties and click on the *Authentication* tab.  Notice it is configured to Request inbound and outbound, and applies to Users and Computers.
214 | 
215 | Close the policy window.
216 | 
217 | On the scope tab:
218 | * Ensure the Link to the **Computers** OU is Enabled.
219 | * Ensure **All-Tier1-Servers** is listed under Security Filtering
220 | * Ensure that **WMI Filtering** is set to **None**.
221 | 
222 | On the Details tab:
223 | * Set GPO status to: **User configuration settings disabled**
224 | 
225 | On the Delegation tab:
226 | * Add **Authenticated Users** and give it READ permissions.
227 | 
228 | ## 5. On all workstations, configure a Windows Firewall baseline policy
229 | 
230 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - CIS baseline - Win 10 - Windows Firewall** with the following settings:
231 | 
232 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
233 | 
234 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the firewall_win10.wfw configuration file.
235 | 
236 | ### What does this policy set?
237 | This policy configures the firewall to be enabled on all three profiles, and sets logging parameters for each.
238 | 
239 | Click on *Windows Firewall Properties*.  Under the each profile tab, notice we make the following settings:
240 | #### Under the *Domain Profile* tab, we set:
241 | * Firewall State: **On (recommended)**
242 | * Inbound connections: **Block (default)**
243 | * Outbound connections: **Allow (default)**
244 | * Settings > Customize ...
245 |  	* Display a notification: **No**
246 | 	* Allow unicast response: **Yes (default)**
247 | 	* Apply local firewall rules: **Yes (default)** (Note: this will be over-ridden with the IPSec policy later.  This is simply a baseline.)
248 | 	* Apply local connection security rules: **No**
249 | * Logging > Customize ...
250 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\domain.txt**
251 | 	* Not configured: **unchecked**
252 | 	* Size limit (KB): 16384
253 | 	* Not configured: **unchecked**
254 | 	* Log dropped packets: **Yes**
255 | 	* Log successful connections: **Yes**
256 | 
257 | #### Under the *Private Profile* tab, we set:
258 | * Firewall State: **On (recommended)**
259 | * Inbound connections: **Block (default)**
260 | * Outbound connections: **Allow (default)**
261 | * Settings > Customize ...
262 |  	* Display a notification: **No**
263 | 	* Allow unicast response: **Not configured**
264 | 	* Apply local firewall rules: **Yes (default)** (Note: this will be over-ridden with the IPSec policy later.  This is simply a baseline.)
265 | 	* Apply local connection security rules: **No**
266 | * Logging > Customize ...
267 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\private.txt**
268 | 	* Not configured: **unchecked**
269 | 	* Size limit (KB): 16384
270 | 	* Not configured: **unchecked**
271 | 	* Log dropped packets: **Yes**
272 | 	* Log successful connections: **Yes**
273 | 
274 | #### Under the *Public Profile* tab, we set:
275 | * Firewall State: **On (recommended)**
276 | * Inbound connections: **Block (default)**
277 | * Outbound connections: **Allow (default)**
278 | * Settings > Customize ...
279 |  	* Display a notification: **No**
280 | 	* Allow unicast response: **Not configured**
281 | 	* Apply local firewall rules: **No**
282 | 	* Apply local connection security rules: **No**
283 | * Logging > Customize ...
284 | 	* Name: **%systemroot%\System32\LogFiles\Firewall\public.txt**
285 | 	* Not configured: **unchecked**
286 | 	* Size limit (KB): 16384
287 | 	* Not configured: **unchecked**
288 | 	* Log dropped packets: **Yes**
289 | 	* Log successful connections: **Yes**
290 | 
291 | Close the policy window.
292 | 
293 | On the scope tab:
294 | * Ensure the Link to the **Computers** OU is Enabled.
295 | * Ensure **Authenticated Users** is added in the **Security Filtering** section.
296 | * Since this will be used to target all Windows 10 machines, you want a WMI filter that does exactly that:
297 | 
298 | Namespace: root\CIMv2
299 | Query: select * from Win32_OperatingSystem where Name like "%Windows 10%"
300 | 
301 | On the Details tab:
302 | * Set GPO status to: **User configuration settings disabled**
303 | 
304 | ## 6. On all workstations, configure Domain Isolation policies
305 | 
306 | Create a new GPO and link it to the DOMAIN.COM\Domain Controllers OU called **Security - Firewall - IPSec - Workstations Tier 2** with the following settings:
307 | 
308 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
309 | 
310 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the "firewall_ipsec_tier2.wfw" configuration file.
311 | 
312 | ### What does this policy set?  
313 | Under the *Windows Firewall Properties* link, we override several settings we set in the baseline.  Namely, under the *Domain and Private Profile > Settings > Customize ...* we set:
314 | * Apply local firewall rules: **No**
315 | 
316 | In previous IPSec policies, we configured the host to request inbound and outbound authentication, and then only forced authentication over management protocols, like RDP.  In this policy I will show you a second way to do the same thing.  First, notice under **Connection Security Rules** that we have two rules:
317 | 
318 | * **Computer and User - Require inbound and request outbound**: This policy is set to require inbound.  That means nothing can communicate with the host unless it is authenticated.
319 | * **Authentication exception - Allow Surface Hub connection**: we exempt the subnet where surface hubs exist since hubs use miracast, which is a protocol that initiates a connection from the host to the Surface Hub, then the Hub connects back to the host.  At this time, Surface Hubs are unable to authenticate with IPSec.
320 | 
321 | Looking at the Inbound Rules, we see the following rules that require authentication:
322 | 
323 | * **Allow Tier 0 and 1 Servers -- Any**: Allows all servers inbound for management purposes
324 | * **Allow Tier 0 or 2 PAWs -- Any**: Allows Tier 0 and 2 PAW admins to manage workstations
325 | * **File and Print Shareing...**: Allows any PAW to access file or print shares on workstations
326 | * **Windows Defender Firewall Remote Management**: Allows PAW admins remote firewall management
327 | 
328 | There is one rule that must not require authentication:
329 | 
330 | * **Allow Surface Hubs to connect to WUDFHost.exe**: Remember our CSR exempted the whole subnet of surface hubs from requiring authentitation.  Here we are limiting what that subnet can talk to a single process on the host.  So, it's not like if the user had a home network the same as the exempted hub network, they would have full firewall access to their work machine.  
331 | 
332 | Close the policy window.
333 | 
334 | On the scope tab:
335 | * Ensure the Link to the **Computers** OU is Enabled.
336 | * Ensure **All-Workstations** is listed under Security Filtering
337 | * Ensure that **WMI Filtering** is set to **None**.
338 | 
339 | On the Details tab:
340 | * Set GPO status to: **User configuration settings disabled**
341 | 
342 | On the Delegation tab:
343 | * Add **Authenticated Users** and give it READ permissions.
344 | 
345 | ## 8. Configure authentication exception policies for RADIUS
346 | 
347 | 
348 | 
349 | ## 9. Configure authentication exception policies for Certificate Authorities
350 | 
351 | 
352 | 
353 | 
354 | 
355 | 
356 | ## 7. On all PAWs, configure Domain Isolation policies
357 | 
358 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Firewall - IPSec - PAW** with the following settings:
359 | 
360 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
361 | 
362 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the firewall_paw.wfw configuration file.
363 | 
364 | ### What does this policy set?  
365 | You can see there is only one Connection Security Rule called **Computer and User - Require inbound and request outbound**.  Double click on this rule to open the properties and click on the *Authentication* tab.  Notice it is configured to Require inbound and reqwuest outbound, and applies to Users and Computers.  This allows us to use inbound/outbound rules that can target specific users/groups for computers and users.  Everything else is default.
366 | 
367 | Click on Inbound Rules.  Notice there are two rules:
368 | * **File and Printer Sharing (Echo Request - ICMPv4-In)**: Allows anyone with a PAW to ping.  Useful for troubleshooting for those that need it.
369 | * **Allow connections from all Tier 0 Devices -- Any**: Open this rule. Notice under *General > Action* there is a bullet in *Allow the connection if it is secure*.  Click on *Customize...*.  Notice we are only requiring connections to be authenticated and not encrypted, and we are overriding the above **Deny All -- Any** rule incase there ever needs to be a block rule, this will need to work.  Click *OK* on this window and navigate to the *Remote Computers* tab.  Notice we have checked *Only allow connections from these computers:* and we have selected the **DOMAIN\All-Tier0-Servers** and **DOMAIN\PAW-Tier0-Computers** groups.  If you imported this policy, you may have to update the group and point it to your group since the SID will be incorrect for your environment.
370 | 
371 | Close the policy window.
372 | 
373 | On the scope tab:
374 | * Ensure the Link to the **Computers** OU is Enabled.
375 | * Remove **Authenticated Users** from the **Security Filtering** section and add the **PAW-AllPAWComputers** group.
376 | * Ensure there is no WMI filter applied
377 | 
378 | On the Details tab:
379 | * Set GPO status to: **User configuration settings disabled**
380 | 
381 | On the Delegation tab:
382 | * Add **Authenticated Users** and give it READ permissions.
383 | 
384 | 
385 | ## 8. Configure authentication exception policies for RADIUS
386 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Firewall - IPSec - Servers Tier 0 - RADIUS** with the following settings:
387 | 
388 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
389 | 
390 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the firewall_ipsec_radius.wfw configuration file.
391 | 
392 | ### What does this policy set?
393 | You can see there are two Connection Security Rules:
394 | 1. **Exempt Authentication -- RADIUS TCP**. Double click on this rule to open the properties and click on the *Protocols and Ports* tab.  Notice we are setting the RADIUS ports 1812 and 1813 in the *Endpoint 2 port* field.  Click on the *Authentication* tab.  Notice we set Authentication mode to *Do not authenticate*.  Because our RADIUS clients are not on the domain (mainly WAPs and switches), we must exempt them from having to authenticate to the RADIUS servers.  
395 | 2. **Exempt Authentication -- RADIUS UDP**. Same setting as TCP except for UDP ports (RADIUS uses both TCP and UDP).
396 | 
397 | There are three Inbound Rules:
398 | * **Allow Any -- RADIUS**: This allows inbound unauthenticated RADIUS connections
399 | * **Network Policy Server (2 rules)**: Should allow inbound management of the NPS server from Tier 0 admins on Tier 0 PAWs.
400 | 
401 | Close the policy window.
402 | 
403 | On the scope tab:
404 | * Ensure the Link to the **Computers** OU is Enabled.
405 | * Remove **Authenticated Users** from the **Security Filtering** section and add the default AD group **RAS and IAS Servers**.
406 | * Ensure there is no WMI filter applied
407 | 
408 | On the Details tab:
409 | * Set GPO status to: **User configuration settings disabled**
410 | 
411 | On the Delegation tab:
412 | * Add **Authenticated Users** and give it READ permissions.
413 | 
414 | ## 9. Configure authentication exception policies for Certificate Authorities
415 | Create a new GPO on the DOMAIN.COM\Company\Computers OU called **Security - Firewall - IPSec - Servers Tier 0 - Certificate Authorities** with the following settings:
416 | 
417 | ***Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security***
418 | 
419 | Right click **Windows Firewall with Advanced Security - LDAP://...** and select **Import Policy...**.  Import the firewall_ipsec_ca.wfw configuration file.
420 | 
421 | ### What does this policy set?
422 | You can see there is one Connection Security Rule:
423 | 1. **Exempt Authentication - Certificate Services**. Double click on this rule to open the properties and click on the *Protocols and Ports* tab.  Notice we are setting the TCP ports 135, 49152-65535 in the *Endpoint 2 port* field.  Click on the *Authentication* tab.  Notice we set Authentication mode to *Do not authenticate*.  Because our clients (especially MacOS) don't yet have a certificate when they request one, the request must be done unauthenticated.
424 | 
425 | There are six Inbound Rules:
426 | * **Allow HTTP/HTTPS**: This forces clients that want to use the certificate enrollment web page to be authenticated.
427 | * **Certificate Authority Enrollment and Management Protocol...**: These rules allow clients to request a certificate unauthenticated.
428 | 
429 | Close the policy window.
430 | 
431 | On the scope tab:
432 | * Ensure the Link to the **Computers** OU is Enabled.
433 | * Remove **Authenticated Users** from the **Security Filtering** section and either add your CA servers directly or add the AD group if you created one.
434 | * Ensure there is no WMI filter applied
435 | 
436 | On the Details tab:
437 | * Set GPO status to: **User configuration settings disabled**
438 | 
439 | On the Delegation tab:
440 | * Add **Authenticated Users** and give it READ permissions.
441 | 
442 | ## Resources
443 | * [Configuring a test environment](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754522%28v%3dws.10%29)
444 | * [Because sometimes people learn better via video](https://www.youtube.com/watch?v=taUdRQHfjMQ)
445 | 
446 | ## Notes
447 | * I have found if you configure the **Allow access to this computer from the network** Group policy, IPSec policies will not work.  Or maybe I just did it wrong.
448 | 


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_2016.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_2016.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_ca.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_ca.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_dc.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_dc.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_radius.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_radius.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier0.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier0.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier1.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier1.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier2.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_ipsec_tier2.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_paw.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_paw.wfw


--------------------------------------------------------------------------------
/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_win10.wfw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/utsecnet/PAW/c5bb0fac1e2f5751fdc582a75d97518d9bc5ba40/xx - Windows Firewall with Advanced Security and IPSec Domain Isolation/firewall_win10.wfw


--------------------------------------------------------------------------------