
Add support to disable WinRM on Windows images upon build completion

Open danielhanaj opened this issue 3 years ago • 3 comments

Code of Conduct

  • [X] I have read and agree to the project's Code of Conduct.

Description

WinRM is the default communicator for Windows templates. Windows-init.ps1 is the file that sets WinRM to basic authentication and allows unencrypted WinRM traffic. This is acceptable for non-production images, but not for production ones.

I have found a good blog and PowerShell script that brings WinRM back to its default state.

PowerShell script that reverts WinRM to a pristine state.

I think it would be great to implement this script, or a similar one, under the provisioner section at the very end of the build process. This would improve security for the images being created.

Use Case(s)

Improves Windows image security.

Potential Configuration

```hcl
provisioner "powershell" {
  scripts = ["Undo-WinRMConfig.ps1"]
}
```

References

No response

danielhanaj avatar Aug 30 '22 10:08 danielhanaj

I'll take this one into consideration as an optional configuration very soon.

If you like the repository, please consider giving it a GitHub Star ⭐ - it really helps to justify some of the personal time and effort I put into the project. 😄

Ryan Johnson Senior Staff Solutions Architect | Product Engineering @ VMware, Inc.

tenthirtyam avatar Sep 07 '22 11:09 tenthirtyam

@danielhanaj - have you tested the proposed configuration? I would suspect that running the script to disable WinRM while WinRM is being used by the provisioner would fail, and therefore inhibit the ability to gracefully shut down the host.

An alternative solution may instead be to add a RunOnce for the first boot of the guest operating system once provisioned.

Ryan

tenthirtyam avatar Sep 07 '22 11:09 tenthirtyam

One option might be to adjust the shutdown_command to simply run a script that disables remote access with Disable-PSRemoting, stops and disables the WinRM service at startup, deletes the listener, and so forth, and then performs the shutdown.

Untested example:

disable-remoting.ps1:

```powershell
# Remove every WinRM listener (HTTP and HTTPS)
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Restore UAC remote token filtering for local accounts
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0

$service = Get-Service -Name WinRM

# Disable-PSRemoting needs the service running, so do it before stopping WinRM
if ($service.Status -eq "Running") {
    Disable-PSRemoting -Force
}

Stop-Service winrm

Set-Service -Name winrm -StartupType Disabled

Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False -PassThru

shutdown /s /t 10 /f /d p:4:1 /c "Shutdown by Packer"
```

Packer:

```hcl
shutdown_command = "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -File F:\\disable-remoting.ps1"
```

tenthirtyam avatar Sep 07 '22 13:09 tenthirtyam
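As an added example, which is not part of this issue and not code from packer-examples-for-vsphere, here is the check a practitioner would want after a cleanup script like the one above: a PowerShell audit that reports which of the build-time relaxations (unencrypted traffic, Basic auth, an HTTP listener, LocalAccountTokenFilterPolicy, the HTTP-In firewall rule and, for desktop images, the service itself) are still in effect. The function name and the -ServerImage switch are this example's own assumptions; with the switch set, a running WinRM service is treated as expected and only the transport and authentication settings are reported.

```powershell
function Get-WinRMHardeningState {
    [CmdletBinding()]
    param(
        # Server images keep WinRM running; desktop images should have it reset to disabled.
        [switch]$ServerImage
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    if ($null -eq $svc) {
        $findings.Add('WinRM service not found')
    }
    elseif (-not $ServerImage) {
        if ($svc.Status -eq 'Running')     { $findings.Add('WinRM service is running') }
        if ($svc.StartType -ne 'Disabled') { $findings.Add("WinRM start type is $($svc.StartType), expected Disabled") }
    }

    # The WSMan: drive is only readable while the service is running.
    if ($svc -and $svc.Status -eq 'Running') {
        if ((Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value -eq 'true') {
            $findings.Add('Service/AllowUnencrypted is true')
        }
        if ((Get-Item WSMan:\localhost\Service\Auth\Basic).Value -eq 'true') {
            $findings.Add('Service/Auth/Basic is true')
        }
        foreach ($listener in Get-ChildItem WSMan:\localhost\Listener) {
            $transport = (Get-ChildItem $listener.PSPath | Where-Object Name -eq 'Transport').Value
            if ($transport -eq 'HTTP') { $findings.Add("HTTP listener present: $($listener.Name)") }
        }
    }

    # LocalAccountTokenFilterPolicy=1 removes UAC token filtering for remote local-admin logons.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($policy -and $policy.LocalAccountTokenFilterPolicy -eq 1) {
        $findings.Add('LocalAccountTokenFilterPolicy is 1')
    }

    # Built-in HTTP-In rule (there is one per firewall profile, hence the array handling).
    $rules = Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -ErrorAction SilentlyContinue
    if ($rules | Where-Object Enabled -eq 'True') {
        $findings.Add('Firewall rule "Windows Remote Management (HTTP-In)" is enabled')
    }

    [pscustomobject]@{
        Hardened = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: report anything still open and return a non-zero exit code so a build step can fail on it.
$state = Get-WinRMHardeningState -ServerImage:$false
if (-not $state.Hardened) {
    $state.Findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

For the desktop reset, this audit only makes sense at first boot (for instance from the RunOnce suggested above), because during a WinRM provisioner session the service is necessarily running and would always be reported. For a server image, run it with -ServerImage so that only an HTTP listener, AllowUnencrypted, Basic auth, the token-filter policy and the HTTP-In rule are flagged.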

Hello,

There are 2 different situations:

  1. Windows Server: WinRM is enabled by default, but the custom configuration done by Packer needs to be removed. No need to disable WinRM here, just remove the custom configuration.

  2. Windows Client: WinRM is disabled by default. Here WinRM needs to be disabled.

DamienCommenge avatar Nov 05 '22 17:11 DamienCommenge

Undoing the configuration is one option. I just decided to use WinRM over SSL, eliminating the need to allow unencrypted traffic and basic authentication. I used the following as a reference: https://gist.github.com/jaymecd/71e75fde7cc14e174dfff0a20f2262aa

Bocephus avatar Dec 15 '22 19:12 Bocephus

Undoing the configuration is one option. I just decided to use WinRM over SSL, eliminating the need to allow unencrypted traffic and basic authentication. I used the following as a reference: https://gist.github.com/jaymecd/71e75fde7cc14e174dfff0a20f2262aa

@Bocephus, I just tested it and your approach works really well. Thank you very much for replying and sharing your solution. This really improves security on Windows artifacts. @tenthirtyam, it would be great to add it as the main approach for building Windows templates on this project.

danielhanaj avatar Dec 16 '22 12:12 danielhanaj

@tenthirtyam, it would be great to add it as the main approach for building Windows templates on this project.

I'll take this under consideration for an update. Unfortunately, the method used above would not translate well to Windows 11/10. What I may look into is:

  • Since WinRM is already configured in Windows Server 2019 and 2022, update WinRM to use HTTPS during and post build vs HTTP (default).
  • Enable WinRM on Windows 11 and 10 with HTTP for the build and reset it back to disabled (default) upon completion.

tenthirtyam avatar Dec 21 '22 03:12 tenthirtyam

Scope Change:

  • Add support to reset WinRM on Windows Desktop images upon build completion.
  • Add support to use WinRM over HTTPS on Windows Server images instead of the default unencrypted HTTP.

tenthirtyam avatar Dec 21 '22 16:12 tenthirtyam
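An added example for the second scope item, which is not code from this issue or from the project: a PowerShell script that switches a Windows Server image's WinRM from the default HTTP listener to HTTPS with a self-signed certificate and turns AllowUnencrypted and Basic off. The 30-day certificate lifetime, the HTTPS-In firewall rule name and the assumption that it runs before Packer connects (for example from the same first-logon step that runs Windows-init.ps1) are this example's own choices.

```powershell
# Added example: WinRM over HTTPS for a Windows Server build (not project code).
$ErrorActionPreference = 'Stop'
$hostName = [System.Net.Dns]::GetHostName()

# Self-signed certificate for the build-time HTTPS listener; a CA-issued certificate
# with the image's final name is assumed to replace it in production.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddDays(30)

# Drop every existing listener (including the default HTTP one) and create the HTTPS listener.
Get-ChildItem WSMan:\localhost\Listener | Remove-Item -Recurse
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $hostName -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Refuse plaintext traffic and Basic authentication; Negotiate (Kerberos/NTLM) stays on.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# Firewall: allow 5986 inbound, keep the built-in HTTP-In rule off.
Disable-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)'
if (-not (Get-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow | Out-Null
}

Restart-Service WinRM

# Print the listeners that remain so the build log records the end state.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    '{0}: {1} on port {2}' -f $_.Name,
        ($props | Where-Object Name -eq 'Transport').Value,
        ($props | Where-Object Name -eq 'Port').Value
}
```

On the Packer side the WinRM communicator then needs winrm_use_ssl = true, winrm_port = 5986 and, because the certificate is self-signed, winrm_insecure = true; with Basic off, a non-domain-joined build host also needs winrm_use_ntlm = true. Do not run this from a WinRM provisioner: removing the listeners drops the session Packer is using, which is the same failure mode raised earlier in this thread for the disable script.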

@gcblack will be picking this one up and it will be done in Ansible as we transition the cleanup and configuration to Ansible, as is done for Linux.

tenthirtyam avatar Nov 16 '23 22:11 tenthirtyam

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Jan 14 '24 00:01 github-actions[bot]