Merge pull request #13 from sbaerlocher/develop/0.0.7

add change
sbaerlocher · Sep 13, 2020 · 5d5c547 · 5d5c547
2 parents 02f4b4e + cb8cf21
commit 5d5c547
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 26 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,16 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## master
 
+## 0.0.7
+
+### Added
+
+- Add module win_policyfile
+
+### Changed
+
+- Change to the module win_policyfile in the Role remote_desktop
+
 ## 0.0.6
 
 ### Added

diff --git a/galaxy.yml b/galaxy.yml
@@ -1,7 +1,7 @@
 ---
 namespace: 'sbaerlocher'
 name: 'windows'
-version: 0.0.6
+version: 0.0.7
 readme: README.md
 authors:
   - 'Simon Baerlocher (https://sbaerlocher.ch)'

diff --git a/plugins/modules/win_policyfile.ps1 b/plugins/modules/win_policyfile.ps1
@@ -0,0 +1,61 @@
+#!powershell
+
+# Copyright: (c) 2020, Simon Baerlocher <[email protected]>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+#AnsibleRequires -CSharpUtil Ansible.Basic
+
+$spec = @{
+    options             = @{
+        path  = @{ type = 'str'; required = $true; }
+        key   = @{ type = 'str'; required = $true; aliases = 'key' }
+        name  = @{ type = 'str'; aliases = 'entry', 'value' }
+        data  = @{ type = 'raw' }
+        type  = @{
+            type    = 'str'
+            default = 'string'
+            choices = 'none', 'binary', 'dword', 'expandstring', 'multistring', 'string', 'qword'
+            aliases = 'datatype'
+        }
+        state = @{ type = 'str'; default = 'present'; choices = 'present', 'absent' }
+
+    }
+    supports_check_mode = $true
+}
+
+$module = [Ansible.Basic.AnsibleModule]::Create($args, $spec)
+
+$path = $module.Params.path
+$key = $module.Params.key
+$name = $module.Params.name
+$data = $module.Params.data
+$type = $module.Params.type
+$state = $module.Params.state
+
+$module.Result.reboot_required = $false
+
+if (-not (Get-Command -Name Get-PolicyFileEntry -ErrorAction SilentlyContinue)) {
+    $module.FailJson("This version of Windows does not support the Get-PolicyFileEditor.")
+}
+
+try {
+    $policy_state = Get-PolicyFileEntry -Path $path -Key $key -ValueName $Name
+}
+catch [System.Runtime.InteropServices.COMException] {
+    $policy_state = $null
+}
+
+if ($state -eq "present" -and ($policy_state).data -notlike $data) {
+    if (-not $module.CheckMode) {
+        Set-PolicyFileEntry -Path $path -Key $key -ValueName $name -Data $data -Type $type
+    }
+    $module.Result.changed = $true
+}
+elseif ($state -eq "absent") {
+    if (-not $module.CheckMode) {
+        Remove-PolicyFileEntry -Path $path -Key $key -ValueName $name
+    }
+    $module.Result.changed = $true
+}
+
+$module.ExitJson()
diff --git a/roles/remote_desktop/tasks/main.yml b/roles/remote_desktop/tasks/main.yml
@@ -1,25 +1,39 @@
 ---
 # tasks file for remote_desktop
 
+- name: Add a PowerShell module
+  win_psmodule:
+    name: PolicyFileEditor
+    state: present
+
 # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS
 - name: Allow users to connect remotely by using Remote Desktop Services
-  win_regedit:
-    path: '{{ item }}'
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol"
+    key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
     name: fDenyTSConnections
-    data: 00000000
-    type: dword
+    data: '0'
+    type: 'dword'
     state: "{{ 'present' if remote_desktop_enabled else 'absent' }}"
   register: register_remote_desktop_enabled
-  with_items:
-    - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\"
-    - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services"
 
-- name: Firewall Enable or Disable rule for Remote Desktop Services
-  win_shell: >
-    "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }}
-    -DisplayGroup 'Remotedesktop'"
-  vars:
-    rd_enable: '{{ remote_desktop_enabled }}'
+- name: Firewall Enable or Disable for Remote Desktop Services
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol"
+    key: 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop'
+    name: Enabled
+    data: '1'
+    type: 'dword'
+    state: "{{ 'present' if remote_desktop_enabled else 'absent' }}"
+
+- name: Firewall Remote Address for Remote Desktop Services
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol"
+    key: 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop'
+    name: 'RemoteAddresses'
+    data: '*'
+    type: 'string'
+    state: "{{ 'present' if remote_desktop_enabled else 'absent' }}"
 
 - name: Set then Remote Desktop Port
   win_regedit:
@@ -32,17 +46,19 @@
 
 # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY
 - name: Require use of specific security layer for remote (RDP) connections
-  win_regedit:
-    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
-    name: SecurityLayer
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol"
+    key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
+    name: 'SecurityLayer'
     data: '{{ remote_desktop_securitylayer }}'
-    type: dword
+    type: 'dword'
     state: "{{ 'present' if remote_desktop_enabled else 'absent' }}"
 
 # https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY
 - name: Set client connection encryption level
-  win_regedit:
-    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\Machine\\registry.pol"
+    key: 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
     name: MinEncryptionLevel
     data: '{{ remote_desktop_minencryptionLevel }}'
     type: dword
@@ -56,15 +72,13 @@
 
 # https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm
 - name: Disable Shutdown Butten from Windows Start
-  win_regedit:
-    path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
+  sbaerlocher.windows.win_policyfile:
+    path: "C:\\Windows\\system32\\GroupPolicy\\User\\registry.pol"
+    key: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     name: NoClose
     data: '1'
     type: dword
-    state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}"
-  vars:
-    rd_enable: '{{ remote_desktop_enabled }}'
-    rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}'
+    state: "{{ 'present' if remote_desktop_enabled and remote_desktop_shutdown_disable else 'absent' }}"
 
 # https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/
 - name: Disable Shutdown Butten from Windows login screen