Do you want the code for this? No problem. Just skip down to the heading that says “Code here”.
Yeah yeah yeah. I know that I have given out plenty about Ironman Software and their PowerShell Universal product very strongly on a few different sites. But unfortunately for me, There’s just nothing else on the market that can wrap a nice easy(ish) UI around PowerShell scripts. So stick with me while I explain what I’m doing here.
My need:
Hey, first, lookup something called the star principal. It’s an Amazon Interview technique and I’m going to use it here to explain the last few days quickly and easily.
Star stands for:
- Situation
- Target
- Action
- Result
So the Situation is:
I need to provide a comprehensive, up to date, reproduceable and accurate report of the status of Windows firewalls on servers.
The Target is:
Re-use a script that I wrote two years ago, warap it in a UI and give that to the director so he can run this report or ask someone else to do it without coming to me any more than one time.
Action:
Ah. here’s where it get’s fun.
Firstly, here is how it hangs together:
- . I have all the processing in a PowerShell module. I’m comfortable working in the command line so having it in a module full of functions that I have written to get me through the day by removing repeditive tasks suits me well. But it doesn’t suit anyone else. Having PowerShell vomit out text to the director wouldn’t put me on his Christmas list. In fact, I’m already not on his Christmas list. Maybe I should go back to plain text? Pondering for a different day. Sorry. I went off on one there. Anyway, what I’m saying is I want to wrap that in a UI but I don’t want to rewrite code. Re-use and Re-cycle.
- I went in to look around PowerShell Universal for the first time in ages. I was getting weird errors when using powerShell5 where it wasn’t recognising stored secrets. But it turns out that the maximum time you can store a secret for is one year. So I suppose that’s just something I missed in some bit of documentation somewhere.
- Then, sometime over the past year, I tightened security on all of the service accounts so by by to storing Kerberos tickets in an active user session. This made me rethink how I was handling permissions for this script.
- Sometime in the past two years since I wrote this really great function, I got too clever for my own good. In other words, I over complicated it. Initially, I was just passing in a string as a parameter but then sometime, I must have decided that I wanted to throw custom objects with servers in it and I also started using the pipeline. What am I talking about? Okay. I’ll explain briefly.
This is how you would pass something to a script using a parameter:
First, let’s say we have an array called $MyWonderfulArray[] with several fields in it. ServerName and TrafficDirection. If the function doesn’t support taking the fields out of the pipeline, we need to explicitly loop through every item in this array and pass it the values for ServerName and TrafficDirection. That sounds kind of slow doesn’t it? Yeah. It is! Here’s an example:$ServerVariable = $MyCoolArray[0].ServerName$InboundOrOutbound = $MyWonderfulArray[0].TrafficDirectionMyCoolFunction -Server $ServerVariable -TrafficDirection $InboundOrOutbound
Now. firstly. You might ask what the idea of the [0] is. That’s just getting the first item in that array. I could loop over the array but this wasn’t meant to be a PowerShell tutorial.
But now let’s take a quick look at using the pipeline. Let’s say your function expects two parameters. ServerName and TrafficDirection. Well, because these are already specified as fields in my array, I don’t need to explicitly pass them as parameters to the function assuming of course that I have configured the parameter section at the top of the function to support grabbing these fields through the pipeline. So now without needing to loop or even explicitly pass over the fields, I do this:$MyWonderfulArray | MyCoolFunction
See? The pipeline is cool.
But because I had changed the function, I was encountering infinit loops and some ocasional errors. That wasn’t too difficult to fix. I got it sorted within a few minutes. - I found that tens of thousands of lines were added for some particular servers. Turns out that when ever a user logs into an RDS session host server running 2019, it creates a hole lot of firewall rules for that session. Okay. Anyway, I fixed that. It required painfully removing tens of thousands of rules then applying a registry fix to each session host server so that the problem doesn’t repeat in the future. Still, this took a good three hours tonight because as I was deleting so many rules each time, the MMC snapin kept freezing? Why didn’t I use PowerShell? Well, because there are about 40 other rules in there specific to the applications running on those session host servers and the last thing I want is someone from that facalty calling me on Monday morning with a room full of students anxiously waiting to start their labs while I try to figure out what rule in the tens of thousands that I removed caused this particularly horrible delay to their teaching and learning. so that really wasn’t fun.
- Next, I ran the script again but found that for some reason, one of the filters for traffic direction wasn’t working. I’m running this code using invoke-remote and it’s a non-native PowerShell command so sometimes they can behave in unexpected ways. Again, that wasn’t really difficult to sort. A where-object to only return the output that I wanted got around the problem. But you must understand oh most patient reader that each time I ran this script, it could take up to an hour or even two. It’s going across quite a lot of servers and really diving deep into the firewall rules, what they allow and what they reject. So each thing I changed even if it was minor took a long time for it to process.
- I had messed around with creating a UI for this a few years ago but I tidied it up tonight. I had a stupid bug in it. It was using the entire count of servers when reporting on the number of bad / dangerous rules. Now I have a separate variable with the count. Why I didn’t just do that a few years ago, I don’t know.
Result:
It all works. It took a lot longer than I would have liked but I’m really happy with the result. Something that anyone with the right level of permissions can independently use without my input.
Absolutely nothing in my life has gone to plan this week. Well, all I have had time for is technology problems so I suppose my life has just been technology. still though. I still need to get to another job tomorrow where I installed Cuda but the GPU isn’t found after a reboot. I spent three hours on that on Wednesday evening but now the person just wants me to install Docker and use Cuda and Kaldi through containers instead. That’s going to be another truck lode of fun but it’s going to have to wait until tomorrow because I’m tired.
Hey, for the record, I’m not really a fan of Nvidia at the moment either. Their documentation is out of date, their drivers are out of date and they mis and match terms. For example, at the top of the driver support page, they talk about Tesla T4 but then down the page they say how the driver only supports series 9 and above. How the hell am I meant to know what series the Tesla T4 is? Anyway, sorry. I’m rambling again.
Because I’m feeling very generous, here’s some code that will just change your life if you are administering a lot of Windows servers and you need to audit all the firewall configs.
The Code!
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 |
####################################### # UI file for Powershell Universal ## ####################################### $Job = Get-UAScript -ComputerName https://YourServerRunningPowerShellUniversal -AppToken $StoredAppToken -Name 'GetFirewallRulesForReachableServers.ps1' | Get-UAJob -ComputerName https://YourServerRunningPowerShellUniversal -AppToken $StoredAppToken -OrderDirection Descending -First 1 $FirewallRules = Get-UAJobPipelineOutput -Job $Job -ComputerName https://YourServerRunningPowerShellUniversal -AppToken $StoredAppToken $Servers = $FirewallRules | Select -Unique Server $NumberOfServers = $Servers.Count New-UDDynamic -Id 'content' -Content { if ($Session:SessionPageLoaded) { New-UDGrid -Container -Content { $ServersWithBadRules = 0 $ReportOutput = @() ForEach ($Server in $Servers) { $LogEntry = New-Object -TypeName PSObject $ServerName = $Server.Server $ThisServer = $FirewallRules | Where-Object { $_.Server -eq $ServerName -and $_.Direction -eq 'Inbound' } $BadRules = ($ThisServer | Select 'Rule Name', 'Remote Addresses' | Where-object { "$_.Rule Name" -like "*Remote Desktop*" -or "$_.Rule Name" -like "*Windows Remote Management*" -or "$_.Rule Name" -like "*Core Networking - *" -and "$_.Remote Addresses".Contains("*") }) If ($BadRules -ne $Null) { $BadRules = "Yes" $ServersWithBadRules ++ } else { $BadRules = "No" } If ($RuleCount -lt 1) { $RuleCount = 0 } $RuleCount = ($ThisServer).Count # Count of rules $LogEntry | Add-Member -Type NoteProperty ` -Name ServerName -Value $ServerName $LogEntry | Add-Member -Type NoteProperty ` -Name BadRules -Value $BadRules.ToString() $LogEntry | Add-Member -Type NoteProperty ` -Name RuleCount -Value $RuleCount $ReportOutput += $LogEntry } if ($ReportOutput.count -lt 10) { $Counter = $ReportOutput.count } else { $Counter = $ReportOutput.Count } New-UDGrid -Container -content { New-UDGrid -Item -ExtraSmallSize 4 -content { new-udcard -Title 'Report created' -Content { $Job.CreatedTime.DateTime } } New-UDGrid -Item -ExtraSmallSize 4 -content { new-udcard -Title 'Risky servers' -Content { "There are " + $ServersWithBadRules.ToString() + " found" } } New-UDGrid -Item -ExtraSmallSize 4 -content { new-udcard -Title 'Tip' -Content { "Click or tap a row to show all rules" } } } $Columns = @( New-UDTableColumn -Property ServerName -Title "Server Name" -ShowSort -IncludeInExport -IncludeInSearch -ShowFilter -FilterType text New-UDTableColumn -Property BadRules -Title "Bad Rules" -ShowSort -DefaultSortColumn -IncludeInExport -IncludeInSearch -ShowFilter -FilterType select New-UDTableColumn -Property RuleCount -Title "Rule Count" -ShowSort -IncludeInExport -ShowFilter -FilterType select ) New-UDTable -Id 'firewall_table' -Data $ReportOutput -Columns $Columns -Title 'Server Summary' -PageSize $Counter -ShowSearch -ShowPagination -ShowSelection -Dense -OnRowSelection { $Item = $EventData.ServerName Show-UDModal -Content { $RulesForServer = ($FirewallRules | select * | Where-Object { $_.Server -eq $Item -and $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }) If ($RulesForServer.count -gt 5) { $Counter = $RulesForServer.count } else { $Counter = $RulesForServer.count } If ($RulesForServer.count -gt 20) { $Counter = 20 } $ModalColumns = @( New-UDTableColumn -Property Server -Title "Server Name" -ShowSort -IncludeInExport -IncludeInSearch -ShowFilter -FilterType text New-UDTableColumn -Property "Rule Name" -Title "Rule Name" -ShowSort -DefaultSortColumn -IncludeInExport -IncludeInSearch -ShowFilter -FilterType text New-UDTableColumn -Property Protocol -Title "Protocol" -IncludeInExport -ShowFilter -FilterType select New-UDTableColumn -Property "Local Ports" -Title "Local Ports" -IncludeInExport -ShowFilter -FilterType text New-UDTableColumn -Property "Remote Addresses" -Title "Remote Addresses" -IncludeInExport -ShowFilter -FilterType text ) New-UDTable -Id 'firewall-rules' -Data $RulesForServer -Columns $ModalColumns -Title 'Rules for server' -PageSize $Counter -ShowSearch -ShowPagination -Dense } } } } else { New-Progress -Text 'Loading firewall tables ...' New-UDElement -Tag 'div' -Endpoint { Start-Sleep 5 $Session:SessionPageLoaded = $true $Session:SessionData = Get-Random Sync-UDElement -Id 'content' } } } ################################################## ## Script that I call in PowerShell Universal ## ################################################## import-module "c:\program files\WindowsPowershell\modules\YourModuleFolder\YorModuleName.psd1" $Job = Get-UAScript -ComputerName https://YourPowerShellUniversalServer -AppToken $StoredAppToken -Name 'AllServers.ps1' | Get-UAJob -ComputerName https://YourPowerShellUniversalServer -AppToken $StoredAppToken -OrderDirection Descending -First 1 $AllWindowsServers = Get-UAJobPipelineOutput -Job $Job -ComputerName https://YourPowerShellUniversalServer -AppToken $StoredAppToken $ActiveServers = $AllWindowsServers | Where-Object {$_.Active -eq 'true'} | select Servername WRITE-HOST "Checking rules on" $ActiveServers.count " servers" Get-RemoteInboundFirewallRules -Servers $ActiveServers.ServerName -RuleType "Inbound" ########################################### ## Get all servers in active directory ## ########################################### import-module "C:\Program Files\WindowsPowerShell\Modules\YourModuleFolder\YourModuleName.psd1" $AllServers = Get-AllWindowsServerNames $AllServers ############################################################## ## Get all the active inbound firewall rules for a server ## ############################################################## Function Get-RemoteInboundFirewallRules { [CmdletBinding()] # Parameters used in this function param ( [Parameter(Position = 0, Mandatory = $false, HelpMessage = "Provide server names", ValueFromPipeline = $true)] $Servers = $env:computername, [Parameter(Position = 1, Mandatory = $false, HelpMessage = "Rule enabled (True, False)", ValueFromPipeline = $true)][ValidateSet("True", "False")][string] $Enabled = $null, [Parameter(Position = 2, Mandatory = $false, HelpMessage = "Select rule type (Inbound, Outbound)", ValueFromPipeline = $true)][ValidateSet("Inbound", "Outbound")][string] $RuleType = $null ) # Error action set to Stop $ErrorActionPreference = "Stop" If ($Servers -eq $env:computername) { # Write-Host "`nChecking $Servers" -ForegroundColor Yellow Try { If (!$Enabled) { $Firewall = (New-Object -ComObject hnetcfg.fwpolicy2).rules } Else { $Firewall = (New-Object -ComObject hnetcfg.fwpolicy2).rules | Where-Object { $_.enabled -like $enabled } } If (!$Firewall) { Throw "Failed to get FW rules" } } Catch { Write-Host $_.Exception.Message Break } # Array with alerts $FWArray = @() # Looping each alert $Firewall | ForEach-Object { $Rule = $_ Switch ($Rule.Direction) { "1" { $Direction = "Inbound" } "2" { $Direction = "Outbound" } } Switch ($Rule.Action) { "0" { $Action = "Block" } "1" { $Action = "Allow" } } Switch ($Rule.Profiles) { "1" { $Profile = "Domain" } "2" { $Profile = "Private" } "4" { $Profile = "Public" } "2147483647" { $Profile = "All" } } Switch ($Rule.Protocol) { "6" { $Protocol = "TCP" } "17" { $Protocol = "UDP" } "1" { $Protocol = "ICMPv4" } "58" { $Protocol = "ICMPv6" } } # Create a custom object $Object = New-Object PSObject $Object | Add-Member -MemberType NoteProperty -Name "Server" -Value $Servers $Object | Add-Member -MemberType NoteProperty -Name "Direction" -Value $Direction $Object | Add-Member -MemberType NoteProperty -Name "Action" -Value $Action $Object | Add-Member -MemberType NoteProperty -Name "Rule Name" -Value $Rule.name $Object | Add-Member -MemberType NoteProperty -Name "Profile" -Value $Profile $Object | Add-Member -MemberType NoteProperty -Name "Enabled" -Value $Rule.Enabled $Object | Add-Member -MemberType NoteProperty -Name "Protocol" -Value $Protocol $Object | Add-Member -MemberType NoteProperty -Name "Local Ports" -Value $Rule.Localports # Add custom object to our array $FWArray += $Object } If (!$RuleType) { $FWArray # $FWArray | Sort-Object enabled -Descending | ft -Wrap -AutoSize #$FWArray | Sort-Object enabled -Descending | Out-GridView -Title "Firewall rules for $Servers" } Else { $FWArray # $FWArray | Where-Object {$_.Direction -eq $Ruletype} | Sort-Object direction,enabled | ft -Wrap -AutoSize #$FWArray | Where-Object {$_.Direction -eq $Ruletype} | Sort-Object direction,enabled | Out-GridView -Title "Firewall rules for $Servers" } } Else { ForEach ($Server in $Servers) { # Write-Host "`nChecking $Server" -ForegroundColor Yellow Try { If (!$Enabled) { $Firewall = Invoke-Command $Server -ScriptBlock { (New-Object -ComObject hnetcfg.fwpolicy2).rules | where-object {$_.Direction -eq 1} } } Else { $Firewall = Invoke-Command $Server -ScriptBlock { (New-Object -ComObject hnetcfg.fwpolicy2).rules | Where-Object { $_.enabled -like $enabled } } } If (!$Firewall) { Throw "Failed to get FW rules" } } Catch { Write-Host $_.Exception.Message Continue } # Array with alerts $FWArray = @() # Looping each alert $Firewall | ForEach-Object { $Rule = $_ Switch ($Rule.Direction) { "1" { $Direction = "Inbound" } "2" { $Direction = "Outbound" } } Switch ($Rule.Action) { "0" { $Action = "Block" } "1" { $Action = "Allow" } } Switch ($Rule.Profiles) { "1" { $Profile = "Domain" } "2" { $Profile = "Private" } "4" { $Profile = "Public" } "2147483647" { $Profile = "All" } } Switch ($Rule.Protocol) { "6" { $Protocol = "TCP" } "17" { $Protocol = "UDP" } "1" { $Protocol = "ICMPv4" } "58" { $Protocol = "ICMPv6" } } $Object = New-Object PSCustomObject $Object | Add-Member -MemberType NoteProperty -Name "Server" -Value $Server $Object | Add-Member -MemberType NoteProperty -Name "Direction" -Value $Direction $Object | Add-Member -MemberType NoteProperty -Name "Action" -Value $Action $Object | Add-Member -MemberType NoteProperty -Name "Rule Name" -Value $Rule.name $Object | Add-Member -MemberType NoteProperty -Name "Profile" -Value $Profile $Object | Add-Member -MemberType NoteProperty -Name "Enabled" -Value $Rule.Enabled $Object | Add-Member -MemberType NoteProperty -Name "Protocol" -Value $Protocol $Object | Add-Member -MemberType NoteProperty -Name "Local Ports" -Value $Rule.Localports $Object | Add-Member -MemberType NoteProperty -Name "Remote Addresses" -Value $Rule.RemoteAddresses # Add custom object to our array $FWArray += $Object } If (!$RuleType) { $FWArray # $FWArray | Sort-Object enabled -Descending | ft -Wrap -AutoSize #$FWArray | Sort-Object enabled -Descending | Out-GridView -Title "Firewall rules for $Server" } Else { $FWArray # $FWArray | Where-Object {$_.Direction -eq $Ruletype} | Sort-Object direction,enabled | ft -Wrap -AutoSize #$FWArray | Where-Object {$_.Direction -eq $Ruletype} | Sort-Object direction,enabled | Out-GridView -Title "Firewall rules for $Server" } } } } #################################################### ## Get a clean list of all Windows server names ## #################################################### Function Get-AllWindowsServerNames { $OutputObject = @() $WindowsServers = Get-ADComputer -Properties Description -Filter * -SearchBase "OU=OU=SomeOU,CN=YourDomain,DC=Local" | Where-Object { $_.Enabled -eq 'true' } | Select DNSHostName, Description ForEach ($Server in $WindowsServers) { $LogEntry = New-Object -TypeName PSObject if ((Test-Connection -BufferSize 32 -Count 1 -ComputerName $Server.DNSHostName -Quiet) -eq 'true') { $LogEntry | Add-Member -Type NoteProperty ` -Name ServerName -Value $Server.DNSHostName $LogEntry | Add-Member -Type NoteProperty ` -Name Active -Value 'true' $LogEntry | Add-Member -Type NoteProperty ` -Name Description -Value $Server.Description $OutputObject += $LogEntry } else { $LogEntry | Add-Member -Type NoteProperty ` -Name ServerName -Value $Server.DNSHostName $LogEntry | Add-Member -Type NoteProperty ` -Name Active -Value 'false' $LogEntry | Add-Member -Type NoteProperty ` -Name Description -Value $Server.Description $OutputObject += $LogEntry } } $OutputObject } |
0 Comments