dsccommunity / xPSDesiredStateConfiguration

DSC resources for configuring common operating systems features, files and settings.
https://dsccommunity.org
MIT License

Example files and setting up HTTPS Real Certificate DSC Pull Server + Client - xPSDesiredStateConfiguration Module version 8.0.0.0 #376

Open MarioParty1 opened 6 years ago

MarioParty1 commented 6 years ago

I posted the following comment on: https://docs.microsoft.com/en-us/powershell/dsc/pullserver

Hi,

https://docs.microsoft.com/en-us/powershell/dsc/pullserver Comment on point 4: configuration Sample_xDscPullServer. The example configuration does not seem to be up to date anymore and the example file name has changed.

The up-to-date example seems to be:
https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebServiceRegistration.ps1
https://github.com/PowerShell/xPSDesiredStateConfiguration/blob/dev/Examples/Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

I will post this on Github too.

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

PSScriptAnalyzer: The variable 'thumbprint' is assigned but never used. (PSUseDeclaredVarsMoreThanAssignments)

Own analysis: parameter mismatch: $thumbprint on line 14 should be $certificateThumbPrint to match the $certificateThumbPrint parameter on lines 49 and 68.

    line 14: $thumbprint = (New-SelfSignedCertificate -Subject "TestPullServer").Thumbprint
    line 49: CertificateThumbPrint = $certificateThumbPrint
    line 68: Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

After running the corrected Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1 a warning pops up that refers to the 'PSDesiredStateConfiguration' module, while the experimental 'xPSDesiredStateConfiguration' module is still used.

I don't even have the non-experimental 'PSDesiredStateConfiguration' module installed, but I still got the pull server running now.

PowerShell:

    Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificatethumbprint -$certificatethumbprint
    WARNING: The configuration 'Sample_xDscWebServiceRegistrationWithSecurityBestPractices' is loading one or more built-in resources without explicitly importing associated modules. Add Import-DscResource –ModuleName 'PSDesiredStateConfiguration' to your configuration to avoid this message.

I install and import both modules now in my DSC installation:

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

New(?) parameter is missing in the example file and can be added:

    Enable32BitAppOnWin64

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Please use the same case-sensitive style for the following parameters + comments everywhere in the example file:

    CertificateThumbPrint
    RegistrationKey

Here below are some line examples where the casing is not consistent:

    45  CertificateThumbPrint = $certificateThumbPrint
    68  # Sample_xDscWebServiceRegistration -RegistrationKey $registrationkey -certificateThumbPrint $thumbprint

    67  # $registrationkey = [guid]::NewGuid()
    68  # Sample_xDscWebServiceRegistration -RegistrationKey $registrationkey -certificateThumbPrint $thumbprint
    111 # Sample_MetaConfigurationToRegisterWithLessSecurePullServer -RegistrationKey $registrationkey

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

It seems like I am facing SSL/TLS issues with the security settings based on the example file: https://powershell.org/forums/topic/dsc-pull-server-with-ssl/

I am trying these settings now and playing around with the Schannel SSL/TLS registry keys, because the client agent fails to register.

--> So I add the parameter "DisableSecurityBestPractices":

        DisableSecurityBestPractices ='SecureTLSProtocols'

Update: I never got the DSC Pull Server + DSC LCM Agent running with a self-signed certificate. The DSC agent service fails to register. With a real SSL certificate I got the setup running. The DSC LCM Agent registers perfectly and I got a MOF file applying some configuration on the agent.

Currently I use the following parameters with an SSL certificate. Will try to do the same with the real certificate with $false for AcceptSelfSignedCertificates = $true. So, the configuration below did NOT work with self-signed (agent registration fails):

        AcceptSelfSignedCertificates = $true
        UseSecurityBestPractices     = $false # Caution: Setting this property to $true will reset registry values under "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL".
        DisableSecurityBestPractices ='SecureTLSProtocols'

I also tried playing with ports 80/8080 and 443 in the DSC configuration and in the IIS management / website port bindings, without result for the self-signed certificate setup. The setup with a real SSL certificate got running on 443; I didn't try 80 or 8080 for the real SSL setup.

    xDscWebService PSDSCPullServer
    {
        Port                         = 443

According to the example file, self-signed should work fine over HTTPS.
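As an added example (not the module's own sample file), the pull-server side of the setup discussed in this thread with the parameter naming fixed and the security settings at their secure values. It assumes a CA-issued server certificate for the placeholder name pullserver.example.test is already installed with its private key in Cert:\LocalMachine\My, and that the output path and node name are placeholders.

```powershell
configuration SecurePullServer
{
    param (
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $CertificateThumbPrint,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $RegistrationKey
    )
    Import-DscResource -ModuleName xPSDesiredStateConfiguration
    Import-DscResource -ModuleName PSDesiredStateConfiguration   # silences the built-in resource warning
    Node $NodeName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = 'Present'
            Name   = 'DSC-Service'
        }
        xDscWebService PSDSCPullServer
        {
            Ensure                       = 'Present'
            EndpointName                 = 'PSDSCPullServer'
            Port                         = 443
            PhysicalPath                 = "$env:SystemDrive\inetpub\PSDSCPullServer"
            CertificateThumbPrint        = $CertificateThumbPrint   # same name as the param, no stray $thumbprint
            ModulePath                   = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            RegistrationKeyPath          = "$env:PROGRAMFILES\WindowsPowerShell\DscService"
            State                        = 'Started'
            AcceptSelfSignedCertificates = $false   # no special handling for self-signed certificates
            UseSecurityBestPractices     = $true    # hardens SCHANNEL; resets the registry keys named above
            DependsOn                    = '[WindowsFeature]DSCServiceFeature'
        }
        File RegistrationKeyFile
        {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$env:PROGRAMFILES\WindowsPowerShell\DscService\RegistrationKeys.txt"
            Contents        = $RegistrationKey
        }
    }
}

# Pick the CA-issued certificate by subject (placeholder name) instead of minting a new self-signed one on every run.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=pullserver.example.test' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable server certificate found; install the CA-issued certificate first.' }
# Generate the registration key once and keep it: every client must present the same value.
SecurePullServer -NodeName 'localhost' -CertificateThumbPrint $cert.Thumbprint `
    -RegistrationKey ([guid]::NewGuid().Guid) -OutputPath 'C:\Temp\SecurePullServer'
Start-DscConfiguration -Path 'C:\Temp\SecurePullServer' -Wait -Verbose -Force
```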

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

The following parameter is missing in the example file:

For the DSC LCM client, when the DSC pull server is running with an SSL website, the LCM agent example file needs the following parameter:

    ConfigurationRepositoryWeb PSDSCPullServer
    {
        CertificateID      =  'certificatethumbprinthere'

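
As an added example (not the module's own sample file), the matching LCM meta-configuration for a client of an HTTPS pull server, including the CertificateID parameter noted above, preceded by the same certificate-chain validation the LCM performs so a trust problem shows up before registration. The server URL, configuration name, registration key, client thumbprint and output path are placeholders.

```powershell
[DSCLocalConfigurationManager()]
configuration RegisterWithSecurePullServer
{
    param (
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [ValidatePattern('^https://')] [string] $ServerUrl,   # refuse plain http
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $RegistrationKey,
        [Parameter(Mandatory)] [ValidateNotNullOrEmpty()] [string] $CertificateId
    )
    Node $NodeName
    {
        Settings
        {
            RefreshMode          = 'Pull'
            RefreshFrequencyMins = 30
            ConfigurationMode    = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded   = $false
            CertificateID        = $CertificateId   # also used to decrypt credentials in pulled MOFs
        }
        ConfigurationRepositoryWeb PSDSCPullServer
        {
            ServerURL               = $ServerUrl
            RegistrationKey         = $RegistrationKey
            ConfigurationNames      = @('ClientBaseline')   # placeholder configuration name
            AllowUnsecureConnection = $false
            CertificateID           = $CertificateId        # the parameter missing from the sample
        }
    }
}

# Pre-flight: validate the pull server's certificate chain the way the LCM will; an untrusted
# (e.g. self-signed) chain or a name mismatch throws here, which is the failure seen in this thread.
$uri = [uri]'https://pullserver.example.test/PSDSCPullServer.svc'   # placeholder server
$tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
try { $ssl.AuthenticateAsClient($uri.Host) } finally { $ssl.Dispose(); $tcp.Dispose() }

RegisterWithSecurePullServer -NodeName 'localhost' -ServerUrl $uri.AbsoluteUri `
    -RegistrationKey '<registration key from the server>' `
    -CertificateId '<thumbprint of this client machine certificate>' -OutputPath 'C:\Temp\LcmClient'
Set-DscLocalConfigurationManager -Path 'C:\Temp\LcmClient' -Verbose
```
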
MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

The following points are not part of any ReadMe at all:

1: Clarify better, in the example file or ReadMe, how to generate and apply the .MOF file to install the DSC server. Currently nothing is described.

Example clarification:

This script only generates a <$NodeName>.MOF file. A checksum on the .MOF file is currently not used.

The following parameters for the DSC configuration are environment/customer specific to create the .MOF file. The parameters are in the arguments section. Invoke the DSC configuration script with these parameters:

    -RegistrationKey $RegistrationKey -CertificateThumbPrint $CertificateThumbPrint

With the .MOF file you can apply the DSC Pull Server configuration with the Start-DscConfiguration command here below.

    Start-DscConfiguration -Path -ComputerName <$NodeName target server in this script> -force -verbose -wait
    Start-DscConfiguration -Path C:\Temp -ComputerName WTST0055 -force -verbose -wait

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 18: Should be "Section DSC Pull Server" instead of "Section DSC Client"

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 68: Sample_xDscWebServiceRegistrationWithSecurityBestPractices -RegistrationKey $registrationkey -certificateThumbPrint $certificateThumbPrint

Line 109: Sample_MetaConfigurationToRegisterWithSecurePullServer -RegistrationKey $registrationkey

These lines affect the arguments section, lines 13/16:

    $thumbprint = (New-SelfSignedCertificate -Subject "TestPullServer").Thumbprint
    $registrationkey = [guid]::NewGuid()

The parameters are customer specific; it is not very clear that the default arguments generate a self-signed certificate and create a new registration key (both on each run).

Better to add a note to the arguments about what they do, and expand the parameter section.

I described it like this:

    # ======================================== Arguments ============================================

    $CertificateThumbPrint = (New-SelfSignedCertificate -Subject "").Thumbprint # Creates a new self-signed certificate and adds the "CertificateThumbPrint" parameter value to the .MOF file.

    $RegistrationKey = [guid]::NewGuid() # Generates a new RegistrationKey and adds the parameter value to the text file in "File RegistrationKeyFile" and "DestinationPath".

    # ================================== Section DSC Pull Server ====================================

    configuration Sample_xDscWebServiceRegistrationWithSecurityBestPractices
    {
        param
        (
            [string[]] $NodeName = '',

            [ValidateNotNullOrEmpty()]
            [string] $CertificateThumbPrint  = '<THUMBPRINTHERE>',            # Generated self-signed certificate by default

            [Parameter(HelpMessage='This should be a string with enough entropy (randomness) to protect the registration of clients to the pull server.  We will use new GUID by default.')]
            [ValidateNotNullOrEmpty()]
            [string] $RegistrationKey        = '<KEYHERE>'                 # A guid that clients use to initiate conversation with pull server

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 46: EndpointName = "PSDSCPullServer"

Clarify the parameter: name that is used for the IIS website + "Issued To" and "Issued By" for a self-signed certificate.

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Lines 14+15:

    $CertificateThumbPrint = (New-SelfSignedCertificate -Subject "ITN_PSDSCPullServer").Thumbprint
    $RegistrationKey = [guid]::NewGuid()

Clarify what the arguments do: $CertificateThumbPrint, example 2b6e5914d236d594ddce355d7a6779b563932c34. Creates a new certificate + thumbprint each run and adds the parameter value to the new .MOF file.

$RegistrationKey, example 201dd1e3-53d6-4265-9992-6647c2ab2152. Generates a new RegistrationKey each run and adds the parameter value to the new .MOF file.

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Line 43: xDscWebService PSDSCPullServer

Clarify what it installs: installs the WindowsFeature "DSCServiceFeature", which includes the IIS Web Server role (without Management Tools).

MarioParty1 commented 6 years ago

Readme.md: xDscWebService

• CertificateThumbPrint: Certificate thumbprint for creating an HTTPS endpoint. Use "AllowUnencryptedTraffic" for setting up a non SSL based endpoint.

This parameter is not part of the example file: Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

Add parameter example:

    AllowUnencryptedTraffic = $false

But it seems like the parameter is invalid. I looked a bit into the module, but it seems like some link is missing; the parameter does pop up in some files:

    The member 'AllowUnencryptedTraffic' is not valid. Valid members are 'AcceptSelfSignedCertificates', 'CertificateThumbPrint', 'ConfigurationPath', 'DatabasePath', 'DependsOn', 'DisableSecurityBestPractices', 'Enable32BitAppOnWin64', 'EndpointName', 'Ensure', 'ModulePath', 'PhysicalPath', 'Port', 'PsDscRunAsCredential', 'RegistrationKeyPath', 'State', 'UseSecurityBestPractices'.

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

It may be useful to mention that remote IIS administration, which is needed for the DSC Pull Server, is disabled by default.

Enabling:

    # Enable IIS remote management
    WindowsFeature Web-Mgmt-Service
    {
        Ensure    = "Present"
        Name      = "Web-Mgmt-Service"
        DependsOn = "[WindowsFeature]DSCServiceFeature"
    }

    Registry EnableRemoteManagement # By default installing the WindowsFeature Web-Mgmt-Service does not set this registry value
    {
        Ensure      = "Present"
        Key         = "HKLM:\SOFTWARE\Microsoft\WebManagement\Server"
        Valuename   = "EnableRemoteManagement"
        Valuetype   = "Dword"
        Valuedata   = "1"
        DependsOn   = "[WindowsFeature]DSCServiceFeature"
    }

    Service WMSVC # Remote Administration for IIS Manager
    {
        Ensure      = "Present"
        Name        = "WMSVC"
        StartupType = "Automatic" # Default state is manual
        State       = "Running"
        DependsOn   = "[WindowsFeature]DSCServiceFeature"
    }

MarioParty1 commented 6 years ago

Readme.md and/or Sample_xDscWebServiceRegistrationWithSecurityBestPractices.ps1

A clarification/notice about the option to use a MOF file checksum would be nice.

MarioParty1 commented 6 years ago

Sample_xDscWebServiceRemoval.ps1

Also needs the module (otherwise error):

    Import-DSCResource -ModuleName PSDesiredStateConfiguration

Also needs an invocation at the end of the script:

    xDscWebServiceRemoval