Windows Hardening and WinRM


Mathias Woringer

Jan 6, 2018, 4:35:41 PM
to Packer
Hello everyone,

I'm trying to build a Windows Server 2012 r2 virtualbox vm with some hardening using Chef-Solo.

There was an issue using Chef-Solo and WinRM, but Packer version 1.1.4 solves the issue.

I'm not a Windows expert and am using the hardening cookbooks from this project: 


There is one cookbook recipe which uses the following security attributes:

# General security policy settings
default['security_policy']['template']['location'] = 'C:\Windows\security\templates'
default['security_policy']['database']['location'] = 'C:\Windows\security\database'
default['security_policy']['database']['name'] = 'hardening.sdb'

# System access settings
# Nil value means nothing will be written to the security policy template.
default['security_policy']['access']['PasswordComplexity'] = 1
default['security_policy']['access']['LockoutBadCount'] = 3
default['security_policy']['access']['ResetLockoutCount'] = 15
default['security_policy']['access']['LockoutDuration'] = 15

# Security policy rights / privileges settings.
default['security_policy']['rights']['SeRemoteInteractiveLogonRight']       = '*S-1-5-32-544'
default['security_policy']['rights']['SeTcbPrivilege']                      = '*S-1-0-0'
default['security_policy']['rights']['SeMachineAccountPrivilege']           = '*S-1-5-32-544'
default['security_policy']['rights']['SeTrustedCredManAccessPrivilege']     = '*S-1-0-0'
default['security_policy']['rights']['SeNetworkLogonRight']                 = '*S-1-0-0'


After this recipe has been "cooked", I want to run some windows-shell scripts, but when I try, WinRM triggers an error. If I disable this recipe, it works without a hitch.

So there must be some policy here which prevents WinRM from functioning properly afterwards.

If someone can point me to which policy it is and maybe how to solve the issue, this would be really appreciated.

Thank you very much in advance for your help.

Jordan Borean

Jan 6, 2018, 7:31:05 PM
to Packer
I would say the SeNetworkLogonRight is causing the issue. SID S-1-0-0 is Nobody, which means that no user will be able to access resources of the host through the network. This can include things like WinRM and file/print services.

I would change that to be the WinRM user you are working with at the least and potentially expand that to Administrators as per the MS best practices https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/access-this-computer-from-the-network.

Thanks

Jordan
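As an added example (not code from the thread or from the hardening cookbook it uses), a small Ruby check over the attribute hash shown above: it flags SeNetworkLogonRight when it is granted only to Nobody (S-1-0-0), returns a corrected copy that grants Administrators plus any SIDs the caller passes (for instance the account Packer connects over WinRM with), and renders the [Privilege Rights] section of the secedit template. The list of rights it checks and the helper names are assumptions.

```ruby
NOBODY_SID         = '*S-1-0-0'        # Nobody: the right is granted to no one
ADMINISTRATORS_SID = '*S-1-5-32-544'   # BUILTIN\Administrators

# Rights a remote WinRM session needs on the target host. Assumption: only the
# right identified in the thread is listed; extend the list as needed.
REMOTE_MANAGEMENT_RIGHTS = %w[SeNetworkLogonRight].freeze

# Normalise a value the way the cookbook allows it: nil (nothing written),
# a single SID string, or a comma-separated string / array of SIDs.
def sids_of(value)
  return [] if value.nil?
  Array(value).flat_map { |v| v.split(',') }.map(&:strip).reject(&:empty?)
end

# Rights from the list that are written to the template but grant access to
# nobody, so network-facing services (WinRM, SMB) would refuse every logon.
def winrm_lockout_findings(rights)
  REMOTE_MANAGEMENT_RIGHTS.select do |name|
    sids = sids_of(rights[name])
    !sids.empty? && sids.all? { |s| s == NOBODY_SID }
  end
end

# Return a corrected copy: each flagged right goes to Administrators (as in
# the Microsoft guidance linked above) plus any extra SIDs supplied by the
# caller, e.g. the SID of the WinRM account (constructed value in the test).
def remediate(rights, extra_sids = [])
  fixed = rights.dup
  winrm_lockout_findings(rights).each do |name|
    fixed[name] = ([ADMINISTRATORS_SID] + extra_sids).uniq
  end
  fixed
end

# Render the section as secedit expects it in the .inf template; nil values
# are skipped, matching the cookbook's "nothing will be written" rule.
def render_privilege_rights(rights)
  lines = ['[Privilege Rights]']
  rights.each do |name, value|
    sids = sids_of(value)
    lines << "#{name} = #{sids.join(',')}" unless sids.empty?
  end
  lines.join("\n")
end
```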

Mathias Woringer

Jan 9, 2018, 1:41:57 PM
to Packer
Thank you very much

That did the trick.
