
Packer Windows WinRM 加固后連接失敗

[英]Packer Windows WinRM fails to connect after Hardening

我可以使用 LGPO.exe 的打包程序來加固 Windows 2019 標準映像,但是在加固之後,打包程序無法連接到 EC2,我認為這是由於 CIS 本身的加固造成的。我到處搜索,但找不到解決方法。下面是錯誤信息:

錯誤:

==> amazon-ebs: Provisioning with windows-shell...
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Found command: C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\LGPO.exe /g C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\cis\USER-L1\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}
==> amazon-ebs: Provisioning with shell script: /tmp/windows-shell-provisioner364133423
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Opening /tmp/windows-shell-provisioner364133423 for reading
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:12 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-045c91af-61af-451d-7bf1-daf1bb11e107.tmp: Couldn't create shell: http response error: 401 - invalid content type
2020/12/29 05:52:14 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:44 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-2024a9bd-4e71-42c1-481c-ad7221d86d92.tmp: Couldn't create shell: unknown error Post "https://10.0.1.118:5986/wsman": dial tcp 10.0.1.118:5986: i/o timeout
{
    "builders": [
      {
        "type": "amazon-ebs",
        "region": "ap-southeast-2",
        "source_ami": "AMI_ID",
        "instance_type": "t3a.micro",
        "ami_name": "windows-2019-s-cis-l1-{{timestamp}}",
        "communicator": "winrm",
        "ssh_interface": "private_ip",
        "winrm_username": "Administrator",
        "winrm_timeout": "15m",
        "winrm_insecure": true,
        "winrm_use_ntlm": true,
        "winrm_use_ssl": true,
        "iam_instance_profile": "ami-factory-SSMStack",
        "vpc_id": "vpc-3231",
        "subnet_id": "subnet-1312",
        "security_group_id": "sg-213123",
        "associate_public_ip_address": true,
        "user_data_file": "setup-winrm.txt",
        "launch_block_device_mappings": [
          {
             "device_name": "/dev/xvda",
             "volume_size": 50,
             "delete_on_termination": true,
             "volume_type": "gp2"
          }
        ],
        "run_volume_tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        },        
        "run_tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        },
        "tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        }
      }
    ],
  "provisioners": [
    {
      "type": "file",
      "source": "builder/cis-benchmark-gpos",
      "destination": "C:\\Users\\Administrator\\AppData\\Local\\Temp",
      "direction": "upload"
    },
    {
      "type": "windows-shell",
      "inline": ["certutil -decode \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe.txt\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe\""]
    },
    {
      "type": "windows-shell",
      "inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe  /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\MS-L1\\{6B8FB17A-45D6-456D-9099-EB04F0100DE2}"]
    },
    {
      "type": "windows-shell",
      "inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\USER-L1\\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}"]
    },  
    {
      "type": "windows-shell",
      "remote_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
      "execute_command": "cscript C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
      "scripts": [
        "./builder/setup-scripts/updates.vbs"
      ]
    }
  ]
}

用戶數據:

<powershell>
# Force .NET Framework (native and WOW64 registry views) to use strong crypto
# (SchUseStrongCrypto=1); commonly relied on so .NET clients default to TLS 1.2.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
write-output "Running User Data Script"

# Relax the machine-wide script execution policy. Errors are ignored here,
# presumably so a policy already enforced elsewhere does not abort the
# bootstrap -- NOTE(review): confirm that is the intent.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error.
# From here on any failing cmdlet terminates the script; the registry writes
# and policy change above are therefore best-effort.
$ErrorActionPreference = "stop"

# Remove HTTP listener.
# The wildcard removes every existing WSMan listener (HTTP and any earlier
# HTTPS one), so only the HTTPS listener created below remains.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work.
# DNS name is "packer"; the Packer template on this page sets
# winrm_insecure=true, so the client does not validate this certificate.
# It is a build-time artefact -- expect it to be removed before the AMI is
# published.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

# Baseline WinRM configuration (quickconfig), then raised timeout/memory quotas.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# NOTE(review): AllowUnencrypted and Basic auth on both service and client
# weaken the transport (cleartext traffic, Basic credentials). The template
# connects with winrm_use_ssl and winrm_use_ntlm, so these four settings look
# unnecessary for Packer's connection -- confirm, and expect a CIS L1 policy
# applied later by LGPO.exe to override them.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
# Enables CredSSP on the service side; nothing on this page uses it --
# TODO confirm it is needed.
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Raise remote-shell quotas (shells per user, concurrent users, processes per shell).
cmd.exe /c winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxConcurrentUsers="30"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxProcessesPerShell="100"}'
# Re-point the HTTPS listener at port 5986 with the certificate generated above.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Firewall: enable the "remote administration" rule group and open TCP 5986
# inbound. `netsh firewall` is the legacy syntax (superseded by
# `netsh advfirewall`); TODO confirm it still takes effect on Server 2019.
# The "dial tcp ...:5986: i/o timeout" in the log on this page is consistent
# with 5986 no longer being reachable after the hardening pass.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Restart WinRM so the listener/config changes apply, and set it to start
# automatically.
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start=auto
cmd.exe /c net start winrm
# Configure UAC to allow privilege elevation in remote shells.
# LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions for local
# accounts (presumably needed because the template connects as the local
# Administrator). Hardening baselines commonly reset this -- NOTE(review):
# confirm it survives the LGPO pass.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Installs a pinned third-party module (presumably from the PowerShell
# Gallery); needs outbound network access and a trusted repository.
# TODO confirm it is still required -- the provisioners on this page apply
# policy with LGPO.exe, not with this module.
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0
</powershell>

我可以使用 LGPO.exe 的打包程序來加固 Windows 2019 標準映像,但是在加固之後,打包程序無法連接到 EC2,我認為這是由於 CIS 本身的加固造成的。我到處搜索,但找不到解決方法。下面是錯誤信息:

錯誤:

==> amazon-ebs: Provisioning with windows-shell...
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Found command: C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\LGPO.exe /g C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\cis\USER-L1\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}
==> amazon-ebs: Provisioning with shell script: /tmp/windows-shell-provisioner364133423
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Opening /tmp/windows-shell-provisioner364133423 for reading
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:12 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-045c91af-61af-451d-7bf1-daf1bb11e107.tmp: Couldn't create shell: http response error: 401 - invalid content type
2020/12/29 05:52:14 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:44 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-2024a9bd-4e71-42c1-481c-ad7221d86d92.tmp: Couldn't create shell: unknown error Post "https://10.0.1.118:5986/wsman": dial tcp 10.0.1.118:5986: i/o timeout
{
    "builders": [
      {
        "type": "amazon-ebs",
        "region": "ap-southeast-2",
        "source_ami": "AMI_ID",
        "instance_type": "t3a.micro",
        "ami_name": "windows-2019-s-cis-l1-{{timestamp}}",
        "communicator": "winrm",
        "ssh_interface": "private_ip",
        "winrm_username": "Administrator",
        "winrm_timeout": "15m",
        "winrm_insecure": true,
        "winrm_use_ntlm": true,
        "winrm_use_ssl": true,
        "iam_instance_profile": "ami-factory-SSMStack",
        "vpc_id": "vpc-3231",
        "subnet_id": "subnet-1312",
        "security_group_id": "sg-213123",
        "associate_public_ip_address": true,
        "user_data_file": "setup-winrm.txt",
        "launch_block_device_mappings": [
          {
             "device_name": "/dev/xvda",
             "volume_size": 50,
             "delete_on_termination": true,
             "volume_type": "gp2"
          }
        ],
        "run_volume_tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        },        
        "run_tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        },
        "tags": {
          "Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
          "CostCentre": "38367695/20005"
        }
      }
    ],
  "provisioners": [
    {
      "type": "file",
      "source": "builder/cis-benchmark-gpos",
      "destination": "C:\\Users\\Administrator\\AppData\\Local\\Temp",
      "direction": "upload"
    },
    {
      "type": "windows-shell",
      "inline": ["certutil -decode \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe.txt\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe\""]
    },
    {
      "type": "windows-shell",
      "inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe  /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\MS-L1\\{6B8FB17A-45D6-456D-9099-EB04F0100DE2}"]
    },
    {
      "type": "windows-shell",
      "inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\USER-L1\\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}"]
    },  
    {
      "type": "windows-shell",
      "remote_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
      "execute_command": "cscript C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
      "scripts": [
        "./builder/setup-scripts/updates.vbs"
      ]
    }
  ]
}

用戶數據:

<powershell>
# Force .NET Framework (native and WOW64 registry views) to use strong crypto
# (SchUseStrongCrypto=1); commonly relied on so .NET clients default to TLS 1.2.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
write-output "Running User Data Script"

# Relax the machine-wide script execution policy. Errors are ignored here,
# presumably so a policy already enforced elsewhere does not abort the
# bootstrap -- NOTE(review): confirm that is the intent.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error.
# From here on any failing cmdlet terminates the script; the registry writes
# and policy change above are therefore best-effort.
$ErrorActionPreference = "stop"

# Remove HTTP listener.
# The wildcard removes every existing WSMan listener (HTTP and any earlier
# HTTPS one), so only the HTTPS listener created below remains.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# Create a self-signed certificate to let ssl work.
# DNS name is "packer"; the Packer template on this page sets
# winrm_insecure=true, so the client does not validate this certificate.
# It is a build-time artefact -- expect it to be removed before the AMI is
# published.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

# Baseline WinRM configuration (quickconfig), then raised timeout/memory quotas.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# NOTE(review): AllowUnencrypted and Basic auth on both service and client
# weaken the transport (cleartext traffic, Basic credentials). The template
# connects with winrm_use_ssl and winrm_use_ntlm, so these four settings look
# unnecessary for Packer's connection -- confirm, and expect a CIS L1 policy
# applied later by LGPO.exe to override them.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
# Enables CredSSP on the service side; nothing on this page uses it --
# TODO confirm it is needed.
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Raise remote-shell quotas (shells per user, concurrent users, processes per shell).
cmd.exe /c winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxConcurrentUsers="30"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxProcessesPerShell="100"}'
# Re-point the HTTPS listener at port 5986 with the certificate generated above.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Firewall: enable the "remote administration" rule group and open TCP 5986
# inbound. `netsh firewall` is the legacy syntax (superseded by
# `netsh advfirewall`); TODO confirm it still takes effect on Server 2019.
# The "dial tcp ...:5986: i/o timeout" in the log on this page is consistent
# with 5986 no longer being reachable after the hardening pass.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Restart WinRM so the listener/config changes apply, and set it to start
# automatically.
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start=auto
cmd.exe /c net start winrm
# Configure UAC to allow privilege elevation in remote shells.
# LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions for local
# accounts (presumably needed because the template connects as the local
# Administrator). Hardening baselines commonly reset this -- NOTE(review):
# confirm it survives the LGPO pass.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# Installs a pinned third-party module (presumably from the PowerShell
# Gallery); needs outbound network access and a trusted repository.
# TODO confirm it is still required -- the provisioners on this page apply
# policy with LGPO.exe, not with this module.
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0
</powershell>


