[英]Packer Windows WinRM fails to connect after Hardening
我可以使用 LGPO.exe 的打包程序來加固 Windows 2019 標準映像，但是在加固之後，打包程序無法連接到 EC2，我認為這是由 CIS 加固本身造成的。我到處搜索，但找不到解決方法。下面是錯誤信息：
錯誤:
==> amazon-ebs: Provisioning with windows-shell...
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Found command: C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\LGPO.exe /g C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\cis\USER-L1\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}
==> amazon-ebs: Provisioning with shell script: /tmp/windows-shell-provisioner364133423
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Opening /tmp/windows-shell-provisioner364133423 for reading
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:12 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-045c91af-61af-451d-7bf1-daf1bb11e107.tmp: Couldn't create shell: http response error: 401 - invalid content type
2020/12/29 05:52:14 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:44 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-2024a9bd-4e71-42c1-481c-ad7221d86d92.tmp: Couldn't create shell: unknown error Post "https://10.0.1.118:5986/wsman": dial tcp 10.0.1.118:5986: i/o timeout
{
"builders": [
{
"type": "amazon-ebs",
"region": "ap-southeast-2",
"source_ami": "AMI_ID",
"instance_type": "t3a.micro",
"ami_name": "windows-2019-s-cis-l1-{{timestamp}}",
"communicator": "winrm",
"ssh_interface": "private_ip",
"winrm_username": "Administrator",
"winrm_timeout": "15m",
"winrm_insecure": true,
"winrm_use_ntlm": true,
"winrm_use_ssl": true,
"iam_instance_profile": "ami-factory-SSMStack",
"vpc_id": "vpc-3231",
"subnet_id": "subnet-1312",
"security_group_id": "sg-213123",
"associate_public_ip_address": true,
"user_data_file": "setup-winrm.txt",
"launch_block_device_mappings": [
{
"device_name": "/dev/xvda",
"volume_size": 50,
"delete_on_termination": true,
"volume_type": "gp2"
}
],
"run_volume_tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
},
"run_tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
},
"tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
}
}
],
"provisioners": [
{
"type": "file",
"source": "builder/cis-benchmark-gpos",
"destination": "C:\\Users\\Administrator\\AppData\\Local\\Temp",
"direction": "upload"
},
{
"type": "windows-shell",
"inline": ["certutil -decode \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe.txt\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe\""]
},
{
"type": "windows-shell",
"inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\MS-L1\\{6B8FB17A-45D6-456D-9099-EB04F0100DE2}"]
},
{
"type": "windows-shell",
"inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\USER-L1\\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}"]
},
{
"type": "windows-shell",
"remote_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
"execute_command": "cscript C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
"scripts": [
"./builder/setup-scripts/updates.vbs"
]
}
]
}
用戶數據:
<powershell>
# User data for the Packer amazon-ebs build: prepares WinRM over HTTPS so the
# "winrm" communicator (winrm_use_ssl / winrm_use_ntlm in the template) can
# reach the instance before the provisioners run.
# NOTE(review): the build log on this page shows the connection failing right
# after the LGPO USER-L1 import (401, then a TCP timeout on 5986). The listener,
# firewall and auth settings below are the kind of state a hardening baseline
# overrides; compare them against the imported GPOs before assuming the user
# data itself is at fault.
# Opt .NET Framework 4.x (64-bit and WOW64) into the OS strong-crypto/TLS
# defaults instead of legacy SSL/TLS 1.0.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
write-output "Running User Data Script"
# SECURITY(review): Unrestricted lowers script-execution controls machine-wide
# and is broader than this build needs; a CIS baseline may also reset it.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy: that call reports an error that
# would abort the script once "stop" is in effect.
$ErrorActionPreference = "stop"
# Remove every existing listener (the listener* wildcard matches HTTPS as well
# as the default HTTP one) so the HTTPS listener below starts clean.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Self-signed certificate for the HTTPS listener. The template sets
# winrm_insecure=true, so Packer skips validating it; trust in this build
# rests on the VPC/security group, not on the certificate.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM service configuration. Each call goes through cmd.exe, so the quoting
# of the @{...} hashtables is deliberate and fragile.
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
# NOTE(review): quickconfig normally (re)creates an HTTP listener on 5985; if
# only 5986 is wanted, confirm the HTTP listener is not left behind.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# SECURITY(review): AllowUnencrypted permits plaintext WinRM traffic on both
# sides. The template uses winrm_use_ssl=true, so this is not required for the
# build and widens exposure of the instance while it is being built.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
# SECURITY(review): Basic auth sends the Administrator credential with only the
# transport protecting it; the template uses winrm_use_ntlm=true, so Basic
# appears unnecessary here.
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
# SECURITY(review): CredSSP enables credential delegation to the remote host;
# nothing in the template on this page uses it -- confirm it is needed.
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Shell/process limits for the winrs service.
cmd.exe /c winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxConcurrentUsers="30"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxProcessesPerShell="100"}'
# Re-applies port/hostname/thumbprint to the HTTPS listener created above
# (same $Cert.Thumbprint). The backtick-escaped quotes survive the trip
# through cmd.exe; do not "simplify" them.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Firewall: enable the built-in remote administration rule group and open 5986.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
# NOTE(review): "netsh firewall" is the legacy context ("netsh advfirewall
# firewall add rule" is the current form) -- confirm it still takes effect on
# Server 2019 and that the rule survives the hardening GPO import.
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Restart WinRM so the listener/config changes take effect, and make the
# service start automatically on boot.
# NOTE(review): sc expects "start= auto" (space after '='); the form below may
# be rejected, and a non-zero exit from cmd.exe does not trip
# $ErrorActionPreference = "stop", so such a failure would pass silently.
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start=auto
cmd.exe /c net start winrm
# Configure UAC to allow privilege elevation in remote shells.
# SECURITY(review): LocalAccountTokenFilterPolicy=1 disables UAC remote
# restrictions for local accounts, so any local admin gets a full token over
# WinRM; it is what lets Administrator provision here. A CIS baseline may set
# it back, which is one candidate for the 401 seen after the LGPO step.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# NOTE(review): runs under $ErrorActionPreference = "stop" with no -Force, so an
# untrusted-repository prompt or missing repository access would abort the user
# data here -- confirm it succeeds non-interactively. RequiredVersion pins the
# module, but it is still fetched from the configured repository at build time;
# confirm that source is trusted.
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0
</powershell>
我可以使用 LGPO.exe 的打包程序來加固 Windows 2019 標準映像，但是在加固之後，打包程序無法連接到 EC2，我認為這是由 CIS 加固本身造成的。我到處搜索，但找不到解決方法。下面是錯誤信息：
錯誤:
==> amazon-ebs: Provisioning with windows-shell...
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Found command: C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\LGPO.exe /g C:\Users\Administrator\AppData\Local\Temp\cis-benchmark-gpos\cis\USER-L1\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}
==> amazon-ebs: Provisioning with shell script: /tmp/windows-shell-provisioner364133423
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: Opening /tmp/windows-shell-provisioner364133423 for reading
2020/12/29 05:52:11 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:11 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:12 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-045c91af-61af-451d-7bf1-daf1bb11e107.tmp: Couldn't create shell: http response error: 401 - invalid content type
2020/12/29 05:52:14 packer-provisioner-windows-shell plugin: [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 [INFO] 185 bytes written for 'uploadData'
2020/12/29 05:52:14 packer-builder-amazon-ebs plugin: Uploading file to 'c:/Windows/Temp/script.bat'
2020/12/29 05:52:44 packer-provisioner-windows-shell plugin: Retryable error: Error uploading script: Error uploading file to $env:TEMP\winrmcp-2024a9bd-4e71-42c1-481c-ad7221d86d92.tmp: Couldn't create shell: unknown error Post "https://10.0.1.118:5986/wsman": dial tcp 10.0.1.118:5986: i/o timeout
{
"builders": [
{
"type": "amazon-ebs",
"region": "ap-southeast-2",
"source_ami": "AMI_ID",
"instance_type": "t3a.micro",
"ami_name": "windows-2019-s-cis-l1-{{timestamp}}",
"communicator": "winrm",
"ssh_interface": "private_ip",
"winrm_username": "Administrator",
"winrm_timeout": "15m",
"winrm_insecure": true,
"winrm_use_ntlm": true,
"winrm_use_ssl": true,
"iam_instance_profile": "ami-factory-SSMStack",
"vpc_id": "vpc-3231",
"subnet_id": "subnet-1312",
"security_group_id": "sg-213123",
"associate_public_ip_address": true,
"user_data_file": "setup-winrm.txt",
"launch_block_device_mappings": [
{
"device_name": "/dev/xvda",
"volume_size": 50,
"delete_on_termination": true,
"volume_type": "gp2"
}
],
"run_volume_tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
},
"run_tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
},
"tags": {
"Name": "windows-2019-s-cis-level1-ami-{{timestamp}}",
"CostCentre": "38367695/20005"
}
}
],
"provisioners": [
{
"type": "file",
"source": "builder/cis-benchmark-gpos",
"destination": "C:\\Users\\Administrator\\AppData\\Local\\Temp",
"direction": "upload"
},
{
"type": "windows-shell",
"inline": ["certutil -decode \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe.txt\" \"C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe\""]
},
{
"type": "windows-shell",
"inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\MS-L1\\{6B8FB17A-45D6-456D-9099-EB04F0100DE2}"]
},
{
"type": "windows-shell",
"inline": ["C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\LGPO.exe /g C:\\Users\\Administrator\\AppData\\Local\\Temp\\cis-benchmark-gpos\\cis\\USER-L1\\{DD55FCFF-4FC0-4FA0-9ABC-9D8402B8089E}"]
},
{
"type": "windows-shell",
"remote_path": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
"execute_command": "cscript C:\\Users\\Administrator\\AppData\\Local\\Temp\\script.vbs",
"scripts": [
"./builder/setup-scripts/updates.vbs"
]
}
]
}
用戶數據:
<powershell>
# User data for the Packer amazon-ebs build: prepares WinRM over HTTPS so the
# "winrm" communicator (winrm_use_ssl / winrm_use_ntlm in the template) can
# reach the instance before the provisioners run.
# NOTE(review): the build log on this page shows the connection failing right
# after the LGPO USER-L1 import (401, then a TCP timeout on 5986). The listener,
# firewall and auth settings below are the kind of state a hardening baseline
# overrides; compare them against the imported GPOs before assuming the user
# data itself is at fault.
# Opt .NET Framework 4.x (64-bit and WOW64) into the OS strong-crypto/TLS
# defaults instead of legacy SSL/TLS 1.0.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
write-output "Running User Data Script"
# SECURITY(review): Unrestricted lowers script-execution controls machine-wide
# and is broader than this build needs; a CIS baseline may also reset it.
Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore
# Don't set this before Set-ExecutionPolicy: that call reports an error that
# would abort the script once "stop" is in effect.
$ErrorActionPreference = "stop"
# Remove every existing listener (the listener* wildcard matches HTTPS as well
# as the default HTTP one) so the HTTPS listener below starts clean.
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse
# Self-signed certificate for the HTTPS listener. The template sets
# winrm_insecure=true, so Packer skips validating it; trust in this build
# rests on the VPC/security group, not on the certificate.
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "packer"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
# WinRM service configuration. Each call goes through cmd.exe, so the quoting
# of the @{...} hashtables is deliberate and fragile.
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"
# NOTE(review): quickconfig normally (re)creates an HTTP listener on 5985; if
# only 5986 is wanted, confirm the HTTP listener is not left behind.
cmd.exe /c winrm quickconfig -q
cmd.exe /c winrm set "winrm/config" '@{MaxTimeoutms="1800000"}'
cmd.exe /c winrm set "winrm/config/winrs" '@{MaxMemoryPerShellMB="1024"}'
# SECURITY(review): AllowUnencrypted permits plaintext WinRM traffic on both
# sides. The template uses winrm_use_ssl=true, so this is not required for the
# build and widens exposure of the instance while it is being built.
cmd.exe /c winrm set "winrm/config/service" '@{AllowUnencrypted="true"}'
cmd.exe /c winrm set "winrm/config/client" '@{AllowUnencrypted="true"}'
# SECURITY(review): Basic auth sends the Administrator credential with only the
# transport protecting it; the template uses winrm_use_ntlm=true, so Basic
# appears unnecessary here.
cmd.exe /c winrm set "winrm/config/service/auth" '@{Basic="true"}'
cmd.exe /c winrm set "winrm/config/client/auth" '@{Basic="true"}'
# SECURITY(review): CredSSP enables credential delegation to the remote host;
# nothing in the template on this page uses it -- confirm it is needed.
cmd.exe /c winrm set "winrm/config/service/auth" '@{CredSSP="true"}'
# Shell/process limits for the winrs service.
cmd.exe /c winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxConcurrentUsers="30"}'
cmd.exe /c winrm set winrm/config/winrs '@{MaxProcessesPerShell="100"}'
# Re-applies port/hostname/thumbprint to the HTTPS listener created above
# (same $Cert.Thumbprint). The backtick-escaped quotes survive the trip
# through cmd.exe; do not "simplify" them.
cmd.exe /c winrm set "winrm/config/listener?Address=*+Transport=HTTPS" "@{Port=`"5986`";Hostname=`"packer`";CertificateThumbprint=`"$($Cert.Thumbprint)`"}"
# Firewall: enable the built-in remote administration rule group and open 5986.
cmd.exe /c netsh advfirewall firewall set rule group="remote administration" new enable=yes
# NOTE(review): "netsh firewall" is the legacy context ("netsh advfirewall
# firewall add rule" is the current form) -- confirm it still takes effect on
# Server 2019 and that the rule survives the hardening GPO import.
cmd.exe /c netsh firewall add portopening TCP 5986 "Port 5986"
# Restart WinRM so the listener/config changes take effect, and make the
# service start automatically on boot.
# NOTE(review): sc expects "start= auto" (space after '='); the form below may
# be rejected, and a non-zero exit from cmd.exe does not trip
# $ErrorActionPreference = "stop", so such a failure would pass silently.
cmd.exe /c net stop winrm
cmd.exe /c sc config winrm start=auto
cmd.exe /c net start winrm
# Configure UAC to allow privilege elevation in remote shells.
# SECURITY(review): LocalAccountTokenFilterPolicy=1 disables UAC remote
# restrictions for local accounts, so any local admin gets a full token over
# WinRM; it is what lets Administrator provision here. A CIS baseline may set
# it back, which is one candidate for the 401 seen after the LGPO step.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Setting = 'LocalAccountTokenFilterPolicy'
Set-ItemProperty -Path $Key -Name $Setting -Value 1 -Force
# NOTE(review): runs under $ErrorActionPreference = "stop" with no -Force, so an
# untrusted-repository prompt or missing repository access would abort the user
# data here -- confirm it succeeds non-interactively. RequiredVersion pins the
# module, but it is still fetched from the configured repository at build time;
# confirm that source is trusted.
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0
</powershell>