Install-SecureMFA_RDG_OTP_AuthenticationProvider.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#Requires -RunAsAdministrator

<#
     .SYNOPSIS
        Installs SecureMFA RD Gateway OTP Authentication Provider.
    .DESCRIPTION
        SecureMFA RD Gateway OTP Authentication Provider plugin allows Microsoft RDS Gateway server to work with One-Time Pass codes which are elivered by RDP client as authentication cookie during user�s logon.
 
        Dependencies:
            * SecureMFA Tools COM extensions are required to be present on RDS gateway server to enable extraction of OTP codes for this service from SecureMFA database.
            * System which executes a script must have Microsoft Framework 4.6.1 and above installed.
            * SecureMFA_SupportTools.dll file must be present in script directory.
 
  
    .NOTES
        Version: 2.0.0.1
        Author: SecureMfa.com
        Creation Date: 15/07/2020
        Purpose/Change: Major changes
   
    .EXAMPLE
        C:\PS> Install-SecureMFA_RDG_OTP_AuthenticationProvider
 
        This command will install SecureMFA RD Gateway OTP Authentication Provider plugin on the server.
    
#>


$dllpath = (Join-Path -Path $PSScriptRoot -ChildPath sMFARDGAuthenticationProvider.dll)

#Check if windows events source for application log exist, if not create one.
if ([System.Diagnostics.EventLog]::SourceExists("SecureMFA_SupportTools") -eq $False) {New-EventLog -LogName "Application" -Source "SecureMFA_SupportTools" ; Write-Host "SecureMFA_SupportTools Log Source Created."}


Function Install-SecureMFA_RDG_OTP_AuthenticationProvider {
Param
(
    [Parameter(Mandatory=$false)][string]$anchordnsname = "adatum.labnet",
    [Parameter(Mandatory=$false)][string]$serialkey = "m000000",
    [Parameter(Mandatory=$false)][string]$subscriptionid = "1000000000000000000000001",
    [Parameter(Mandatory=$false)][string]$sqlserver = "asqlaol1.adatum.labnet",
    [Parameter(Mandatory=$false)][string]$sqldbname = "SecureMfaOTP",
    [Parameter(Mandatory=$false)][bool]$sqlintegratedsecurity = $true,
    [Parameter(Mandatory=$false)][string]$sqluseraccount = "sa",
    [Parameter(Mandatory=$false)][string]$sqluserpassword = "",
    [Parameter(Mandatory=$false)][bool]$data_encryption = $false,
    [Parameter(Mandatory=$false)][string]$data_encryption_passphrase = "d9GhT=7=Ox8-+LaZ",
    [Parameter(Mandatory=$false)][int]$timeout = 0,
    [Parameter(Mandatory=$false)][ValidateSet('0','1')][int]$timeoutaction = 0,
    [Parameter(Mandatory=$false)][int]$ui_login_failures = 0,
    [Parameter(Mandatory=$false)][int]$ui_lockout_minutes = 0,
    [Parameter(Mandatory=$false)][int]$totp_validity_seconds = 30,
    [Parameter(Mandatory=$false)][Switch]$NoServiceResart,
    [Parameter(Mandatory=$false)][Switch]$NoSamplePolicies,
    [Parameter(Mandatory=$false)][Switch]$Force
)
    
    #Check if TSGateway existi on the system
    if(((Get-Service tsgateway -ErrorAction SilentlyContinue).Status -eq $null) -and (!($Force))) {write-host "RD Gateway Authentication Provider requires RDS Gateway service to be installed. TS Gateway services doesn't exist on $env:COMPUTERNAME" -ForegroundColor Yellow; break}
    
    #Check if SecureMFA COM Extensions have been registered
    if((Test-Path -LiteralPath "HKLM:\SOFTWARE\Classes\SecureMFA_SupportTools.SecureMFACOM_Class") -ne $true) {  write-host "SecureMFA COM Extensions have not been installed on $env:COMPUTERNAME . Please use Install-SecureMFA_COM_Extensions command to register required COM extensions." -ForegroundColor Yellow; break };
     
    try
    {
        $Error.Clear()
        if (!(Test-Path $dllpath -Type Leaf) ) { throw "$dllpath does not exist" ; break}

        #Start deployment
        write-host "Creating SecureMFA RD Gateway OTPAuthentication Provider registry entries" -ForegroundColor Cyan

        if((Test-Path -LiteralPath "HKLM:\SOFTWARE\SecureMFA") -ne $true) {  New-Item "HKLM:\SOFTWARE\SecureMFA" -force -ea SilentlyContinue };
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_sqlserver' -Value $sqlserver -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_sqldbname' -Value $sqldbname -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_sqlintegratedsecurity' -Value $sqlintegratedsecurity -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_sqluseraccount' -Value $sqluseraccount -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_sqluserpassword' -Value $sqluserpassword -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_data_encryption' -Value ([Int32]$data_encryption) -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_data_encryption_passphrase' -Value $data_encryption_passphrase -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_ui_login_failures' -Value $ui_login_failures -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_ui_lockout_minutes' -Value $ui_lockout_minutes -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_totp_validity_seconds' -Value $totp_validity_seconds -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_timeout' -Value $timeout -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_timeoutaction' -Value $timeoutaction -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_anchordnsname' -Value $anchordnsname -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_serialkey' -Value $serialkey -PropertyType String -Force -ea SilentlyContinue;
        New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\SecureMFA' -Name 'rds_subscriptionid' -Value $subscriptionid -PropertyType String -Force -ea SilentlyContinue;

        write-host "Registering Authentication provider: $dllpath" -ForegroundColor Cyan

        #Set TS Gataway Authentication Plugin
        (get-WMIObject "Win32_TSGatewayServerSettings" -computer "." -Namespace "ROOT\CIMV2\TerminalServices").SetAuthenticationPluginAndRecycleRpcApplicationPools("SecureMFARdgAuthenticationProvider")
        
        #Register Authentication providers DLL
        $Result = Invoke-Command -ScriptBlock { regsvr32 /s $args[0] } -ArgumentList $dllpath        
        
        #Restart RDS Gateway service
        if((Get-Service tsgateway -ErrorAction SilentlyContinue).Status -ne $null -and (!($NoServiceResart))) {
        write-host "Restarting tsgateway service." -ForegroundColor Green
        Stop-Service tsgateway
        Start-Service tsgateway}


        if(!($NoServiceResart)){
        write-host "Configuring TS Gateway sample CAP and RAP policies." -ForegroundColor Green
        
        Import-Module RemoteDesktopServices
        $rds_gtw_CAP_name = 'CAP_Sample_All_Admins'
        $rds_gtw_RAP_name = 'RAP_Sample_All_Resources'

        if (!(Test-Path -Path "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name") -and (!($NoSamplePolicies))) {
            #Create CAP for Administrators with passwrod authentication
            write-host "Creating: $rds_gtw_CAP_name" -ForegroundColor Green
            New-Item -Path "RDS:\GatewayServer\CAP" -Name $rds_gtw_CAP_name -UserGroups 'Administrators@BUILTIN' -AuthMethod 1

            #Enable session timeout (disconnect after 10h)
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\SessionTimeout" -Value "600" -SessionTimeoutAction 0
            #Idle timeout sessions after 2h
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\IdleTimeout" -Value "120"

            #Disable device redirections and allow only Clipboard copy.
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\DeviceRedirection\DiskDrives" -Value 0
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\DeviceRedirection\Printers" -Value 0
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\DeviceRedirection\SerialPorts" -Value 0
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\DeviceRedirection\PlugAndPlayDevices" -Value 0
            set-item "RDS:\GatewayServer\CAP\$rds_gtw_CAP_name\DeviceRedirection\Clipboard" -Value 1
        }
        ElseIf ($NoSamplePolicies) {write-host "$rds_gtw_CAP_name CAP rule creation skipping..." -ForegroundColor Yellow}
        else {write-host "$rds_gtw_CAP_name CAP rule exist skipping creation..." -ForegroundColor Yellow}

        if (!(Test-Path -Path "RDS:\GatewayServer\RAP\$rds_gtw_RAP_name") -and (!($NoSamplePolicies))) {
        #RAP Allow connections to any netwrok resource on port 3389
        write-host "Creating: $rds_gtw_RAP_name" -ForegroundColor Green
        New-Item -Path "RDS:\GatewayServer\RAP" -Name $rds_gtw_RAP_name -UserGroups 'Administrators@BUILTIN' -ComputerGroupType 2
        set-item "RDS:\GatewayServer\RAP\$rds_gtw_RAP_name\Description" -Value "Allow access to all resources"
        set-item "RDS:\GatewayServer\RAP\$rds_gtw_RAP_name\PortNumbers" -Value @("3389")
        }
        ElseIf  ($NoSamplePolicies) {write-host "$rds_gtw_RAP_name RAP rule creation skipping..." -ForegroundColor Yellow}
        else {write-host "$rds_gtw_RAP_name RAP rule exist skipping creation..." -ForegroundColor Yellow}

        };

        Write-host "RD Gateway Authentication Plugig has been configured: "(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Terminal Server Gateway\Authentication plug-ins').'(default)' -ForegroundColor Cyan
        
    }
    catch
    {
        Write-Host "$($MyInvocation.InvocationName): $_" -ForegroundColor red
    }    


}