DSCResources/xRemoteDesktopAdmin/xRemoteDesktopAdmin.psm1

<#
This sample DSC Resource allows you to configure the Remote Desktop settings (under Remote Settings).
Leveraging the xFirewall resource (included in MSFT_xNetworking), firewall rules can also be configured.
Leveraging the Group resource (included in Windows), the "Remote Desktop Users" group can also be configured.
This sample has been tested with Windows Server 2012 R2 and WMF 5.0 Preview
Author: Tiander Turpijn, Microsoft Corporation
 
Parameters:
Ensure [string] maps to the registry value fDenyTSConnections [Int] and controls whether RDP connections are allowed: Present = 0 (enabled), Absent = 1 (disabled)
UserAuthentication [string] maps to the registry value UserAuthentication [Int] and controls whether only connections using Network Level Authentication are allowed: Secure = 1, NonSecure = 0
#>


#region GET RDP Settings
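function Get-TargetResource
{
    <#
    .SYNOPSIS
        Reports the Remote Desktop settings currently stored in the registry.
    .DESCRIPTION
        Reads fDenyTSConnections from the Terminal Server key and UserAuthentication
        from the RDP-Tcp WinStation key, then maps the numeric values back to the
        strings this resource uses. Nothing is written.
        The parameters are accepted because the DSC contract passes them in, but they
        do not influence the result: the hashtable always describes the machine, not
        the requested state.
    .PARAMETER Ensure
        "Present" or "Absent". Not used when building the result.
    .PARAMETER UserAuthentication
        "Secure" or "NonSecure". Not used when building the result.
    .OUTPUTS
        System.Collections.Hashtable with the keys Ensure and UserAuthentication.
        A key is $null when the registry holds a value other than 0 or 1.
    #>
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory)]
        [ValidateSet("Present","Absent")]
        [System.String]$Ensure,

        [ValidateSet("NonSecure", "Secure")]
        [System.String]$UserAuthentication
    )

    # The original converted both parameters to bytes here and never used the results;
    # that dead code also overwrote the validated string parameter, so it is dropped.
    $terminalServer = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections"
    $rdpTcp = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication"

    $returnValue = @{
        # fDenyTSConnections is a "deny" flag, so 0 means RDP is enabled.
        Ensure = switch ($terminalServer.fDenyTSConnections) {
            0 {"Present"}
            1 {"Absent"}
        }
        # 1 means only Network Level Authentication connections are accepted.
        UserAuthentication = switch ($rdpTcp.UserAuthentication) {
            0 {"NonSecure"}
            1 {"Secure"}
        }
    }

    $returnValue
}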

# Get-TargetResource 'Present' 'Secure' -Verbose
# Expectation is a hashtable with configuration of the machine.

#endregion

#region SET RDP Settings
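function Set-TargetResource
{
    <#
    .SYNOPSIS
        Writes the requested Remote Desktop settings to the registry.
    .DESCRIPTION
        Compares the requested state with the current registry values and writes only
        the values that differ.
        This function changes the two registry values only. Per the file header,
        firewall rules and "Remote Desktop Users" membership are handled by the
        xFirewall and Group resources, so enabling RDP here does not by itself
        decide who can reach or log on to the service.
    .PARAMETER Ensure
        "Present" stores fDenyTSConnections = 0 (RDP enabled);
        "Absent" stores fDenyTSConnections = 1 (RDP disabled).
    .PARAMETER UserAuthentication
        Optional. "Secure" stores UserAuthentication = 1 (only Network Level
        Authentication connections); "NonSecure" stores 0, which lifts that
        restriction. When omitted, the existing value is left untouched.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory)]
        [ValidateSet("Present","Absent")]
        [System.String]$Ensure,

        [ValidateSet("NonSecure", "Secure")]
        [System.String]$UserAuthentication
    )

    $terminalServerKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpTcpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Desired values live in their own variables so the validated string
    # parameters are never overwritten with a number.
    switch ($Ensure) {
        "Present" {[System.Byte]$desiredDeny = 0}
        "Absent"  {[System.Byte]$desiredDeny = 1}
    }

    $currentDeny = (Get-ItemProperty -Path $terminalServerKey -Name "fDenyTSConnections").fDenyTSConnections
    if ($desiredDeny -ne $currentDeny) {
        Write-Verbose "Setting fDenyTSConnections to $desiredDeny (was: $currentDeny)"
        Set-ItemProperty -Path $terminalServerKey -Name "fDenyTSConnections" -Value $desiredDeny
    }

    # Only touch the NLA setting when the caller asked for one. The original compared
    # against a misspelled, never-assigned variable, so it wrote on every run, and with
    # the parameter omitted it passed an empty string as the value to write.
    if ($PSBoundParameters.ContainsKey('UserAuthentication')) {
        switch ($UserAuthentication) {
            "NonSecure" {[System.Byte]$desiredAuth = 0}
            "Secure"    {[System.Byte]$desiredAuth = 1}
        }

        $currentAuth = (Get-ItemProperty -Path $rdpTcpKey -Name "UserAuthentication").UserAuthentication
        if ($desiredAuth -ne $currentAuth) {
            Write-Verbose "Setting UserAuthentication to $desiredAuth (was: $currentAuth)"
            Set-ItemProperty -Path $rdpTcpKey -Name "UserAuthentication" -Value $desiredAuth
        }
    }
}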

# Set-TargetResource 'Present' 'Secure' -Verbose
# Expectation is the computer will be configured to accept secure RDP connections. To verify, right click on the Windows button and open System - Remote Settings.

#endregion

#region TEST RDP Settings
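function Test-TargetResource
{
    <#
    .SYNOPSIS
        Checks whether the registry matches the requested Remote Desktop settings.
    .DESCRIPTION
        Reads fDenyTSConnections and, when UserAuthentication was supplied, the
        UserAuthentication value, and compares them with the requested state.
        Nothing is written. Differences are reported through Write-Verbose.
    .PARAMETER Ensure
        "Present" expects fDenyTSConnections = 0; "Absent" expects 1.
    .PARAMETER UserAuthentication
        Optional. "Secure" expects UserAuthentication = 1; "NonSecure" expects 0.
        When omitted, the Network Level Authentication setting is not evaluated.
    .OUTPUTS
        System.Boolean. $true when every evaluated setting matches.
    #>
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory)]
        [ValidateSet("Present","Absent")]
        [System.String]$Ensure,

        [ValidateSet("NonSecure", "Secure")]
        [System.String]$UserAuthentication
    )

    # Desired values live in their own variables so the validated string
    # parameters are never overwritten with a number.
    switch ($Ensure) {
        "Present" {[System.Byte]$desiredDeny = 0}
        "Absent"  {[System.Byte]$desiredDeny = 1}
    }

    $currentDeny = (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections").fDenyTSConnections
    $denyMatches = ($desiredDeny -eq $currentDeny)

    # With the parameter omitted, the original compared an empty string against the
    # registry number and therefore never reported compliance.
    $checkAuth = $PSBoundParameters.ContainsKey('UserAuthentication')
    $authMatches = $true
    if ($checkAuth) {
        switch ($UserAuthentication) {
            "NonSecure" {[System.Byte]$desiredAuth = 0}
            "Secure"    {[System.Byte]$desiredAuth = 1}
        }

        $currentAuth = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication").UserAuthentication
        $authMatches = ($desiredAuth -eq $currentAuth)
    }

    $bool = $false

    if ($denyMatches -and $authMatches)
    {
        Write-Verbose "RDP settings are matching the desired state"
        $bool = $true
    }
    else
    {
        Write-Verbose "RDP settings are Non-Compliant!"
        if (-not $denyMatches) {
            Write-Verbose "DenyTSConnections settings are non-compliant, Value should be $desiredDeny - Detected value is: $currentDeny"
        }
        if (-not $authMatches) {
            Write-Verbose "UserAuthentication settings are non-compliant, Value should be $desiredAuth - Detected value is: $currentAuth"
        }
    }

    $bool
}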

# Test-TargetResource 'Present' 'Secure' -Verbose
# Expectation is a true/false output based on whether the machine matches the declared configuration.

#endregion


# Expose only the *-TargetResource functions to callers of this module.
Export-ModuleMember -Function '*-TargetResource'