Simple MFA-protected Windows spot-instance jump host
<powershell> | |
# RDP connection-profile template that Output-RdpShortcut writes to the Public desktop.
# The literal token THEADDRESS is swapped for the target host name at write time.
# Nothing in the body is interpolated (no $ or backtick sequences), so the expandable
# here-string produces the text exactly as it appears below.
# NOTE(review): 'authentication level:i:2' only warns when the target's certificate
# cannot be validated rather than refusing the connection, and 'redirectclipboard:i:1'
# / 'redirectsmartcards:i:1' pass the client's clipboard and smart cards through to the
# next hop -- confirm both are intended for a jump-host profile.
$rdpTemplate = @"
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1200
session bpp:i:32
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:THEADDRESS
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
"@
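# Writes a .rdp connection file named <shortcutName>.rdp to the Public desktop, using
# $rdpTemplate (script scope) with the THEADDRESS token replaced by $address.
# Arguments: $shortcutName - file-name stem; restricted to [A-Za-z0-9._-] so the name
#                            cannot carry path separators out of the Public desktop folder
#            $address      - host name (or host:port) placed in the 'full address' field
# Outputs:   nothing on the pipeline; creates or overwrites the .rdp file
function Output-RdpShortcut {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._-]+$')]
        [string]$shortcutName,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$address
    )
    $shortcutPath = Join-Path 'C:\Users\Public\Desktop' "$shortcutName.rdp"
    # String.Replace is literal and case-sensitive, so only the exact THEADDRESS token changes.
    $content = $rdpTemplate.Replace('THEADDRESS', $address)
    Set-Content -Path $shortcutPath -Value $content
}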
# One desktop shortcut per onward hop: Name is the file stem, Address the RDP target.
foreach ($hop in @(
    @{ Name = 'another-jump1'; Address = 'another-jump1.example.com' },
    @{ Name = 'another-jump2'; Address = 'another-jump2.example.com' }
)) {
    Output-RdpShortcut -shortcutName $hop.Name -address $hop.Address
}
Write-Host "Installing Chocolatey."
# The Chocolatey installer is a remote script run through Invoke-Expression: nothing
# here pins a version or verifies a checksum, so the image trusts whatever
# chocolatey.org serves at build time. Worth reviewing before use in a hardened pipeline.
Set-ExecutionPolicy Bypass -Scope Process -Force
# Tls12 (== 3072) is OR-ed in so any protocols already enabled stay enabled.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
$chocoInstaller = (New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')
Invoke-Expression $chocoInstaller
# NOTE(review): refreshenv comes from Chocolatey's profile module; confirm it is defined
# in this fresh non-interactive session, otherwise PATH may not pick up choco/sdelete.
refreshenv
# sdelete is pulled in now so the installer logs can be wiped later in this script.
choco install sdelete -y
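# Install DUO security first so that we're protected before creating any local users.
# The admin user is safe because the instance isn't even created with a key pair.
$duo_creds = (Get-SECSecretValue -SecretId duo-security-jump-host-integration).SecretString | ConvertFrom-Json
# /FAILOPEN:#1 lets logons proceed without MFA while the Duo service is unreachable --
# an availability trade-off; use #0 to fail closed. The keys travel on the installer's
# command line, so they are visible in process listings and in Chocolatey's logs until
# the cleanup below runs.
choco install duo-authentication -y --package-parameters="'/IKEY:$($duo_creds.integration_key) /SKEY:$($duo_creds.secret_key) /HOST:$($duo_creds.api_hostname) /AUTOPUSH:#1 /FAILOPEN:#1 /RDPONLY:#0'"
$duo_creds = $null
# Only the commercial version of choco supports securely passing parameters to installers, so sdelete the logs to hide the sensitive DUO info.
# -accepteula: on first run Sysinternals tools otherwise raise a EULA dialog, which would
# never be dismissed in this unattended user-data session and would stall the build.
sdelete -accepteula "C:\ProgramData\chocolatey\logs\*.log"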
Write-Host "Creating local user"
$creds = (Get-SECSecretValue -SecretId jump-host-local-user-creds).SecretString | ConvertFrom-Json
$username = $creds.username
# The secret holds the password in plaintext; New-LocalUser needs a SecureString.
$password = ConvertTo-SecureString $creds.password -AsPlainText -Force
$creds = $null
$newUserArgs = @{
    Name                 = $username
    Password             = $password
    PasswordNeverExpires = $true
}
New-LocalUser @newUserArgs
# Local admin plus RDP access; the Duo logon provider installed above fronts RDP.
foreach ($groupName in 'Administrators', 'Remote Desktop Users') {
    Add-LocalGroupMember -Group $groupName -Member $username
}
# Workstation tooling for the jump host; every install is unattended (-y), in this order.
$toolPackages = @(
    'googlechrome'
    'notepadplusplus'
    'vscode'
    'sourcetree'
    'mobaxterm'
    'awscli'
    'docker-desktop'
)
foreach ($packageId in $toolPackages) {
    choco install $packageId -y
}
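# Enable automatic updates and installs via the Windows Update policy key.
# AUOptions 4 = auto download and schedule the install; NoAutoUpdate 0 keeps automatic
# updating on; ScheduledInstallDay 0 = every day; ScheduledInstallTime 3 = 03:00 local.
$auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# Set-ItemProperty does not create missing keys, and a fresh image need not have this
# policy path yet, so create it first (no-op when it already exists).
if (-not (Test-Path -Path $auPolicyKey)) {
    New-Item -Path $auPolicyKey -Force | Out-Null
}
$auSettings = [ordered]@{
    AUOptions                   = 4
    AutomaticMaintenanceEnabled = 1
    NoAutoUpdate                = 0
    ScheduledInstallDay         = 0
    ScheduledInstallEveryWeek   = 1
    ScheduledInstallTime        = 3
}
foreach ($setting in $auSettings.GetEnumerator()) {
    Set-ItemProperty -Path $auPolicyKey -Name $setting.Key -Value $setting.Value
}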
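# docker-desktop creates the docker-users group during install, so membership can only be
# granted after that install -- and it has to happen before the reboot: Restart-Computer
# -Force starts shutdown immediately, and any statement after it is not guaranteed to run.
Add-LocalGroupMember -Group "docker-users" -Member $username
Restart-Computer -Force # Reboot is required for docker-desktop but it's good practice to do it at the end anyways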
</powershell> |