@ausarb
Created Sep 22, 2020
Simple MFA protected Windows spot instance jump host
<powershell>
# RDP connection-file template dropped on the Public desktop for each downstream
# jump host. THEADDRESS is the placeholder that Output-RdpShortcut swaps for the
# real hostname. Written as a single-quoted here-string: nothing inside is
# expanded, so a '$' introduced by a future edit can never be interpolated.
# NOTE(review): printer, smart-card and clipboard redirection are switched on
# (redirectprinters/redirectsmartcards/redirectclipboard = 1) and
# "prompt for credentials" is 0 -- confirm that device redirection through a
# jump host is intended.
$rdpTemplate = @'
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1200
session bpp:i:32
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:THEADDRESS
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
'@
# Writes an .rdp shortcut for $address to the Public desktop, where every local
# user of this host can see it. The template is the script-level $rdpTemplate;
# the substitution is the case-sensitive String.Replace, deliberately not the
# regex-based -replace operator, so '$' in an address is copied literally.
function Output-RdpShortcut {
    param([string]$shortcutName, [string]$address)
    $shortcutPath = Join-Path 'C:\Users\Public\Desktop' "$shortcutName.rdp"
    $shortcutBody = $rdpTemplate.Replace('THEADDRESS', $address)
    Set-Content -Path $shortcutPath -Value $shortcutBody
}
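# First-boot provisioning of the jump host. This runs once as EC2 user data (the
# <powershell> wrapper), so it is not re-entrant: every step below assumes a
# fresh image. Order matters -- Duo goes in before any local user exists, and
# everything that must survive has to happen before the final Restart-Computer.

# --- Shortcuts to the downstream jump hosts ----------------------------------
Output-RdpShortcut -shortcutName 'another-jump1' -address 'another-jump1.example.com'
Output-RdpShortcut -shortcutName 'another-jump2' -address 'another-jump2.example.com'

# --- Chocolatey ---------------------------------------------------------------
Write-Host "Installing Chocolatey."
# The -bor 3072 adds Tls12 to the protocols .NET Framework will negotiate.
# SECURITY: this is the upstream bootstrap one-liner. install.ps1 is fetched
# and executed with iex without any hash or signature check, so whoever can
# serve or intercept that download controls this host. Vendoring the installer
# (or at least pinning and checking its hash) would close that gap.
Set-ExecutionPolicy Bypass -Scope Process -Force
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
refreshenv

# sdelete to clean up log files later
choco install sdelete -y

# --- Duo MFA ------------------------------------------------------------------
# Install DUO security first so that we're protected before creating any local users.
# The admin user is safe because the instance isn't even created with a key pair.
$duo_creds = (Get-SECSecretValue -SecretId duo-security-jump-host-integration).SecretString | ConvertFrom-Json
# NOTE(review): /FAILOPEN:#1 lets logons proceed with password only while the
# Duo service is unreachable; /RDPONLY:#0 applies Duo to console logons as well.
# Fail-open is an availability choice -- confirm it matches the threat model
# for a host exposed on RDP.
# The integration/secret keys are on the installer's command line (visible in
# process listings while it runs) and land in the Chocolatey log, which is
# scrubbed right after. Setting $duo_creds to $null drops the reference but does
# not wipe the strings from memory.
choco install duo-authentication -y --package-parameters="'/IKEY:$($duo_creds.integration_key) /SKEY:$($duo_creds.secret_key) /HOST:$($duo_creds.api_hostname) /AUTOPUSH:#1 /FAILOPEN:#1 /RDPONLY:#0'"
$duo_creds = $null
# Only the commercial version of choco supports securely passing parameters to installers, so sdelete the logs to hide the sensitive DUO info
# -accepteula: a Sysinternals tool's first run otherwise raises the EULA dialog,
# which would stall this unattended script.
sdelete -accepteula "C:\ProgramData\chocolatey\logs\*.log"

# --- Local operator account ---------------------------------------------------
Write-Host "Creating local user"
$creds = (Get-SECSecretValue -SecretId jump-host-local-user-creds).SecretString | ConvertFrom-Json
$password = ConvertTo-SecureString $creds.password -AsPlainText -Force
$username = $creds.username
$creds = $null
# Local administrator with a non-expiring password; the second factor on logon
# is provided by the Duo installation above, not by this account's policy.
New-LocalUser -Name $username -Password $password -PasswordNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member $username
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $username

# --- Operator tooling ---------------------------------------------------------
foreach ($package in 'googlechrome', 'notepadplusplus', 'vscode', 'sourcetree', 'mobaxterm', 'awscli', 'docker-desktop') {
    choco install $package -y
}

# --- Windows Update policy ----------------------------------------------------
# Enable automatic updates and installs
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# The policy key may not exist on a stock image, and Set-ItemProperty fails
# rather than creating a missing key.
if (-not (Test-Path -LiteralPath $auKey)) {
    New-Item -Path $auKey -Force | Out-Null
}
$auSettings = @{
    AUOptions                   = 4   # auto-download and schedule the install
    AutomaticMaintenanceEnabled = 1
    NoAutoUpdate                = 0
    ScheduledInstallDay         = 0   # 0 = every day
    ScheduledInstallEveryWeek   = 1
    ScheduledInstallTime        = 3   # hour of day, local time
}
foreach ($name in $auSettings.Keys) {
    Set-ItemProperty -Path $auKey -Name $name -Value $auSettings[$name]
}

# --- docker-users, then reboot ------------------------------------------------
# The Docker Desktop installer is expected to create the docker-users group.
# Membership is granted here, BEFORE the restart: nothing placed after
# Restart-Computer -Force is guaranteed to run, so the original ordering
# (group add after the reboot line) could silently leave $username out.
if (Get-LocalGroup -Name 'docker-users' -ErrorAction SilentlyContinue) {
    Add-LocalGroupMember -Group 'docker-users' -Member $username
} else {
    Write-Warning "docker-users group not found; add $username to it after the reboot"
}
Restart-Computer -Force # Reboot is required for docker-desktop but it's good practice to do it at the end anyways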
</powershell>