Puppet profiles for managing basic Windows settings
# This will disable the windows firewall
#
# Requires: puppetlabs/registry
#
class profile::windows::disable_firewall {
  # Writes EnableFirewall = 0 under each of the three FirewallPolicy profile
  # keys (Domain, Public, Standard), so the host firewall is off on every
  # network profile. After this class is applied the node depends on
  # upstream network filtering only.
  #
  # NOTE(review): only the local-policy keys are managed here. A firewall
  # state delivered by Group Policy is stored elsewhere and would not be
  # changed by these values -- confirm which one wins on domain-joined nodes.
  # NOTE(review): nothing here notifies or restarts a service; confirm when
  # the new values actually take effect on the target OS.

  # Domain profile: networks where the machine can reach its AD domain.
  registry::value { 'Disable DomainProfile firewall':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile',
    value => 'EnableFirewall',
    type  => 'dword',
    data  => '0',
  }

  # Public profile: untrusted networks. This is the profile where turning
  # filtering off exposes the most, so scope the class accordingly.
  registry::value { 'Disable PublicProfile firewall':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile',
    value => 'EnableFirewall',
    type  => 'dword',
    data  => '0',
  }

  # Standard profile: the registry name Windows uses for the private profile.
  registry::value { 'Disable StandardProfile firewall':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
    value => 'EnableFirewall',
    type  => 'dword',
    data  => '0',
  }
}
# This will disable Internet Explorer Enhanced Security Configuration
#
# Requires: puppetlabs/registry
#
class profile::windows::disable_ieesc {
  # IE Enhanced Security Configuration is registered as two Active Setup
  # components, one for administrators and one for ordinary users. Setting
  # IsInstalled = 0 on a component marks it as not installed, which switches
  # the hardened Internet Explorer zone settings off for that group.
  #
  # NOTE(review): with ESC off, browsing from a server session runs with the
  # normal zone defaults; prefer keeping the Administrators component enabled
  # unless admins genuinely need to browse from the server.

  # Component GUID ending ...B1A7 -- the Administrators variant.
  registry::value { 'Disable IE ESC for Administrators':
    key   => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}',
    value => 'IsInstalled',
    type  => 'dword',
    data  => '0',
  }

  # Component GUID ending ...B1A8 -- the Users variant.
  registry::value { 'Disable IE ESC for Users':
    key   => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}',
    value => 'IsInstalled',
    type  => 'dword',
    data  => '0',
  }
}
# This will turn off IPv6 for Windows nodes
#
# Requires: puppetlabs/registry
#
class profile::windows::disable_ipv6 {
  # DisabledComponents is a bitmask read by the TCPIP6 driver. 255 (0xFF)
  # sets every documented bit, which turns IPv6 off on all interfaces and
  # tunnels while leaving the IPv6 loopback in place.
  #
  # NOTE(review): the value is read at boot, so a restart is presumably
  # needed before it applies -- nothing in this class triggers one.
  # NOTE(review): Microsoft's guidance is to prefer IPv4 over IPv6 (0x20)
  # rather than disable IPv6 outright; confirm 255 is really what is wanted.
  registry::value { 'Disable IPv6':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters',
    value => 'DisabledComponents',
    type  => 'dword',
    data  => '255',
  }
}
# This will disable UAC
#
# Requires: puppetlabs/registry
#
class profile::windows::disable_uac {
  # EnableLUA = 0 switches User Account Control (Admin Approval Mode) off:
  # members of Administrators then run every process with their full token
  # and no elevation prompt is shown.
  #
  # NOTE(review): Windows applies a change to EnableLUA only after a reboot;
  # this class does not schedule one.
  registry::value { 'Disable UAC':
    key   => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    value => 'EnableLUA',
    type  => 'dword',
    data  => '0',
  }

  # Elevation prompt behaviour for administrators. Valid data values are
  # 0 - 5; the meaning of each one is listed at
  # https://msdn.microsoft.com/en-us/library/Cc232761.aspx
  # In that list 0 is "elevate without prompting" and 5 is "prompt for
  # consent for non-Windows binaries".
  #
  # NOTE(review): with EnableLUA = 0 above, this value presumably has no
  # visible effect; it matters again only if UAC is re-enabled.
  registry::value { 'Set UAC Consent Prompt Level':
    key   => 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    value => 'ConsentPromptBehaviorAdmin',
    type  => 'dword',
    data  => '5',
  }
}
# A profile to manage IIS on Windows
#
# - Sets up the IIS role
# - Manages an IIS Site and App Pool
#
class profile::windows::iis {
  # NOTE(review): `windowsfeature` and `iis::manage_*` are not core Puppet
  # types; unlike the other profiles here, this one does not list the modules
  # it requires -- confirm and document them.

  # Add the Web Management Tools, including their sub-features.
  windowsfeature { 'Web-Mgmt-Tools':
    ensure             => present,
    installsubfeatures => true,
  }

  # Add the IIS Role together with its management tools.
  windowsfeature { 'Web-WebServer':
    ensure                 => present,
    installmanagementtools => true,
  }

  # Remove the default IIS web site once the role is installed, so that only
  # explicitly managed sites are served.
  # NOTE(review): site_path => 'any' looks like a placeholder for a parameter
  # the defined type insists on even when ensure => absent -- confirm.
  iis::manage_site { 'Default Web Site':
    ensure    => absent,
    require   => Windowsfeature['Web-WebServer'],
    app_pool  => 'DefaultAppPool',
    site_path => 'any',
  }

  # Keep the World Wide Web Publishing service running and enabled at boot.
  service { 'w3svc':
    ensure  => running,
    enable  => true,
    require => Windowsfeature['Web-WebServer'],
  }

  # Example (commented out): manage an IIS Site.
  # As written the example binds plain HTTP on port 80 to every address ('*').
  #iis::manage_site {'internal.company.com':
  # site_path => 'C:\inetpub\wwwroot\apple',
  # port => '80',
  # ip_address => '*',
  # host_header => 'internal.company.com',
  # app_pool => 'application_pool'
  #}

  ## Example (commented out): manage an App Pool
  #iis::manage_app_pool {'application_pool':
  # enable_32_bit => true,
  # managed_runtime_version => 'v4.0',
  #}

  # Example (commented out): manage a virtual application under the site.
  #iis::manage_virtual_application {'application1':
  # site_name => 'internal.company.com',
  # site_path => 'C:\inetpub\wwwroot\application1',
  # app_pool => 'application_pool'
  #}
}
# This profile will enable remote desktop connections
#
# Requires: puppetlabs/registry
#
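class profile::windows::remote_desktop {
  # Enables inbound Remote Desktop and requires Network Level Authentication
  # (NLA) on the default RDP-Tcp listener.
  #
  # This class manages registry values only; it declares no firewall rule, so
  # reachability of the RDP port is decided elsewhere.

  # fDenyTSConnections = 0 allows Remote Desktop connections to this host.
  registry::value { 'Enable Terminal Services connections':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server',
    value => 'fDenyTSConnections',
    data  => '0',
    type  => 'dword',
  }

  # SecurityLayer selects the transport security of the listener:
  # 0 = native RDP security, 1 = Negotiate, 2 = SSL (TLS).
  # Despite the resource title this value does NOT turn NLA on; the title is
  # kept unchanged so existing references to this resource still resolve.
  # NOTE(review): with 1 (Negotiate) a client may fall back to native RDP
  # security; consider 2 if every client supports TLS.
  registry::value { 'Enable TS Network Level Authentication':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    value => 'SecurityLayer',
    data  => '1',
    type  => 'dword',
  }

  # NLA itself is controlled by UserAuthentication on the same listener key:
  # 1 makes the client authenticate before a session (and the logon screen)
  # is created. Without this value the class enabled RDP but left NLA at
  # whatever the host already had.
  registry::value { 'Require Network Level Authentication for RDP':
    key   => 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    value => 'UserAuthentication',
    data  => '1',
    type  => 'dword',
  }
}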