| rem Licensed to the Apache Software Foundation (ASF) under one |
| rem or more contributor license agreements. See the NOTICE file |
| rem distributed with this work for additional information |
| rem regarding copyright ownership. The ASF licenses this file |
| rem to you under the Apache License, Version 2.0 (the |
| rem "License"); you may not use this file except in compliance |
| rem with the License. You may obtain a copy of the License at |
| rem |
| rem http://www.apache.org/licenses/LICENSE-2.0 |
| rem |
| rem Unless required by applicable law or agreed to in writing, |
| rem software distributed under the License is distributed on an |
| rem "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| rem KIND, either express or implied. See the License for the |
| rem specific language governing permissions and limitations |
| rem under the License. |
| |
| rem |
| rem Configure and start RDP service. |
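| rem Configure RDP service to use a custom key instead of the autogenerated one, for Wireshark and Network Monitor Decrypt Expert. |
| rem rdp.pfx is necessary because its fingerprints are hardcoded in this script. |
| rem For isolated test hosts only: the script also disables NLA and TLS 1.1/1.2 (see below). |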
| rem |
| |
| rem Allow RDP through the firewall: enable the predefined "Remote Desktop" rule group. |
| rem This does not turn the firewall off; only the rules in that group are switched on. |
| rem NOTE(review): the group is matched by its display name, so a localized Windows may need a different name - confirm. |
| |
| netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes |
| |
| rem Enable TS connections |
| rem |
| rem Equivalent .reg form of the two commands below: |
| rem |
| rem Windows Registry Editor Version 5.00 |
| rem |
| rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] |
| rem "AllowTSConnections"=dword:00000001 |
| rem "fDenyTSConnections"=dword:00000000 |
| rem |
| rem /f overwrites any existing value without prompting, so the script can run unattended. |
| |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 1 /f |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f |
| |
| rem Disable RDP NLA (UserAuthentication=0 on the RDP-Tcp listener) |
| rem With NLA off, the server sets up the session and presents its logon screen before the client |
| rem has authenticated. Keep this host on an isolated test network and set the value back to 1 afterwards. |
| |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f |
| |
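| rem Enable TS service (start automatically at boot) |
| rem sc.exe treats "start=" as the option name and expects the value as a separate token; |
| rem without the space after "=" the command fails on older Windows releases. |
| |
| sc config TermService start= auto |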
| |
| rem Certificate Generation |
| |
| rem Make self-signed certificate (kept for reference; the script imports the prebuilt rdp.pfx instead) |
| |
| rem makecert -r -pe -n "CN=%COMPUTERNAME%" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 |
| |
| rem Import certificate |
| rem rdp.pfx is read from the current directory and imported into the "Remote Desktop" store. |
| rem The PFX password ("test") is written in this file, so the private key is shared test material: |
| rem anyone who has rdp.pfx may be able to decrypt captured sessions to this host. Do not reuse the key outside the lab. |
| |
| certutil -p test -importPFX "Remote Desktop" rdp.pfx |
| |
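| rem Configure RDP server to use certificate: |
| rem Pin the RDP-Tcp listener to the certificate by its SHA-1 thumbprint. |
| rem The value must match the certificate imported from rdp.pfx; if rdp.pfx is regenerated, update it here. |
| |
| rem Windows Registry Editor Version 5.00 |
| rem |
| rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] |
| rem "SSLCertificateSHA1Hash"=hex:c1,70,84,70,bc,56,42,0a,bb,f4,35,35,ba,a6,09,b0,4e,98,4a,47 |
| rem |
| rem reg.exe has no REG_HEX type; binary values use REG_BINARY with the data given as one contiguous hex string. |
| rem The data below is the thumbprint from the .reg fragment above (it was previously left empty). |
| reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d c1708470bc56420abbf43535baa609b04e984a47 /f |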
| |
| rem Set the access control list on the certificate's private key |
| rem The SDDL grants full access (GA) to Builtin Administrators (BA) and Local System (SY), and |
| rem read access (GR) to Network Service (NS), the account TermService normally runs as. It does not grant access to Everyone. |
| rem NOTE(review): "bcb40fb84ac891bd41068fe686864559" is presumably the serial number of the certificate in rdp.pfx - confirm. |
| |
| rem certutil -repairstore My "bcb40fb84ac891bd41068fe686864559" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS) |
| certutil -repairstore "Remote Desktop" "bcb40fb84ac891bd41068fe686864559" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS) |
| |
| rem Confirm the import: dump the "Remote Desktop" store verbosely. |
| rem Check that the reported SHA-1 hash of the certificate equals the SSLCertificateSHA1Hash value set for RDP-Tcp. |
| |
| rem certutil -store -v My |
| certutil -store -v "Remote Desktop" |
| |
| rem Disable TLS 1.1 (for Network Monitor Decrypt Expert) |
| rem |
| rem Same result as importing this .reg fragment once for the Client subkey and once for the Server subkey: |
| rem |
| rem Windows Registry Editor Version 5.00 |
| rem |
| rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] |
| rem "Enabled"=dword:00000000 |
| rem "DisabledByDefault"=dword:00000001 |
| rem |
| rem These SCHANNEL keys are machine-wide: every Schannel consumer on this host loses TLS 1.1, not only RDP. |
| rem NOTE(review): SCHANNEL protocol changes usually need a reboot to take full effect - confirm on the target OS. |
| |
| for %%R in (Client Server) do ( |
|     reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\%%R" /v "Enabled" /t REG_DWORD /d 0 /f |
|     reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\%%R" /v "DisabledByDefault" /t REG_DWORD /d 1 /f |
| ) |
| |
| |
| rem Disable TLS 1.2 (for Network Monitor Decrypt Expert) |
| rem |
| rem Same result as importing this .reg fragment once for the Client subkey and once for the Server subkey: |
| rem |
| rem Windows Registry Editor Version 5.00 |
| rem |
| rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] |
| rem "Enabled"=dword:00000000 |
| rem "DisabledByDefault"=dword:00000001 |
| rem |
| rem These SCHANNEL keys are machine-wide: with TLS 1.1 and 1.2 both off, every Schannel consumer on this |
| rem host is limited to older protocol versions. Re-enable both once the capture work is done. |
| |
| for %%R in (Client Server) do ( |
|     reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\%%R" /v "Enabled" /t REG_DWORD /d 0 /f |
|     reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\%%R" /v "DisabledByDefault" /t REG_DWORD /d 1 /f |
| ) |
| |
| rem Start TS service |
| rem Runs after the registry and certificate changes above. |
| rem NOTE(review): if TermService is already running, net start does not restart it, so the new |
| rem listener settings may not be picked up until the service or the machine is restarted - confirm. |
| |
| net start Termservice |
| |
| rem Enable logs |
| rem Switch on all four event channels (Admin, Analytic, Debug, Operational) of the two |
| rem TerminalServices providers, then the NTLM operational channel. |
| |
| for %%C in (Admin Analytic Debug Operational) do wevtutil sl Microsoft-Windows-TerminalServices-RemoteConnectionManager/%%C /enabled:true /quiet:true |
| for %%C in (Admin Analytic Debug Operational) do wevtutil sl Microsoft-Windows-TerminalServices-SessionBroker-Client/%%C /enabled:true /quiet:true |
| wevtutil sl Microsoft-Windows-NTLM/Operational /enabled:true /quiet:true |
| |
| |
| |
| rem For Network Monitor Decrypt Expert. |
| |
| rem Install .Net 3.5 |
| |
| rem dism /online /enable-feature /featurename:NetFx3ServerFeatures |
| rem dism /online /enable-feature /featurename:NetFx3 |
| |
| rem PS. |
| rem Don't forget to set the Windows profile as active in Network Monitor, so that the SSL traffic branch appears under |
| rem svchost.exe and you can decrypt it (don't forget to save the captured traffic to a file and reopen it first). |
| rem |
| |