rem Licensed to the Apache Software Foundation (ASF) under one
rem or more contributor license agreements. See the NOTICE file
rem distributed with this work for additional information
rem regarding copyright ownership. The ASF licenses this file
rem to you under the Apache License, Version 2.0 (the
rem "License"); you may not use this file except in compliance
rem with the License. You may obtain a copy of the License at
rem
rem http://www.apache.org/licenses/LICENSE-2.0
rem
rem Unless required by applicable law or agreed to in writing,
rem software distributed under the License is distributed on an
rem "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
rem KIND, either express or implied. See the License for the
rem specific language governing permissions and limitations
rem under the License.
rem
rem Configure and start RDP service.
rem Configure the RDP service to use a custom key instead of an autogenerated one, for Wireshark and Network Monitor Decrypt Expert.
rem rdp.pfx is necessary because its fingerprints are hardcoded in this script.
rem
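rem Open the firewall for RDP by enabling the built-in "Remote Desktop" rule group.
rem The firewall itself is not turned off; only the RDP rules are switched on.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
rem Enable TS connections. Equivalent .reg form:
rem
rem Windows Registry Editor Version 5.00
rem
rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
rem "AllowTSConnections"=dword:00000001
rem "fDenyTSConnections"=dword:00000000
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 1 /f
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
rem Disable RDP NLA (UserAuthentication=0).
rem With NLA off a client reaches the logon stage before it has authenticated,
rem so this setting belongs on an isolated test host only.
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
rem Enable TS service (automatic start).
rem sc.exe documents a required space between "start=" and its value; older Windows
rem versions reject the command without it, and newer ones accept both forms.
sc config TermService start= auto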
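rem Certificate Generation
rem Make self-signed certificate (kept for reference, not executed):
rem makecert -r -pe -n "CN=%COMPUTERNAME%" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
rem Import certificate into the "Remote Desktop" store.
rem The PFX password is a fixed test value shipped with this script, so the private key in
rem rdp.pfx is effectively public: anyone holding the file can decrypt captured sessions to
rem this host. That is the purpose here; do not reuse this key outside a test setup.
certutil -p test -importPFX "Remote Desktop" rdp.pfx
rem Configure RDP server to use certificate:
rem Windows Registry Editor Version 5.00
rem
rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
rem "SSLCertificateSHA1Hash"=hex:c1,70,84,70,bc,56,42,0a,bb,f4,35,35,ba,a6,09,b0,4e,98,4a,47
rem reg.exe has no REG_HEX type; a binary value is REG_BINARY with its bytes given as one
rem hex string. The data is the same 20 bytes as in the .reg form above and must match the
rem SHA-1 thumbprint of the certificate imported from rdp.pfx.
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d c1708470bc56420abbf43535baa609b04e984a47 /f
rem Set permissions on the certificate's private key. The SDDL grants full access to
rem Administrators (BA) and SYSTEM (SY) and read access to NETWORK SERVICE (NS), not to
rem everyone. The quoted id selects the certificate, presumably by serial number; it is
rem tied to rdp.pfx and has to change together with it.
rem certutil -repairstore My "bcb40fb84ac891bd41068fe686864559" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)
certutil -repairstore "Remote Desktop" "bcb40fb84ac891bd41068fe686864559" D:PAI(A;;GA;;;BA)(A;;GA;;;SY)(A;;GR;;;NS)
rem confirm with
rem certutil -store -v My
certutil -store -v "Remote Desktop"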
rem Disable TLS 1.1 and TLS 1.2 in SCHANNEL, Client and Server side
rem (for Network Monitor Decrypt Expert).
rem
rem For each VERSION in "TLS 1.1", "TLS 1.2" and each ROLE in Client, Server the loop
rem below writes the two values that this .reg form would set:
rem
rem Windows Registry Editor Version 5.00
rem
rem [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\VERSION\ROLE]
rem "Enabled"=dword:00000000
rem "DisabledByDefault"=dword:00000001
rem
rem These SCHANNEL keys are machine-wide: every SCHANNEL-based TLS client and server on
rem the host, not only RDP, is left without TLS 1.1 and TLS 1.2 afterwards.
for %%V in ("TLS 1.1" "TLS 1.2") do for %%R in (Client Server) do (
  reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~V\%%R" /v "Enabled" /t REG_DWORD /d 0 /f
  reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~V\%%R" /v "DisabledByDefault" /t REG_DWORD /d 1 /f
)
rem Start TS service
net start Termservice
rem Enable logs: the Admin, Analytic, Debug and Operational channels of the
rem RemoteConnectionManager and SessionBroker-Client providers, then the NTLM
rem Operational channel. The quiet switch suppresses wevtutil's confirmation prompt.
for %%L in (Microsoft-Windows-TerminalServices-RemoteConnectionManager Microsoft-Windows-TerminalServices-SessionBroker-Client) do for %%C in (Admin Analytic Debug Operational) do wevtutil sl %%L/%%C /enabled:true /quiet:true
wevtutil sl Microsoft-Windows-NTLM/Operational /enabled:true /quiet:true
rem For Network Monitor Decrypt Expert.
rem Install .Net 3.5
rem dism /online /enable-feature /featurename:NetFx3ServerFeatures
rem dism /online /enable-feature /featurename:NetFx3
rem PS.
rem Don't forget to set the Windows profile as active in Network Monitor, so that the SSL traffic branch appears under
rem svchost.exe and you are able to decrypt it (don't forget to save the captured traffic to a file and reopen it first).
rem