diff --git a/CHANGELOG.md b/CHANGELOG.md index 4138fbc..948c081 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ and [human-readable changelog](https://keepachangelog.com/en/1.0.0/). ## master +## 0.0.5 + +### Changed + +- Refactoring of ansible role remote_desktop. + ## 0.0.4 ### Added diff --git a/galaxy.yml b/galaxy.yml index 5234cca..fdc40b1 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,7 +1,7 @@ --- namespace: 'sbaerlocher' name: 'windows' -version: 0.0.4 +version: 0.0.5 readme: README.md authors: - 'Simon Baerlocher (https://sbaerlocher.ch)' diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml deleted file mode 100644 index d36e616..0000000 --- a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Enterprise Evaluation.yml +++ /dev/null 
@@ -1,113 +0,0 @@ ---- -# tasks file for sbaerlocher.remote-desktop - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS -- name: Allow users to connect remotely by using Remote Desktop Services - win_regedit: - path: '{{ item }}' - name: fDenyTSConnections - data: 00000000 - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - register: register_remote_desktop_enabled - with_items: - - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" - - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" - tags: - - configuration - -- name: Firewall Enable or Disable rule for Remote Desktop Services - win_shell: > - "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} - -DisplayGroup 'Remotedesktop'" - vars: - rd_enable: '{{ remote_desktop_enabled }}' - tags: - - configuration - -- name: Set then Remote Desktop Port - win_regedit: - path: "{{ path }}\\Control\\Terminal Server\\WinStations\\RDP-Tcp" - name: PortNumber - data: '{{ remote_desktop_port }}' - type: dword - vars: - path: "HKLM:\\SYSTEM\\CurrentControlSet" - tags: - - configuration - -- name: Firewall rule to allow RDP on TCP port 3389 - win_firewall_rule: - name: '{{ item.name }}' - description: '{{ item.description }}' - localport: '{{ remote_desktop_port }}' - action: allow - direction: in - protocol: '{{ item.protocol }}' - profiles: domain,private,public - state: present - enabled: "{{ 'true' if remote_desktop_enabled else 'false' }}" - service: termservice - program: C:\Windows\system32\svchost.exe - with_items: - - name: Remotedesktop - Benutzermodus (TCP eingehend) - description: > - Eingehende Regel für den Remotedesktopdienst, - die RDP-Datenverkehr zulässt. [TCP 3389] - protocol: tcp - - name: Remotedesktop - Benutzermodus (UDP eingehend) - description: > - Eingehende Regel für den Remotedesktopdienst, - die RDP-Datenverkehr zulässt. 
[UDP 3389] - protocol: udp - tags: - - configuration - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY -- name: Require use of specific security layer for remote (RDP) connections - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: SecurityLayer - data: '{{ remote_desktop_securitylayer }}' - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - tags: - - configuration - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY -- name: Set client connection encryption level - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: MinEncryptionLevel - data: '{{ remote_desktop_minencryptionLevel }}' - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - tags: - - configuration - -# https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm -- name: Disable Shutdown Butten from Windows Start - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - name: NoClose - data: '1' - type: dword - state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" - vars: - rd_enable: '{{ remote_desktop_enabled }}' - rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' - tags: - - configuration - -# https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ -- name: Disable Shutdown Butten from Windows login screen - win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - name: shutdownwithoutlogon - data: "{{ '0' if rd_enable and rd_shutdown_disable else '1' }}" - type: dword - vars: - rd_enable: '{{ remote_desktop_enabled }}' - rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' - tags: - - configuration 
diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml
deleted file mode 100644
index ee894b5..0000000
--- a/roles/remote_desktop/tasks/distribution/Microsoft Windows 10 Pro.yml
+++ /dev/null
@@ -1,121 +0,0 @@ ---- -# tasks file for sbaerlocher.remote-desktop - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS -- name: Allow users to connect remotely by using Remote Desktop Services - win_regedit: - path: '{{ item }}' - name: fDenyTSConnections - data: 00000000 - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - register: register_remote_desktop_enabled - with_items: - - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" - - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" - tags: - - configuration - -- name: Firewall Enable or Disable rule for Remote Desktop Services - win_shell: > - "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} - -DisplayGroup 'Remotedesktop'" - vars: - rd_enable: '{{ remote_desktop_enabled }}' - tags: - - configuration - -- name: Set then Remote Desktop Port - win_regedit: - path: "{{ path }}\\Control\\Terminal Server\\WinStations\\RDP-Tcp" - name: PortNumber - data: '{{ remote_desktop_port }}' - type: dword - vars: - path: "HKLM:\\SYSTEM\\CurrentControlSet" - tags: - - configuration - -- name: Firewall rule to allow RDP on TCP port 3389 - win_firewall_rule: - name: '{{ item.name }}' - description: '{{ item.description }}' - localport: '{{ remote_desktop_port }}' - action: allow - direction: in - protocol: '{{ item.protocol }}' - profiles: domain,private,public - state: present - enabled: "{{ 'true' if remote_desktop_enabled else 'false' }}" - service: termservice - program: C:\Windows\system32\svchost.exe - with_items: - - name: Remotedesktop - Benutzermodus (TCP eingehend) - description: > - Eingehende Regel für den Remotedesktopdienst, - die RDP-Datenverkehr zulässt. [TCP 3389] - protocol: tcp - - name: Remotedesktop - Benutzermodus (UDP eingehend) - description: > - Eingehende Regel für den Remotedesktopdienst, - die RDP-Datenverkehr zulässt. 
[UDP 3389] - protocol: udp - tags: - - configuration - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY -- name: Require use of specific security layer for remote (RDP) connections - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: SecurityLayer - data: '{{ remote_desktop_securitylayer }}' - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - tags: - - configuration - -# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY -- name: Set client connection encryption level - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: MinEncryptionLevel - data: '{{ remote_desktop_minencryptionLevel }}' - type: dword - state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" - tags: - - configuration - -- name: Add User or Group to Login group for Remote Desktop - win_group_membership: - name: '{{ remote_desktop_group }}' - members: '{{ remote_desktop_members }}' - state: present - tags: - - configuration - -# https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm -- name: Disable Shutdown Butten from Windows Start - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - name: NoClose - data: '1' - type: dword - state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" - vars: - rd_enable: '{{ remote_desktop_enabled }}' - rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' - tags: - - configuration - -# https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ -- name: Disable Shutdown Butten from Windows login screen - win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - name: shutdownwithoutlogon - data: "{{ '0' if rd_enable and rd_shutdown_disable else '1' }}" - type: dword - vars: - 
rd_enable: '{{ remote_desktop_enabled }}' - rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' - tags: - - configuration diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml deleted file mode 100644 index ac78322..0000000 --- a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2016 Standard.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# tasks file for sbaerlocher.remote-desktop - -- name: Add User or Group to Login group for Remote Desktop - win_group_membership: - name: '{{ remote_desktop_group }}' - members: '{{ remote_desktop_members }}' - state: present - tags: - - configuration diff --git a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml b/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml deleted file mode 100644 index ac78322..0000000 --- a/roles/remote_desktop/tasks/distribution/Microsoft Windows Server 2019 Standard.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# tasks file for sbaerlocher.remote-desktop - -- name: Add User or Group to Login group for Remote Desktop - win_group_membership: - name: '{{ remote_desktop_group }}' - members: '{{ remote_desktop_members }}' - state: present - tags: - - configuration diff --git a/roles/remote_desktop/tasks/distribution/defaults.yml b/roles/remote_desktop/tasks/distribution/defaults.yml deleted file mode 100644 index dab7d1d..0000000 --- a/roles/remote_desktop/tasks/distribution/defaults.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# tasks file for sbaerlocher.remote-desktop - -- name: Message - debug: - msg: 'Your {{ ansible_system }} is not supported' diff --git a/roles/remote_desktop/tasks/main.yml b/roles/remote_desktop/tasks/main.yml index f13625c..300e1be 100644 --- a/roles/remote_desktop/tasks/main.yml +++ b/roles/remote_desktop/tasks/main.yml 
@@ -1,24 +1,78 @@ --- # tasks file for remote_desktop -- name: include distribution tasks - include_tasks: '{{ loop_distribution }}' - with_first_found: - - files: - - '{{ distribution }}-{{ distribution_verion }}.yml' - - '{{ distribution }}-{{ distribution_major_version }}.yml' - - '{{ distribution }}.yml' - - '{{ ansible_os_family }}.yml' - - '{{ ansible_system }}.yml' - - 'defaults.yml' - paths: - - 'distribution' - loop_control: - loop_var: loop_distribution +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_DISABLE_CONNECTIONS +- name: Allow users to connect remotely by using Remote Desktop Services + win_regedit: + path: '{{ item }}' + name: fDenyTSConnections + data: 00000000 + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + register: register_remote_desktop_enabled + with_items: + - "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\" + - "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" + +- name: Firewall Enable or Disable rule for Remote Desktop Services + win_shell: > + "{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }} + -DisplayGroup 'Remotedesktop'" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + +- name: Set then Remote Desktop Port + win_regedit: + path: "{{ path }}\\Control\\Terminal Server\\WinStations\\RDP-Tcp" + name: PortNumber + data: '{{ remote_desktop_port }}' + type: dword + vars: + path: "HKLM:\\SYSTEM\\CurrentControlSet" + +# https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY +- name: Require use of specific security layer for remote (RDP) connections + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: '{{ remote_desktop_securitylayer }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + +# 
https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_ENCRYPTION_POLICY +- name: Set client connection encryption level + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: MinEncryptionLevel + data: '{{ remote_desktop_minencryptionLevel }}' + type: dword + state: "{{ 'present' if remote_desktop_enabled else 'absent' }}" + +- name: Add User or Group to Login group for Remote Desktop + win_group_membership: + name: '{{ remote_desktop_group }}' + members: '{{ remote_desktop_members }}' + state: present + +# https://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1368.htm +- name: Disable Shutdown Butten from Windows Start + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: NoClose + data: '1' + type: dword + state: "{{ 'present' if rd_enable and rd_shutdown_disable else 'absent' }}" + vars: + rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}' + +# https://www.howtogeek.com/246728/how-to-remove-the-shutdown-button-from-the-windows-login-screen/ +- name: Disable Shutdown Butten from Windows login screen + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + name: shutdownwithoutlogon + data: "{{ '0' if rd_enable and rd_shutdown_disable else '1' }}" + type: dword vars: - distribution: '{{ ansible_distribution }}' - distribution_verion: '{{ ansible_distribution_version }}' - distribution_major_version: '{{ ansible_distribution_major_version }}' - tags: - - configuration - - packages + rd_enable: '{{ remote_desktop_enabled }}' + rd_shutdown_disable: '{{ remote_desktop_shutdown_disable }}'
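Review bot: The `win_shell` task meant to enable or disable the Remote Desktop firewall group hands PowerShell the whole command wrapped in double quotes — the folded scalar begins with `"` and ends with `"` — so as far as I can tell PowerShell receives a string literal and echoes it rather than invoking the cmdlet; the rule group is never toggled, the task still reports `changed`, and with `remote_desktop_enabled: false` the RDP rules stay open. Drop the quotes: `win_shell: >-` / `{{ 'Enable-NetFirewallRule' if rd_enable else 'Disable-NetFirewallRule' }}` / `-DisplayGroup 'Remotedesktop'`. `'Remotedesktop'` is also the German display-group name, so on other locales the cmdlet presumably matches no rule and the task errors out — the locale-independent `-Group '@FirewallAPI.dll,-28752'` is likely the safer selector, but confirm on a target host. Separately, the refactor drops the `win_firewall_rule` tasks that opened `remote_desktop_port`; the built-in group rules are bound to 3389, so a non-default port will presumably be blocked unless an explicit rule for `{{ remote_desktop_port }}` is added back, and a brief comment above the port task should say which rule is expected to admit it.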