Set Remote Desktop, IEESec, Windows Firewall and MPIO using PowerShell

As I add more virtual machines and physical servers to my Microsoft environment there are a few Windows features/settings I tend to always tweak for my own needs:

  • Remote Desktop — I allow connections without Network Level Authentication (NLA) because these hosts sit inside my own isolated private cloud. NLA forces the client to authenticate before a session is created, so on any host reachable from a less trusted network leave NLA on (omit `-NonNLA`); the script supports either setting.
  • Internet Explorer Enhanced Security Configuration (IE ESC / "IEESec") — Because I use the server desktop quite a bit, the IE ESC restrictions drive me nuts, so I turn both the Admin and User components off. The script lets you set either one to On or Off independently. Keep in mind that turning it off lowers the browser's security zones on a server, so only do it where you genuinely browse from the console.
  • Windows Firewall — I turn all three profiles off because I am in my own private cloud. That exposes every listening service on the host to whatever network it is attached to, so in any other environment leave the profiles enabled and allow only the rules you need (for example the "Remote Desktop" rule group). Within the script you can set Public, Private and Domain to your desired state.
  • Adding Windows Features — The only feature I always add is Multipath I/O.
Import-Module NetSecurity

# Set-RemoteDesktopConfig
#    -NonNLA       Allow remote connections without requiring Network Level Authentication (NLA).
#                  NLA authenticates the client before a session is created; turning it off
#                  exposes the RDP service to unauthenticated clients, so only use this on
#                  isolated networks.
#    -Disable      Disable remote desktop connections (and re-require NLA).
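Function Set-RemoteDesktopConfig {
    <#
    .SYNOPSIS
        Enables or disables Remote Desktop connections and controls whether
        Network Level Authentication (NLA) is required.
    .DESCRIPTION
        Writes the two registry values that govern RDP on this host:
          Terminal Server\fDenyTSConnections                (1 = deny, 0 = allow)
          Terminal Server\WinStations\RDP-Tcp\UserAuthentication (1 = NLA required, 0 = not required)
        Must run elevated (both keys live under HKLM). The Windows Firewall is
        not touched; if the firewall is enabled the "Remote Desktop" rule group
        still has to be allowed separately.
    .PARAMETER NonNLA
        Allow remote connections without requiring NLA. NLA makes the client
        authenticate before a session is created, so turning it off exposes the
        RDP stack to unauthenticated clients. Only use on isolated networks.
        When this switch is omitted, NLA is explicitly (re-)required.
    .PARAMETER Disable
        Disable remote desktop connections and re-require NLA. Takes precedence
        over -NonNLA.
    .EXAMPLE
        Set-RemoteDesktopConfig            # enable RDP, NLA required
        Set-RemoteDesktopConfig -NonNLA    # enable RDP, NLA not required
        Set-RemoteDesktopConfig -Disable   # disable RDP
    #>
    Param ([switch]$NonNLA, [switch]$Disable)

    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = $tsKey + '\WinStations\RDP-Tcp'

    # Write a DWORD value, creating it if it does not exist yet. New-ItemProperty
    # echoes the created value to the pipeline, so discard it.
    Function Set-RdpDword ([string]$Path, [string]$Name, [int]$Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction SilentlyContinue
        If (-not $?) {
            New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType Dword | Out-Null
        }
    }

    If ($Disable) {
        Set-RdpDword $tsKey  'fDenyTSConnections' 1
        Set-RdpDword $rdpKey 'UserAuthentication' 1
        Return
    }

    Set-RdpDword $tsKey 'fDenyTSConnections' 0
    If ($NonNLA) {
        Write-Warning 'Remote Desktop enabled WITHOUT Network Level Authentication: unauthenticated clients can reach the RDP service.'
        Set-RdpDword $rdpKey 'UserAuthentication' 0
    } Else {
        # Enforce the documented default explicitly. The original left this value
        # untouched, so a host once configured with -NonNLA stayed NLA-less even
        # when later enabled without the switch.
        Set-RdpDword $rdpKey 'UserAuthentication' 1
    }
}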

# Set IEHardenAdmin and IEHardenUser for IE Enhanced Security Configuration (IE ESC).
# Each accepts "On" or "Off"; turning either Off weakens the browser's security zones on the server.
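Function Set-IEESec {
    <#
    .SYNOPSIS
        Turns Internet Explorer Enhanced Security Configuration (IE ESC) On or
        Off, separately for administrators and for standard users.
    .DESCRIPTION
        IE ESC is driven by two Active Setup components under HKLM; their
        IsInstalled value is 1 when the hardening is applied and 0 when it is off.
        Windows Server ships with both On. Turning either Off weakens the
        browser's security zones on the server, so only do it where browsing
        from the server console is genuinely needed, and prefer leaving the
        Admin side On. Must run elevated (writes to HKLM).
    .PARAMETER IEHardenAdmin
        'On' or 'Off' for the Administrators component ({A509B1A7-...}).
    .PARAMETER IEHardenUser
        'On' or 'Off' for the Users component ({A509B1A8-...}).
    .EXAMPLE
        Set-IEESec -IEHardenAdmin On -IEHardenUser Off
    #>
    Param(
        [Parameter(Mandatory=$True, Position=1)]
            [ValidateSet('On', 'Off')]
            [string]$IEHardenAdmin,
        [Parameter(Mandatory=$True, Position=2)]
            [ValidateSet('On', 'Off')]
            [string]$IEHardenUser
    )

    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $adminKey = $activeSetup + '\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $userKey  = $activeSetup + '\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

    # Map the On/Off word to the IsInstalled flag. ValidateSet above rejects
    # anything else up front; the original silently did nothing for a typo such
    # as "Of", leaving the caller to believe the change had been applied.
    $flag = @{ On = 1; Off = 0 }

    Set-ItemProperty -Path $adminKey -Name 'IsInstalled' -Value $flag[$IEHardenAdmin]
    Set-ItemProperty -Path $userKey  -Name 'IsInstalled' -Value $flag[$IEHardenUser]
}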

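# --- Script body ------------------------------------------------------------
# Everything below writes to HKLM and to firewall policy. Refuse to run unless
# the session is elevated, instead of failing half-way with access-denied errors
# and leaving the host partially configured.
$currentUser = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
If (-not $currentUser.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Throw 'This script must be run from an elevated (Administrator) PowerShell session.'
}

# Disable the Public/Domain/Private firewall profiles.
# WARNING: this leaves every listening service on the host reachable from any
# network it is attached to. The author does this only inside an isolated
# private cloud; anywhere else keep the profiles enabled and open just what is
# needed, e.g.:
#   Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
ForEach ($fwProfile in 'Public', 'Domain', 'Private') {
    Set-NetFirewallProfile -Name $fwProfile -Enabled False
}

# Enable Remote Desktop connections. -NonNLA turns off Network Level
# Authentication; drop the switch (or pass -Disable) on any host reachable from
# an untrusted network.
Set-RemoteDesktopConfig -NonNLA #-Disable

# Add Windows feature(s). Multipath-IO tuning (e.g. Set-MPIOSetting) is only
# possible after the feature is installed, which may require a restart first.
Add-WindowsFeature -Name "Multipath-IO"

# Turn IE Enhanced Security Off for both admins and users. Set either to "On"
# if the server desktop is not used for browsing.
Set-IEESec -IEHardenAdmin Off -IEHardenUser Off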

 


			
  • Robert Marcroft

    Great PowerShell script — would it be possible to also have it configure the MPIO parameters as well?

    Set-MPIOSetting -NewPathRecoveryInterval 20
    Set-MPIOSetting -CustomPathRecovery Enabled
    Set-MPIOSetting -NewPDORemovePeriod 30
    Set-MPIOSetting -NewDiskTimeout 60