As I add more virtual machines and physical servers to my Microsoft environment there are a few Windows features/settings I tend to always tweak for my own needs:
- Remote Desktop — I allow Remote Desktop connections without Network Level Authentication (NLA) because I am contained within my own private cloud, but these settings can be changed based on your environment's needs.
- Internet Explorer Enhanced Security Configuration (IEESec) — Because I actually use the server desktop environment quite a bit, the IEESec settings tend to drive me nuts, so I turn both Admin and User off. The script allows you to set either of these to On or Off.
- Windows Firewall — I turn all three profiles off in my environment since I am in my own private cloud, but within the script you can set Public, Private and Domain to your desired state.
- Adding Windows Features — The only feature I always add is Multipath I/O.
```powershell
Import-Module NetSecurity

# Set-RemoteDesktopConfig
#   -NonNLA   Allow remote connections without requiring Network Level Authentication (NLA)
#   -Disable  Disable remote desktop connections.
Function Set-RemoteDesktopConfig {
    Param ([switch]$NonNLA, [switch]$Disable)

    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    If ($Disable) {
        # fDenyTSConnections = 1 turns Remote Desktop off; UserAuthentication = 1 keeps NLA required.
        Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -ErrorAction SilentlyContinue
        If (-not $?) {
            New-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -PropertyType Dword
        }
        Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -ErrorAction SilentlyContinue
        If (-not $?) {
            New-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -PropertyType Dword
        }
    } Else {
        # fDenyTSConnections = 0 turns Remote Desktop on.
        Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -ErrorAction SilentlyContinue
        If (-not $?) {
            New-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -PropertyType Dword
        }
        If ($NonNLA) {
            # UserAuthentication = 0 allows connections without NLA.
            Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 0 -ErrorAction SilentlyContinue
            If (-not $?) {
                New-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 0 -PropertyType Dword
            }
        }
    }
}

# Set IEHardenAdmin and IEHardenUser for IE Enhanced Security Configuration.
Function Set-IEESec {
    Param(
        [Parameter(Mandatory=$True, Position=1)]
        [ValidateSet("On", "Off")]
        [string]$IEHardenAdmin,

        [Parameter(Mandatory=$True, Position=2)]
        [ValidateSet("On", "Off")]
        [string]$IEHardenUser
    )

    # Active Setup components: ...A7 is the Administrators group, ...A8 is the Users group.
    $ieAdminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $ieUserKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

    # IEESec is On by default, so use the switch to turn it Off.
    Switch ($IEHardenAdmin) {
        "Off" { Set-ItemProperty -Path $ieAdminKey -Name 'IsInstalled' -Value 0 }
        "On"  { Set-ItemProperty -Path $ieAdminKey -Name 'IsInstalled' -Value 1 }
    }
    Switch ($IEHardenUser) {
        "Off" { Set-ItemProperty -Path $ieUserKey -Name 'IsInstalled' -Value 0 }
        "On"  { Set-ItemProperty -Path $ieUserKey -Name 'IsInstalled' -Value 1 }
    }
}

# Disable Public/Domain/Private profiles.
Set-NetFirewallProfile -Name Public  -Enabled False
Set-NetFirewallProfile -Name Domain  -Enabled False
Set-NetFirewallProfile -Name Private -Enabled False

# Enable Remote Desktop connections.
Set-RemoteDesktopConfig -NonNLA #-Disable

# Add Windows feature(s)
Add-WindowsFeature -Name "Multipath-IO"

# Turn IE Enhanced Security Off.
Set-IEESec -IEHardenAdmin Off -IEHardenUser Off
```
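Since the script above relaxes several defaults (RDP without NLA, all three firewall profiles off, IEESec off), it is worth reading the state back after it runs so you know exactly what each host ended up with and can tell an intended lab setting from an accidental one. The function below is an added example written for this page, not part of the original script or of the PowerShell-Toolkit; it assumes the same registry paths and Active Setup GUIDs the script uses, an elevated session, and the NetSecurity and ServerManager modules that ship with Windows Server. The function name `Get-ServerTweakState` is my own.

```powershell
# Added example: read back the settings the script changes and list the ones
# that weaken the defaults, so intentional lab tweaks can be told apart from drift.
# Assumes an elevated session on Windows Server (NetSecurity + ServerManager modules).
Function Get-ServerTweakState {
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    # Same Active Setup component GUIDs the script uses (...A7 = Admin, ...A8 = User).
    $ieAdminKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $ieUserKey  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

    # Registry reads; a missing value comes back as $null, which the checks below treat as "not set".
    $denyTS  = (Get-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla     = (Get-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -ErrorAction SilentlyContinue).UserAuthentication
    $ieAdmin = (Get-ItemProperty -Path $ieAdminKey -Name 'IsInstalled' -ErrorAction SilentlyContinue).IsInstalled
    $ieUser  = (Get-ItemProperty -Path $ieUserKey  -Name 'IsInstalled' -ErrorAction SilentlyContinue).IsInstalled

    # Firewall profiles whose Enabled flag is False (Enabled is a GpoBoolean, compared here as a string).
    $fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | Select-Object -ExpandProperty Name)

    # Feature install state (Installed / Available / Removed).
    $mpio = (Get-WindowsFeature -Name 'Multipath-IO').InstallState

    $rdpEnabled  = ($denyTS -eq 0)
    $requiresNLA = ($nla -eq 1)

    # Anything that departs from the Windows Server defaults the script relaxes.
    $findings = @()
    If ($rdpEnabled -and -not $requiresNLA) { $findings += 'Remote Desktop accepts connections without NLA' }
    If ($fwOff.Count -gt 0)                 { $findings += "Windows Firewall disabled for profile(s): $($fwOff -join ', ')" }
    If ($ieAdmin -ne 1)                     { $findings += 'IE Enhanced Security Configuration is Off for Administrators' }
    If ($ieUser -ne 1)                      { $findings += 'IE Enhanced Security Configuration is Off for Users' }

    $rdpState     = If ($rdpEnabled)    { 'Enabled' } Else { 'Disabled' }
    $ieAdminState = If ($ieAdmin -eq 1) { 'On' }      Else { 'Off' }
    $ieUserState  = If ($ieUser -eq 1)  { 'On' }      Else { 'Off' }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        RemoteDesktop       = $rdpState
        RequiresNLA         = $requiresNLA
        IEESecAdmin         = $ieAdminState
        IEESecUser          = $ieUserState
        FirewallOffProfiles = $fwOff
        MultipathIO         = $mpio
        Findings            = $findings
    }
}

# Example usage: report the local host and warn on anything relaxed from the defaults.
$state = Get-ServerTweakState
$state | Format-List
If ($state.Findings.Count -gt 0) {
    Write-Warning ("Review: " + ($state.Findings -join '; '))
}
```

On a host where the script above has just run, every one of the four findings will show up, which is the expected result in the author's private cloud; the value of the read-back is running it later, or against other hosts, to confirm that nothing outside that environment has picked up the same relaxed settings.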
Great PowerShell script, would it be possible to also have it configure MPIO parameters as well?
```powershell
Set-MPIOSetting -NewPathRecoveryInterval 20
Set-MPIOSetting -CustomPathRecovery Enabled
Set-MPIOSetting -NewPDORemovePeriod 30
Set-MPIOSetting -NewDiskTimeout 60
```
Hi Robert – I am working on an update to the PowerShell-Toolkit (https://github.com/PureStorage-OpenConnect/PowerShell-Toolkit) that will have a Best Practice cmdlet for setting up Windows Servers.