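/// <summary>
/// Static constructor: builds and caches the script block that backs Disable-PSRemoting.
/// </summary>
/// <remarks>
/// The embedded PowerShell walks every enabled session configuration and makes sure its
/// security descriptor carries an access-denied ACE (mask 268435456) for the well-known
/// Network SID. A configuration that exposes no SDDL is given the SDDL returned by
/// <c>PSSessionConfigurationCommandBase.GetLocalSddl()</c> instead.
/// Caller-supplied values (force flag, prompts, WhatIf/Confirm) reach the script through
/// <c>$args</c>; only the local SDDL is formatted into the script text.
/// </remarks>
static DisablePSRemotingCommand()
{
    // Fallback SDDL for configurations without a descriptor of their own.
    // NOTE(review): presumably this SDDL already denies network logons; confirm in GetLocalSddl().
    string localSddl = PSSessionConfigurationCommandBase.GetLocalSddl();

    // Composite format string: {0} is the fallback SDDL, and every literal PowerShell brace
    // is doubled so that string.Format leaves it alone. The literal is written one script
    // line per C# line; the listing had it wrapped across physical lines mid-literal.
    string disableRemotingScript =
        "\r\nfunction Disable-PSRemoting\r\n" +
        "{{\r\n" +
        "[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact=\"High\")]\r\n" +
        "param(\r\n" +
        " [Parameter()]\r\n" +
        " [switch]\r\n" +
        " $force,\r\n" +
        "\r\n" +
        " [Parameter()]\r\n" +
        " [string]\r\n" +
        " $queryForSet,\r\n" +
        " \r\n" +
        " [Parameter()]\r\n" +
        " [string]\r\n" +
        " $captionForSet,\r\n" +
        "\r\n" +
        " [Parameter()]\r\n" +
        " [string]\r\n" +
        " $restartWinRMMessage\r\n" +
        ")\r\n" +
        "\r\n" +
        " begin\r\n" +
        " {{\r\n" +
        " if ($force -or $pscmdlet.ShouldProcess($restartWinRMMessage))\r\n" +
        " {{\r\n" +
        " $svc = get-service winrm\r\n" +
        " if ($svc.Status -match \"Stopped\")\r\n" +
        " {{\r\n" +
        " Restart-Service winrm -force -confirm:$false\r\n" +
        " }}\r\n" +
        " }}\r\n" +
        " }} # end of begin block\r\n" +
        "\r\n" +
        " end\r\n" +
        " {{\r\n" +
        " # Disable the network for all Session Configurations\r\n" +
        " Get-PSSessionConfiguration | % {{\r\n" +
        " \r\n" +
        " if ($_.Enabled)\r\n" +
        " {{\r\n" +
        " $sddl = $null\r\n" +
        " if ($_.psobject.members[\"SecurityDescriptorSddl\"])\r\n" +
        " {{\r\n" +
        " $sddl = $_.psobject.members[\"SecurityDescriptorSddl\"].Value\r\n" +
        " }}\r\n" +
        "\r\n" +
        " if (!$sddl)\r\n" +
        " {{\r\n" +
        " # Disable network users from accessing this configuration\r\n" +
        " $sddl = \"{0}\"\r\n" +
        " }}\r\n" +
        " else\r\n" +
        " {{\r\n" +
        " # Construct SID for network users\r\n" +
        " [system.security.principal.wellknownsidtype]$evst = \"NetworkSid\"\r\n" +
        " $networkSID = new-object system.security.principal.securityidentifier $evst,$null\r\n" +
        " \r\n" +
        " # Add disable network to the existing sddl\r\n" +
        " $sd = new-object system.security.accesscontrol.commonsecuritydescriptor $false,$false,$sddl\r\n" +
        " $disableNetworkExists = $false\r\n" +
        " $sd.DiscretionaryAcl | % {{\r\n" +
        // Fix: the SID test was "-match $networkSID", a regex substring match on the SID text.
        // A deny ACE for any other SID whose text merely begins with the Network SID's text
        // was then taken for the network-deny ACE, and the configuration was skipped without
        // the deny ever being added. "-eq" compares the two SecurityIdentifier values exactly.
        " if (($_.acequalifier -eq \"accessdenied\") -and ($_.securityidentifier -eq $networkSID) -and ($_.AccessMask -eq 268435456))\r\n" +
        " {{\r\n" +
        " $disableNetworkExists = $true \r\n" +
        " }}\r\n" +
        " }}\r\n" +
        "\r\n" +
        " if (!$disableNetworkExists)\r\n" +
        " {{\r\n" +
        " $sd.DiscretionaryAcl.AddAccess(\"deny\", $networkSID, 268435456, \"None\", \"None\")\r\n" +
        " $sddl = $sd.GetSddlForm(\"all\")\r\n" +
        " }}\r\n" +
        " else\r\n" +
        " {{\r\n" +
        " # since disable network GA already exists, we dont need to change anything.\r\n" +
        " $sddl = $null\r\n" +
        " }}\r\n" +
        " }} ## end of if(!$sddl)\r\n" +
        "\r\n" +
        " $qMessage = $queryForSet -f $_.name,$sddl\r\n" +
        " if (($sddl) -and ($force -or $pscmdlet.ShouldProcess($qMessage, $captionForSet)))\r\n" +
        " {{\r\n" +
        " $null = Set-PSSessionConfiguration -Name $_.Name -SecurityDescriptorSddl $sddl -NoServiceRestart -force -WarningAction 0\r\n" +
        " }}\r\n" +
        " }} ## end of if($_.Enabled)\r\n" +
        " }} ## end of %\r\n" +
        " }} ## end of Process block\r\n" +
        "}}\r\n" +
        "\r\n" +
        "Disable-PSRemoting -force:$args[0] -queryForSet $args[1] -captionForSet $args[2] -restartWinRMMessage $args[3] -whatif:$args[4] -confirm:$args[5]\r\n";

    disableRemotingSb = ScriptBlock.Create(
        string.Format(CultureInfo.InvariantCulture, disableRemotingScript, new object[] { localSddl }));

    // 0 is PSLanguageMode.FullLanguage (the decompiler shows the raw enum value). The block
    // therefore runs unrestricted whatever the caller's language mode is, so nothing
    // caller-controlled may be formatted into the script text above; keep passing such
    // values through $args.
    disableRemotingSb.LanguageMode = 0;
}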
/// <summary>
/// Static constructor: builds and caches the script block that backs Enable-PSRemoting.
/// </summary>
/// <remarks>
/// Two composite format strings are involved.
/// 1. <c>str</c>: the WSMan plug-in XML for the Microsoft.Powershell.Workflow endpoint;
///    {0} is the SDDL from PSSessionConfigurationCommandBase.GetLocalSddl(), placed in the
///    Sddl attribute of the Security element.
/// 2. The script: {0} = "Microsoft.PowerShell" (default endpoint name), {1} = the XML above,
///    {2} = "S-1-5-32-580" (labelled "Remote Management Users" by the script's own comment),
///    {3} = "2147483647" (written to the MaxIdleTimeoutms quota).
/// The script enables every session configuration (Name "*"), registers the default, the
/// .workflow and, on amd64 with syswow64\pwrshplugin.dll present, the 32-bit endpoint if
/// they are missing, and then removes the access-denied ACE (mask 268435456) for the Network
/// SID from each configuration's DACL. If that leaves the DACL empty it adds allow ACEs for
/// Builtin Administrators and, when the OS version test passes, for SID {2}.
/// </remarks>
// NOTE(review): the ACE lookup uses "-match $networkSID", which is a regex substring match on
// the SID text, not an equality test. A deny ACE for a different SID whose text begins with
// the Network SID's text also satisfies it, and the last such ACE is what RemoveAccessSpecific
// removes, so a deliberately placed deny for another principal could be dropped. "-eq" would
// compare the SecurityIdentifier values exactly.
// NOTE(review): the "Win8+ only" test is "Major -ge 6 -and Minor -ge 2"; a version such as
// 10.0 fails the Minor part, so the Remote Management Users ACE would not be added there.
// Comparing the whole Version value would match the comment's intent.
// NOTE(review): the plug-in XML is written to a temp file and deleted by the statement after
// the winrm call rather than in a finally block, so a terminating error in between leaves it.
// NOTE(review): 0 is PSLanguageMode.FullLanguage (raw enum value from the decompiler); the
// block runs unrestricted, so caller-supplied values must keep arriving through $args.
// NOTE(review): this listing looks altered by extraction. The nested SessionConfigurationData
// inside Value='...' shows raw <, > and unescaped double quotes (which cannot appear in a
// regular C# string literal), MaxShellsPerUser reads '******' where a number is presumably
// expected, and the literals are wrapped across physical lines. Confirm against the original
// assembly before relying on these exact strings.
static EnablePSRemotingCommand() { string str = string.Format(CultureInfo.InvariantCulture, "\r\n<PlugInConfiguration xmlns='http://schemas.microsoft.com/wbem/wsman/1/config/PluginConfiguration'\r\n Name='Microsoft.Powershell.Workflow'\r\n Filename='%windir%\\system32\\pwrshplugin.dll'\r\n SDKVersion='2'\r\n XmlRenderingType='text'\r\n UseSharedProcess='true'\r\n ProcessIdleTimeoutSec='28800'\r\n OutputBufferingMode='Block'\r\n Enabled='True'\r\n>\r\n<InitializationParameters>\r\n<Param Name='PSVersion' Value='3.0' />\r\n<Param Name='AssemblyName' Value='Microsoft.PowerShell.Workflow.ServiceCore, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL'/>\r\n<Param Name='PSSessionConfigurationTypeName' Value='Microsoft.PowerShell.Workflow.PSWorkflowSessionConfiguration'/>\r\n<Param Name='SessionConfigurationData'\r\n Value ='\r\n <SessionConfigurationData>\r\n <Param Name="ModulesToImport" Value="%windir%\\system32\\windowspowershell\\v1.0\\Modules\\PSWorkflow" />\r\n <Param Name="PrivateData">\r\n <PrivateData>\r\n <Param Name="enablevalidation" Value="true" />\r\n </PrivateData>\r\n </Param>\r\n </SessionConfigurationData>\r\n '\r\n/>\r\n</InitializationParameters> \r\n<Resources>\r\n <Resource ResourceUri='http://schemas.microsoft.com/powershell/Microsoft.Powershell.Workflow' SupportsOptions='true' ExactMatch='true'>\r\n <Security Uri='http://schemas.microsoft.com/powershell/Microsoft.PowerShell.Workflow' Sddl='{0}' ExactMatch='False'/>\r\n <Capability Type='Shell' /> \r\n </Resource>\r\n</Resources>\r\n<Quotas MaxMemoryPerShellMB='1024' MaxIdleTimeoutms='2147483647' MaxConcurrentUsers='5' IdleTimeoutms='7200000' MaxProcessesPerShell='15' MaxConcurrentCommandsPerShell='1000' MaxShells='25' MaxShellsPerUser='******' />\r\n</PlugInConfiguration>\r\n", new object[] { PSSessionConfigurationCommandBase.GetLocalSddl() }); enableRemotingSb = ScriptBlock.Create(string.Format(CultureInfo.InvariantCulture, "\r\nfunction 
Enable-PSRemoting\r\n{{\r\n[CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact=\"High\")]\r\nparam(\r\n [Parameter()] [bool] $Force,\r\n [Parameter()] [string] $queryForRegisterDefault, \r\n [Parameter()] [string] $captionForRegisterDefault,\r\n [Parameter()] [string] $queryForSet, \r\n [Parameter()] [string] $captionForSet,\r\n [Parameter()] [bool] $skipNetworkProfileCheck\r\n)\r\n\r\n end\r\n {{\r\n # Enable all Session Configurations\r\n try {{\r\n $null = $PSBoundParameters.Remove(\"queryForRegisterDefault\") \r\n $null = $PSBoundParameters.Remove(\"captionForRegisterDefault\") \r\n $null = $PSBoundParameters.Remove(\"queryForSet\") \r\n $null = $PSBoundParameters.Remove(\"captionForSet\") \r\n\r\n $PSBoundParameters.Add(\"Name\",\"*\")\r\n\r\n # first try to enable all the sessions\r\n Enable-PSSessionConfiguration @PSBoundParameters\r\n\r\n # make sure default powershell end points exist \r\n # ie., Microsoft.PowerShell\r\n # and Microsoft.PowerShell32 (wow64)\r\n \r\n $errorCount = $error.Count\r\n $endPoint = Get-PSSessionConfiguration {0} -ErrorAction silentlycontinue 2>&1\r\n $newErrorCount = $error.Count\r\n\r\n # remove the 'No Session Configuration matches criteria' errors\r\n for ($index = 0; $index -lt ($newErrorCount - $errorCount); $index ++)\r\n {{\r\n $error.RemoveAt(0)\r\n }}\r\n\r\n $qMessage = $queryForRegisterDefault -f \"{0}\",\"Register-PSSessionConfiguration {0} -force\"\r\n if ((!$endpoint) -and \r\n ($force -or $pscmdlet.ShouldProcess($qMessage, $captionForRegisterDefault)))\r\n {{\r\n $null = Register-PSSessionConfiguration {0} -force\r\n set-item -WarningAction SilentlyContinue wsman:\\localhost\\plugin\\{0}\\Quotas\\MaxShellsPerUser -value \"25\" -confirm:$false\r\n set-item -WarningAction SilentlyContinue wsman:\\localhost\\plugin\\{0}\\Quotas\\MaxIdleTimeoutms -value {3} -confirm:$false\r\n restart-service winrm -confirm:$false\r\n }} \r\n\r\n # Check Microsoft.PowerShell.Workflow endpoint\r\n $errorCount = $error.Count\r\n 
$endPoint = Get-PSSessionConfiguration {0}.workflow -ErrorAction silentlycontinue 2>&1\r\n $newErrorCount = $error.Count\r\n\r\n # remove the 'No Session Configuration matches criteria' errors\r\n for ($index = 0; $index -lt ($newErrorCount - $errorCount); $index ++)\r\n {{\r\n $error.RemoveAt(0)\r\n }}\r\n\r\n if (!$endpoint)\r\n {{\r\n $qMessage = $queryForRegisterDefault -f \"Microsoft.PowerShell.Workflow\",\"Register-PSSessionConfiguration Microsoft.PowerShell.Workflow -force\"\r\n if ($force -or $pscmdlet.ShouldProcess($qMessage, $captionForRegisterDefault)) {{\r\n $tempxmlfile = [io.path]::Gettempfilename()\r\n \"{1}\" | out-file -force -filepath $tempxmlfile -confirm:$false\r\n $null = winrm create winrm/config/plugin?Name=Microsoft.PowerShell.Workflow -file:$tempxmlfile\r\n remove-item -path $tempxmlfile -force -confirm:$false\r\n restart-service winrm -confirm:$false\r\n }}\r\n }}\r\n\r\n $pa = $env:PROCESSOR_ARCHITECTURE\r\n if ($pa -eq \"x86\")\r\n {{\r\n # on 64-bit platforms, wow64 bit process has the correct architecture\r\n # available in processor_architew6432 varialbe\r\n $pa = $env:PROCESSOR_ARCHITEW6432\r\n }}\r\n if ((($pa -eq \"amd64\")) -and (test-path $env:windir\\syswow64\\pwrshplugin.dll))\r\n {{\r\n # Check availability of WOW64 endpoint. 
Register if not available.\r\n $errorCount = $error.Count\r\n $endPoint = Get-PSSessionConfiguration {0}32 -ErrorAction silentlycontinue 2>&1\r\n $newErrorCount = $error.Count\r\n\r\n # remove the 'No Session Configuration matches criteria' errors\r\n for ($index = 0; $index -lt ($newErrorCount - $errorCount); $index ++)\r\n {{\r\n $error.RemoveAt(0)\r\n }}\r\n\r\n $qMessage = $queryForRegisterDefault -f \"{0}32\",\"Register-PSSessionConfiguration {0}32 -processorarchitecture x86 -force\"\r\n if ((!$endpoint) -and \r\n ($force -or $pscmdlet.ShouldProcess($qMessage, $captionForRegisterDefault)))\r\n {{\r\n $null = Register-PSSessionConfiguration {0}32 -processorarchitecture x86 -force\r\n set-item -WarningAction SilentlyContinue wsman:\\localhost\\plugin\\{0}32\\Quotas\\MaxShellsPerUser -value \"25\" -confirm:$false\r\n set-item -WarningAction SilentlyContinue wsman:\\localhost\\plugin\\{0}32\\Quotas\\MaxIdleTimeoutms -value {3} -confirm:$false\r\n restart-service winrm -confirm:$false\r\n }}\r\n }}\r\n\r\n # remove the 'network deny all' tag\r\n Get-PSSessionConfiguration | % {{\r\n $sddl = $null\r\n if ($_.psobject.members[\"SecurityDescriptorSddl\"])\r\n {{\r\n $sddl = $_.psobject.members[\"SecurityDescriptorSddl\"].Value\r\n }}\r\n\r\n if ($sddl)\r\n {{\r\n # Construct SID for network users\r\n [system.security.principal.wellknownsidtype]$evst = \"NetworkSid\"\r\n $networkSID = new-object system.security.principal.securityidentifier $evst,$null\r\n \r\n $securityIdentifierToPurge = $null\r\n $sd = new-object system.security.accesscontrol.commonsecuritydescriptor $false,$false,$sddl\r\n $sd.DiscretionaryAcl | % {{\r\n if (($_.acequalifier -eq \"accessdenied\") -and ($_.securityidentifier -match $networkSID) -and ($_.AccessMask -eq 268435456))\r\n {{\r\n $securityIdentifierToPurge = $_.securityidentifier\r\n }}\r\n }}\r\n\r\n if ($securityIdentifierToPurge)\r\n {{\r\n # Remove the specific ACE\r\n $sd.discretionaryacl.RemoveAccessSpecific('Deny', 
$securityIdentifierToPurge, 268435456, 'none', 'none')\r\n\r\n # if there is no discretionaryacl..add Builtin Administrators and Remote Management Users\r\n # to the DACL group as this is the default WSMan behavior\r\n if ($sd.discretionaryacl.count -eq 0)\r\n {{\r\n # Built-in administrators.\r\n [system.security.principal.wellknownsidtype]$bast = \"BuiltinAdministratorsSid\"\r\n $basid = new-object system.security.principal.securityidentifier $bast,$null\r\n $sd.DiscretionaryAcl.AddAccess('Allow',$basid, 268435456, 'none', 'none')\r\n\r\n # Remote Management Users, Win8+ only\r\n if ([System.Environment]::OSVersion.Version.Major -ge 6 -and [System.Environment]::OSVersion.Version.Minor -ge 2)\r\n {{\r\n $rmSidId = new-object system.security.principal.securityidentifier \"{2}\"\r\n $sd.DiscretionaryAcl.AddAccess('Allow', $rmSidId, 268435456, 'none', 'none')\r\n }}\r\n }}\r\n\r\n $sddl = $sd.GetSddlForm(\"all\")\r\n }}\r\n }} ## end of if($sddl)\r\n\r\n $qMessage = $queryForSet -f $_.name,$sddl\r\n if (($sddl) -and ($force -or $pscmdlet.ShouldProcess($qMessage, $captionForSet)))\r\n {{\r\n $null = Set-PSSessionConfiguration -Name $_.Name -SecurityDescriptorSddl $sddl -NoServiceRestart -force -WarningAction 0\r\n }}\r\n }} ## end of foreach-object\r\n }} \r\n catch {{\r\n throw\r\n }} # end of catch \r\n }} # end of end block\r\n}} # end of Enable-PSRemoting\r\n\r\nEnable-PSRemoting -force $args[0] -queryForRegisterDefault $args[1] -captionForRegisterDefault $args[2] -queryForSet $args[3] -captionForSet $args[4] -whatif:$args[5] -confirm:$args[6] -skipNetworkProfileCheck $args[7]\r\n", new object[] { "Microsoft.PowerShell", str, "S-1-5-32-580", "2147483647" })); enableRemotingSb.LanguageMode = 0; }