
Design Approach To Facilitate Community Contribution for Undo-WinRMConfig #1

Open
DarwinJS opened this issue Jun 16, 2018 · 4 comments

Comments

@DarwinJS
Owner

DarwinJS commented Jun 16, 2018

It looks like this is going to be an exercise in reverse engineering.

I've done a lot of that, but I don't really have the bandwidth to do it for every Windows OS out there. I work more with server OSes and from Server 2012 R2 and later.
So I would like the community to be able to easily add undo configurations for Windows versions they
need to engineer it for (e.g. Server 2008 R2).

So this is what I am thinking for a possible approach:

  1. The main code will use a broad OS detection routine (I will probably grab it from the one in the [Windows PowerShell Chocolatey Package](https://github.com/DarwinJS/ChocoPackages/blob/master/PowerShell/v5.1/tools/ChocolateyInstall.ps1#L46-L73) or the [OpenSSH Chocolatey Package](https://github.com/DarwinJS/ChocoPackages/blob/master/openssh/tools/chocolateyinstall.ps1#L13-L24)).
  2. When the main script signatures the OS it looks for a matching set of .REG files (e.g. "*6.3.9600.reg" for OS version 6.3.9600)
  3. If I can't find anything for that OS it will error out "Sorry, no undo profile exists for your OS signature . If you would like to create one and contribute it, please see here: ."
  4. If it finds something it will proceed to build a script that includes code that is known to work on all OSes and then add code to execute any applicable .REG files in sorted order.

I will be trying to publish the undo profiles for Server 2012 R2 and Server 2016 soon.

If the complexity of handling individual OSes goes beyond what can be done in a .REG, we can add .PS1 execution to the mix.

I am hoping this will:

  • make the code for each OS variant visible and easy for users and potential contributors and security professionals to review
  • make it easier to contribute by simply following the existing patterns for other OS variants
  • make pull requests for net new variants and updates to existing variants easier to review
  • make the code easy to use for those who need to create a specific OS variant - whether or not they wish to contribute it back to the repository.

Yeah, Yeah I Know

While technically the above approach does arbitrary code execution - I think the very special circumstances under which this code will be used (on a nearly pristine system that has just been automated for an initial image setup) makes the likelihood of an "in use" attack. If someone can attack you at that time - then they won't need to use this code to get in.

Why Use This Package If You have Such a Code Set for Each Variant?

  1. As explained in the readme of this repository it is hard to get a system to undo winrm if you are using winrm to ask it to do that. So the harness around these OS specific routines does the magic to accomplish that.
  2. If you consume the chocolatey package - you get all the filesets transported for free - no matter how many files there are (standard packaged artifact benefit).

/cc @SteveL-MSFT, @LeeHolmes
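As an added example (not the project's own code), here is how the four steps of the proposed approach could look in PowerShell: signature the OS, look for matching `*<signature>.reg` files, error out if none exist, otherwise generate a script that runs the OS-independent steps first and then imports each .REG file in sorted order. The `UndoProfiles` folder, the file-naming convention and the placeholder OS-independent step are assumptions.

```powershell
# Added example, not code from the Undo-WinRMConfig repository.
# Assumes undo profiles live in .\UndoProfiles and end with the OS version, e.g. "Pristine-6.3.9600.reg".

function Get-OSSignature {
    # Build the "major.minor.build" string used to match profiles (e.g. 6.3.9600 for Server 2012 R2).
    $v = [System.Environment]::OSVersion.Version
    return ('{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build)
}

function Get-UndoProfiles {
    param(
        [Parameter(Mandatory)][string]$Signature,
        [string]$ProfileRoot = (Join-Path (Get-Location).Path 'UndoProfiles')   # assumed layout
    )
    # Step 2: any .reg file whose name ends with the OS signature; sorted so apply order is deterministic.
    $files = Get-ChildItem -Path $ProfileRoot -Filter "*${Signature}.reg" -File -ErrorAction SilentlyContinue |
        Sort-Object -Property Name
    if (-not $files) {
        # Step 3: no profile for this OS, so stop with a message pointing contributors at CONTRIBUTING.md.
        throw "Sorry, no undo profile exists for your OS signature $Signature. To create and contribute one, see CONTRIBUTING.md."
    }
    return $files
}

function New-UndoScript {
    param(
        [Parameter(Mandatory)][System.IO.FileInfo[]]$RegFiles,
        [Parameter(Mandatory)][string]$OutputPath
    )
    # Step 4: emit a script with the OS-independent code first, then one reg.exe import per profile.
    # reg.exe is used because it exists on every supported Windows version; failures abort the script.
    $lines = @(
        '$ErrorActionPreference = "Stop"',
        '# OS-independent undo steps known to work on all OSes go here (assumed placeholder)'
    )
    foreach ($f in $RegFiles) {
        $lines += ('& reg.exe import "{0}"' -f $f.FullName)
        $lines += ('if ($LASTEXITCODE -ne 0) {{ throw "reg import failed for {0}" }}' -f $f.Name)
    }
    Set-Content -Path $OutputPath -Value $lines -Encoding ASCII
    return $OutputPath
}

# Usage: build the undo script for the current OS; review it before running it.
$sig      = Get-OSSignature
$profiles = Get-UndoProfiles -Signature $sig
$script   = New-UndoScript -RegFiles $profiles -OutputPath (Join-Path $env:TEMP 'Undo-WinRMConfig.generated.ps1')
Get-Content $script
```

The generated script is written to disk rather than invoked directly so that the exact .REG files selected for an OS can be reviewed, which is the reviewability goal listed above.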

@DarwinJS DarwinJS changed the title Design Approach To Facilitate Community Contribution Design Approach To Facilitate Community Contribution for UndoWinRMConfig Jun 16, 2018
@DarwinJS DarwinJS changed the title Design Approach To Facilitate Community Contribution for UndoWinRMConfig Design Approach To Facilitate Community Contribution for Undo-WinRMConfig Jun 16, 2018
@SteveL-MSFT
Collaborator

@DarwinJS you should invite https://github.com/manojampalam to this repo as although he's best known for the OpenSSH port, he's also the expert and one of the owners of WinRM

@DarwinJS
Owner Author

@SteveL-MSFT - Done! I also edited my original comment on this thread to simplify to just Pristine .REG files for each OS.

If and only if everything can't be done by .REG files we can add back the ability to process .ps1's per OS as well.

I am also doing snapshots of where changes for commands like "Enable-WsmanCredSSP" and "Enable-PSRemoting" go so we know if they are covered by resetting the WSMAN reg key or if they have other changes they've made. Getting my list of commands by collecting common methods for configuring winrm for packer. Storing that source info in the repo under the Research folder.

/cc @manojampalam
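An added example (not the snapshot utility the project links from CONTRIBUTING.md) of the before/after snapshot idea described above: capture every value under a registry subtree, run the configuration command, capture again, and list what was added, removed or changed. The subtree path and the command under test are assumptions chosen for illustration.

```powershell
# Added example, not the project's own snapshot utility.
# Snapshot a registry subtree into a hashtable keyed by "key\valueName" -> value data (as a string).

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $snap = @{}
    # Include the root key itself as well as every subkey.
    $keys = @(Get-Item -Path $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Value data is stored as a string so every registry type compares the same way.
            $snap["$($key.Name)\$name"] = [string]$key.GetValue($name)
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    $all = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    $diff = foreach ($k in $all) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Entry = $k; Old = $null;       New = $After[$k] }
        } elseif (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Entry = $k; Old = $Before[$k]; New = $null }
        } elseif ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Entry = $k; Old = $Before[$k]; New = $After[$k] }
        }
    }
    return $diff
}

# Usage (assumed subtree and command): see which WSMAN values Enable-PSRemoting touches.
$wsman  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN'
$before = Get-RegistrySnapshot -Path $wsman
Enable-PSRemoting -Force -SkipNetworkProfileCheck
$after  = Get-RegistrySnapshot -Path $wsman
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Run the same pair of snapshots against other subtrees (for example the WinRM service key or the firewall rules) to find changes that resetting the WSMAN key alone would not undo.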

@DarwinJS
Owner Author

Please read https://github.com/DarwinJS/Undo-WinRMConfig/blob/master/CONTRIBUTING.md to find out about a fast, simple, compatible registry / file systems snapshot utility.
