From 8c548afe3188007aa7485c04e4cd8b508b98c935 Mon Sep 17 00:00:00 2001
From: Luke Heath
Date: Tue, 12 Dec 2023 12:04:23 -0600
Subject: [PATCH] Add Windows scripts and set scripts table width
---
.../hosts/details/cards/Scripts/_styles.scss | 12 +++
.../mdm/windows/windows-change-password.ps1 | 52 +++++++++++++
.../windows/windows-disable-administrator.ps1 | 8 ++
.../windows/windows-enable-administrator.ps1 | 29 +++++++
scripts/mdm/windows/windows-lock.ps1 | 35 +++++++++
scripts/mdm/windows/windows-unlock.ps1 | 14 ++++
scripts/mdm/windows/windows-wipe.ps1 | 76 +++++++++++++++++++
7 files changed, 226 insertions(+)
create mode 100644 scripts/mdm/windows/windows-change-password.ps1
create mode 100644 scripts/mdm/windows/windows-disable-administrator.ps1
create mode 100644 scripts/mdm/windows/windows-enable-administrator.ps1
create mode 100644 scripts/mdm/windows/windows-lock.ps1
create mode 100644 scripts/mdm/windows/windows-unlock.ps1
create mode 100644 scripts/mdm/windows/windows-wipe.ps1
diff --git a/frontend/pages/hosts/details/cards/Scripts/_styles.scss b/frontend/pages/hosts/details/cards/Scripts/_styles.scss
index 0c4f9ccfc3..0bdc86c03c 100644
--- a/frontend/pages/hosts/details/cards/Scripts/_styles.scss
+++ b/frontend/pages/hosts/details/cards/Scripts/_styles.scss
@@ -9,6 +9,18 @@ line-height: 1.5; } + .table-container { + .name__header { + width: 50%; + } + .last_execution__header { + width: 25%; + } + .actions__header { + width: 25%; + } + } + .table-container__header-left { display: block; }
diff --git a/scripts/mdm/windows/windows-change-password.ps1 b/scripts/mdm/windows/windows-change-password.ps1
new file mode 100644
index 0000000000..43cca1128e
--- /dev/null
+++ b/scripts/mdm/windows/windows-change-password.ps1
@@ -0,0 +1,52 @@
+# PowerShell script to log off all users and change their passwords
+
+# Function to generate a random password
+function Generate-Password {
+ param (
+ [int]$length = 12
+ )
+ $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-+=<>?/"
+ $password = -join ((1..$length) | ForEach-Object { Get-Random -Maximum $chars.length } | ForEach-Object { $chars[$_]} )
+ return $password
+}
+
+# Log off all non-administrative users
+$loggedOffUsers = @{}
+Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object {
+ $username = $_.LocalPath.Split('\')[-1]
+ if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
+ try {
+ $userSessions = query user | Where-Object { $_ -match "\b$username\b" }
+ foreach ($session in $userSessions) {
+ if ($session -match "\s+(\d+)\s+Disc\s+") {
+ # Disconnected sessions can't be logged off
+ continue
+ }
+ elseif ($session -match "\s+(\d+)\s+") {
+ $sessionID = $matches[1]
+ logoff $sessionID
+ $loggedOffUsers[$username] = $true
+ Write-Host "Logged out user: $username"
+ }
+ }
+ } catch {
+ Write-Host "Could not log off user: $username. Error: $($_.Exception.Message)"
+ }
+ }
+}
+
+# Get all local user accounts except built-in accounts like 'Administrator'
+$users = Get-LocalUser | Where-Object { $_.Name -notlike "Administrator" -and $_.PrincipalSource -eq "Local" }
+
+# Change password for each user and output the new password
+foreach ($user in $users) {
+ $newPassword = Generate-Password -length 12
+ $securePassword = ConvertTo-SecureString $newPassword -AsPlainText -Force
+
+ try {
+ Set-LocalUser -Name $user.Name -Password $securePassword
+ Write-Host "Password for user $($user.Name) changed successfully. New Password: $newPassword"
+ } catch {
+ Write-Host "Failed to change password for user $($user.Name)"
+ }
+}
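Review bot: The final `foreach` loop writes every new password to script output in clear text (`Write-Host "... New Password: $newPassword"`), so the credentials end up wherever the MDM stores and displays script results; windows-enable-administrator.ps1 does the same with `Write-Host "Generated Password: $password"`. If the operator has to receive the password this way, the file header should say who can read that output and how long it is retained. `Generate-Password` picks its indices with `Get-Random`, which the PowerShell documentation does not guarantee to be cryptographically secure; drawing them from `[System.Security.Cryptography.RandomNumberGenerator]` would remove that doubt. Cmdlet errors are non-terminating by default, so the `catch` around `Set-LocalUser` probably never runs and the success line can print after a failed change; `Set-LocalUser -Name $user.Name -Password $securePassword -ErrorAction Stop` fixes that.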
diff --git a/scripts/mdm/windows/windows-disable-administrator.ps1 b/scripts/mdm/windows/windows-disable-administrator.ps1
new file mode 100644
index 0000000000..de66080e7b
--- /dev/null
+++ b/scripts/mdm/windows/windows-disable-administrator.ps1
@@ -0,0 +1,8 @@
+# PowerShell script to disable the Administrator account
+
+# Run this script as an administrator
+
+# Disable the Administrator account
+Disable-LocalUser -Name "Administrator"
+
+Write-Host "Administrator account has been disabled."
diff --git a/scripts/mdm/windows/windows-enable-administrator.ps1 b/scripts/mdm/windows/windows-enable-administrator.ps1
new file mode 100644
index 0000000000..13c48b04fe
--- /dev/null
+++ b/scripts/mdm/windows/windows-enable-administrator.ps1
@@ -0,0 +1,29 @@
+# PowerShell script to enable the Administrator account and set a random, secure password
+
+# Run this script as an administrator
+
+# Function to generate a random password
+function Generate-Password {
+ param (
+ [int]$length = 12
+ )
+ $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_-+=<>?/"
+ $password = -join ((1..$length) | ForEach-Object { Get-Random -Maximum $chars.length } | ForEach-Object { $chars[$_]} )
+ return $password
+}
+
+# Generate a random password
+$password = Generate-Password -length 12
+
+# Convert the password to a SecureString
+$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
+
+# Enable the Administrator account
+Enable-LocalUser -Name "Administrator"
+
+# Set the generated password for the Administrator account
+Set-LocalUser -Name "Administrator" -Password $securePassword
+
+# Output the password
+Write-Host "Administrator account has been enabled."
+Write-Host "Generated Password: $password"
diff --git a/scripts/mdm/windows/windows-lock.ps1 b/scripts/mdm/windows/windows-lock.ps1
new file mode 100644
index 0000000000..e4d9809fee
--- /dev/null
+++ b/scripts/mdm/windows/windows-lock.ps1
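Review bot: `Disable-LocalUser -Name "Administrator"` finds the built-in account by its English default name, so on a renamed or localized installation it fails, and the following `Write-Host` still reports that the account has been disabled because the error is non-terminating. Resolving the account by its well-known RID is more reliable, for example `Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' } | Disable-LocalUser -ErrorAction Stop`. The same name-based comparison appears in the enable, lock, change-password and wipe scripts of this patch.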
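Review bot: In windows-enable-administrator.ps1 the account is enabled before its password is replaced, so for a short time, or permanently if `Set-LocalUser` fails, the built-in Administrator is active with whatever password it had before. Neither call stops on error, so the script can also print a generated password that was never applied. Setting the password first and making both calls terminating closes that gap: `Set-LocalUser -Name "Administrator" -Password $securePassword -ErrorAction Stop` followed by `Enable-LocalUser -Name "Administrator" -ErrorAction Stop`.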
@@ -0,0 +1,35 @@
+# PowerShell script to log off all non-administrative users and disable their accounts
+
+# Log off all non-administrative users
+$loggedOffUsers = @{}
+Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object {
+ $username = $_.LocalPath.Split('\')[-1]
+ if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
+ try {
+ $userSessions = query user | Where-Object { $_ -match "\b$username\b" }
+ foreach ($session in $userSessions) {
+ if ($session -match "\s+(\d+)\s+Disc\s+") {
+ # Disconnected sessions can't be logged off
+ continue
+ }
+ elseif ($session -match "\s+(\d+)\s+") {
+ $sessionID = $matches[1]
+ logoff $sessionID
+ $loggedOffUsers[$username] = $true
+ Write-Host "Logged out user: $username"
+ }
+ }
+ } catch {
+ Write-Host "Could not log off user: $username. Error: $($_.Exception.Message)"
+ }
+ }
+}
+
+# Disable all non-administrative local user accounts
+Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -ne "Administrator" } | ForEach-Object {
+ $username = $_.Name
+ Disable-LocalUser -Name $username
+ Write-Host "Disabled account for $username"
+}
+
+Write-Host "All non-administrative users have been logged out and their accounts disabled."
diff --git a/scripts/mdm/windows/windows-unlock.ps1 b/scripts/mdm/windows/windows-unlock.ps1
new file mode 100644
index 0000000000..6a10c00fb3
--- /dev/null
+++ b/scripts/mdm/windows/windows-unlock.ps1
@@ -0,0 +1,14 @@
+# PowerShell script to enable all disabled local user accounts
+
+# Get all local user accounts
+$localUsers = Get-LocalUser
+
+# Enable each disabled user account
+foreach ($user in $localUsers) {
+ if ($user.Enabled -eq $false) {
+ Enable-LocalUser -Name $user.Name
+ Write-Host "Enabled user account: $($user.Name)"
+ }
+}
+
+Write-Host "All disabled user accounts have been enabled."
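Review bot: The lock can report success while sessions are still alive. The log-off loop skips disconnected sessions, and the closing `Write-Host` states unconditionally that all users have been logged out. A non-zero exit from the native `query user` or `logoff` commands does not raise an exception, so the `catch` will not see those failures; checking `$LASTEXITCODE` after `logoff` and making the final message reflect what was actually done would help. The session filter also interpolates `$username` into a regular expression unescaped, so a profile name with metacharacters can match the wrong row; `Where-Object { $_ -match "\b$([regex]::Escape($username))\b" }` avoids that. The same block is copied into windows-change-password.ps1 and windows-wipe.ps1.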
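Review bot: windows-unlock.ps1 re-enables every disabled local account, not only those that windows-lock.ps1 disabled, so running it also turns on Guest, the built-in Administrator and any account an administrator had disabled on purpose. At minimum the loop should skip the built-in accounts by RID, for example `if ($user.Enabled -eq $false -and $user.SID.Value -notmatch '-(500|501|503|504)$') {`. To restore the exact pre-lock state, the lock script would need to record the accounts it disabled and the unlock script would re-enable only that list.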
diff --git a/scripts/mdm/windows/windows-wipe.ps1 b/scripts/mdm/windows/windows-wipe.ps1
new file mode 100644
index 0000000000..aa27fc52bb
--- /dev/null
+++ b/scripts/mdm/windows/windows-wipe.ps1
@@ -0,0 +1,76 @@
+# PowerShell script to wipe user data and then make the Windows system inoperable
+
+# Function to delete user data
+function Wipe-UserData {
+ $userFolders = Get-ChildItem C:\Users -Directory
+
+ foreach ($folder in $userFolders) {
+ if ($folder.Name -notlike "Public" -and $folder.Name -notlike "Default*" -and $folder.Name -notlike "Administrator") {
+ $path = $folder.FullName
+ Write-Host "Wiping user data in $path"
+ Remove-Item -Path $path -Recurse -Force
+ }
+ }
+}
+
+# Function to delete critical system files and directories
+function Wipe-SystemFiles {
+ $criticalPaths = @(
+ "C:\Program Files",
+ "C:\Program Files (x86)",
+ "C:\Windows\System32",
+ "C:\Windows\SysWOW64"
+ # Add other critical paths as necessary
+ )
+
+ foreach ($path in $criticalPaths) {
+ if (Test-Path $path) {
+ try {
+ Takeown /f $path /r /d y
+ Icacls $path /grant administrators:F /t
+ Remove-Item -Path $path -Recurse -Force
+ Write-Host "Wiped $path"
+ } catch {
+ Write-Host "Failed to wipe $path"
+ }
+ }
+ }
+}
+
+# Log off all non-administrative users
+$loggedOffUsers = @{}
+Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false } | ForEach-Object {
+ $username = $_.LocalPath.Split('\')[-1]
+ if ($username -ne "Administrator" -and $username -ne $env:USERNAME -and -not $loggedOffUsers.ContainsKey($username)) {
+ try {
+ $userSessions = query user | Where-Object { $_ -match "\b$username\b" }
+ foreach ($session in $userSessions) {
+ if ($session -match "\s+(\d+)\s+Disc\s+") {
+ # Disconnected sessions can't be logged off
+ continue
+ }
+ elseif ($session -match "\s+(\d+)\s+") {
+ $sessionID = $matches[1]
+ logoff $sessionID
+ $loggedOffUsers[$username] = $true
+ Write-Host "Logged out user: $username"
+ }
+ }
+ } catch {
+ Write-Host "Could not log off user: $username. 
Error: $($_.Exception.Message)"
+ }
+ }
+}
+
+# Disable all non-administrative local user accounts
+Get-LocalUser | Where-Object { $_.Enabled -eq $true -and $_.Name -ne "Administrator" } | ForEach-Object {
+ $username = $_.Name
+ Disable-LocalUser -Name $username
+ Write-Host "Disabled account for $username"
+}
+
+# Start the wiping process
+Wipe-UserData
+Wipe-SystemFiles
+
+Write-Host "Wiping process completed."
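Review bot: The script can tell the operator that data is gone when it is not. `Remove-Item` errors are non-terminating and the native `Takeown`/`Icacls` calls do not throw, so the `catch` in `Wipe-SystemFiles` will not run; `Wiped $path` and `Wiping process completed.` are printed even if files remain. `Wipe-UserData` has no error handling at all and skips the Administrator profile. Adding `-ErrorAction Stop` to both `Remove-Item` calls and reporting a failure status would at least make the result trustworthy. Deleting files also does not sanitize the disk, so the header comment should not present this as a data wipe; where available, the operating system's supported reset or remote-wipe mechanism is the safer basis. Because the action is irreversible and the script has no confirmation parameter or host check, an explicit guard against running it on the wrong device would be worth adding.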