PowerShell | Script to Standardize Server Builds
Standard server build policies outline the guidelines and procedures for setting up and configuring servers within an organization. These policies ensure consistency, security, and compliance across all server deployments. Key components typically included in standard server build policies are:
1. Hardware Specifications:
- Minimum Requirements: Define minimum hardware specifications such as CPU, RAM, storage, and network interface cards.
- Hardware Compatibility List: Ensure all hardware components are compatible and supported by the chosen operating system and applications.

2. Operating System Installation:
- Supported OS Versions: Specify the approved operating system versions and editions.
- Installation Procedures: Provide step-by-step instructions for OS installation, including partitioning schemes, file system types, and installation media.
- Service Packs and Updates: Ensure the latest service packs and updates are applied during the installation.

3. Network Configuration:
- IP Address Assignment: Define whether servers will use static or dynamic IP addresses and the process for assigning them.
- DNS Settings: Configure DNS servers and domain names.
- Network Segmentation: Ensure servers are placed in appropriate network segments based on their role and security requirements.

4. Security Settings:
- Patch Management: Establish a schedule and process for applying security patches and updates.
- User Accounts and Permissions: Define policies for creating user accounts, assigning permissions, and managing administrator access.
- Firewall and Antivirus: Configure firewall rules and ensure antivirus software is installed and updated.

5. Software Installation:
- Standard Software Packages: List mandatory software packages and versions to be installed on all servers (e.g., monitoring agents, backup software).
- Configuration Management: Use configuration management tools (e.g., Ansible, Puppet, Chef) to automate and standardize software installation and configuration.

6. Logging and Monitoring:
- Log Configuration: Define logging policies, including which logs to retain, log rotation schedules, and log storage locations.
- Monitoring Tools: Install and configure monitoring tools to track server performance, availability, and security events.

7. Backup and Recovery:
- Backup Policies: Specify backup schedules, types (full, incremental, differential), and retention periods.
- Recovery Procedures: Provide detailed steps for restoring data and services in the event of a failure.

8. Documentation:
- Configuration Documentation: Maintain up-to-date documentation for each server, including hardware specs, network settings, installed software, and configuration details.
- Change Management: Document all changes made to the server post-deployment, following the organization's change management process.

9. Compliance and Auditing:
- Compliance Standards: Ensure servers comply with relevant industry standards and regulations (e.g., GDPR, HIPAA, PCI-DSS).
- Audit Trails: Maintain audit logs for all critical activities and regularly review them for compliance and security purposes.

10. Decommissioning:
- Decommission Procedures: Outline the steps for securely decommissioning and disposing of servers, including data wiping and hardware disposal.
These standard server build policies help maintain a consistent and secure server environment, reduce the risk of misconfigurations, and ensure that all servers meet organizational and regulatory requirements.
PowerShell Script Default Build
<#
.SYNOPSIS
    PowerShell Script to Set Up Server Default Build Settings Best Practices
.DESCRIPTION
    Reset Guest & Default Local Admin Password
    Renamed Local Admin Account to Company Standard
    Disabled Windows Firewall
    Starts Windows Service Remote Registry
    Optional Setting, Change Service Startup Mode
.NOTES
    Author: Scott Head
    ScriptsbyScott.com
#>

#=====================================================
#======== Set Local Admin and Guest Account ==========
#=====================================================
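#Timestamp used in the status lines below
$TimeStamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
#Passwords are read and kept in memory as plain text
$Admin_Password = Read-Host "Enter Local Admin Password"
$Guest_Password = Read-Host "Enter Guest Account Password"
#Writes the admin password in clear text to C:\temp\CheckMe.txt (the folder must already exist)
$Admin_Password | Out-File C:\temp\CheckMe.txt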
#Reset Local Admin Password
Try {
    $account = [ADSI]("WinNT://$Env:ComputerName/Administrator,user")
    $account.psbase.invoke("setpassword",$Admin_Password)
}
Catch {
    Return "$Env:Computername | Administrator | --ERROR-- | $TimeStamp | $_"
}
#Reset Local Guest Password
Try {
    $account = [ADSI]("WinNT://$Env:ComputerName/Guest,user")
    $account.psbase.invoke("setpassword",$Guest_Password)
}
Catch {
    Return "$Env:Computername | Guest | --ERROR-- | $TimeStamp | $_"
}
#=====================================================
#======== Test Local Admin and Guest Account =========
#=====================================================
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$Env:Computername)
$AdminPasswordResetResult=$obj.ValidateCredentials("Administrator",$Admin_Password)
#--------------------------------------------
#Return Results of Password Test Local Admin
#--------------------------------------------
#Report the result and continue with the remaining build steps
If($AdminPasswordResetResult){
    Write-Host "$Env:Computername | Administrator | $Admin_Password | $TimeStamp | Admin Password Reset Passed ===================="
}Else{
    Write-Host "$Env:Computername | Administrator | --ERROR-- | $TimeStamp | Admin Password Reset FAILED ===================="
}
#=====================================================
#============= Rename Local Admin Account ============
#=====================================================
#Local account names are limited to 20 characters, so keep the prefix short enough
$CompName = "PrefixHere" + $Env:ComputerName
Rename-LocalUser "Administrator" $CompName
#The built-in Administrator account is the one whose SID ends in -500
$Name_Checker=Get-LocalUser | Where{$_.SID -like "S-1-5-21-*-500"} | Select -ExpandProperty Name
#-------------------------------
#Test and Display Rename Results
#-------------------------------
If($Name_Checker -ne $CompName){
    Write-Host "Local Admin Name Mismatch ================"
}Else{
    Write-Host " Local Admin Rename Complete =============="
}
#=====================================================
#============= Disable Windows Firewall ==============
#=====================================================
Set-NetFirewallProfile -profile Domain,Public,Private -Enabled False
$Results=Get-NetFirewallProfile -profile Domain,Public,Private | Select -ExpandProperty Enabled
Foreach($State in $Results){
    If($State -eq "False"){
        "Windows Firewall Profile Passed ================"
    }Else{
        " Windows Firewall Profile Failed =================="
    }
}
#============================================================
#============= Enabled Remote Registry Service ==============
#============================================================
Get-service remoteregistry | Start-Service
$Services=Get-service remoteregistry | Select -ExpandProperty Status
If($Services -ne "Running"){
    Write-host "Windows Remote Registry Service Failed ================="
}else{
    Write-Host "Windows Remote Registry Service Passed =================="
}
<# Optional Change Startmode
$UpdateServiceName = "RemoteRegistry"
$Mode1=Get-WmiObject -Class Win32_Service -Namespace root\cimv2 | Where-Object{$_.Name -eq $UpdateServiceName}
$Mode1.changestartmode("Automatic")
#>
Pause
CLS
Write-host `n `n "Move the File to File Share and Place in main Password File C:\Temp\CheckMe.txt" `n `n
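
A variant of the password step that never puts the password on disk or on screen, as an added example (not part of the original script): it reads the passwords as SecureString, finds the accounts by their well-known RID (500 and 501) so it still works after the rename, and reports only whether the new password validates. The function name Set-BuiltinAccountPassword and the output fields are assumptions made for the illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Set-BuiltinAccountPassword is a hypothetical helper name.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Set-BuiltinAccountPassword {
    param(
        # 500 = built-in Administrator, 501 = built-in Guest
        [Parameter(Mandatory)][ValidateSet(500, 501)][int]$Rid,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Look the account up by RID so this works before and after the rename.
    $user = Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
    if (-not $user) { throw "No local account with RID $Rid on $Env:ComputerName" }

    Set-LocalUser -InputObject $user -Password $Password -ErrorAction Stop

    # ValidateCredentials takes a string, so the password is converted
    # in memory for this one call and never written to a file or the console.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine', $Env:ComputerName)
    try {
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        $ok = $ctx.ValidateCredentials($user.Name, $plain)
    }
    finally {
        $plain = $null
        $ctx.Dispose()
    }

    # Status record without the password, safe to log or export.
    [pscustomobject]@{
        Computer  = $Env:ComputerName
        Account   = $user.Name
        Rid       = $Rid
        Enabled   = $user.Enabled
        Validated = $ok
        TimeStamp = Get-Date -Format 's'
    }
}

$adminPw = Read-Host 'Enter Local Admin Password' -AsSecureString
$guestPw = Read-Host 'Enter Guest Account Password' -AsSecureString
$results = @(
    Set-BuiltinAccountPassword -Rid 500 -Password $adminPw
    Set-BuiltinAccountPassword -Rid 501 -Password $guestPw
)
$results | Format-Table -AutoSize
```

ValidateCredentials returns False for a disabled account even when the password was set, which is why the Enabled column is reported next to Validated.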