diff --git a/docs/docsite/rst/user_guide/windows_setup.rst b/docs/docsite/rst/user_guide/windows_setup.rst index 604897b2ead..015e7fdf478 100644 --- a/docs/docsite/rst/user_guide/windows_setup.rst +++ b/docs/docsite/rst/user_guide/windows_setup.rst @@ -107,39 +107,11 @@ For more details, please refer to the `Hotfix document `_ -can be used to set up the basics. This script sets up both HTTP and HTTPS -listeners with a self-signed certificate and enables the ``Basic`` -authentication option on the service. - -To use this script, run the following in PowerShell: - -.. code-block:: powershell - - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" - $file = "$env:temp\ConfigureRemotingForAnsible.ps1" - - (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) - - powershell.exe -ExecutionPolicy ByPass -File $file - -There are different switches and parameters (like ``-EnableCredSSP`` and -``-ForceNewSSLCert``) that can be set alongside this script. The documentation -for these options are located at the top of the script itself. - -.. Note:: The ConfigureRemotingForAnsible.ps1 script is intended for training and - development purposes only and should not be used in a - production environment, since it enables settings (like ``Basic`` authentication) - that can be inherently insecure. Kerberos is considered a safer production setup. See :ref:`winrm_kerberos` for details. - - WinRM Listener -------------- The WinRM services listens for requests on one or more ports. Each of these ports must have a @@ -467,7 +439,6 @@ this problems is to either: See `KB4076842 `_ for more information on this problem. - Windows SSH Setup ````````````````` Ansible 2.8 has added an experimental SSH connection for Windows managed nodes. 
diff --git a/docs/docsite/rst/user_guide/windows_winrm.rst b/docs/docsite/rst/user_guide/windows_winrm.rst index 6e9e5d0ce8a..6a1ffec4302 100644 --- a/docs/docsite/rst/user_guide/windows_winrm.rst +++ b/docs/docsite/rst/user_guide/windows_winrm.rst @@ -631,9 +631,8 @@ The WinRM protocol considers the channel to be encrypted if using TLS over HTTP recommended option as it works with all authentication options, but requires a certificate to be created and used on the WinRM listener. -The ``ConfigureRemotingForAnsible.ps1`` creates a self-signed certificate and -creates the listener with that certificate. If in a domain environment, ADCS -can also create a certificate for the host that is issued by the domain itself. +If in a domain environment, ADCS can create a certificate for the host that +is issued by the domain itself. If using HTTPS is not an option, then HTTP can be used when the authentication option is ``NTLM``, ``Kerberos`` or ``CredSSP``. These protocols will encrypt diff --git a/examples/scripts/ConfigureRemotingForAnsible.ps1 b/examples/scripts/ConfigureRemotingForAnsible.ps1 index 1fcbaabc37f..7cc86abd7ce 100644 --- a/examples/scripts/ConfigureRemotingForAnsible.ps1 +++ b/examples/scripts/ConfigureRemotingForAnsible.ps1 
@@ -7,6 +7,21 @@ # the necessary changes to allow Ansible to connect, authenticate and # execute PowerShell commands. # +# IMPORTANT: This script uses self-signed certificates and authentication mechanisms +# that are intended for development environments and evaluation purposes only. +# Production environments and deployments that are exposed on the network should +# use CA-signed certificates and secure authentication mechanisms such as Kerberos. +# +# To run this script in Powershell: +# +# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +# $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" +# $file = "$env:temp\ConfigureRemotingForAnsible.ps1" +# +# (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) +# +# powershell.exe -ExecutionPolicy ByPass -File $file +# # All events are logged to the Windows EventLog, useful for unattended runs. # # Use option -Verbose in order to see the verbose output messages. diff --git a/test/lib/ansible_test/_util/target/setup/ConfigureRemotingForAnsible.ps1 b/test/lib/ansible_test/_util/target/setup/ConfigureRemotingForAnsible.ps1 index 1fcbaabc37f..7cc86abd7ce 100644 --- a/test/lib/ansible_test/_util/target/setup/ConfigureRemotingForAnsible.ps1 +++ b/test/lib/ansible_test/_util/target/setup/ConfigureRemotingForAnsible.ps1 
@@ -7,6 +7,21 @@ # the necessary changes to allow Ansible to connect, authenticate and # execute PowerShell commands. # +# IMPORTANT: This script uses self-signed certificates and authentication mechanisms +# that are intended for development environments and evaluation purposes only. +# Production environments and deployments that are exposed on the network should +# use CA-signed certificates and secure authentication mechanisms such as Kerberos. +# +# To run this script in Powershell: +# +# [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +# $url = "https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1" +# $file = "$env:temp\ConfigureRemotingForAnsible.ps1" +# +# (New-Object -TypeName System.Net.WebClient).DownloadFile($url, $file) +# +# powershell.exe -ExecutionPolicy ByPass -File $file +# # All events are logged to the Windows EventLog, useful for unattended runs. # # Use option -Verbose in order to see the verbose output messages.
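Review bot: In the first `windows_setup.rst` hunk (`@@ -107,39 +107,11 @@`) the removed block starts mid-sentence (`-can be used to set up the basics.` follows a kept line ending in `` `_ ``), so the sentence that introduced the script now has no predicate; check that the line immediately before the removed block still reads as a complete sentence after the cut, or trim it too. The removed `.. Note::` was also the only place in the setup guide that named `Basic` authentication as the insecure option and cross-referenced `:ref:\`winrm_kerberos\``; with the script and its warning gone from the docs, readers of this page no longer get that pointer, so consider keeping a one-line "use Kerberos in production, see :ref:`winrm_kerberos`" sentence in the kept text rather than only in the script header.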
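Review bot: The second `windows_setup.rst` hunk (`@@ -467,7 +439,6 @@`) is a whitespace-only change that deletes one blank line before the `Windows SSH Setup` heading; it is unrelated to removing the script references, and the first hunk also dropped two blank lines ahead of `WinRM Listener`, so verify both headings keep the same number of blank lines the rest of the file uses before section titles (rst tolerates it, but the doc lint or the visual rhythm of the page may not), or split this into a separate cleanup commit.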
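Review bot: In the `windows_winrm.rst` hunk the rewritten sentence `+If in a domain environment, ADCS can create a certificate for the host that` is a conditional fragment with no subject; suggest `In a domain environment, Active Directory Certificate Services (ADCS) can issue a certificate for the host.` Dropping the `ConfigureRemotingForAnsible.ps1` sentence also removes the only guidance for non-domain hosts, while the kept line above still says HTTPS `requires a certificate to be created and used on the WinRM listener`; add one sentence pointing standalone hosts to how they obtain a listener certificate (a CA-issued one for production, a self-signed one for lab use) so the paragraph does not leave that case unanswered.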
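Review bot: In the `examples/scripts/ConfigureRemotingForAnsible.ps1` hunk the run instructions fetch the script from the unpinned `devel` branch with `WebClient.DownloadFile` and execute it under `-ExecutionPolicy ByPass` without any integrity check, which is the pattern the surrounding `IMPORTANT` text is trying to discourage; suggest referencing a tagged release URL and noting how to verify the download (for example comparing a published hash) before the `powershell.exe` line. Two smaller points in the same lines: `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the session's protocol set with TLS 1.2 only instead of adding to it, so `... = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12` is the safer form; and `# To run this script in Powershell:` should read `PowerShell`. The `IMPORTANT` block would also be more useful if it named the specific mechanism at issue, as the removed docs note did (`Basic` authentication over a self-signed listener), rather than "authentication mechanisms" in general.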
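Review bot: The `test/lib/ansible_test/_util/target/setup/ConfigureRemotingForAnsible.ps1` hunk carries the same blob hashes (`1fcbaabc37f..7cc86abd7ce`) as the `examples/scripts` copy, so this is a byte-for-byte duplicate of the previous hunk, including the `IMPORTANT` warning and a download URL that points at `examples/scripts/` on `devel` rather than at this file; either generate one copy from the other at build or test time, or add a comment at the top of the test copy stating that it must be kept identical to `examples/scripts/ConfigureRemotingForAnsible.ps1`, so the two headers do not drift apart on the next edit. The `Powershell` spelling and the `SecurityProtocol` assignment noted on the previous hunk apply here verbatim.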