Autoremediation with Scripts and Monitors Part 1
When you find yourself manually fixing a problem time and time again, you will probably start thinking of automating the problem away. You wouldn’t be here if you didn’t. Automate provides a whole lot of great systems to make problems go away forever. Today we are going to tackle one such example. I love using real-world examples, so today’s target will be NLA on RDP. Ensuring it is enabled is a simple but important step to keeping your clients secure. Automate actually makes this pretty easy with scripts. As any seasoned Automate administrator knows, the scripting engine in Automate is as powerful as it is terrible. So let’s tackle this problem with a script, why not?
Let’s start by outlining what we want to achieve.
- Check if a computer has NLA turned off. The Internet tells me the registry key for that is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
- Turn it on. The Internet tells me that SecurityLayer needs to be set to a DWORD of 1.
Well, that’s easy enough to start with. Go to Automation > View Scripts to see your existing scripts. As always, I recommend creating a branded folder so you don’t have to hunt for the folder when you need it. I recommend creating one called ___[CompanyInitials] - Scripts in Production, obviously replacing [CompanyInitials] with your own company. The ___ is there to ensure your newly created folder comes first. Then a subfolder, something along the lines of “Config Tweaks”. Now that the folders are created, go to them and create your new script.
I recommend branding your scripts too, making them easier to find, and if there are factory ones that have similar names, you always know which ones you created. I’m going to name this one [CompanyInitials] - Enable NLA on Windows Machines. It’s descriptive of what we are doing, while not being too long. Before going any further, go ahead and hit the “Create” button. That will now turn into a save button. “Save early, save often” my momma always told me.
Let’s get down to business. At the beginning of the script part, you see an “IF” with a dropdown right next to it saying “True”. That divides your script into two results of the initial if, “Then” and “Else”. This if statement works exactly like every if statement you have ever written. Don’t get used to it though, this is the only one in the scripting engine that does work the way you expect. Let’s drop that down and choose “Registry Check”. Some new boxes popped up. This is pretty self-explanatory. Put the registry key we listed above in the Registry Key box. Switch Compare to =, and lastly, let’s put 0 in the To box. That’s going to split the script between the Then and Else sections. If the registry value equals 0, we know that NLA is disabled, and the Then section runs.
Let’s get the simple case out of the way first, the Else. This is for when the registry key turning off NLA isn’t set to 0. We need to add just a simple note in there, stating the script is exiting because NLA is already turned on. Right click on the white space below Else and click Add. Now there’s a new screen. And what a screen it is. Important things to note are:
- Function: this is a list of things to do.
- Below Function: these input boxes change depending on what function you choose.
- OS: this will make a command only apply to certain OSs, we’ll use this later.
- Continue on Failure checkbox: if the function errors, normally the entire script comes to an end, but often this is not the right thing, so checking this will keep the script going, even on failure.
Time to drop down that function box. The function we want right now is Script Log Message. This will place whatever you put in the Message box into the script log on the machine it is run on. That’s super important for giving feedback on the result of a script. In this case, simply write something like “NLA is already enabled on this machine, Exiting script”.
Moving back to the Then section, let’s finally do what we came here to do. Add a new function and swap the function to Registry Set Value. Registry Value is pretty self-explanatory, so is Data, but don’t forget to set the proper Data Type. In this case we want Reg_DWORD.
Great, but as we did in the Else section, we really should note that we made the change in the script log. Add a Script Log Message and note that you made the change. Go ahead and save the script again.
And that’s it, a basic script. Nothing fancy, but it does the job. Just run this script on any machine that needs to be fixed.
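For testing the same logic on one machine outside Automate, here is the check, set and log flow as PowerShell. This is an added example, not the post's Automate script: the function name and log wording are hypothetical, while the key, value name and data come from the steps above. It also reads back UserAuthentication from the same key, the value Windows uses to require NLA before a session is created (1 = required), which the post does not cover, so the end state can be verified.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Function name and log wording are hypothetical; the key, value name and
# data (SecurityLayer, REG_DWORD 1) are the ones used in the post.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpSecurityLayer {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key = $RdpTcpKey)

    # IF: Registry Check, SecurityLayer = 0
    $before = (Get-ItemProperty -Path $Key -Name SecurityLayer -ErrorAction Stop).SecurityLayer
    $log = "SecurityLayer is already $before, exiting without changes"   # ELSE branch

    if ($before -eq 0) {
        # THEN: Registry Set Value with data type REG_DWORD and data 1
        if ($PSCmdlet.ShouldProcess("$Key\SecurityLayer", 'Set REG_DWORD to 1')) {
            Set-ItemProperty -Path $Key -Name SecurityLayer -Value 1 -Type DWord -ErrorAction Stop
            $log = 'SecurityLayer was 0, set to 1'
        } else {
            $log = 'SecurityLayer is 0, change not applied'
        }
    }

    # Read the values back instead of trusting the write.
    $now = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SecurityLayer      = $now.SecurityLayer       # 0 = RDP, 1 = Negotiate, 2 = TLS
        UserAuthentication = $now.UserAuthentication  # 1 = NLA required (not covered in the post)
        Log                = $log
    }
}

# Dry run first; drop -WhatIf to apply the change.
Set-RdpSecurityLayer -WhatIf
```

If a Group Policy sets these values, the policy wins at the next refresh, so a value that keeps reverting points to policy rather than to a failed script.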
Coming in part 2, detecting the bad state, and automatically triggering the script to fix it.