functions/Get-DbaExtendedProtection.ps1
function Get-DbaExtendedProtection { <# .SYNOPSIS Get the Extended Protection setting of the SQL Server network configuration. .DESCRIPTION Get the Extended Protection setting of the SQL Server network configuration. This setting requires access to the Windows Server and not the SQL Server instance. The setting is found in SQL Server Configuration Manager under the properties of SQL Server Network Configuration > Protocols for "InstanceName". .PARAMETER SqlInstance The target SQL Server instance or instances. .PARAMETER Credential Allows you to login to the computer (not SQL Server instance) using alternative Windows credentials .PARAMETER WhatIf If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run. .PARAMETER Confirm If this switch is enabled, you will be prompted for confirmation before executing any operations that change state. .PARAMETER EnableException By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message. This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting. Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch. .NOTES Tags: Instance, Security Author: Cláudio Silva (@claudioessilva), https://claudioessilva.eu Website: https://dbatools.io Copyright: (c) 2019 by dbatools, licensed under MIT License: MIT https://opensource.org/licenses/MIT .LINK https://dbatools.io/Get-DbaExtendedProtection .EXAMPLE PS C:\> Get-DbaExtendedProtection Gets Extended Protection on the default (MSSQLSERVER) instance on localhost - requires (and checks for) RunAs admin. .EXAMPLE PS C:\> Get-DbaExtendedProtection -SqlInstance sql01\SQL2008R2SP2 Set Extended Protection of SQL Engine for the SQL2008R2SP2 on sql01 to "Off". Uses Windows Credentials to both connect and modify the registry. Gets Extended Protection for the SQL2008R2SP2 on sql01. Uses Windows Credentials to both login and view the registry. #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "Low", DefaultParameterSetName = 'Default')] param ( [Parameter(ValueFromPipeline)] [DbaInstanceParameter[]]$SqlInstance = $env:COMPUTERNAME, [PSCredential]$Credential, [switch]$EnableException ) process { foreach ($instance in $sqlinstance) { Write-Message -Level VeryVerbose -Message "Processing $instance." -Target $instance if ($instance.IsLocalHost) { $null = Test-ElevationRequirement -ComputerName $instance -Continue } try { $resolved = Resolve-DbaNetworkName -ComputerName $instance -Credential $Credential -EnableException } catch { try { $resolved = Resolve-DbaNetworkName -ComputerName $instance -Credential $Credential -Turbo -EnableException } catch { Stop-Function -Message "Issue resolving $instance" -Target $instance -Category InvalidArgument -Continue } } try { $sqlwmi = Invoke-ManagedComputerCommand -ComputerName $resolved.FullComputerName -ScriptBlock { $wmi.Services } -Credential $Credential -EnableException | Where-Object DisplayName -eq "SQL Server ($($instance.InstanceName))" } catch { Stop-Function -Message "Failed to access $instance" -Target $instance -Continue -ErrorRecord $_ } $regroot = ($sqlwmi.AdvancedProperties | Where-Object Name -eq REGROOT).Value $vsname = ($sqlwmi.AdvancedProperties | Where-Object Name -eq VSNAME).Value try { $instancename = $sqlwmi.DisplayName.Replace('SQL Server (', '').Replace(')', '') } catch { $null = 1 } $serviceaccount = $sqlwmi.ServiceAccount if ([System.String]::IsNullOrEmpty($regroot)) { $regroot = $sqlwmi.AdvancedProperties | Where-Object { $_ -match 'REGROOT' } $vsname = $sqlwmi.AdvancedProperties | Where-Object { $_ -match 'VSNAME' } if (![System.String]::IsNullOrEmpty($regroot)) { $regroot = ($regroot -Split 'Value\=')[1] $vsname = ($vsname -Split 'Value\=')[1] } else { Stop-Function -Message "Can't find instance $vsname on $instance." -Continue -Category ObjectNotFound -Target $instance } } if ([System.String]::IsNullOrEmpty($vsname)) { $vsname = $instance } Write-Message -Level Verbose -Message "Regroot: $regroot" -Target $instance Write-Message -Level Verbose -Message "ServiceAcct: $serviceaccount" -Target $instance Write-Message -Level Verbose -Message "InstanceName: $instancename" -Target $instance Write-Message -Level Verbose -Message "VSNAME: $vsname" -Target $instance $scriptblock = { $regpath = "Registry::HKEY_LOCAL_MACHINE\$($args[0])\MSSQLServer\SuperSocketNetLib" $ExtendedProtection = (Get-ItemProperty -Path $regpath -Name ExtendedProtection).ExtendedProtection [pscustomobject]@{ ComputerName = $env:COMPUTERNAME InstanceName = $args[2] SqlInstance = $args[1] ExtendedProtection = "$ExtendedProtection - $(switch ($ExtendedProtection) { 0 { "Off" } 1 { "Allowed" } 2 { "Required" } })" } } if ($PScmdlet.ShouldProcess("local", "Connecting to $instance to modify the ExtendedProtection value in $regroot for $($instance.InstanceName)")) { try { Invoke-Command2 -ComputerName $resolved.FullComputerName -Credential $Credential -ArgumentList $regroot, $vsname, $instancename -ScriptBlock $scriptblock -ErrorAction Stop | Select-Object -Property * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName } catch { Stop-Function -Message "Failed to connect to $($resolved.FullComputerName) using PowerShell remoting" -ErrorRecord $_ -Target $instance -Continue } } } } } |