Removing annoying warnings when logging in to a terminal server


Not long ago we deployed a solution based on a Windows terminal server. As usual, the connection shortcut was copied to the employees' desktops and they were told to get to work. But the users had already been through cyber-security awareness training, and when they connected to the server and saw a message along the lines of "Do you trust this publisher? Really?", they got scared and came to us: is everything alright, can we click OK? After that it was decided to set everything up properly, so that there would be no questions and no fear.

If your users still come to you with the same fears, and you are tired of ticking the "Don't ask me again" box, welcome under the cut.

Step zero. Preparation and trust

So, our users click a saved file with the .rdp extension and get the following prompt:

[Figure: the "malicious" connection prompt.]

To get rid of this window, a dedicated utility called RDPSign.exe is used. Full documentation is, as usual, on the official website, and here we will walk through one example of using it.

First, we need to obtain a certificate to sign the file with. It can be:

  • Public (issued by a public CA).
  • Issued by an internal Certificate Authority service.
  • Self-signed.

The most important thing is that the certificate is capable of signing (yes, you could even pick the accountants' digital-signature certificate), and that the users' PCs trust it. Here I will use a self-signed certificate.

Let me remind you that trust in a self-signed certificate can be configured with group policies. A few more details are under the spoiler.

How to make a certificate trusted using the magic of GPO

First, you need to export the existing certificate without its private key in .cer format (this can be done by exporting the certificate from the Certificates snap-in) and place it in a network folder that users can read. After that, you can configure the Group Policy.

The certificate import is configured in the section: Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certification Authorities. Next, right-click to import the certificate.

[Figure: the configured policy.]

The users' PCs will now trust the self-signed certificate.

With the trust question settled, we move straight on to signing.

Step one. Signing the file in one go

With a certificate in hand, you now need to know its thumbprint. Just open it in the Certificates snap-in and copy it from the "Details" tab.

[Figure: the thumbprint we need.]

It is best to bring it into the proper form straight away: uppercase letters only and no spaces, if there are any. This is easy to do in the PowerShell console with the command:

("6b142d74ca7eb9f3d34a2fe16d1b949839dba8fa").ToUpper().Replace(" ","")

Once the thumbprint is in the required form, you can sign the .rdp file:

rdpsign.exe /sha256 6B142D74CA7EB9F3D34A2FE16D1B949839DBA8FA .contoso.rdp

Where .contoso.rdp is the absolute or relative path to our file.

Once the file is signed, some of its settings can no longer be changed through the graphical interface, for example the server name (indeed, otherwise what would be the point of signing?). And if you change the settings with a text editor, the signature "flies off", i.e. it no longer validates.
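The signing step above, wrapped in a small PowerShell helper that also checks the result. This is an added example, not code from the original article; it assumes rdpsign.exe is on the PATH and that the signing certificate with its private key sits in a personal (My) certificate store. The thumbprint and file names in the usage comment are constructed placeholders.

```powershell
# Added example: normalise a thumbprint the way the article does, sign an .rdp
# file with rdpsign.exe, then read the file back to confirm that a signature is
# present and that "Full Address" (the server name) is inside the signed scope.

function Format-Thumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Same transformation as the article's one-liner: uppercase, strip spaces.
    $t = $Thumbprint.ToUpper().Replace(" ", "")
    # The snap-in shows the 40-hex-character thumbprint; refuse anything else.
    if ($t -notmatch '^[0-9A-F]{40}$') {
        throw "Thumbprint is not 40 hex characters after normalisation: '$t'"
    }
    return $t
}

function Invoke-RdpSign {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path
    )
    $tp = Format-Thumbprint $Thumbprint
    # The store's Thumbprint property is the same value the snap-in shows, so a
    # typo in the thumbprint is caught here before rdpsign.exe runs.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $tp in a My store" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key; cannot sign" }
    & rdpsign.exe /sha256 $tp $Path
    if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
}

function Test-RdpSignature {
    param([Parameter(Mandatory)][string]$Path)
    # rdpsign.exe adds 'signscope:s:<comma-separated protected settings>' and
    # 'signature:s:<blob>' to the file; parse both back out and check them.
    $lines = Get-Content -Path $Path
    $scope = ($lines | Where-Object { $_ -like 'signscope:s:*' }) -replace '^signscope:s:', ''
    $sig   = $lines | Where-Object { $_ -like 'signature:s:*' }
    $addr  = ($lines | Where-Object { $_ -like 'full address:s:*' }) -replace '^full address:s:', ''
    $addrProtected = [bool]$scope -and (($scope -split ',') -contains 'Full Address')
    [pscustomobject]@{
        File                 = $Path
        Signed               = [bool]$sig
        FullAddress          = $addr
        FullAddressProtected = $addrProtected
        Valid                = ([bool]$sig -and $addrProtected)
    }
}

# Usage with constructed values:
# Invoke-RdpSign -Thumbprint '6b14 2d74 ca7e ...' -Path '.\contoso.rdp'
# Test-RdpSignature -Path '.\contoso.rdp'
```

Test-RdpSignature only checks that the signature and scope lines are present and cover the server name; whether the signature itself still verifies is decided by the RDP client (and breaks if the file was edited by hand, as the article notes).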

Now, when you double-click the shortcut, the message is different:

[Figure: the new message. The colours are no longer scary, which is already progress.]

Let's get rid of this one too.

Step two. The question of trust again

To remove this message we need Group Policy again. This time the path is: Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Connection Client - Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.

[Figure: the policy we need.]

In the policy, it is enough to add the thumbprint we already know from the previous steps.

It is worth noting that this policy overrides the "Allow .rdp files from valid publishers and user's default .rdp settings" policy.

[Figure: the configured policy.]

Voila, now there are no strange questions, only a prompt for a login and password. Hmm...

Step three. Transparent login to the server

Indeed, if we already authenticated when logging in to the domain-joined computer, why should we enter the same login and password again? Let's switch credential delegation to the server to "transparent". In the case of plain RDP (without an RDS Gateway), ... Yes, group policy will help us again.

Go to the section: Computer Configuration - Policies - Administrative Templates - System - Credentials Delegation - Allow delegating default credentials.

Here you can add the required servers to the list or use a wildcard. An entry looks like TERMSRV/trm.contoso.com or TERMSRV/*.contoso.com.

[Figure: the configured policy.]

Now, if you look at our shortcut, it looks like this:

[Figure: the username can no longer be changed.]

If you use an RDS Gateway, you also need to enable credential delegation for it. To do this, in IIS Manager, under "Authentication", disable Anonymous Authentication and enable Windows Authentication.

[Figure: the configured IIS authentication settings.]

Don't forget to restart the web service when you are done, with the command:

iisreset /noforce

Now everything is fine: no questions and no prompts.


Tell me, do you sign the RDP shortcuts for your users?

  • 43% (28 votes): No, they are used to clicking "OK" in the messages without reading them; some even ticked the "Don't ask me again" box themselves.

  • 29.2% (19 votes): I carefully place the shortcut by hand and do the first login to the server together with each user.

  • 6.1% (4 votes): Of course, I like order in everything.

  • 21.5% (14 votes): I don't use terminal servers.

65 users voted. 14 users abstained.

Source: www.hab.com
