How InTrust can help reduce the rate of failed authorizations over RDP

Anyone who has tried running a virtual machine in the cloud knows that the standard RDP port, if left open, is attacked almost immediately by a wave of password-guessing attempts from many IP addresses all over the world.

In this article I will show how you can configure an automatic response to password brute-forcing in InTrust by adding a new firewall rule. InTrust is a CLM platform for collecting, analyzing and storing unstructured data, and it already ships with hundreds of predefined responses to various types of attacks.

In Quest InTrust you can configure response actions that run when a rule fires. Through the log collection agent, InTrust receives a message about a failed authorization on a workstation or server. To configure adding new IP addresses to the firewall, copy an existing rule for detecting multiple failed authorizations and open the copy for editing:

Events in the Windows log use something called InsertionString. Look at the matches for event ID 4625 (a failed system logon) and you will see that the fields we need are stored in InsertionString14 (Workstation Name) and InsertionString20 (Source Network Address). The Workstation Name field may be blank, so at this point it is important to replace the value with Source Network Address.

Here is what the text of event 4625 looks like:

An account failed to log on.
Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a
Logon Type:			2
Account For Which Logon Failed:
	Security ID:		S-1-0-0
	Account Name:		Paul
	Account Domain:		LOGISTICS
Failure Information:
	Failure Reason:		Account locked out.
	Status:			0xc0000234
	Sub Status:		0x0
Process Information:
	Caller Process ID:	0x3f8
	Caller Process Name:	C:\Windows\System32\svchost.exe
Network Information:
	Workstation Name:	DCC1
	Source Network Address:	::1
	Source Port:		0
Detailed Authentication Information:
	Logon Process:		seclogo
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Additionally, we will add the Source Network Address value to the message text.
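As an added example (not part of the original article or the InTrust product), the snippet below does the triage step the text describes: it reads recent 4625 events from the Security log, keys them on the IpAddress field (InsertionString20) rather than the often-empty Workstation Name, skips local or missing addresses such as the "::1" seen in the sample event, and prints the sources that exceed a threshold. The threshold and the look-back window are assumed values chosen for illustration.

```powershell
# Added example: count 4625 failures per Source Network Address over a
# look-back window and list the addresses that exceed a threshold, so they
# can be passed one by one to a blocking script such as the one in this article.
# Assumptions: runs elevated on the attacked host; $Threshold and $MinutesBack
# are arbitrary illustrative defaults.
param(
    [int]$Threshold = 20,
    [int]$MinutesBack = 10
)

$since = (Get-Date).AddMinutes(-$MinutesBack)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$counts = @{}
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # EventData/Data nodes appear in the same order as the InsertionStrings:
    # WorkstationName is the 14th, IpAddress the 20th. Index by name to be safe.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $data['IpAddress']
    # Skip missing or local addresses ('-', '::1', '127.0.0.1'); Workstation
    # Name is often blank for internet sources, which is why the address,
    # not the name, is the key.
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -in @('-', '::1', '127.0.0.1')) { continue }
    $counts[$ip] = 1 + [int]$counts[$ip]
}

# Print "address<TAB>count" for every source at or above the threshold
$counts.GetEnumerator() |
    Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending |
    ForEach-Object { "{0}`t{1}" -f $_.Key, $_.Value }
```

Each printed address is in the form the blocking script expects for its -SourceAddress parameter.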

Next, add a script that will block the IP address in Windows Firewall. Below is an example that can be used for this.

Script for configuring the firewall

param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]
    $SourceAddress    # the Source Network Address passed in by InTrust
)

$SourceAddress = $SourceAddress.Trim()
$ErrorActionPreference = 'Stop'
$ruleName = 'Quest-InTrust-Block-Failed-Logons'
$ruleDisplayName = 'Quest InTrust: Blocks IP addresses from failed logons'

# Returns the remote addresses already attached to the blocking rule
# (returns nothing if the rule does not exist yet)
function Get-BlockedIps {
    (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue | Get-NetFirewallAddressFilter).RemoteAddress
}

# Merge the new address with the existing list, dropping duplicates
$blockedIps = Get-BlockedIps
$allIps = [array]$SourceAddress + [array]$blockedIps | Select-Object -Unique | Sort-Object

# Update the rule if it already exists, otherwise create an inbound block rule
if (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -Name $ruleName -RemoteAddress $allIps
} else {
    New-NetFirewallRule -Name $ruleName -DisplayName $ruleDisplayName -Direction Inbound -Action Block -RemoteAddress $allIps
}

Now you can change the rule name and description to avoid confusion later.

Now add this script as a response action for the rule, enable the rule, and make sure the corresponding rule is enabled in the real-time monitoring policy. The agent must be allowed to run response scripts, and the correct parameter must be specified.

After the configuration was completed, the number of failed authorizations dropped by 80%. The result? Excellent!

Occasionally a small increase appears again, but this is due to the appearance of new attack sources. Then everything starts to fall again.

In one week of operation, 66 IP addresses were added to the firewall rule.

Below is a table with the top 10 usernames that were used in the authorization attempts.

Username                        Count      Percent
administrator                   1220235    40.78
admin                            672109    22.46
user                             219870     7.35
contoso                          126088     4.21
contoso.com                       73048     2.44
manager                           55319     1.85
server                            39403     1.32
sgazlabdc01.contoso.com           32177     1.08
administrator (second variant)    32377     1.08
test 01                           31259     1.04

Tell us in the comments how you respond to information security threats. Which system do you use, and how convenient is it?

If you would like to see InTrust in action, leave a request in the feedback form on our website or write to me in a private message.

Read our other articles on information security:

We detected a ransomware attack, gained access to the domain controller and tried to counter these attacks

What useful information can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user lifecycle without pliers or duct tape

Who did it? Automating information security audits

How to reduce the cost of SIEM ownership and why you need Central Log Management (CLM)

Source: www.hab.com