At the organization where I work, remote work is prohibited in principle. Was. Until last week. Now we had to roll out a solution in a hurry. On the business side, that meant adapting processes to the new way of working; on our side, PKI with PIN codes and tokens, VPN, detailed logging and much more.
Among other things, I was setting up the Remote Desktop Infrastructure, aka Terminal Services. We have several RDS deployments in different data centers. One of the goals was to let colleagues from IT-adjacent departments connect to user sessions interactively. As you know, there is a standard RDS Shadow mechanism for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very greedy when it comes to handing out admin rights. For those who agree with me, please read on.
Well, the task is clear, so let's get down to business.
Step 1
Let's create a security group in Active Directory named RDP_Operators and add to it the accounts of the users we want to delegate rights to:
# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$Users = @(
    "UserLogin1",
    "UserLogin2",
    "UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users
If you have multiple AD sites, you will need to wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes no more than 15 minutes.
Step 2
Let's grant the group the right to manage terminal sessions on each of the RDSH servers:
Set-RDSPermissions.ps1
$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach ($WMIHandle in $WMIHandles)
    {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp")
        {
            # Permission preset 2 = WINSTATION_ALL_ACCESS on the RDP-Tcp listener
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "успешно"       # "success"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "ошибка"    # "error"
            }
            # Message: "Delegating shadow connection rights to group <group> on server <server>: <status>"
            Write-Host ("Делегирование прав на теневое подключение группе " +
                $Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}
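To check the result of step 2 without changing anything, the listener ACL can be read back through Win32_TSAccount in the same WMI namespace. This is an added example, not part of the original article; the allowlist and its EXAMPLE domain are constructed placeholders, and 0x10 is the WINSTATION_SHADOW bit of PermissionsAllowed.

```powershell
# Added example: read-only audit of who may shadow sessions on the RDP-Tcp listener.
# Server names reuse the article's sample hosts; $Expected is a hypothetical allowlist.
$Servers  = @("RDSHost01", "RDSHost02", "RDSHost03")
$Expected = @(
    "BUILTIN\Administrators",
    "NT AUTHORITY\SYSTEM",
    "EXAMPLE\RDP_Operators"      # constructed domain name, replace with your own
)
$WINSTATION_SHADOW = 0x10        # shadow bit in the Win32_TSAccount permission masks

function Get-RDPShadowAcl {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName
    )
    # One Win32_TSAccount instance exists per account entry on each listener
    Get-WmiObject -Class "Win32_TSAccount" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $ComputerName `
        -Authentication PacketPrivacy `
        -Filter "TerminalName='RDP-Tcp'" `
        -ErrorAction Stop |
    ForEach-Object {
        [PSCustomObject]@{
            ComputerName = $ComputerName
            AccountName  = $_.AccountName
            CanShadow    = [bool]($_.PermissionsAllowed -band $WINSTATION_SHADOW)
            ShadowDenied = [bool]($_.PermissionsDenied -band $WINSTATION_SHADOW)
            AllowedMask  = '0x{0:X}' -f $_.PermissionsAllowed
        }
    }
}

$Report = ForEach ($Server in $Servers) {
    Try   { Get-RDPShadowAcl -ComputerName $Server }
    Catch { Write-Warning "$Server : $($_.Exception.Message)" }
}

# Every account that can shadow, with entries outside the allowlist marked for review
$Report |
    Where-Object { $_.CanShadow -and -not $_.ShadowDenied } |
    Select-Object ComputerName, AccountName, AllowedMask,
        @{ Name = "Unexpected"; Expression = { $_.AccountName -notin $Expected } } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Running it before and after Set-RDSPermissions.ps1 shows exactly which entry the script added on each host and with what mask.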
Step 3
Add the group to the local Remote Desktop Users group on each of the RDSH servers. If your servers are combined into a session collection, we do this at the collection level:
$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)
For standalone servers we use
Step 4
Let's prepare the following PS script for the "managers":
RDSMmanagement.ps1
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

# Force a session on a remote RDSH server to log off
function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}

# Connect to a session in RDS Shadow mode with control
function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

# Parse the output of quser into objects, one per logged-on user
Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        # Collapse runs of whitespace, then split the line into columns
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        If ($CurrentLine[2] -eq "Disc") {
            # Disconnected sessions have no session name, so the columns shift left
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
            Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

# Prompt: "Enter the user's login"
$UserLogin = Read-Host -Prompt "Введите логин пользователя"
# "Searching for the user's RDP sessions on the servers..."
Write-Host "Поиск RDP-сессий пользователя на серверах..."
$SessionList = @()
ForEach ($Server in $Servers) {
    $TargetSession = $null
    # "Querying server <server>"
    Write-Host "  Опрос сервера $Server"
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        # "Error: "
        Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        # "Found a session with ID <id> on server <server>"
        Write-Host "  Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
        # Menu: "What shall we do?" 1 - connect to the session, 2 - end the session, 0 - nothing
        Write-Host "  Что будем делать?"
        Write-Host "    1 - подключиться к сессии"
        Write-Host "    2 - завершить сессию"
        Write-Host "    0 - ничего"
        # Prompt: "Enter the action"
        $Action = Read-Host -Prompt "Введите действие"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        Break
    }
    Else {
        # "no sessions found"
        Write-Host "    сессий не найдено"
    }
}
To make the script easy to run, we'll create a wrapper for it in the form of a cmd file with the same name as the PS script:
RDSMmanagement.cmd
@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
We put both files in a folder that will be accessible to the "managers" and ask them to log in again. Now, by running the cmd file, they will be able to connect to other users' sessions in RDS Shadow mode and force them to log off (this can be useful when a user cannot end a "hung" session on their own).
It looks like this:
For the "manager"
For the user
A few final remarks
Nuance 1. If the user session we are trying to take control of was started before the Set-RDSPermissions.ps1 script was run on the server, the "manager" will get an access error. The solution here is obvious: wait until the managed user logs in again.
Nuance 2. After several days of working with RDP Shadow, we noticed an interesting bug or feature: after the shadow session ends, the language bar in the tray disappears for the user being connected to, and to get it back the user has to log in again. As it turns out, we are not alone:
That's all. I wish you and your servers good health. As always, I look forward to your feedback in the comments and ask you to take the short survey below.
Source: www.habr.com