Delegating RDP session management

In the organization where I work, remote work is prohibited on principle. Or rather, it was, until last week. Now we have had to roll out a solution urgently. From the business side: adapting processes to the new way of working. From our side: PKI with PIN codes and tokens, VPN, detailed logging and much more.
Among other things, I was setting up the Remote Desktop infrastructure, also known as Terminal Services. We have several RDS deployments in different data centers. One of the goals was to let colleagues from related IT departments connect to user sessions interactively. As you know, there is the standard RDS Shadow mechanism for this, and the simplest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very greedy when it comes to handing out administrator rights. 🙂 If you agree with me, read on.

Well, the task is clear, so let's get down to business.

Step 1

Let's create a security group named RDP_Operators in Active Directory and add the accounts of the users to whom we want to delegate rights:

$Users = @(
    "UserLogin1",
    "UserLogin2",
    "UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users

If you have multiple AD sites, you will need to wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes no more than 15 minutes.

Step 2

Let's grant the group rights to manage terminal sessions on each of the RDSH servers:

Set-RDSPermissions.ps1

$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach($WMIHandle in $WMIHandles)
    {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp")
        {
            # Preset 2 = WINSTATION_ALL_ACCESS (full control of the RDP-Tcp listener)
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "успешно"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "ошибка"
            }
            Write-Host ("Делегирование прав на теневое подключение группе " +
                $Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}
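To confirm what Step 2 actually granted, the listener's account list can be read back from the same WMI namespace. This is an added example, not code from the original article; the `$Expected` allow-list is hypothetical, and the value 0x10 for the Shadow right in the access mask is an assumption taken from the WinStation access-right constants.

```powershell
# Added example (not from the original article): audit who holds rights on the
# RDP-Tcp listener of each session host after the delegation step.
$Servers  = @("RDSHost01", "RDSHost02", "RDSHost03")   # the article's placeholder hosts
# Hypothetical allow-list: principals you expect to see with the Shadow right.
$Expected = @("RDP_Operators", "Administrators", "SYSTEM")
$ShadowBit = 0x10   # assumption: WINSTATION_SHADOW bit of the access mask

$Report = ForEach ($Server in $Servers) {
    Try {
        $Accounts = Get-WmiObject `
            -Class "Win32_TSAccount" `
            -Namespace "root\CIMV2\terminalservices" `
            -Filter "TerminalName='RDP-Tcp'" `
            -ComputerName $Server `
            -Authentication PacketPrivacy `
            -Impersonation Impersonate `
            -ErrorAction Stop
    }
    Catch {
        # Unreachable host or access denied: report it and move on
        Write-Warning "$Server : $($_.Exception.Message)"
        Continue
    }
    ForEach ($Account in $Accounts) {
        $Allowed   = [uint32]$Account.PermissionsAllowed
        $ShortName = ($Account.AccountName -split '\\')[-1]   # drop DOMAIN\ prefix
        $CanShadow = ($Allowed -band $ShadowBit) -ne 0
        [PSCustomObject]@{
            Server     = $Server
            Account    = $Account.AccountName
            AllowMask  = '0x{0:X}' -f $Allowed
            CanShadow  = $CanShadow
            Unexpected = $CanShadow -and ($Expected -notcontains $ShortName)
        }
    }
}

$Report | Sort-Object Server, Account | Format-Table -AutoSize
# Principals that can shadow sessions but are not on the allow-list
$Report | Where-Object { $_.Unexpected } | ForEach-Object {
    Write-Warning "Unexpected shadow right: $($_.Account) on $($_.Server)"
}
```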

Step 3

Add the group to the local Remote Desktop Users group on each of the RDSH servers. If your servers are joined into session collections, do this at the collection level:

$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)

For standalone servers we use Group Policy and wait for it to be applied on the servers. Those too lazy to wait can speed things up with good old gpupdate, preferably run centrally.

Step 4

Let's prepare the following PS script for the "managers":

RDSManagement.ps1

$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}

function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        # Collapse runs of whitespace, then split the quser line into columns
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
        Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

$UserLogin = Read-Host -Prompt "Введите логин пользователя"
Write-Host "Поиск RDP-сессий пользователя на серверах..."
$SessionList = @()
ForEach ($Server in $Servers) {
    $TargetSession = $null
    Write-Host "  Опрос сервера $Server"
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        Write-Host "    Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
        Write-Host "    Что будем делать?"
        Write-Host "      1 - подключиться к сессии"
        Write-Host "      2 - завершить сессию"
        Write-Host "      0 - ничего"
        $Action = Read-Host -Prompt "Введите действие"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        Break
    }
    Else {
        Write-Host "    сессий не найдено"
    }
}

To make the PS script convenient to run, we'll create a wrapper for it: a cmd file with the same name as the PS script:

RDSManagement.cmd

@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*

We put both files in a folder accessible to the "managers" and ask them to log off and log on again. Now, by running the cmd file, they will be able to connect to other users' sessions in RDS Shadow mode and force those sessions to log off (this can be useful when a user cannot end a "hung" session on their own).

It looks like this:

For the "manager": [screenshot]

For the user: [screenshot]
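Once shadowing is delegated, its use should be reviewable. The following added example (not part of the original article) collects shadow-session events from each session host. The event IDs and the log name are assumptions based on the TerminalServices-RemoteConnectionManager operational log, and the account running it is assumed to be allowed to read event logs remotely.

```powershell
# Added example (not from the original article): when shadow sessions were
# started and stopped on each session host during the last 7 days.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")   # the article's placeholder hosts

# Assumed event IDs of the RemoteConnectionManager operational log
$EventNames = @{
    20503 = "Shadow view session started"
    20504 = "Shadow view session stopped"
    20506 = "Shadow control session started"
    20507 = "Shadow control session stopped"
}
$Filter = @{
    LogName   = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    Id        = 20503, 20504, 20506, 20507
    StartTime = (Get-Date).AddDays(-7)
}

$ShadowEvents = ForEach ($Server in $Servers) {
    Try {
        Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop |
            ForEach-Object {
                [PSCustomObject]@{
                    Time    = $_.TimeCreated
                    Server  = $Server
                    EventId = $_.Id
                    Action  = $EventNames[$_.Id]
                    Message = $_.Message   # the event's own description
                }
            }
    }
    Catch {
        # Get-WinEvent raises an error when nothing matches; that is not a failure here
        If ($_.FullyQualifiedErrorId -notlike "NoMatchingEventsFound*") {
            Write-Warning "$Server : $($_.Exception.Message)"
        }
    }
}

$ShadowEvents | Sort-Object Time |
    Format-Table Time, Server, EventId, Action, Message -Wrap
```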

A few final remarks

Nuance 1. If the user session we are trying to take control of was started before Set-RDSPermissions.ps1 was run on the server, the "manager" will get an access error. The solution here is obvious: wait until the managed user logs on again.

Nuance 2. After a few days of working with RDP Shadow, we noticed an interesting bug or feature: after the shadow session ends, the language bar in the tray disappears for the user who was connected to, and to get it back the user has to log on again. As it turned out, we are not alone: one, two, three.

That's all. I wish good health to you and your servers. As always, I look forward to your feedback in the comments, and I ask you to take the short survey below.


What do you use?

  • AMMYY Admin: 8.1% (5 votes)
  • AnyDesk: 17.7% (11 votes)
  • DameWare: 9.7% (6 votes)
  • Radmin: 24.2% (15 votes)
  • RDS Shadow: 14.5% (9 votes)
  • Quick Assist / Windows Remote Assistance: 1.6% (1 vote)
  • TeamViewer: 38.7% (24 votes)
  • VNC: 32.3% (20 votes)
  • Other: 32.3% (20 votes)
  • LiteManager: 3.2% (2 votes)

62 users voted. 22 users abstained.

Source: www.habr.com
