Using PowerShell to Elevate Local Account Privileges


Privilege escalation is an attacker's use of an account's current rights to gain additional, usually higher, access to a system. Although privilege escalation can be the result of exploiting zero-day vulnerabilities, the work of first-class hackers running a targeted attack, or well-disguised malware, it is most often caused by a misconfigured computer or account. As the attack develops, attackers exploit a number of individual weaknesses that together can lead to a catastrophic data leak.

Why shouldn't users have local administrator rights?

If you are a security professional, it may seem obvious that users should not have local administrator rights, because this:

  • Makes their accounts more vulnerable to a variety of attacks
  • Makes those same attacks much more severe

Unfortunately, in many organizations this is still a contentious issue, sometimes accompanied by heated discussions (see, for example, "my manager says all users must be local administrators"). Without going into the details of that debate, we assume that the attacker has obtained local administrator rights on the system under investigation, either through an exploit or because the machines were not properly secured.

Step 1: Reverse DNS Resolution with PowerShell

By default, PowerShell is installed on many local workstations and on most Windows servers. And while it is, without exaggeration, considered an incredibly useful automation and management tool, it can just as easily turn into almost invisible fileless malware (a malicious program that leaves no traces of the attack).

In our scenario, the attacker begins network reconnaissance with a PowerShell script that iterates sequentially over the network's IP address space, trying to determine whether a given IP resolves to a host and, if so, what that host's network name is.
There are many ways to do this, but the Get-ADComputer cmdlet is a solid option because it returns a really rich set of data about each node:

Import-Module ActiveDirectory
Get-ADComputer -Properties * -Filter { IPv4Address -eq '10.10.10.10' }

If speed on large networks is a problem, a reverse DNS lookup can be used:

[System.Net.Dns]::GetHostEntry('10.10.10.10').HostName


This method of enumerating hosts on a network is very popular, because most networks do not use a zero-trust security model and do not monitor internal DNS queries for suspicious bursts of activity.
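One way to watch for the burst of internal reverse lookups described above, as an added example that is not part of the original article: the function flags any client that requests many distinct PTR names within one time window. The record fields (Time, Client, QueryType, QueryName), the thresholds and the sample data are constructed assumptions; map your own DNS query log onto them.

```powershell
# Added example: flag clients that issue a burst of reverse (PTR) lookups.
function Find-PtrSweep {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowSeconds = 60,   # tumbling window size (assumed value)
        [int] $MinDistinct   = 20    # distinct PTR names per window that raise a finding
    )
    $Records |
        Where-Object { $_.QueryType -eq 'PTR' -and $_.QueryName -match '\.(in-addr|ip6)\.arpa\.?$' } |
        # One bucket per client per window; a burst that straddles a window
        # boundary is split in two, so keep MinDistinct conservative.
        Group-Object Client, { [math]::Floor(([datetime]$_.Time).Ticks / ($WindowSeconds * 1e7)) } |
        ForEach-Object {
            $names = @($_.Group.QueryName | Sort-Object -Unique)
            if ($names.Count -ge $MinDistinct) {
                [pscustomobject]@{
                    Client       = $_.Group[0].Client
                    FirstSeen    = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                    DistinctPtrs = $names.Count
                }
            }
        }
}

# Constructed sample: one client sweeps 10.10.10.1-40, another behaves normally.
$start  = [datetime]'2024-01-01T09:00:00'
$sample = @(
    0..39 | ForEach-Object {
        [pscustomobject]@{ Time = $start.AddMilliseconds(200 * $_); Client = '10.10.10.57'
                           QueryType = 'PTR'; QueryName = "$($_ + 1).10.10.10.in-addr.arpa" }
    }
    [pscustomobject]@{ Time = $start.AddSeconds(5); Client = '10.10.10.80'
                       QueryType = 'A'; QueryName = 'intranet.example.test' }
    [pscustomobject]@{ Time = $start.AddSeconds(9); Client = '10.10.10.80'
                       QueryType = 'PTR'; QueryName = '10.10.10.10.in-addr.arpa' }
)

# Only 10.10.10.57 is reported (40 distinct PTR names inside one window).
Find-PtrSweep -Records $sample | Format-Table -AutoSize
```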

Step 2: Choose a target

The result of this step is a list of server and workstation host names that can be used to continue the attack.


Judging by its name, the 'HUB-FILER' server looks like a suitable target, because over time file servers, as a rule, accumulate a large number of network folders and excessive access to them by too many people.

Browsing with Windows Explorer lets us see that a shared folder exists, but our current account cannot access it (we probably have list-only rights).

Step 3: Read the ACLs

Now, for our HUB-FILER host and the target share, we can run a PowerShell script to get the ACL. We can do this from the local machine, since we already have local administrator rights:

(Get-Acl \\hub-filer\share).Access | Format-Table IdentityReference,FileSystemRights,AccessControlType,IsInherited,InheritanceFlags -AutoSize

Result (shown as a screenshot in the original article):

In the output we see that the Domain Users group has list-only access, but the Helpdesk group also has modify rights.

Step 4: Identify the accounts

By running Get-ADGroupMember, we can get all the members of this group:

Get-ADGroupMember -Identity Helpdesk


In this list we see the computer account that we have already identified and already gained access to.

Step 5: Use PsExec to run as the computer account

PsExec from Microsoft Sysinternals lets you run commands in the context of the system account SYSTEM@HUB-SHAREPOINT, which we know is a member of the target Helpdesk group. That is, all we need to do is run:

PsExec.exe -s -i cmd.exe

Well, now you have full access to the target folder \\HUB-FILER\share\HR, because you are working in the context of the HUB-SHAREPOINT computer account. And with this access, the data can be copied to a portable storage device or otherwise retrieved and transferred over the network.

Step 6: Detecting this attack

This particular weakness in how account privileges are configured (computer accounts accessing network shares instead of user accounts or service accounts) can be detected. However, without the right tools, this is very hard to do.

To detect and prevent this category of attack, we can use DatAdvantage to identify groups that have computer accounts in them, and then deny them access. DatAlert goes further and lets you create an alert specifically for this kind of scenario.

The screenshot in the original article shows a custom alert that fires whenever a computer account accesses data on a monitored server.
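The group check described in this step can also be approximated with built-in cmdlets. This added example (not from the original article and not part of any product it mentions) lists the ACL entries whose group directly contains a computer account; the function name, the CORP domain and the sample ACL and group members are constructed, and the default resolver assumes the ActiveDirectory module is available.

```powershell
# Added example: report share ACL entries that are granted through a group
# containing computer accounts (the misconfiguration this article walks through).
function Find-ComputerAccountAccess {
    param(
        [Parameter(Mandatory)] [object[]] $AccessRules,   # e.g. (Get-Acl <path>).Access
        # Resolves a group name to its direct members (nested groups are not expanded).
        [scriptblock] $GetMembers = { param($g) Get-ADGroupMember -Identity $g }
    )
    foreach ($rule in $AccessRules | Where-Object AccessControlType -eq 'Allow') {
        $group = ("$($rule.IdentityReference)" -split '\\')[-1]   # strip DOMAIN\ prefix
        # Identities that are not AD groups (users, BUILTIN\...) simply yield no members.
        $members = try { @(& $GetMembers $group) } catch { @() }
        foreach ($m in $members | Where-Object objectClass -eq 'computer') {
            [pscustomobject]@{
                Group    = $group
                Rights   = $rule.FileSystemRights
                Computer = $m.SamAccountName
            }
        }
    }
}

# Constructed sample mirroring the ACL and group membership described above.
$acl = @(
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Users'; FileSystemRights = 'ListDirectory'
                       AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk'; FileSystemRights = 'Modify'
                       AccessControlType = 'Allow' }
)
$groups = @{
    'Domain Users' = @([pscustomobject]@{ SamAccountName = 'alice'; objectClass = 'user' })
    'Helpdesk'     = @(
        [pscustomobject]@{ SamAccountName = 'bob'; objectClass = 'user' }
        [pscustomobject]@{ SamAccountName = 'HUB-SHAREPOINT$'; objectClass = 'computer' }
    )
}

# Reports one finding: Helpdesk / Modify / HUB-SHAREPOINT$
Find-ComputerAccountAccess -AccessRules $acl -GetMembers { param($g) $groups[$g] }
```

Against a live domain, pass `(Get-Acl <share path>).Access` and omit `-GetMembers`; any finding is a group to clean up or an ACL entry to tighten.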

Next steps with PowerShell

Want to know more? Use the unlock code "blog" to get full access to the PowerShell and Active Directory Basics video course.

Source: www.habr.com
