PowerShell: machine vs man
Some time ago I inherited a terminal server farm. And the management set me a task - to eradicate skype, chrome, firefox and mail.ru agents on all terminal servers. Historically, the company uses thin clients and only privileged users have a full-fledged PC, and the above-mentioned programs are allowed there, and on the terminals - no, no.
')
I demolished all the programs, screwed AD policies that restrict the launch of specified applications and decided that this is probably all. But a day later I found that users are using the program again, but already a portable version, and the exe-files were renamed 123 * .exe. I confess I was surprised by the awareness and preparedness of users.
The issue of closing the Internet or banning absolutely all programs except those that were allowed was not suitable due to the specifics of the office. There was a sports interest and I decided to use powershell:
1. determine the running processes
2. Further, only those that are interesting to us are required - here we pay attention to the fact that if the process is renamed to 123.exe and in the process list it will hang like 123, and this is bad, because it is not clear whether this is a good process or a bad one, so we look at the description field - even though the skype file is renamed 123 and 123 hangs in the processes, but here’s an old description - skype
3. stop the found processes:
In the dry residue we have a design of the form:
You can put this in a ps1 script and screw it to something, but then you will need to sign it or disable the security requirement — do not run unsigned scripts.
I acted differently - I created a task in the scheduler, where I indicated to run the program:
with parameter
In this case, the launch takes place and the script signature is not required. Now the task can be launched at least every minute and nail down programs that we don’t want. And if you add refined filtering to this solution , then in general it is possible to wean users from using any given programs in the entire domain (without refined search, the renamed files will not work).
')
I demolished all the programs, screwed AD policies that restrict the launch of specified applications and decided that this is probably all. But a day later I found that users are using the program again, but already a portable version, and the exe-files were renamed 123 * .exe. I confess I was surprised by the awareness and preparedness of users.
The issue of closing the Internet or banning absolutely all programs except those that were allowed was not suitable due to the specifics of the office. There was a sports interest and I decided to use powershell:
1. determine the running processes
get-process2. Further, only those that are interesting to us are required - here we pay attention to the fact that if the process is renamed to 123.exe and in the process list it will hang like 123, and this is bad, because it is not clear whether this is a good process or a bad one, so we look at the description field - even though the skype file is renamed 123 and 123 hangs in the processes, but here’s an old description - skype
where-object { $_.Description -match 'skype' }3. stop the found processes:
Stop-Process -ForceIn the dry residue we have a design of the form:
get-process | where-object { $_.Description -match "skype" } | Stop-Process -ForceYou can put this in a ps1 script and screw it to something, but then you will need to sign it or disable the security requirement — do not run unsigned scripts.
I acted differently - I created a task in the scheduler, where I indicated to run the program:
C:\Windows\...\powershell.exewith parameter
get-process | where-object { $_.Description -match 'skype' } | Stop-Process -ForceIn this case, the launch takes place and the script signature is not required. Now the task can be launched at least every minute and nail down programs that we don’t want. And if you add refined filtering to this solution , then in general it is possible to wean users from using any given programs in the entire domain (without refined search, the renamed files will not work).
Source: https://habr.com/ru/post/120434/
All Articles