
Selective IP ban on cloudy Windows Server 2012 via RDP



The company consists of an office and remote stores. One day an employee walked out with the customer database on a flash drive. After that, everyone was immediately moved to remote desktops with the local interfaces disabled. But admins need even more control! Below is a way to slightly improve security and gain some control over the situation.

Windows Server 2012 R2 Standard.

PowerShell version ($PSVersionTable):

PSVersion                  4.0
WSManStackVersion          3.0
SerializationVersion       1.1.0.1
CLRVersion                 4.0.30319.42000
BuildVersion               6.3.9600.18773
PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion  2.2

All this was set up in haste by the previous administrator, so the whole infrastructure now runs on crutches. Then I came in to support it. One of the new tasks: office managers may log in to the cloud desktop only from the office, not from home, while the ability to work from home stays for those who need it, and the remote stores are not touched at all. Normally this is done with firewall policies or through a domain. But since the restriction has to be selective, there is no domain, and the server is hosted in the cloud, I had to look for an unusual solution.
I had never written PowerShell before, so I sent a paid request to our hosting provider's technicians. But while they were thinking, I sketched a quick working solution. Here is the scheme:

Create a folder for the scripts. Add the script itself:

# saved as UTF8
# (reconstructed from the flattened original; its Russian comments did not survive
#  extraction and are replaced with English ones)
$username = "username"                          # account to restrict
$localnet = "1.2.3.4"                           # the office's public IP, the only one allowed
$logfile  = "C:\SCRIPTFOLDER\Scripts\log.txt"

# Newest Security event that mentions the user together with something that looks like an IPv4 address
$lastevent = Get-EventLog Security -Message "*$username*:*.*.*.*" -Newest 1
# Pull the address out with a regex; the original used substring offsets tied to the Russian event text.
# No event (or no address in it) leaves $IP empty, which fails closed below, as the original did
$IP = if ($lastevent) { [regex]::Match($lastevent.Message, '\d{1,3}(\.\d{1,3}){3}').Value } else { "" }

# Session ID by user name: 'query session' prints a header, then one line per session;
# the ID is the first all-digit column (@() so that a single result is not indexed as a string)
$IDbyName = @(((query session $username)[1] -split '\s+') | Where-Object { $_ -match '^\d+$' })[0]

if ($IDbyName) {                                # the user is logged on
    if ($IP -ne $localnet) {                    # and not from the office: drop the session and log it
        logoff $IDbyName
        "`n---------`n$(Get-Date)`nRDP session kicked`nUSER: $username`nIP: $IP" | Out-File $logfile -Append
    }
}

The script is not the most flexible, but it works. Now for the automation. Open Task Scheduler. You can create the task by hand, but it is easier to import this task.xml:

task.xml
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2018-08-09T15:44:22.8651577</Date>
    <Author>ServerName\AdminUser</Author>
    <Description>Selective IP ban</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>false</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[(Level=4 or Level=0) and (band(Keywords,9007199254740992)) and (EventID=4648) and TimeCreated[timediff(@SystemTime) &amp;lt;= 3600000]]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
    <SessionStateChangeTrigger>
      <Enabled>true</Enabled>
      <StateChange>RemoteConnect</StateChange>
      <UserId>ServerName\username</UserId>
    </SessionStateChangeTrigger>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>ServerName\username</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>ServerName\AdminUser</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>PowerShell</Command>
      <Arguments>-File "C:\SCRIPTFOLDER\Scripts\kickUsername.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>


Do not forget to replace ServerName with the server's computer name, AdminUser with the account the task will run as, and username with the account you want to restrict. The event trigger on Security event 4648 is left disabled; the two session triggers do the work. After importing, check that the task itself is enabled: the scheduler takes the Enabled flag from the Settings section of the XML, and a task exported while disabled stays disabled.
After importing the task, its properties window shows:



Triggers:

  1. On remote connection to a session of user username
  2. At logon of username

Action: start the program PowerShell with the argument -File "C:\SCRIPTFOLDER\Scripts\kickUsername.ps1"

Be sure to run it as the admin account with the highest privileges. Click OK and enter the admin's password. The task is ready! Now, when a restricted user connects from any IP other than the office one, his session is logged off and a log entry is written to the script folder.

Two things to check before relying on it. The task runs kickUsername.ps1 with AdminUser's stored password and elevated rights, so anyone who can write to C:\SCRIPTFOLDER\Scripts (the restricted user included, if ordinary users have write access there) gets code execution as that admin: restrict the folder's ACL to administrators only, and remember that the task stops running when AdminUser's password changes until it is re-entered. And the decision rests on the newest Security event that mentions the user: if logon auditing is off or the event has not been written yet when the session trigger fires, the script sees no address and logs the user off anyway, so test a logon from the office IP after deploying.
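The same import done from PowerShell instead of the Task Scheduler window, together with the folder lockdown mentioned above. This is an added example, not code from the original post; the task name KickUsername is my choice, and ServerName\AdminUser and the folder path are the article's placeholders. Run it from an elevated PowerShell on the server.

```powershell
# Added example (not from the original post): register task.xml from PowerShell and
# lock down the script folder. The task runs kickUsername.ps1 with AdminUser's stored
# password and highest privileges, so whoever can write to that folder runs code as
# that admin. 'KickUsername', ServerName\AdminUser and the path are placeholders.

$scripts = 'C:\SCRIPTFOLDER\Scripts'
$cred    = Get-Credential -UserName 'ServerName\AdminUser' -Message 'Account the task runs as'

# -Raw reads the file as one string, which -Xml expects. The password is required
# because the XML uses <LogonType>Password</LogonType>; RunLevel comes from the XML.
Register-ScheduledTask -TaskName 'KickUsername' -Xml (Get-Content "$scripts\task.xml" -Raw) `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -Force

# An imported task keeps the Enabled flag from its <Settings>; make sure it is on.
Enable-ScheduledTask -TaskName 'KickUsername' | Out-Null

# Folder ACL: drop inherited entries (typically Users: read, sometimes write), then grant
# full control to SYSTEM and Administrators only. Well-known SIDs are used so the command
# does not depend on the server's display language.
icacls $scripts /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'

# Verify: task present and Ready, folder has exactly the two ACEs above.
Get-ScheduledTask -TaskName 'KickUsername' | Select-Object TaskName, State
icacls $scripts
```

If the restricted user needs to see log.txt (he does not), keep it out of this folder; otherwise the ACL above also protects the log from being cleared.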

To restrict another user, repeat the whole process (I wanted to keep a ban list in a file, but I lacked the experience and the time). That's all.
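Here is how that ban list could look, as an added example that is not part of the original post: one script serving several restricted users, each with one or more allowed networks, read from a CSV file. The file name banlist.csv, its two columns, and all function names are my own. The source address is taken from Security event 4624 (successful logon) read as XML rather than from the message text, so it does not depend on the server's display language; everything else (query session, logoff, the log file) follows the article's script.

```powershell
# Added example, not from the original post: the kick logic generalised to a list of
# restricted users with allowed IPv4 networks each. Assumed layout of banlist.csv
# (file name and columns are my choice):
#   User,AllowedNets
#   ivanov,203.0.113.4/32;198.51.100.0/24
#   petrova,203.0.113.4
# Uses only PowerShell 4.0 features, matching the server in the article.

param(
    [string]$BanList   = "C:\SCRIPTFOLDER\Scripts\banlist.csv",
    [string]$LogFile   = "C:\SCRIPTFOLDER\Scripts\log.txt",
    [int]   $MaxEvents = 20      # how many recent 4624 events per user to look through
)

function Write-Log([string]$Message) {
    "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message | Out-File -FilePath $LogFile -Append -Encoding UTF8
}

function Test-IPInNetwork([string]$Ip, [string]$Cidr) {
    # IPv4 prefix match, octet by octet; "a.b.c.d" without a length means /32
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }   # IPv4 only
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, [int]$bits - 8 * $i))   # prefix bits in this octet
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Get-LastRdpSourceIp([string]$User) {
    # The user name is spliced into an XPath query: reject anything that could break it
    if ($User -notmatch '^[\w.-]+$') { throw "unexpected characters in user name: $User" }
    $xpath  = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$User']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {                          # newest first
        $data = @{}
        foreach ($d in ([xml]($ev.ToXml())).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 10 = RemoteInteractive (RDP); 7 = Unlock, which a reconnect to a disconnected
        # session also produces. Only the newest such logon counts, so an older office
        # logon can never vouch for a new one.
        if ($data.LogonType -eq '10' -or $data.LogonType -eq '7') {
            if ($data.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') { return $data.IpAddress }
            return $null
        }
    }
    return $null
}

function Get-SessionId([string]$User) {
    # 'query session <user>' prints a header, then one line per session; the session ID is
    # the first all-digit column (SESSIONNAME is blank for disconnected sessions)
    $lines = @(query session $User 2>$null)
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $cols = $line.Trim() -split '\s+'
        if ($cols -contains $User) {
            return @($cols | Where-Object { $_ -match '^\d+$' })[0]
        }
    }
    return $null
}

foreach ($row in (Import-Csv -Path $BanList)) {
    $user = $row.User.Trim()
    $nets = @($row.AllowedNets -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $session = Get-SessionId $user
    if (-not $session) { continue }                     # not logged on: nothing to check
    $ip = Get-LastRdpSourceIp $user
    if (-not $ip) {
        # No usable IPv4 source (IPv6 client, console logon, auditing off): logged, not kicked.
        # Replace the Write-Log with 'logoff $session' if you would rather fail closed.
        Write-Log "WARN no IPv4 source found for $user (session $session), not kicked"
        continue
    }
    $allowed = $false
    foreach ($n in $nets) { if (Test-IPInNetwork $ip $n) { $allowed = $true; break } }
    if (-not $allowed) {
        logoff $session
        Write-Log "KICK $user session $session from $ip (allowed: $($nets -join ', '))"
    } else {
        Write-Log "OK   $user session $session from $ip"
    }
}
```

Run it from the same scheduled task, adding a SessionStateChangeTrigger and a LogonTrigger for each user in the list (or enabling the event trigger). Users who are not logged on are skipped, so the script can also be run on a plain time trigger as a safety net. Unlike the article's script, it fails open when no address can be found; the comment marks the one line to change if you prefer the original's fail-closed behaviour.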

Criticism is very welcome, because this is my first PowerShell code. I also realize that this method does not protect the valuable information 100%. But dishonest employees will be forced to do their dirty work at the workplace, and that is more dangerous for them. Enjoy!

Source: https://habr.com/ru/post/423301/

