仅允许RemoteApp,不允许远程桌面


11

我发现以下具有类似前提的问题,但是对于该问题的答案是将该问题改写为陈述!

RemoteApp阻止用户运行远程桌面

如何允许RemoteApp但不允许远程桌面?为了允许远程应用程序,我似乎不得不将用户添加到“远程桌面用户”组中。这允许远程桌面。

我尝试使用“ TS Web访问计算机”组,但是这并没有赋予他们运行RemoteApp的权限。

禁用远程桌面,同时保持RemoteApp功能不变的配置在哪里?


RemoteApp仍为TS / RDS;您仍然必须同样保护服务器。
克里斯·S

同意,尽管我们提供服务,但只允许他们使用该应用程序。他们没有完全登录桌面,以减少系统开销。如果他们像埃文(Evan)所述那样解决问题,那么我们可以逐案处理。这是资源问题,而不是棘手的安全问题。
Brett Allen 2010年

Answers:


12

没有这样做的“官方认可”方法,因为从根本上来说,TS RemoteApp功能只是利用现有的远程桌面代码。您可以做一些愚蠢的事情,例如使用组策略将用户的外壳程序设置为“ logoff.exe”,这样,如果他们尝试访问计算机的桌面,则将立即注销。但是,使用通用“文件/打开”对话框的任何应用程序都可以用来获取命令提示符或在服务器的桌面上打开其他程序。

最好确保遵循最低特权原则,并为TS RemoteApp用户提供运行所需软件所需的尽可能少的权限。如果它们确实出现在服务器计算机的桌面上,则其受限制的权限应防止它们对服务器计算机造成任何损害。


众所周知,该软件是我们自己的,我们为客户提供了一种无需拥有自己的服务器即可运行它的方法。但是,我们试图将它们限制为仅使用该应用程序。将尝试该想法并查看其进展。
Brett Allen 2010年

此政策的位置在哪里?我可以在托管这些应用程序的服务器的本地安全策略中执行此操作吗?如果我需要在域级别执行此操作,则需要引入公司所有者并逐步引导他。
Brett Allen 2010年

2
@Aequitarum保管人,我相信他说的是User Configuration/Policies/Administrative Templates/System/Custom User Interface
Zoredache

1
不要忘记设置软件限制策略,使它们只能运行您期望它们运行的​​内容。(+1将shell设置为logoff.exe:我已经做了同样的事情并推荐它)
Skyhawk,2010年

@Aequitarum不,您不需要在域级别执行此操作。如果只想在一台计算机上本地编辑组策略,只需运行gpedit.msc。
天鹰


1

这就是我将桌面锁定为仅服务器管理员和命名AD组可以访问的方式。不属于给定AD组成员的用户将收到一条消息,告诉他们使用RDWeb,而不是台式机/标准mstsc。

  1. 创建一个vbscript并将其放在服务器上的所有用户都可以读取并执行的文件夹中
  2. 将以下行添加到 %windir%\system32\USRLOGON.CMD

    cscript <sourcefolder>\DesktopUserCheck.vbs
    

vbscript代码(请在下面的<>条目中添加您的个人信息)

'Script created by Tord Bergset, Jan 2014
'This script is called from the file called C:\Windows\System32\USRLOGON.CMD
'The script check if a user logging on to the server desktop is a allowed to do this.
'The string called StrGroupName controls the access group to check for. 
'AD group used for this script = "G WTS Grant Desktop Access"
'---------------------------------------------------------------------------------------

Const strComputer = "."
Const EWX_LOGOFF = 0 

Dim objShell, objWMIService, colProcessList, objNetwork, StrGroupName, strUsername, strUserIsMember, strUserFullName

Set objShell = WScript.CreateObject ("WScript.Shell")
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'userinit.exe'")
Set objNetwork = CreateObject("Wscript.Network")
strUsername = EnvString("username")

' Mention any AD Group Name Here. Also works for Domain Admins, Enterprise Admins etc.
' -------------------------------------------------------------------------------------
StrGroupName = "G WTS Grant Desktop Access"
' -------------------------------------------------------------------------------------

If IsAdmin = 0 Then wscript.Quit

CheckADGroupMembership()

If strUserIsMember = "YES" Then
    ' Do something here if user is a member of the group
    'MsgBox "Is member"
    Wscript.Quit
Else
    ' Do something here if user is NOT a member of the group
    'MsgBox "Is not member" 
    For Each objProcess in colProcessList
        MsgBox "You (" & strUsername & " ) are not allowed to log in to the server desktop." & VBLF & "Please connect through the Remote Desktop Web Page (RDWeb):" & VBLF & VBLF & "<rdweb server address>", vbExclamation + vbSystemModal, strUsername & " - Access Denied !"
        objShell.run "logoff"
        WScript.Quit
    Next    
End If

Wscript.Quit 


' *****************************************************
'This function checks to see if the logged on user has local admin rights
Function IsAdmin()
    With CreateObject("Wscript.Shell")
        IsAdmin = .Run("%comspec% /c OPENFILES > nul", 0, True)
    End With
End Function

' *****************************************************
'This function checks to see if the passed group name contains the current user as a member. Returns True or False
Function IsMember(groupName)
    If IsEmpty(groupListD) then
        Set groupListD = CreateObject("Scripting.Dictionary")
        groupListD.CompareMode = TextCompare
        ADSPath = EnvString("userdomain") & "/" & EnvString("username")
        Set userPath = GetObject("WinNT://" & ADSPath & ",user")
        For Each listGroup in userPath.Groups
            groupListD.Add listGroup.Name, "-"
        Next
    End if
    IsMember = CBool(groupListD.Exists(groupName))
End Function

' *****************************************************
'This function returns a particular environment variable's value.
' for example, if you use EnvString("username"), it would return the value of %username%.
Function EnvString(variable)
    variable = "%" & variable & "%"
    EnvString = objShell.ExpandEnvironmentStrings(variable)
End Function


' *****************************************************
Sub CheckADGroupMembership()
    ' =============================================================
    ' List All Members of a Group; Including Nested Members
    ' =============================================================
    Dim ObjRootDSE, ObjConn, ObjRS, ObjCustom
    Dim StrDomainName, StrGroupName, StrSQL
    Dim StrGroupDN, StrEmptySpace

    strUserIsMember = ""

    Set ObjRootDSE = GetObject("LDAP://RootDSE")
    StrDomainName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
    Set ObjRootDSE = Nothing

    StrSQL = "Select ADsPath From 'LDAP://" & StrDomainName & "' Where ObjectCategory = 'Group' AND Name = '" & StrGroupName & "'"

    Set ObjConn = CreateObject("ADODB.Connection")
    ObjConn.Provider = "ADsDSOObject":  ObjConn.Open "Active Directory Provider"
    Set ObjRS = CreateObject("ADODB.Recordset")
    ObjRS.Open StrSQL, ObjConn
    If ObjRS.EOF Then
        'WScript.Echo VbCrLf & "This Group: " & StrGroupName & " does not exist in Active Directory"
    End If
    If Not ObjRS.EOF Then   
        WScript.Echo vbNullString
        ObjRS.MoveLast: ObjRS.MoveFirst
        'WScript.Echo "Total No of Groups Found: " & ObjRS.RecordCount
        'WScript.Echo "List of Members In " & StrGroupName & " are: " & VbCrLf
        While Not ObjRS.EOF     
            StrGroupDN = Trim(ObjRS.Fields("ADsPath").Value)
            Set ObjCustom = CreateObject("Scripting.Dictionary")
            StrEmptySpace = " "
            GetAllNestedMembers StrGroupDN, StrEmptySpace, ObjCustom
            Set ObjCustom = Nothing
            ObjRS.MoveNext
        Wend
    End If
    ObjRS.Close:    Set ObjRS = Nothing
    ObjConn.Close:  Set ObjConn = Nothing
End Sub

Private Function GetAllNestedMembers (StrGroupADsPath, StrEmptySpace, ObjCustom)
    Dim ObjGroup, ObjMember
    Set ObjGroup = GetObject(StrGroupADsPath)
    For Each ObjMember In ObjGroup.Members      
        'WScript.Echo Trim(ObjMember.CN) & " --- " & Trim(ObjMember.DisplayName) & " (" & Trim(ObjMember.Class) & ")" & " (" & Trim(ObjMember.sAMAccountName) & ")"
        strThisUser = Trim(ObjMember.sAMAccountName)

        If lCase(strUsername) = lCase(strThisUser) Then 
            strUserIsMember = "YES"
            strUserFullName = Trim(ObjMember.DisplayName)
            Exit Function
        End If

        If Strcomp(Trim(ObjMember.Class), "Group", vbTextCompare) = 0 Then
            If ObjCustom.Exists(ObjMember.ADsPath) Then 
                'WScript.Echo StrEmptySpace & " -- Already Checked Group-Member " & "(Stopping Here To Escape Loop)"
            Else
                ObjCustom.Add ObjMember.ADsPath, 1  
                GetFromHere ObjMember.ADsPath, StrEmptySpace & " ", ObjCustom
            End If
        End If
    Next
End Function

Private Sub GetFromHere(StrGroupADsPath, StrEmptySpace, ObjCustom)
    Dim ObjThisGroup, ObjThisMember
    Set ObjThisGroup = GetObject(StrGroupADsPath)
    'WScript.Echo vbNullString
    'WScript.Echo "  ** Members of this Group are:"
    For Each ObjThisMember In ObjThisGroup.Members      
        'WScript.Echo "    >> " & Trim(ObjThisMember.CN) & " --- " & Trim(ObjThisMember.DisplayName) & " (" & Trim(ObjThisMember.Class) & ")" & " (" & Trim(ObjThisMember.sAMAccountName) & ")"
        strThisUser = Trim(ObjThisMember.sAMAccountName)

        If lCase(strUsername) = lCase(strThisUser) Then 
            strUserIsMember = "YES"
            strUserFullName = Trim(ObjThisMember.DisplayName)
            Exit Sub
        End If

    Next
    'WScript.Echo vbNullString
End Sub


0

您可以利用以下事实:完全用户会话启动该userinit.exe过程,而RemoteApp会话启动该rdpshell.exe过程。AppLocker可用于禁止userinit.exe标准用户执行。

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.