From fce7f6792af5eef609d5d27c46b2c00a85a225bd Mon Sep 17 00:00:00 2001 From: vfedosevich Date: Fri, 3 Apr 2015 03:44:00 -0700 Subject: [PATCH] RDS Powershell disabled by GPO --- .../RdsServerSettings.cs | 3 + .../Windows2012.cs | 46 +++++++- .../SettingsRdsPolicy.ascx.resx | 3 + .../RDSEditUserExperience.ascx.resx | 3 + .../RDS/RDSEditUserExperience.ascx | 14 +++ .../RDS/RDSEditUserExperience.ascx.cs | 103 ++++++------------ .../RDSEditUserExperience.ascx.designer.cs | 36 ++++++ .../WebsitePanel/SettingsRdsPolicy.ascx | 14 +++ .../WebsitePanel/SettingsRdsPolicy.ascx.cs | 9 ++ .../SettingsRdsPolicy.ascx.designer.cs | 36 ++++++ 10 files changed, 195 insertions(+), 72 deletions(-) diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.Base/RemoteDesktopServices/RdsServerSettings.cs b/WebsitePanel/Sources/WebsitePanel.Providers.Base/RemoteDesktopServices/RdsServerSettings.cs index beddb245..ad175a46 100644 --- a/WebsitePanel/Sources/WebsitePanel.Providers.Base/RemoteDesktopServices/RdsServerSettings.cs +++ b/WebsitePanel/Sources/WebsitePanel.Providers.Base/RemoteDesktopServices/RdsServerSettings.cs @@ -45,6 +45,9 @@ namespace WebsitePanel.EnterpriseServer.Base.RDS public const string RDS_CONTROL_WITHOUT_PERMISSION = "RDSControlWithoutPermission"; public const string RDS_CONTROL_WITHOUT_PERMISSION_ADMINISTRATORS = "RDSControlWithoutPermissionAdministrators"; public const string RDS_CONTROL_WITHOUT_PERMISSION_Users = "RDSControlWithoutPermissionUsers"; + public const string DISABLE_CMD = "DisableCMD"; + public const string DISABLE_CMD_ADMINISTRATORS = "DisableCMDAdministrators"; + public const string DISABLE_CMD_USERS = "DisableCMDUsers"; public string SettingsName { get; set; } public int ServerId { get; set; } diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs index 1f3b46ce..3fc744bf 100644 
--- a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs +++ b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs @@ -95,6 +95,11 @@ namespace WebsitePanel.Providers.RemoteDesktopServices private const string HideCDriveGpoValueName = "NoDrives"; private const string RDSSessionGpoKey = @"HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services"; private const string RDSSessionGpoValueName = "Shadow"; + private const string DisableCmdGpoKey = @"HKCU\Software\Policies\Microsoft\Windows\System"; + private const string DisableCmdGpoValueName = "DisableCMD"; + private const string DisallowRunParentKey = @"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; + private const string DisallowRunKey = @"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"; + private const string DisallowRunValueName = "DisallowRun"; #endregion 
@@ -1136,7 +1141,13 @@ namespace WebsitePanel.Providers.RemoteDesktopServices RemoveRegistryValue(runspace, RemoveRestartGpoKey, administratorsGpo); RemoveRegistryValue(runspace, RemoveRestartGpoKey, usersGpo); RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, administratorsGpo); - RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, usersGpo); + RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, usersGpo); + RemoveRegistryValue(runspace, DisableCmdGpoKey, usersGpo); + RemoveRegistryValue(runspace, DisableCmdGpoKey, administratorsGpo); + RemoveRegistryValue(runspace, DisallowRunKey, usersGpo); + RemoveRegistryValue(runspace, DisallowRunParentKey, usersGpo); + RemoveRegistryValue(runspace, DisallowRunKey, administratorsGpo); + RemoveRegistryValue(runspace, DisallowRunParentKey, administratorsGpo); var setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.SCREEN_SAVER_DISABLED)); SetRegistryValue(setting, runspace, ScreenSaverGpoKey, administratorsGpo, usersGpo, ScreenSaverValueName, "0", "string"); @@ -1153,6 +1164,9 @@ namespace WebsitePanel.Providers.RemoteDesktopServices setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.HIDE_C_DRIVE)); SetRegistryValue(setting, runspace, HideCDriveGpoKey, administratorsGpo, usersGpo, HideCDriveGpoValueName, "4", "DWord"); + setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.DISABLE_CMD)); + SetRegistryValue(setting, runspace, DisableCmdGpoKey, administratorsGpo, usersGpo, DisableCmdGpoValueName, "1", "DWord"); + setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.LOCK_SCREEN_TIMEOUT)); double result; 
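Review bot: The two cleanup calls on `DisallowRunParentKey` target the whole `...\Policies\Explorer` key, which is wider than the single `DisallowRun` value this feature owns. The body of `RemoveRegistryValue` is outside the hunk, but if it issues `Remove-GPRegistryValue` with only `-Key`, every Explorer policy value in both GPOs is dropped on each apply. That would include restrictions set by hand or by other features that are not re-applied later in this method. Consider removing only the named value by passing `-ValueName` with `DisallowRunValueName`. The re-added `DisableTaskManagerGpoKey, usersGpo` line is a whitespace-only change and can be left out; the enclosing method starts and ends outside this hunk.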
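Review bot: Writing `"1"` to `DisableCMD` turns off batch-file processing as well as the interactive prompt, and the policy's own help text advises against that for Remote Desktop Services users and for machines that rely on logon or logoff scripts. Value `2` blocks the prompt but leaves `.cmd`/`.bat` scripts working, so the safer default here would be `SetRegistryValue(setting, runspace, DisableCmdGpoKey, administratorsGpo, usersGpo, DisableCmdGpoValueName, "2", "DWord");`. If `1` is intended, say so in a comment such as `// 1 = also blocks batch scripts, including logon scripts` and in the UI label. Neither is explained at present.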
@@ -1162,6 +1176,7 @@ namespace WebsitePanel.Providers.RemoteDesktopServices } SetRdsSessionHostPermissions(runspace, serverSettings, usersGpo, administratorsGpo); + SetPowershellPermissions(runspace, serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.REMOVE_POWERSHELL_COMMAND)), usersGpo, administratorsGpo); } finally { @@ -1169,6 +1184,24 @@ namespace WebsitePanel.Providers.RemoteDesktopServices } } + private void SetPowershellPermissions(Runspace runspace, RdsServerSetting setting, string usersGpo, string administratorsGpo) + { + if (setting != null) + { + SetRegistryValue(setting, runspace, DisallowRunParentKey, administratorsGpo, usersGpo, DisallowRunValueName, "1", "Dword"); + + if (setting.ApplyAdministrators) + { + SetRegistryValue(runspace, DisallowRunKey, administratorsGpo, "powershell.exe", "string"); + } + + if (setting.ApplyUsers) + { + SetRegistryValue(runspace, DisallowRunKey, usersGpo, "powershell.exe", "string"); + } + } + } + private void SetRdsSessionHostPermissions(Runspace runspace, RdsServerSettings settings, string usersGpo, string administratorsGpo) { var viewSetting = settings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION)); @@ -1233,6 +1266,17 @@ namespace WebsitePanel.Providers.RemoteDesktopServices } } + private void SetRegistryValue(Runspace runspace, string key, string gpoName, string value, string type) + { + Command cmd = new Command("Set-GPRegistryValue"); + cmd.Parameters.Add("Name", gpoName); + cmd.Parameters.Add("Key", string.Format("\"{0}\"", key)); + cmd.Parameters.Add("Value", value); + cmd.Parameters.Add("Type", type); + + Collection result = ExecuteRemoteShellCommand(runspace, PrimaryDomainController, cmd); + } + private void SetRegistryValue(Runspace runspace, string key, string gpoName, string value, string valueName, string type) { Command cmd = new Command("Set-GPRegistryValue"); 
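Review bot: `SetPowershellPermissions` relies on the Explorer `DisallowRun` list, which only Explorer honours, so it is UI hardening rather than an execution control. Processes started by anything other than Explorer are not checked, and only the image name `powershell.exe` is listed, so other PowerShell hosts are untouched. A comment on the method should record this, for example `// DisallowRun is enforced by Explorer only; use AppLocker or Software Restriction Policies where PowerShell must really be blocked.` The portal text for this option should not promise more than that. Separately, the type literal is spelled `"Dword"` here and `"DWord"` in every other call; it likely still parses, but keep one spelling.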
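Review bot: The new five-argument `SetRegistryValue` overload never adds a `ValueName` parameter, so `Set-GPRegistryValue` is asked to write the key's default value rather than a named entry. `DisallowRun` entries are conventionally named values (`1`, `2`, …) whose data is the executable name, so the `powershell.exe` entry may not be picked up at all. This should be verified on a session host before shipping. Adding `cmd.Parameters.Add("ValueName", "1");`, or taking the value name as an argument like the sibling overload, makes the written entry explicit. `result` is assigned and never read, so a failed remote command goes unnoticed; either inspect it or drop the local.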
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/App_LocalResources/SettingsRdsPolicy.ascx.resx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/App_LocalResources/SettingsRdsPolicy.ascx.resx index 837eae3e..4e783a67 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/App_LocalResources/SettingsRdsPolicy.ascx.resx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/App_LocalResources/SettingsRdsPolicy.ascx.resx @@ -129,6 +129,9 @@ Control RDS Session without Users's Permission + + Disable Command Prompt + Drive Space Threshold diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/App_LocalResources/RDSEditUserExperience.ascx.resx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/App_LocalResources/RDSEditUserExperience.ascx.resx index a6355f92..1ba5fff1 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/App_LocalResources/RDSEditUserExperience.ascx.resx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/App_LocalResources/RDSEditUserExperience.ascx.resx @@ -129,6 +129,9 @@ Control RDS Session without Users's Permission + + Disable Command Prompt + Drive Space Threshold diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx index 44b5384b..c7cf7553 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx @@ -190,6 +190,20 @@
+ + + + + + + +
+ + + +
+
+
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.cs index 6fc1f396..e413b313 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.cs 
@@ -53,77 +53,16 @@ namespace WebsitePanel.Portal.RDS cbTimeoutUsers.Checked = setting.ApplyUsers; } - setting = GetServerSetting(settings, RdsServerSettings.REMOVE_RUN_COMMAND); - - if (setting != null) - { - cbRunCommandAdministrators.Checked = setting.ApplyAdministrators; - cbRunCommandUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.REMOVE_POWERSHELL_COMMAND); - - if (setting != null) - { - cbPowershellAdministrators.Checked = setting.ApplyAdministrators; - cbPowershellUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.HIDE_C_DRIVE); - - if (setting != null) - { - cbHideCDriveAdministrators.Checked = setting.ApplyAdministrators; - cbHideCDriveUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.REMOVE_SHUTDOWN_RESTART); - - if (setting != null) - { - cbShutdownAdministrators.Checked = setting.ApplyAdministrators; - cbShutdownUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.DISABLE_TASK_MANAGER); - - if (setting != null) - { - cbTaskManagerAdministrators.Checked = setting.ApplyAdministrators; - cbTaskManagerUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.CHANGE_DESKTOP_DISABLED); - - if (setting != null) - { - cbDesktopAdministrators.Checked = setting.ApplyAdministrators; - cbDesktopUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.SCREEN_SAVER_DISABLED); - - if (setting != null) - { - cbScreenSaverAdministrators.Checked = setting.ApplyAdministrators; - cbViewSessionUsers.Checked = setting.ApplyUsers; - } - - setting = GetServerSetting(settings, RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION); - - if (setting != null) - { - cbViewSessionAdministrators.Checked = setting.ApplyAdministrators; - cbScreenSaverUsers.Checked = setting.ApplyUsers; - } - - setting = 
GetServerSetting(settings, RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION); - - if (setting != null) - { - cbControlSessionAdministrators.Checked = setting.ApplyAdministrators; - cbControlSessionUsers.Checked = setting.ApplyUsers; - } + SetCheckboxes(settings, RdsServerSettings.REMOVE_RUN_COMMAND, cbRunCommandAdministrators, cbRunCommandUsers); + SetCheckboxes(settings, RdsServerSettings.REMOVE_POWERSHELL_COMMAND, cbPowershellAdministrators, cbPowershellUsers); + SetCheckboxes(settings, RdsServerSettings.HIDE_C_DRIVE, cbHideCDriveAdministrators, cbHideCDriveUsers); + SetCheckboxes(settings, RdsServerSettings.REMOVE_SHUTDOWN_RESTART, cbShutdownAdministrators, cbShutdownUsers); + SetCheckboxes(settings, RdsServerSettings.DISABLE_TASK_MANAGER, cbTaskManagerAdministrators, cbTaskManagerUsers); + SetCheckboxes(settings, RdsServerSettings.CHANGE_DESKTOP_DISABLED, cbDesktopAdministrators, cbDesktopUsers); + SetCheckboxes(settings, RdsServerSettings.SCREEN_SAVER_DISABLED, cbScreenSaverAdministrators, cbScreenSaverUsers); + SetCheckboxes(settings, RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION, cbViewSessionAdministrators, cbViewSessionUsers); + SetCheckboxes(settings, RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION, cbControlSessionAdministrators, cbControlSessionUsers); + SetCheckboxes(settings, RdsServerSettings.DISABLE_CMD, cbDisableCmdAdministrators, cbDisableCmdUsers); setting = GetServerSetting(settings, RdsServerSettings.DRIVE_SPACE_THRESHOLD); 
@@ -133,6 +72,17 @@ namespace WebsitePanel.Portal.RDS } } + private void SetCheckboxes(RdsServerSettings settings, string settingName, CheckBox cbAdministrators, CheckBox cbUsers) + { + var setting = GetServerSetting(settings, settingName); + + if (setting != null) + { + cbAdministrators.Checked = setting.ApplyAdministrators; + cbUsers.Checked = setting.ApplyUsers; + } + } + private RdsServerSetting GetServerSetting(RdsServerSettings settings, string propertyName) { return settings.Settings.FirstOrDefault(s => s.PropertyName.Equals(propertyName)); @@ -230,6 +180,14 @@ namespace WebsitePanel.Portal.RDS ApplyUsers = cbControlSessionUsers.Checked }); + settings.Settings.Add(new RdsServerSetting + { + PropertyName = RdsServerSettings.DISABLE_CMD, + PropertyValue = "", + ApplyAdministrators = cbDisableCmdAdministrators.Checked, + ApplyUsers = cbDisableCmdUsers.Checked + }); + return settings; } @@ -265,6 +223,9 @@ namespace WebsitePanel.Portal.RDS cbControlSessionAdministrators.Checked = Convert.ToBoolean(settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_ADMINISTRATORS]); cbControlSessionUsers.Checked = Convert.ToBoolean(settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_Users]); + cbDisableCmdAdministrators.Checked = Convert.ToBoolean(settings[RdsServerSettings.DISABLE_CMD_ADMINISTRATORS]); + cbDisableCmdUsers.Checked = Convert.ToBoolean(settings[RdsServerSettings.DISABLE_CMD_USERS]); + ddTreshold.SelectedValue = settings[RdsServerSettings.DRIVE_SPACE_THRESHOLD_VALUE]; } diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.designer.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.designer.cs index 953e340e..b12d745a 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.designer.cs 
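Review bot: The two `Convert.ToBoolean(settings[RdsServerSettings.DISABLE_CMD_...])` reads in the `@@ -265,6 +223,9 @@` hunk assume the stored policy already has the new keys, but records saved before this commit will not. The settings type is not visible here: if its indexer returns null the result is `false`, but an empty string makes `Convert.ToBoolean` throw `FormatException` and the page fails to load. A tolerant read avoids that: `bool on; bool.TryParse(settings[RdsServerSettings.DISABLE_CMD_USERS], out on); cbDisableCmdUsers.Checked = on;`. The same applies to the matching lines added in the `@@ -49,6 +49,9 @@` hunk of SettingsRdsPolicy.ascx.cs.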
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/RDS/RDSEditUserExperience.ascx.designer.cs @@ -462,6 +462,42 @@ namespace WebsitePanel.Portal.RDS { /// protected global::System.Web.UI.WebControls.CheckBox cbControlSessionAdministrators; + /// + /// secDisableCmd control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::WebsitePanel.Portal.CollapsiblePanel secDisableCmd; + + /// + /// disableCmdPanel control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.Panel disableCmdPanel; + + /// + /// cbDisableCmdUsers control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.CheckBox cbDisableCmdUsers; + + /// + /// cbDisableCmdAdministrators control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.CheckBox cbDisableCmdAdministrators; + /// /// buttonPanel control. /// diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx index 4d22c2e1..1f3300e5 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx @@ -166,4 +166,18 @@
+ + + + + + + + +
+ + + +
+
\ No newline at end of file diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.cs index ed9bab8c..3e28ef23 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.cs @@ -49,6 +49,9 @@ namespace WebsitePanel.Portal cbControlSessionAdministrators.Checked = Convert.ToBoolean(settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_ADMINISTRATORS]); cbControlSessionUsers.Checked = Convert.ToBoolean(settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_Users]); + cbDisableCmdAdministrators.Checked = Convert.ToBoolean(settings[RdsServerSettings.DISABLE_CMD_ADMINISTRATORS]); + cbDisableCmdUsers.Checked = Convert.ToBoolean(settings[RdsServerSettings.DISABLE_CMD_USERS]); + ddTreshold.SelectedValue = settings[RdsServerSettings.DRIVE_SPACE_THRESHOLD_VALUE]; } 
@@ -72,6 +75,12 @@ namespace WebsitePanel.Portal settings[RdsServerSettings.SCREEN_SAVER_DISABLED_ADMINISTRATORS] = cbScreenSaverAdministrators.Checked.ToString(); settings[RdsServerSettings.SCREEN_SAVER_DISABLED_USERS] = cbScreenSaverUsers.Checked.ToString(); settings[RdsServerSettings.DRIVE_SPACE_THRESHOLD_VALUE] = ddTreshold.SelectedValue; + settings[RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION_ADMINISTRATORS] = cbViewSessionAdministrators.Checked.ToString(); + settings[RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION_Users] = cbViewSessionUsers.Checked.ToString(); + settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_ADMINISTRATORS] = cbControlSessionAdministrators.Checked.ToString(); + settings[RdsServerSettings.RDS_CONTROL_WITHOUT_PERMISSION_Users] = cbControlSessionUsers.Checked.ToString(); + settings[RdsServerSettings.DISABLE_CMD_ADMINISTRATORS] = cbDisableCmdAdministrators.Checked.ToString(); + settings[RdsServerSettings.DISABLE_CMD_USERS] = cbDisableCmdUsers.Checked.ToString(); } } } \ No newline at end of file diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.designer.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.designer.cs index 2b120670..9ecc5ff4 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.designer.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/SettingsRdsPolicy.ascx.designer.cs 
@@ -407,5 +407,41 @@ namespace WebsitePanel.Portal { /// To modify move field declaration from designer file to code-behind file. /// protected global::System.Web.UI.WebControls.CheckBox cbControlSessionAdministrators; + + /// + /// secDisableCmd control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::WebsitePanel.Portal.CollapsiblePanel secDisableCmd; + + /// + /// disableCmdPanel control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.Panel disableCmdPanel; + + /// + /// cbDisableCmdUsers control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.CheckBox cbDisableCmdUsers; + + /// + /// cbDisableCmdAdministrators control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.CheckBox cbDisableCmdAdministrators; } }