RDS Powershell disabled by GPO

2015-04-03 03:44:00 -07:00 · 2015-04-03 03:44:00 -07:00 · fce7f6792a
commit fce7f6792a
parent ab3ff694ac
10 changed files with 195 additions and 72 deletions
--- a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
+++ b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
@ -95,6 +95,11 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
        private const string HideCDriveGpoValueName = "NoDrives";
        private const string RDSSessionGpoKey = @"HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services";
        private const string RDSSessionGpoValueName = "Shadow";
+        private const string DisableCmdGpoKey = @"HKCU\Software\Policies\Microsoft\Windows\System";
+        private const string DisableCmdGpoValueName = "DisableCMD";
+        private const string DisallowRunParentKey = @"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";
+        private const string DisallowRunKey = @"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun";
+        private const string DisallowRunValueName = "DisallowRun";

        #endregion

@ -1136,7 +1141,13 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
                RemoveRegistryValue(runspace, RemoveRestartGpoKey, administratorsGpo);
                RemoveRegistryValue(runspace, RemoveRestartGpoKey, usersGpo);
                RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, administratorsGpo);
-                RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, usersGpo);                
+                RemoveRegistryValue(runspace, DisableTaskManagerGpoKey, usersGpo);
+                RemoveRegistryValue(runspace, DisableCmdGpoKey, usersGpo);
+                RemoveRegistryValue(runspace, DisableCmdGpoKey, administratorsGpo);
+                RemoveRegistryValue(runspace, DisallowRunKey, usersGpo);
+                RemoveRegistryValue(runspace, DisallowRunParentKey, usersGpo);
+                RemoveRegistryValue(runspace, DisallowRunKey, administratorsGpo);
+                RemoveRegistryValue(runspace, DisallowRunParentKey, administratorsGpo);

                var setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.SCREEN_SAVER_DISABLED));
                SetRegistryValue(setting, runspace, ScreenSaverGpoKey, administratorsGpo, usersGpo, ScreenSaverValueName, "0", "string");
@ -1153,6 +1164,9 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
                setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.HIDE_C_DRIVE));
                SetRegistryValue(setting, runspace, HideCDriveGpoKey, administratorsGpo, usersGpo, HideCDriveGpoValueName, "4", "DWord");

+                setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.DISABLE_CMD));
+                SetRegistryValue(setting, runspace, DisableCmdGpoKey, administratorsGpo, usersGpo, DisableCmdGpoValueName, "1", "DWord");
+
                setting = serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.LOCK_SCREEN_TIMEOUT));
                double result;

@ -1162,6 +1176,7 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
                }

                SetRdsSessionHostPermissions(runspace, serverSettings, usersGpo, administratorsGpo);
+                SetPowershellPermissions(runspace, serverSettings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.REMOVE_POWERSHELL_COMMAND)), usersGpo, administratorsGpo);
            }
            finally
            {
@ -1169,6 +1184,24 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
            }
        }

+        private void SetPowershellPermissions(Runspace runspace, RdsServerSetting setting, string usersGpo, string administratorsGpo)
+        {
+            if (setting != null)
+            {
+                SetRegistryValue(setting, runspace, DisallowRunParentKey, administratorsGpo, usersGpo, DisallowRunValueName, "1", "Dword");
+
+                if (setting.ApplyAdministrators)
+                {
+                    SetRegistryValue(runspace, DisallowRunKey, administratorsGpo, "powershell.exe", "string");
+                }
+
+                if (setting.ApplyUsers)
+                {
+                    SetRegistryValue(runspace, DisallowRunKey, usersGpo, "powershell.exe", "string");
+                }
+            }
+        }
+
        private void SetRdsSessionHostPermissions(Runspace runspace, RdsServerSettings settings, string usersGpo, string administratorsGpo)
        {
            var viewSetting = settings.Settings.FirstOrDefault(s => s.PropertyName.Equals(RdsServerSettings.RDS_VIEW_WITHOUT_PERMISSION));
@ -1233,6 +1266,17 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
            }
        }

+        private void SetRegistryValue(Runspace runspace, string key, string gpoName, string value, string type)
+        {
+            Command cmd = new Command("Set-GPRegistryValue");
+            cmd.Parameters.Add("Name", gpoName);
+            cmd.Parameters.Add("Key", string.Format("\"{0}\"", key));
+            cmd.Parameters.Add("Value", value);            
+            cmd.Parameters.Add("Type", type);
+
+            Collection<PSObject> result = ExecuteRemoteShellCommand(runspace, PrimaryDomainController, cmd);
+        }
+
        private void SetRegistryValue(Runspace runspace, string key, string gpoName, string value, string valueName, string type)
        {
            Command cmd = new Command("Set-GPRegistryValue");