Selective prohibition of IP on cloud-based Windows Server 2012 through RDP

The company consists of an office and remote stores. One day an employee walked off with the customer database on a flash drive. After that everyone was immediately moved to a remote desktop with the local interface disabled. But the admin needs even more control! Under the cut is a method that slightly improves the safety and control of the situation.
 
 
The server is Windows Server 2012 R2 Standard.
 
 
PowerShell version ($PSVersionTable):
    PSVersion                  ???
    WSManStackVersion          ???
    SerializationVersion       ???.1
    CLRVersion                 ???.42000
    BuildVersion               ???.18773
    PSCompatibleVersions       {1.0, 2.0, 3.0, 4.0}
    PSRemotingProtocolVersion  ???
 
All of this was set up by the previous admin in a hurry, so the whole infrastructure now runs on crutches. Then I came in to support it. One of the new tasks: office managers may only log in to the cloud desktop from the office, not from home. At the same time, a few chosen people must be allowed to work from home. And the remote stores must not be touched at all. Normally this is done with firewall rules or with domain Group Policy. But a firewall rule that restricts the RDP port by source address applies to everyone, not to a particular account; the block here has to be selective, there is no domain, and the server sits in the cloud, so I had to look for a less conventional solution.
 
 
I had never written PowerShell before, so I put in a paid request to our hosting provider's engineers. While they were thinking it over, I sketched a quick working solution. Here is the scheme:
 
 
Create a folder for the scripts and add the script itself:
 
 
# saved as UTF-8
$username = "username"   # system user name of the restricted account
$localnet = "???.4"      # the allowed IP (a -like wildcard such as 10.0.0.* also works)
# Last logon event that mentions the user together with a network address
$lastevent = Get-EventLog Security -Message "*$username*Address: *.*.*.*" -Newest 1
# Pull the source address out of the event text
$IP = $null
if ($lastevent -and $lastevent.Message -match 'Network Address:\s*(\S+)') { $IP = $Matches[1] }
# Session ID of the user, taken from the ID column of 'query session'
$IDbyName = ((query session $username)[1] -split '\s+')[3]
# Check and kick: the user has a session and the address is not the allowed one
# (an address that could not be determined also fails the check)
if ($IDbyName -and $IP -notlike $localnet) {
    logoff $IDbyName
    "`n---------" | Out-File "C:\SCRIPTFOLDER\Scripts\log.txt" -Append
    Get-Date | Out-File "C:\SCRIPTFOLDER\Scripts\log.txt" -Append
    "RDP session terminated`nUSER: $username`nIP: $IP" | Out-File "C:\SCRIPTFOLDER\Scripts\log.txt" -Append
}
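The script above works for one hard-coded user and reads the address by cutting the localized event message, and its `query session` parsing breaks when the SESSIONNAME column is empty (a disconnected session shifts the ID into the wrong field). Below is an added example of my own, not the article's script, that does the same job for several users at once: it reads an allow-list file (assumed format `username = ip-or-wildcard`, one rule per line, at an assumed path `C:\SCRIPTFOLDER\Scripts\allowed.txt`), takes the source address from the XML payload of the last 4624 RemoteInteractive logon event instead of from the message text, parses `quser` with a regex, and logs off any restricted user whose address matches none of their patterns. Users absent from the file are left alone. It needs PowerShell 4 on Windows Server 2012 R2 and administrative rights (Security log, `logoff`).

```powershell
# kickUnauthorized.ps1 -- added example, not the article's own script.
# Assumptions (mine, not from the article): allow-list file with one "username = ip-or-wildcard"
# rule per line; users absent from the file are not restricted; log file path below.
param(
    [string]$AllowList = 'C:\SCRIPTFOLDER\Scripts\allowed.txt',
    [string]$LogFile   = 'C:\SCRIPTFOLDER\Scripts\log.txt'
)

# Returns a hashtable: lower-case username -> array of allowed address patterns (-like wildcards).
function Read-AllowList([string]$Path) {
    $rules = @{}
    foreach ($raw in (Get-Content -Path $Path -ErrorAction Stop)) {
        $line = ($raw -split '#', 2)[0].Trim()                # strip comments and blank lines
        if (-not $line -or $line -notmatch '=') { continue }
        $user, $pattern = ($line -split '=', 2) | ForEach-Object { $_.Trim() }
        $user = $user.ToLowerInvariant()
        if (-not $rules.ContainsKey($user)) { $rules[$user] = @() }
        $rules[$user] += $pattern
    }
    return $rules
}

# Interactive sessions parsed from quser (USERNAME SESSIONNAME ID STATE ...). A regex is used
# instead of a positional split so that an empty SESSIONNAME column does not shift the ID.
function Get-UserSessions {
    $lines = quser 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\w+)') {
            [pscustomobject]@{
                User  = $Matches['user'].ToLowerInvariant()
                Id    = [int]$Matches['id']
                State = $Matches['state']
            }
        }
    }
}

# Source address of the user's most recent RDP logon: event 4624 with LogonType 10
# (RemoteInteractive), read from the event XML rather than from the localized message text.
# Returns $null when no such event is found for the user.
function Get-LastRdpSourceIp([string]$User) {
    $xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue
    foreach ($e in $events) {                                  # newest first
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $name = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if ($name -eq $User) {
            return ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        }
    }
    return $null
}

$rules = Read-AllowList $AllowList
foreach ($s in Get-UserSessions) {
    if (-not $rules.ContainsKey($s.User)) { continue }        # not a restricted user
    $ip = Get-LastRdpSourceIp $s.User
    $allowed = $false
    foreach ($pattern in $rules[$s.User]) {
        if ($ip -and $ip -like $pattern) { $allowed = $true }
    }
    if ($allowed) { continue }
    # Fail closed: an address that could not be determined is treated like a forbidden one.
    logoff $s.Id
    $msg = "{0}`tlogged off {1} (session {2}, {3}) connected from '{4}'" -f (Get-Date -Format s), $s.User, $s.Id, $s.State, $ip
    Add-Content -Path $LogFile -Value $msg
}
```

Two caveats that apply to this version just as much as to the original: the check runs after the session already exists, so the user gets a short window before the logoff; and the address comes from the last 4624 logon event, which a reconnect to a disconnected session does not generate (that produces event 4778 with its own client address), so a user who was allowed once and reconnects from elsewhere is only caught on the next full logon.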

 
The script is not the most flexible, but it works reliably. Now about automation. Open Task Scheduler. You can create the task by hand, but it is easier to import it from this task.xml:
 
 
task.xml (the XML element tags were lost when this page was captured; the settings it contains are listed here)

    Date: 2018-08-09T15:44
    Author: ServerName\AdminUser
    Description: Allow certain users to log in only from the authorized IP
    Triggers:
        EventTrigger (disabled) on the Security log, subscription (event 4648, Audit Success, last hour):
            *[System[(Level=4 or Level=0) and (band(Keywords,9007199254740992)) and (EventID=4648) and TimeCreated[timediff(@SystemTime) <= 3600000]]]
        SessionStateChangeTrigger (enabled): StateChange RemoteConnect, UserId ServerName\username
        LogonTrigger (enabled): UserId ServerName\username
    Principal: UserId ServerName\AdminUser, LogonType Password, RunLevel HighestAvailable
    Settings: MultipleInstancesPolicy Parallel, ExecutionTimeLimit PT1H, Priority 7, RestartOnFailure every PT1M up to 3 times
    Action (Exec): PowerShell -File "C:\SCRIPTFOLDER\Scripts\kickUsername.ps1"

 
 
Do not forget to replace ServerName with the server's name, AdminUser with the system name of the admin account that runs the task, and username with the system name of the user you want to restrict.
 
After the task is created, check its properties window.

Triggers:

On connection to user session of username (remote connection)

At log on of username

Action: start the program PowerShell with the argument -File "C:\SCRIPTFOLDER\Scripts\kickUsername.ps1"
 
 
Be sure to run the task as the admin with "Run with highest privileges". Click OK and enter the admin password. The task is ready! Now when the restricted user connects from a foreign IP address, the session is terminated and a log entry is written to the scripts folder. Note that both triggers fire after the session has already been established, so the user gets a brief window before the logoff; the script shortens that window but cannot prevent the logon itself.
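The same task can be registered from PowerShell instead of by importing task.xml. This is an added example of mine, not the article's file: it uses the article's placeholder names (AdminUser, username, C:\SCRIPTFOLDER\Scripts\kickUsername.ps1) and the ScheduledTasks module that ships with PowerShell 4 on Windows Server 2012 R2. The "On connection to user session" trigger is not exposed by New-ScheduledTaskTrigger, so it is built from the MSFT_TaskSessionStateChangeTrigger CIM class (StateChange 3 = RemoteConnect); the task name and the prompt for the password are my own choices. Run it in an elevated session on the server.

```powershell
# Register-KickTask.ps1 -- added example, not the article's task.xml.
# Placeholders as in the article: AdminUser, username, C:\SCRIPTFOLDER\Scripts\kickUsername.ps1.
$Restricted = "$env:COMPUTERNAME\username"      # the user to restrict
$RunAs      = "$env:COMPUTERNAME\AdminUser"     # the admin whose context runs the script
$Script     = 'C:\SCRIPTFOLDER\Scripts\kickUsername.ps1'

$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$Script`""

# Trigger 1: "On connection to user session" (remote). The trigger cmdlets do not expose it,
# so create the CIM instance directly. StateChange 3 = RemoteConnect.
$class   = Get-CimClass -ClassName MSFT_TaskSessionStateChangeTrigger `
    -Namespace Root/Microsoft/Windows/TaskScheduler
$connect = New-CimInstance -CimClass $class -ClientOnly `
    -Property @{ Enabled = $true; StateChange = 3; UserId = $Restricted }

# Trigger 2: "At log on" of the restricted user.
$logon = New-ScheduledTaskTrigger -AtLogOn -User $Restricted

# Same settings as the article's task.xml: parallel instances, 1 h limit, 3 restarts a minute apart.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances Parallel -AllowStartIfOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 1) -Priority 7

# LogonType "Password" stores the admin credential with the task; prompt for it instead of
# writing it into the script.
$cred = Get-Credential -UserName $RunAs -Message 'Password of the account that runs the task'
Register-ScheduledTask -TaskName 'Kick username from foreign IP' `
    -Action $action -Trigger $connect, $logon -Settings $settings `
    -User $RunAs -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force
```

Registering the task this way keeps the server name out of the file (it is taken from `$env:COMPUTERNAME`), so the same script can be reused on another host without editing the XML by hand.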
 
 
To restrict another user, repeat the whole process (I wanted to keep a list of restrictions in a file, but I lacked the experience and the time). That's all.
 
 
Criticism is very welcome, because this is my first PowerShell code. I also realize that this method does not protect valuable information 100%. But dishonest employees would have to do their dirty work at the workplace, and that is riskier for them. Enjoy!