PowerShell: machine vs man

    Some time ago, I inherited a terminal server farm, and management set me the task of eradicating Skype, Chrome, Firefox and the Mail.ru Agent on all of the terminal servers. Historically, the company uses thin clients; only privileged users have a full-fledged PC, where those programs are allowed, but on the terminal servers they are not.

    I removed all the programs, applied AD policies restricting the launch of those applications and decided that was probably it. But a day later I found that users were using the programs again, now as portable versions, with the exe files renamed to 123*.exe. Frankly, I was surprised by the knowledge and preparedness of the users.

    Cutting off the Internet or banning absolutely every program except an allowed list was not an option given the specifics of the office. It became a matter of sporting interest, and I decided to use PowerShell:

    1. determine the running processes:
    get-process

    2. then keep only the ones of interest to us. Note that if the process is renamed to 123.exe, it appears in the process list as 123, which is bad because it is not clear whether that process is good or bad. So we look at the Description field instead: even though the Skype file has been renamed to 123 and shows up in the process list as 123, its description is still the old one, Skype:

    where-object { $_.Description -match 'skype' }

    3. stop the processes found:

    Stop-Process -Force

    In the end, we get a pipeline of the form:
    get-process | where-object { $_.Description -match "skype" } | Stop-Process -Force

    You can put this in a .ps1 script and attach it to something, but then you need either to sign it or to disable the security requirement that forbids running unsigned scripts.

    I did it differently: I created a task in the Task Scheduler that starts the program
    C:\Windows\...\powershell.exe
    with the parameter
    get-process | where-object { $_.Description -match 'skype' } | Stop-Process -Force

    In this case the command runs and no script needs to be signed. Now the task can run as often as every minute and kill the programs we do not want. And if you add more refined filtering to this solution, you can wean users off any given programs across the whole domain (without refined matching, it will not work on renamed files).
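As an added example (not code from the original post), here is a more refined version of the filter the post ends on: it matches on several version-resource fields that a plain rename of the exe does not change, skips its own process, and writes a line to a log each time it stops something, so the action stays visible to whoever reviews the server. The $Blocked list, the log path and the set of fields checked are assumptions of this example; a user can still strip or edit a file's version resource, so this remains a convenience filter rather than an integrity check.

```powershell
# Added example, not from the original post. Assumptions: the blocked list,
# the log path and the set of version-resource fields that are checked.
function Stop-BlockedProcess {
    param(
        [string[]]$Blocked = @('skype', 'chrome', 'firefox', 'mail.ru'),
        [string]$LogPath   = 'C:\ProgramData\blocked-apps.log'
    )
    # Version-resource fields that survive renaming the exe. The Description
    # column in Get-Process output is just FileDescription from this resource.
    $fields = 'FileDescription', 'ProductName', 'CompanyName',
              'OriginalFilename', 'InternalName'
    $self = $PID
    foreach ($proc in Get-Process | Where-Object { $_.Id -ne $self -and $_.Path }) {
        $item = Get-Item -LiteralPath $proc.Path -ErrorAction SilentlyContinue
        if (-not $item) { continue }           # e.g. no access to the image file
        $info = $item.VersionInfo
        $hit  = $null
        foreach ($f in $fields) {
            $value = $info.$f
            if (-not $value) { continue }
            foreach ($b in $Blocked) {
                # Escape so 'mail.ru' matches literally; -match ignores case.
                if ($value -match [regex]::Escape($b)) { $hit = "$f='$value'"; break }
            }
            if ($hit) { break }
        }
        if (-not $hit) { continue }
        # Record what was stopped and why before acting, so it can be reviewed.
        $stamp = Get-Date -Format s
        $line  = '{0} stopped {1} (PID {2}) {3}: {4}' -f $stamp, $proc.ProcessName, $proc.Id, $proc.Path, $hit
        Add-Content -LiteralPath $LogPath -Value $line
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
}

Stop-BlockedProcess
```

In the scheduled task from the post, the same function body can be passed inline with powershell.exe -NoProfile -Command, so nothing needs to be signed, and the log gives you something to check if the task ever starts stopping processes it should not.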
