備忘錄_20160105(定位) 修改 回首頁
程式 2020-03-27 15:22:57 1585293777 100
遠端桌面安全議題
遠端桌面安全議題
● 密碼錯三次,封鎖一段時間。
[cmd] gpedit.msc
本機電腦原則→電腦設定→Windows設定→安全性設定→帳戶原則→帳戶鎖定原則
● 使用指令查看記錄
runas /user:username "cmd /s /k c:\windows\system32\wevtutil.exe qe Security /rd:true /f:text \"/q:* [EventData[Data[@Name='TargetUsername']='administrator' and Data[@Name='LogonType']='10']]\""
● [cmd] eventvwr
找到安全性的記錄,篩選,用 XML,輸入底下字眼(查出使用遠端桌面連線,且用Administrator帳號)

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">* [EventData[Data[@Name='TargetUsername']='Administrator' and Data[@Name='LogonType']='10']]</Select>
  </Query>
</QueryList>
● Logon Type 資料如下
Logon type Logon title Description
2 Interactive A user logged on to this computer.
3 Network A user or computer logged on to this computer from the network.
4 Batch Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5 Service A service was started by the Service Control Manager.
7 Unlock This workstation was unlocked.
8 NetworkCleartext A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9 NewCredentials A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.