Get-xRDS_Logs_Security.ps1

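function Get-xRDS_Logs_Security {
<#
    .SYNOPSIS
    Collects RDS-related Security log events from RDS Session Hosts.

    .DESCRIPTION
    Resolves the set of hosts to query either from an RDS Connection Broker
    (via Get-xRDS_CollectionsList) or from a single -Computer, checks that each
    host answers on its WinRM port (Invoke-xRDS_TestPort), then runs a remote
    scriptblock that reads the Security log and returns logon-related events
    (IDs 4624, 4625, 4778, 4799) as flat objects with user, domain, source
    address, logon type and failure reason decoded.

    Get-EventLog (classic event log API) runs on the remote host, so the remote
    side must be Windows PowerShell and the querying identity needs read access
    to that host's Security log.

    .PARAMETER ConnectionBroker
    FQDN of the RDS Connection Broker. When given, the host list is taken from
    the broker's collections.

    .PARAMETER Computer
    FQDN of a single RDS host to query. Not required when -ConnectionBroker is
    used. Defaults to "localhost".

    .PARAMETER BeforeDays
    Number of days to look back. By default (0) events are collected from
    today's midnight; -BeforeDays 3 starts the window at midnight three days ago.

    .PARAMETER Credential
    [Optional] Credentials used to query the Connection Broker. The same
    credentials are passed to Invoke-Command for every session host.

    .PARAMETER UI
    [Optional] Shows the collected records in Out-GridView with -PassThru, so
    rows selected there become the function's output.

    .PARAMETER WinRMPort
    [Optional] WinRM port tested for host connectivity before the remote call.
    Default is 5985.

    .OUTPUTS
    One PSCustomObject per matching event with TimeGenerated, EventID, Domain,
    Username, ClientIP, EventType, Logon, LogonType, Reason, SID, LinkedLogonID.
    Hosts whose WinRM port is closed are skipped with a warning; a failing
    remote call is reported as a non-terminating error and the other hosts are
    still processed.

    .EXAMPLE
    # Collect RDS Security log events from every session host behind a broker:
    Get-xRDS_Logs_Security -ConnectionBroker ardscbl01.adatum.labnet

    .EXAMPLE
    # Last two days from a single host (hostname is illustrative), picked in a grid:
    Get-xRDS_Logs_Security -Computer rdsh01.adatum.labnet -BeforeDays 2 -UI
#>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$false)][string]$ConnectionBroker,
        [String]$Computer = "localhost",
        [switch]$UI,
        [Int]$BeforeDays = 0,
        [Int]$WinRMPort = 5985,
        [PSCredential]$Credential
    )

    # Results are accumulated in a List instead of re-allocating an array with
    # += for every host; the List is enumerated onto the pipeline at the end.
    $ObjectsList = New-Object System.Collections.Generic.List[object]

    if ($ConnectionBroker) {
        $Collection = Get-xRDS_CollectionsList -ConnectionBroker $ConnectionBroker -Credential $Credential
    }
    else {
        # Single-host mode: only the hashtable keys are used as host names.
        $Collection = @{ $Computer = "Computer" }
    }

    # Runs on each session host. $args[0] is the look-back in days (-ArgumentList).
    $collectScript = {
        # Window starts at local midnight (DateTime.Date also zeroes milliseconds).
        $since = (Get-Date).Date.AddDays(-($args[0]))

        # Explicit parentheses: the logon-type test applies to the whole event-ID
        # set. Without them the trailing -or let any event ID with logon type 7
        # (e.g. logoffs) through, and the EventType switch then fell to default.
        # NOTE(review): 4778/4799 event text carries no "Logon Type:" field, so
        # those IDs never pass this clause; also 4799 is documented by Microsoft as
        # "security-enabled local group membership was enumerated" while session
        # disconnect is 4779 — confirm the intended event set before relying on
        # the SESSION RECONNECTED/DISCONNECTED rows. IDs kept as-is here.
        Get-EventLog -LogName Security -After $since |
            Where-Object {
                (4624,4625,4778,4799) -contains $_.EventID -and
                (($_.Message -match 'logon type:\s+(10)\s') -or ($_.Message -match 'logon type:\s+(7)\s'))
            } |
            ForEach-Object {
                $msg = $_.Message
                # Each -replace returns the whole message unchanged when the field
                # is absent, so "result equals message" means "field not present".
                $ip   = $msg -replace '(?smi).*Source Network Address:\s+([^\s]+)\s+.*','$1'
                $sub  = $msg -replace '(?smi).*Sub Status:\s+([^\s]+)\s+.*','$1'
                $link = $msg -replace '(?smi).*Linked Logon ID:\s+([^\s]+)\s+.*','$1'
                New-Object -TypeName PSObject -Property @{
                    EventID       = $_.EventID
                    TimeGenerated = $_.TimeGenerated
                    ClientIP      = if ($ip -eq $msg) { "-" } else { $ip }
                    SID           = $msg -replace '(?smi).*Security ID:\s+([^\s]+)\s+.*','$1'
                    # NOTE(review): the leading [^...] is a single-character negated
                    # class, not a negative lookbehind; it only excludes a label
                    # preceded by one of those characters (e.g. the space in
                    # "Network Account Name:"). Kept byte-identical; verify against
                    # the event text of the target OS builds.
                    UserName      = $msg -replace '(?smi).*[^Network Account Name:]Account Name:\s+([^\s]+)\s+.*','$1'
                    Domain        = $msg -replace '(?smi).*[^Network Account Domain:]Account Domain:\s+([^\s]+)\s+.*','$1'
                    # Sub Status is only extracted for 4625; other IDs get $null so
                    # the Reason switch below falls to its default arm.
                    ReasonCode    = if ($_.EventID -eq 4625) { if ($sub -eq $msg) { "" } else { $sub } }
                    LinkedLogonID = if ($link -eq $msg) { "" } else { $link }
                    LogonType     = $msg -replace '(?smi).*Logon Type:\s+([^\s]+)\s+.*','$1'
                }
            } |
            Sort-Object TimeGenerated -Descending |
            Select-Object TimeGenerated, EventID, Domain, Username, ClientIP,
                @{N='EventType';E={
                    switch ($_.EventID) {
                        4624 {'LOGON SUCCESS'}
                        4625 {'LOGON FAILED'}
                        4778 {'SESSION RECONNECTED'}
                        4799 {'SESSION DISCONNECTED'}
                        default {$_.EventID}
                    }
                }},
                @{N='Logon';E={
                    switch ($_.LogonType) {
                        2 {'Interactive - local logon'}
                        3 {'Network connection to shared folder)'}
                        4 {'Batch'}
                        5 {'Service'}
                        7 {'Unlock (after screensaver)'}
                        8 {'NetworkCleartext'}
                        9 {'NewCredentials (local impersonation process under existing connection)'}
                        10 {'RDP'}
                        11 {'CachedInteractive'}
                        default {$_.LogonType}
                    }
                }}, LogonType,
                @{N='Reason';E={
                    switch ($_.ReasonCode) {
                        "0XC000005E" {'There are currently no logon servers available to service the logon request.'}
                        "0xC0000064" {'User logon with misspelled or bad user account'}
                        "0xC000006A" {'User logon with misspelled or bad password'}
                        "0XC000006D" {'This is either due to a bad username or authentication information'}
                        "0XC000006E" {'Unknown user name or bad password.'}
                        "0xC000006F" {'User logon outside authorized hours'}
                        "0xC0000070" {'User logon from unauthorized workstation'}
                        "0xC0000071" {'User logon with expired password'}
                        "0xC0000072" {'User logon to account disabled by administrator'}
                        "0XC00000DC" {'Indicates the Sam Server was in the wrong state to perform the desired operation.'}
                        "0XC0000133" {'Clocks between DC and other computer too far out of sync'}
                        "0XC000015B" {'The user has not been granted the requested logon type (aka logon right) at this machine'}
                        "0XC000018C" {'The logon request failed because the trust relationship between the primary domain and the trusted domain failed.'}
                        "0XC0000192" {'An attempt was made to logon, but the Netlogon service was not started.'}
                        "0xC0000193" {'User logon with expired account'}
                        "0XC0000224" {'User is required to change password at next logon'}
                        "0XC0000225" {'Evidently a bug in Windows and not a risk'}
                        "0xC0000234" {'User logon with account locked'}
                        "0XC00002EE" {'Failure Reason: An Error occurred during Logon'}
                        "0XC0000413" {'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.'}
                        "0x0" {'Status OK.'}
                        default {$_}
                    }
                }},
                SID, LinkedLogonID
    }

    # Remote-call parameters shared by every host. -Credential is only added when
    # supplied, so the default (current identity) behaviour is unchanged; the
    # original never forwarded it, contrary to what the help text promised.
    $remoteParams = @{
        ScriptBlock  = $collectScript
        ArgumentList = $BeforeDays
        ErrorAction  = 'Stop'   # turn remote/transport errors into the per-host catch
    }
    if ($Credential) { $remoteParams['Credential'] = $Credential }

    foreach ($key in $Collection.Keys) {
        # Probe WinRM first so an unreachable host is skipped quickly instead of
        # waiting for the remoting timeout.
        $connection = Invoke-xRDS_TestPort -hostname $key -port $WinRMPort
        if (-not $connection.open) {
            Write-Warning "Cannot access WinRM port for $key"
            continue
        }

        Write-Host "Collecting RDS Security logs from $key" -ForegroundColor Cyan
        try {
            $events = Invoke-Command -ComputerName $key @remoteParams
            # Invoke-Command may return $null, a single object or an array.
            foreach ($evt in @($events)) {
                if ($null -ne $evt) { $ObjectsList.Add($evt) }
            }
        }
        catch {
            # One failing host (access denied, remoting error) must not abort the
            # collection from the remaining hosts.
            Write-Error "Failed to collect Security log from ${key}: $($_.Exception.Message)"
        }
    }

    if ($UI) {
        $ObjectsList | Out-GridView -PassThru -Title "RDS Security Log Details"
    }
    else {
        $ObjectsList
    }
}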