Using GPO to collect data about VMware view activity

Posted by MoSiAc on Server Fault
Published on 2013-06-11T18:25:58Z Indexed on 2014/05/28 21:34 UTC

Our security group wants us to begin logging data for external access to our View environment. At first we thought that View security would be logging all source IPs that are external in nature, so if for some reason there is an intrusion we would have a record of it there.

Of course our firewall logs all that information, but correlating it to View is sketchy at best with our current implementation.

We know on View desktops there is a set of keys in Volatile Environment that contains stuff such as source IP and username, etc.

We have a script in place that, when run as a logon script attached to a user account in AD, collects the information as we need it.

If we have a GPO run the same script, the information does not get collected.

We feel like there is a piece of the puzzle we're missing but we don't know what. If anyone knows what we're forgetting or misconfiguring that would be great, or if you have a better way of us collecting external source IPs for View specifically we'd be interested in that as well.

Thanks,

EDIT CODE

Batch script to dump to text file

    @echo off
    rem Wait 20 seconds before reading the registry
    timeout 20
    rem Header line: machine/user and timestamp
    echo %computername%/%username% %time% %date% >>c:\vdi\vmware.txt
    echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>>c:\vdi\vmware.txt
    rem View client values from the current user's Volatile Environment key
    reg query "HKEY_CURRENT_USER\Volatile Environment" /v "ViewClient_LoggedOn_Username">>c:\vdi\vmware.txt
    reg query "HKEY_CURRENT_USER\Volatile Environment" /v "ViewClient_IP_Address">>c:\vdi\vmware.txt
    echo.>>c:\vdi\vmware.txt

VB Script to display values

    ' Registry hive constant for HKEY_CURRENT_USER
    Const HKEY_CURRENT_USER = &H80000001
    ' Connect to the local WMI registry provider (StdRegProv)
    Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
    Set wmiNameSpace = wmiLocator.ConnectServer(".", "root\default")
    Set objRegistry = wmiNameSpace.Get("StdRegProv")
    sPath = "Volatile Environment"
    ' Read the View client values; the names use the ViewClient_ prefix, as in the batch script
    lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_Machine_Name", vMachine)
    lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_IP_Address", vIP)
    lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClient_MAC_Address", vMAC)
    ' Show the collected values
    MsgBox "The Remote Device Name is " & vMachine & " @ " & vIP & " (" & vMAC & ") "

He wanted me to mention that the batch file actually runs, and I can see it counting down when I reconnect, but it does not grab the registry values.

© Server Fault or respective owner
