Our security group wants us to begin logging data for external access to our view enviroment. At first we thought that view security would be logging all source ip's that are external in nature so if for some reason there is an intrusion we would have record of it there.
Of course our firewall logs all that information but correlating it to view is sketchy at best with our current implementation.
We know on viewdesktops there is a set of keys in VolitateEnviroment that contains stuff such as source ip and username, etc.
We have a script in place that, when run as a logon script attached to a user account in AD collects the information as we need it.
If we have a GPO run the same script the information does not get collected.
We feel like there is a piece of the puzzle we're missing but we don't know what. If anyone knows what we're forgetting or misconfiguring that would be great, or if you have a better way of us collecting external source ip's for view specifically we'd be interested in that as well.
Thanks,
EDIT CODE
Batch script to dump to text file @echo off timeout 20 echo %computername%/%username% %time% %date% >>c:\vdi\vmware.txt echo ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>>c:\vdi\vmware.txt reg query "HKEY_CURRENT_USER\Volatile Environment" /v "ViewClient_LoggedOn_Username">>c:\vdi\vmware.txt reg query "HKEY_CURRENT_USER\Volatile Environment" /v "ViewClient_IP_Address">>c:\vdi\vmware.txt echo.>>c:\vdi\vmware.txt
VB Script to display values Const HKEY_CURRENT_USER = &H80000001 Set wmiLocator=CreateObject("WbemScripting.SWbemLocator") Set wmiNameSpace = wmiLocator.ConnectServer(".", "root\default") Set objRegistry = wmiNameSpace.Get("StdRegProv") sPath = "Volatile Environment" lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClien_Machine_Name", vMachine) lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClien_IP_Address", vIP) lRC = objRegistry.GetStringValue(HKEY_CURRENT_USER, sPath, "ViewClien_MAC_Address", vMAC) msgbox "The Remote Device Name is " & vMachine & " @ " & vIP & " (" & vMAC & ") "
he wanted me to mention that the batch file actually runs and I can see it counting down when I reconnect but it does not grab the registry values.
I managed to get the source IP, username, and time all in one text file EVERY time a user connects using the View client to a Windows VM, whether they logoff or not. There is a GPO I found from the View templates called CommandtoRunOnConnect and CommandtoRunOnReConnect. Using those we can execute a script that pulls information from View and use them to our liking. Since this GPO is not executing a Logon script, I believe it executes using the local SYSTEM account.
The trick was to use environment variables instead of registry keys. I believe because the script had to be run at connection as the local SYSTEM account, the keys for the user were not accessible. Instead the script just says %Viewclient_IP_Address% and that's it. Feel free to post that on the user forum. The documentation for this doesn't make mention to these because the variables weren't written by default in 4.6.
Thanks for all the help