[clue-tech] remote access to Windows network from Linux
Nate Duehr
nate at natetech.com
Wed Sep 22 17:31:09 MDT 2010
On 9/22/2010 4:52 PM, David L. Willson wrote:
> Nate: Turning off ping responses ~does~ "add security", just like
> running ssh on a non-default port, and not returning specific version
> numbers for PHP, and other things of that sort. Not providing more
> info/access than needed is part of a good security policy. Turning
> off ping responses ~might~ be appropriate, depending on the circumstances.
I was including his circumstances, and it was only a side-comment
anyway... thus the asterisk. :-)
- If someone inside your network is pinging things they shouldn't,
your "security" already failed.
- If you don't trust your own employees, you made a very, very big hiring
error. We're talking about his internal network here, I assumed, but
your question about whether or not the system is in the DMZ would change
that... good question.
(DMZ, labs, customer visit drops into conference rooms, etc... I would
agree with you. But not desktop drops. Ping should work. No need to
act like the TSA and have "Security Theater". Heh heh.)
> OTOH, once on the same IP subnet, an arp request is rarely (never)
> declined, and so might make a better test.
I hadn't gone into steps 2, 3, 4, 5, 6... yes, taking the machine to the
office and trying it would be one (highly annoying) test that would make
sure the RDP viewer even works. (+1 for getting rid of desktop machines,
and buying only laptops!)
It should be possible to troubleshoot without doing that, however.
> Dennis: Are you sure the VPN needs to be up to get to the TS? There
> are an increasing number of networks with TS available directly to the
> Internet.
Good question.
Some companies do set up their Windows TS environments to be accessible
from both inside and outside, since connections *can* be encrypted and
authenticated with encryption.
How to tell: Do you have to be on the VPN on a Windows box to access the
TS? How does the TS do the authentication with the native OS machines
(Windows)... password? NTLM? Details needed prior to connecting to it
with a non-standard OS and non-standard software. :-)
> When you get the VPN up, what does 'ifconfig' look like? How about 'ip
> route' or 'netstat -rn'? Does /etc/resolv.conf get modified? Does the
> name of your TS end with .local? Can you dig it (the TS name)
> (before/after) the VPN is up?
Good questions.
At the end of the day, the answer really is... on any corporate
network... "Talk to your IT person and see if they want you connecting a
Linux box to the RDP-based Terminal Server." If not, have 'em give ya a
laptop. :-)
(I always worry when I see questions like this that we're all helping
someone bust company policy... someone busting policy on their own is
one thing... doing it with my help... is totally another thing...)
(GRIN!!)
Nate
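The "before/after the VPN is up" checks David lists (interfaces, routes, /etc/resolv.conf, and whether the Terminal Server name resolves) are easiest to compare if you snapshot them to a file each time and diff the two. The script below is an added example for this thread, not something posted by Nate or David. It assumes iproute2 (`ip`) and `dig` are installed, that the Terminal Server hostname is passed as the first argument (`ts.example.corp` below is a placeholder), and the resolv.conf text it parses in the demo is a constructed sample.

```shell
#!/bin/sh
# vpncheck.sh (added example): snapshot VPN-relevant network state before and
# after the tunnel comes up, then diff the two snapshots.

# Constructed sample resolv.conf content, used only to demonstrate the parsers.
SAMPLE_RESOLV_CONF="nameserver 10.0.0.53
search corp.example
nameserver 10.0.0.54"

# Print "yes" if the name is in the .local domain. On most Linux desktops
# .local is answered by mDNS (Avahi), not by the DNS servers the VPN pushes,
# which is one reason a TS name can work on Windows and not on Linux.
is_local_name() {
    case "$1" in
        *.local|*.local.) echo yes ;;
        *)                echo no ;;
    esac
}

# Print the nameserver addresses from resolv.conf-style text on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print the search/domain suffixes from resolv.conf-style text on stdin.
search_domains() {
    awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }'
}

# Write one snapshot file and print its name. $1 = tag, $2 = TS hostname.
snapshot() {
    tag="$1"; ts="$2"; out="vpn-$tag.txt"
    {
        echo "== interfaces ==";  ip -brief addr
        echo "== routes ==";      ip route
        echo "== resolv.conf =="; cat /etc/resolv.conf
        echo "== nameservers =="; nameservers < /etc/resolv.conf
        echo "== search ==";      search_domains < /etc/resolv.conf
        echo "== dig $ts ==";     dig +short "$ts"
    } > "$out" 2>&1
    echo "$out"
}

main() {
    ts="$1"
    if [ "$(is_local_name "$ts")" = yes ]; then
        echo "note: $ts is a .local name; Linux usually resolves that via mDNS, not the VPN's DNS" >&2
    fi
    before=$(snapshot before "$ts")
    echo "Snapshot written to $before. Bring the VPN up, then press Enter."
    read _dummy
    after=$(snapshot after "$ts")
    # Lines starting with + appeared when the VPN came up (new interface,
    # new routes, new nameservers, a resolved TS address); - lines went away.
    diff -u "$before" "$after"
}

# Only run the interactive part when a hostname is given on the command line,
# e.g.:  sh vpncheck.sh ts.example.corp
if [ $# -gt 0 ]; then
    main "$1"
fi
```

If the diff shows new routes and nameservers but `dig +short` still returns nothing for the TS name after the VPN is up, the problem is name resolution (often a `.local` name or a missing search suffix) rather than the VPN or RDP client; if the name resolves, the next thing to check is whether the RDP port is reachable through the tunnel at all.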