[clue-tech] remote access to Windows network from Linux

Nate Duehr nate at natetech.com
Wed Sep 22 17:31:09 MDT 2010


  On 9/22/2010 4:52 PM, David L. Willson wrote:
> Nate: Turning off ping responses ~does~ "add security", just like 
> running ssh on a non-default port, and not returning specific version 
> numbers for PHP, and other things of that sort. Not providing more 
> info/access than needed is part of a good security policy.  Turning 
> off ping responses ~might~ be appropriate, depending on the circumstances.

I was including his circumstances, and it was only a side-comment 
anyway... thus the asterisk. :-)

- If someone inside your network is pinging things they shouldn't, 
your "security" already failed.
- If you don't trust your own employees, you made a very very big hiring 
error.  We're talking about his internal network here, I assumed, but 
your question about whether or not the system is in the DMZ would change 
that... good question.

(DMZ, labs, customer visit drops into conference rooms, etc... I would 
agree with you. But not desktop drops.  Ping should work.  No need to 
act like the TSA and have "Security Theater".  Heh heh.)

> OTOH, once on the same IP subnet, an arp request is rarely (never) 
> declined, and so might make a better test.

I hadn't gone into steps 2, 3, 4, 5, 6... yes, taking the machine to the 
office and trying it would be one (highly annoying) test that would make 
sure the RDP viewer even works. (+1 for getting rid of desktop machines, 
and buying only laptops!)

It should be possible to troubleshoot without doing that, however.

> Dennis: Are you sure the VPN needs to be up to get to the TS? There 
> are an increasing number of networks with TS available directly to the 
> Internet.

Good question.

Some companies do set up their Windows TS environments to be accessible 
from both inside and outside, since connections *can* be encrypted and 
authenticated with encryption.

How to tell: Do you have to be on the VPN on a Windows box to access the 
TS?  How does the TS do the authentication with the native OS machines 
(Windows)... password? NTLM? Details needed prior to connecting to it 
with a non-standard OS and non-standard software. :-)

> When you get the VPN up, what does 'ifconfig' look like? How about 'ip 
> route' or 'netstat -rn'? Does /etc/resolv.conf get modified? Does the 
> name of your TS end with .local? Can you dig it (the TS name) 
> (before/after) the VPN is up?

Good questions.

At the end of the day, the answer really is... on any corporate 
network... "Talk to your IT person and see if they want you connecting a 
Linux box to the RDP-based Terminal Server."  If not, have 'em give ya a 
laptop.  :-)

(I always worry when I see questions like this that we're all helping 
someone bust company policy... someone busting policy on their own is 
one thing... doing it with my help... is totally another thing...)

(GRIN!!)

Nate
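An added example, not from this thread or from any of the posters: a small shell script that captures the things David asked about (interfaces, routes, /etc/resolv.conf, and what the Terminal Server name resolves to) once with the VPN down and once with it up, then diffs the two snapshots and tries TCP 3389 to the TS. The TS name ts.example.local, the snapshot directory under /tmp and the script name are assumptions; override TS_HOST in the environment.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Usage:  sh vpn-rdp-check.sh before    (run with the VPN down)
#         sh vpn-rdp-check.sh after     (run with the VPN up)
#         sh vpn-rdp-check.sh compare   (diff the two snapshots)

TS_HOST="${TS_HOST:-ts.example.local}"     # assumed TS name; override per site
SNAP_DIR="${SNAP_DIR:-/tmp/vpncheck}"      # assumed snapshot location
RDP_PORT=3389                              # default RDP/Terminal Services port

# A name ending in .local is normally answered by mDNS/Avahi (or Windows
# broadcast name resolution), not by the DNS servers the VPN pushes, so a
# .local TS name that works on a Windows laptop may never resolve over the VPN.
is_mdns_name() {
    case "$1" in
        *.local|*.local.) return 0 ;;
        *)                return 1 ;;
    esac
}

# Write one snapshot of the network state into directory $1.
# Falls back to ifconfig/netstat where the ip(8) tools are missing.
snapshot() {
    dir="$1"
    mkdir -p "$dir"
    ip -o addr show > "$dir/addr" 2>/dev/null || ifconfig -a > "$dir/addr" 2>&1
    ip route show   > "$dir/route" 2>/dev/null || netstat -rn > "$dir/route" 2>&1
    cat /etc/resolv.conf > "$dir/resolv" 2>&1
    dig +short "$TS_HOST" > "$dir/dig" 2>/dev/null \
        || getent hosts "$TS_HOST" > "$dir/dig" 2>/dev/null \
        || echo "no answer" > "$dir/dig"
}

# Print routes present in route file $2 but not in route file $1,
# i.e. what bringing the VPN up added. Order of $2 is preserved.
routes_added() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Is TCP port $2 on host $1 reachable? Uses bash's /dev/tcp so no nc is needed.
tcp_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

compare() {
    b="$SNAP_DIR/before"; a="$SNAP_DIR/after"
    echo "== routes added by the VPN =="
    routes_added "$b/route" "$a/route"
    echo "== /etc/resolv.conf changes (before vs after) =="
    diff "$b/resolv" "$a/resolv" || true
    echo "== $TS_HOST resolution: before / after =="
    cat "$b/dig"; echo "---"; cat "$a/dig"
    if is_mdns_name "$TS_HOST"; then
        echo "note: $TS_HOST is a .local name; mDNS, not the VPN's DNS, is expected to answer it"
    fi
    echo "== TCP $RDP_PORT to $TS_HOST with the VPN up =="
    if tcp_open "$TS_HOST" "$RDP_PORT"; then echo "open"; else echo "closed, filtered or unresolved"; fi
}

# With no argument the script only defines the functions above.
case "${1:-}" in
    before|after) snapshot "$SNAP_DIR/$1" ;;
    compare)      compare ;;
    "")           : ;;
    *)            echo "usage: $0 before|after|compare" >&2; exit 2 ;;
esac
```

If "compare" shows no new routes and no resolv.conf change, the VPN client is not pushing anything and the TS is presumably reachable (or not) regardless of the tunnel, which answers Dennis's question before anyone carries the box into the office.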

