[clue-tech] remote access to Windows network from Linux

Dennis J Perkins dennisjperkins at comcast.net
Wed Sep 22 20:14:25 MDT 2010


On Wed, 2010-09-22 at 17:31 -0600, Nate Duehr wrote:

> On 9/22/2010 4:52 PM, David L. Willson wrote: 
> 
> > Nate: Turning off ping responses ~does~ "add security", just like
> > running ssh on a non-default port, and not returning specific
> > version numbers for PHP, and other things of that sort. Not
> > providing more info/access than needed is part of a good security
> > policy.  Turning off ping responses ~might~ be appropriate,
> > depending on the circumstances.
> > 
> 
> 
> I was including his circumstances, and it was only a side-comment
> anyway... thus the asterisk. :-)
> 
> - If someone inside your network is pinging things they shouldn't,
> your "security" already failed.  
> - If you don't trust your own employees, you made a very very big
> hiring error.  We're talking about his internal network here, I
> assumed but your question about whether or not the system is in the
> DMZ would change that... good question.  
> 
> (DMZ, labs, customer visit drops into conference rooms, etc... I would
> agree with you. But not desktop drops.  Ping should work.  No need to
> act like the TSA and have "Security Theater".  Heh heh.)
> 
> 
> > OTOH, once on the same IP subnet, an arp request is rarely (never)
> > declined, and so might make a better test.
> > 
> 
> 
> I hadn't gone into steps 2, 3, 4, 5, 6... yes, taking the machine to
> the office and trying it would be one (highly annoying) test that
> would make sure the RDP viewer even works. (+1 for getting rid of
> desktop machines, and buying only laptops!)
> 
> It should be possible to troubleshoot without doing that, however.
> 
> 
> > Dennis: Are you sure the VPN needs to be up to get to the TS? There
> > are an increasing number of networks with TS available directly to
> > the Internet.
> > 
> 
> Good question.  
> 
> Some companies do set up their Windows TS environments to be
> accessible from both inside and outside, since connections *can* be
> encrypted and authenticated with encryption. 
> 
> How to tell: Do you have to be on the VPN on a Windows box to access
> the TS?  How does the TS do the authentication with the native OS
> machines (Windows)... password? NTLM? Details needed prior to
> connecting to it with a non-standard OS and non-standard software. :-)
> 
> 
> > When you get the VPN up, what does 'ifconfig' look like? How about
> > 'ip route' or 'netstat -rn'? Does /etc/resolv.conf get modified?
> > Does the name of your TS end with .local? Can you dig it (the TS
> > name) (before/after) the VPN is up?
> > 
> 
> 
> Good questions.
> 
> At the end of the day, the answer really is... on any corporate
> network... "Talk to your IT person and see if they want you connecting
> a Linux box to the RDP-based Terminal Server."  If not, have 'em give
> ya a laptop.  :-)
> 
> (I always worry when I see questions like this that we're all helping
> someone bust company policy... someone busting policy on their own is
> one thing... doing it with my help... is totally another thing...)
> 
> (GRIN!!)
> 
> Nate 
> 
> _______________________________________________
> clue-tech mailing list
> clue-tech at cluedenver.org
> http://cluedenver.org/mailman/listinfo/clue-tech


They were rather astonished that anyone would want to use anything other
than Windows.  They don't know if Linux can access our network or not,
so I'm on my own.  They did provide a few IP addresses that might be
useful, like DNS servers.
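The checks David and Nate list above (is the VPN interface up, what does the routing table say, did resolv.conf change, does the TS name end in .local, does the name resolve, and is the RDP port actually reachable) gathered into one script. This is an added example, not code posted by anyone in the thread; the hostname ts01.corp.example, the interface name tun0, and the resolv.conf and route lines used as sample input are constructed.

```shell
#!/usr/bin/env bash
# rdp-diag.sh: sanity-check a Linux box's path to a Windows Terminal Server
# over a corporate VPN before blaming the RDP client.
# Usage: ./rdp-diag.sh [ts-hostname] [vpn-interface]
# (hostname ts01.corp.example and interface tun0 are assumed defaults)
set -u

RDP_PORT=3389   # standard RDP / Terminal Services port

# Print only the nameserver/search/domain lines of resolv.conf-style text on
# stdin, with comments and blank lines stripped. Compare the output before and
# after bringing the VPN up: if nothing changes, the VPN client is not pushing
# DNS and internal names (and anything under .local) will not resolve.
parse_resolv() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' |
        awk '$1=="nameserver"||$1=="search"||$1=="domain"{print}'
}

# Return 0 if the name ends in .local. That zone is normally mDNS (avahi /
# Bonjour) territory on Linux, so unicast DNS may never answer for it unless
# the VPN's own resolver is in use.
is_mdns_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# Given `ip route` output on stdin and an interface name, print the routes
# that leave via that interface. Empty output means the VPN came up but
# nothing is actually routed across it (split tunnel misconfigured).
routes_via() {
    awk -v ifc="$1" '{ for (i = 1; i < NF; i++)
                         if ($i == "dev" && $(i+1) == ifc) print }'
}

# TCP connect test without relying on nc: bash opens /dev/tcp/HOST/PORT as a
# socket and timeout(1) bounds the wait. Returns 0 if the port accepted the
# connection, non-zero if refused, filtered, unresolvable or timeout missing.
tcp_open() {
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

diag() {
    local ts="${1:-ts01.corp.example}" vpn_if="${2:-tun0}"
    echo "== interface $vpn_if"
    ip -brief addr show "$vpn_if" 2>/dev/null \
        || echo "  no interface $vpn_if: is the VPN up?"
    echo "== routes via $vpn_if (empty = VPN carries no traffic)"
    ip route 2>/dev/null | routes_via "$vpn_if"
    echo "== resolver (/etc/resolv.conf)"
    parse_resolv </etc/resolv.conf
    echo "== name resolution for $ts"
    is_mdns_name "$ts" && echo "  note: .local is an mDNS zone; plain DNS may not answer"
    getent hosts "$ts" \
        || echo "  unresolved: try the VPN-provided server directly: dig @<vpn-dns> $ts"
    echo "== TCP $RDP_PORT on $ts"
    if tcp_open "$ts" "$RDP_PORT"; then
        echo "  open: the client is worth trying, e.g. rdesktop -u USER -d DOMAIN $ts"
    else
        echo "  closed/filtered: routing, DNS or a firewall, not the RDP client"
    fi
}

# Run the live checks only when arguments are given, so the helpers can be
# sourced and exercised on constructed input without touching the network.
if [ $# -gt 0 ]; then
    diag "$@"
fi
```

The three helpers are deliberately pure (text in, text out) so the interesting comparisons, resolv.conf and the route table with the VPN down versus up, can be captured once and diffed rather than eyeballed; the one network action, tcp_open, settles the question of whether the TS is even reachable before any authentication (NTLM or otherwise, as asked above) comes into play.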