<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 9/22/2010 4:52 PM, David L. Willson wrote:
<blockquote
cite="mid:266500.861285195944872.JavaMail.dlwillson@dlwillson-laptop"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: Times New Roman; font-size: 12pt; color:
rgb(0, 0, 0);">
<style>p { margin: 0; }</style>
<div style="font-family: Times New Roman; font-size: 12pt;
color: rgb(0, 0, 0);">Nate: Turning off ping responses ~does~
"add security", just like running ssh on a non-default port,
and not returning specific version numbers for PHP, and other
things of that sort. Not providing more info/access than
needed is part of a good security policy. Turning off ping
responses ~might~ be appropriate, depending on the
circumstances.<br>
</div>
</div>
</blockquote>
<br>
I was including his circumstances, and it was only a side-comment
anyway... thus the asterisk. :-)<br>
<br>
- If someone inside your network is pinging things they
shouldn't, your "security" already failed.<br>
- If you don't trust your own employees, you made a very very big
hiring error. We're talking about his internal network here, I
assumed, but your question about whether or not the system is in the
DMZ would change that... good question.<br>
<br>
(DMZ, labs, customer visit drops into conference rooms, etc... I
would agree with you. But not desktop drops. Ping should work. No
need to act like the TSA and have "Security Theater". Heh heh.)<br>
<br>
<blockquote
cite="mid:266500.861285195944872.JavaMail.dlwillson@dlwillson-laptop"
type="cite">
<div style="font-family: Times New Roman; font-size: 12pt; color:
rgb(0, 0, 0);">
<div style="font-family: Times New Roman; font-size: 12pt;
color: rgb(0, 0, 0);">OTOH, once on the same IP subnet, an arp
request is rarely (never) declined, and so might make a better
test.<br>
</div>
</div>
</blockquote>
<br>
I hadn't gone into steps 2, 3, 4, 5, 6... yes, taking the machine to
the office and trying it would be one (highly annoying) test that
would make sure the RDP viewer even works. (+1 for getting rid of
desktop machines, and buying only laptops!)<br>
<br>
It should be possible to troubleshoot without doing that, however.<br>
<br>
<blockquote
cite="mid:266500.861285195944872.JavaMail.dlwillson@dlwillson-laptop"
type="cite">
<div style="font-family: Times New Roman; font-size: 12pt; color:
rgb(0, 0, 0);">
<div style="font-family: Times New Roman; font-size: 12pt;
color: rgb(0, 0, 0);">Dennis: Are you sure the VPN needs to be
up to get to the TS? There are an increasing number of
networks with TS available directly to the Internet.<br>
</div>
</div>
</blockquote>
Good question. <br>
<br>
Some companies do set up their Windows TS environments to be
accessible from both inside and outside, since connections *can* be
encrypted and authenticated with encryption. <br>
<br>
How to tell: Do you have to be on the VPN on a Windows box to access
the TS? How does the TS do the authentication with the native OS
machines (Windows)... password? NTLM? Details needed prior to
connecting to it with a non-standard OS and non-standard software.
:-)<br>
<br>
<blockquote
cite="mid:266500.861285195944872.JavaMail.dlwillson@dlwillson-laptop"
type="cite">
<div style="font-family: Times New Roman; font-size: 12pt; color:
rgb(0, 0, 0);">
<div style="font-family: Times New Roman; font-size: 12pt;
color: rgb(0, 0, 0);">When you get the VPN up, what does
'ifconfig' look like? How about 'ip route' or 'netstat -rn'?
Does /etc/resolv.conf get modified? Does the name of your TS
end with .local? Can you dig it (the TS name) (before/after)
the VPN is up?<br>
</div>
</div>
</blockquote>
<br>
Good questions.<br>
<br>
At the end of the day, the answer really is... on any corporate
network... "Talk to your IT person and see if they want you
connecting a Linux box to the RDP-based Terminal Server." If not,
have 'em give ya a laptop. :-)<br>
<br>
(I always worry when I see questions like this that we're all
helping someone bust company policy... someone busting policy on
their own is one thing... doing it with my help... is totally
another thing...)<br>
<br>
(GRIN!!)<br>
<br>
Nate <br>
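<br>
As an added example (not from this thread or either poster), a small POSIX shell script that captures what David's quoted checklist asks about (interfaces, routes, resolv.conf, and whether the TS name resolves) before and after the VPN comes up, then diffs the two snapshots. It assumes iproute2 and dig are installed, with ifconfig/netstat as fallbacks; TS_NAME and the vpn-*.txt file names are placeholders.<br>

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the host state the quoted
# checklist asks about before and after the VPN comes up, then diff the two.
# Assumes iproute2 (with ifconfig/netstat as fallbacks) and dig are installed.
# TS_NAME is a placeholder for the real Terminal Server hostname.

# Print nameserver addresses from resolv.conf-style text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print the search/domain list from resolv.conf-style text on stdin.
resolv_search() {
    awk '$1 == "search" || $1 == "domain" { $1 = ""; sub(/^ /, ""); print }'
}

# 0 if the name ends in .local: that suffix is reserved for mDNS (RFC 6762),
# so a resolver may try multicast for it instead of the DNS the VPN pushed.
tsname_is_local() {
    case "$1" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# vpn_snapshot <label> <ts-name>: write interfaces, routes, DNS settings and
# the TS name's resolution to vpn-<label>.txt and print that file name.
vpn_snapshot() {
    label="$1"; ts="$2"; out="vpn-$label.txt"
    {
        echo "== interfaces"; ip -brief addr 2>/dev/null || ifconfig -a
        echo "== routes";     ip route 2>/dev/null || netstat -rn
        echo "== nameservers"; resolv_nameservers < /etc/resolv.conf
        echo "== search";      resolv_search < /etc/resolv.conf
        echo "== $ts resolves to"; dig +short "$ts" || echo "(lookup failed)"
        if tsname_is_local "$ts"; then echo "note: .local name, may go to mDNS"; fi
    } > "$out"
    echo "$out"
}

# vpn_diff <label-before> <label-after>: show what the VPN changed.
vpn_diff() {
    diff -u "vpn-$1.txt" "vpn-$2.txt"
}
```

Source the file, run <code>vpn_snapshot before TS_NAME</code>, bring the VPN up, run <code>vpn_snapshot after TS_NAME</code>, then <code>vpn_diff before after</code> shows exactly which routes, nameservers and search domains the VPN added.<br>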
</body>
</html>