Obviously this script will only return a list of client IPs and names. If there is a problem with spoofed IP addresses or bogus client names then you have bigger fish to fry. Time for a security assessment.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of ALEX .
Sent: Thursday, September 01, 2005 2:31 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Be aware: RE: Re: Client IP

Be aware that Client IP (provided by either RDP or ICA client to TS or Citrix server) can be easily faked and cannot be fully trusted.

This can be easily demonstrated, for example, by running an SSH server and SSH client on the client system where you run the RDP or ICA client from, and establishing your connection through a local tunnel. The most simple "fake" client IP is 127.0.0.1, or any IP address that you run your local SSH server on. Even better - run your SSH server using an IP address as if it is from the target network - any admin that is not familiar with this possibility will have a heart attack since your client will appear to be coming from their local network.

Here is an example - http://www.ishadow.com/docs/snaps/ssh_snap.gif

First - user "administrator" (any name will do ;) connects to the target server without the local SSH contraption - the local client IP address is exposed to the target server and is 192.168.255.33 (will be reported by either ICA or RDP, here it is RDP).

Now our user connects to the same server through an SSH tunnel (again, SSH client and server are on the same machine as the RDP client for simplicity's sake). What is the result? We do see the same client name (in this example it is MSFT), the same user, but... a preset IP address 123.123.123.123.

So, what is the conclusion? Most people will not attempt to do this exercise, however those that will are of the most interest.
If you plan to buy software for your corporate TS or Citrix implementation, or are working on an app or script of your own, to be able to prevent these "bad guys" from hitting your server by using the RDP or ICA client provided IP address, or to log this data - BE AWARE IT MIGHT NOT WORK AS DESIRED. This is true for either MFCOM collected information (as in the original example below) or APIs (both Microsoft WTSAPI32 or Citrix WFAPI).

And of course, client name can be a fake too.

ALEX

>From: "Mike Semon" <msemon@xxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Client IP
>Date: Wed, 31 Aug 2005 13:06:58 -0500
>
>You might try the following VB Script
>
>To generate a list of users and their client IP addresses.
>
>Save the following code to a file named users.vbs and run it with the
>command cscript users.vbs. It lists all users in the farm and their IP
>addresses:
>
>' Connect to the farm through MFCOM
>Set objFarm = CreateObject("MetaFrameCOM.MetaFrameFarm")
>objFarm.Initialize(1)
>
>' Print the user name and client-reported address of every session
>For Each objSession In objFarm.Sessions
>    WScript.Echo "User name : " & objSession.UserName
>    WScript.Echo "IP Address: " & objSession.ClientAddress
>Next
>
>-Mike
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
>Behalf Of rick.mattingly@xxxxxxxxxx
>Sent: Wednesday, August 31, 2005 12:20 PM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Client IP
>
>
>Is there any way to capture a User's client IP upon their logon? The
>information is there when I look at session information of the user, but
>not sure how to capture it.
>
>My Environment
>
>XPe 1.0 FR3
>VB script for the logon script
>Windows 2003
>
>Thanks,
>Enterprise Server Team
>Rick Mattingly
>
>The information transmitted is intended only for the person or entity to
>which it is addressed and may contain confidential and/or privileged
>material.
>Any review, re-transmission, dissemination or other use of, or
>taking of any action in reliance upon, this information by persons or
>entities other than the intended recipient is prohibited. If you received
>this in error, please contact the sender and delete the material from any
>computer.
>
>********************************************************
>This Weeks Sponsor: triCerat Inc.
>You need Day Zero Protection!
>Get Proactive with triCerat's Simplify Suite.
>Solve printing, security and profile problems before they occur.
>http://www.tricerat.com/?thethintl2
>**********************************************************
>Useful Thin Client Computing Links are available at:
>http://thin.net/links.cfm
>ThinWiki community - Excellent SBC Search Capabilities!
>http://www.thinwiki.com
>***********************************************************
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thin.net/citrixlist.cfm
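
An added example, not part of the original thread: a Python check that treats the client-reported address as a claim and compares it with the TCP peer address the server side observed for the same session. The session records, `INTERNAL_NETS` and the function names are constructed assumptions, as is the availability of a per-session peer address (for instance from a firewall or connection log); a NAT between client and server also produces a legitimate mismatch.

```python
import ipaddress

# Assumed: networks the server side regards as internal (constructed value).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def assess(reported, peer, internal_nets=INTERNAL_NETS):
    """Return reasons not to trust a client-reported address.

    reported: address the RDP/ICA client announced for the session
    peer:     remote address of the TCP connection as seen by the server
    """
    try:
        rep = ipaddress.ip_address(reported)
    except ValueError:
        return ["unparseable"]
    peer_ip = ipaddress.ip_address(peer)
    findings = []
    # 127.0.0.1 and similar can never be a real remote client.
    if rep.is_loopback or rep.is_unspecified or rep.is_link_local:
        findings.append("non-routable")
    # The client's claim disagrees with what the network saw.
    if rep != peer_ip:
        findings.append("mismatch")
    # The claim places the client on the internal network, the transport does not.
    claims_inside = any(rep in net for net in internal_nets)
    peer_inside = any(peer_ip in net for net in internal_nets)
    if claims_inside and not peer_inside:
        findings.append("claims-internal")
    return findings

def review(sessions):
    """Map each flagged (user, client name, reported) tuple to its findings."""
    flagged = {}
    for user, client_name, reported, peer in sessions:
        findings = assess(reported, peer)
        if findings:
            flagged[(user, client_name, reported)] = findings
    return flagged

# Constructed sessions using the addresses mentioned in the thread.
SAMPLE_SESSIONS = [
    ("administrator", "MSFT", "192.168.255.33", "192.168.255.33"),   # direct
    ("administrator", "MSFT", "123.123.123.123", "192.168.255.33"),  # preset address
    ("administrator", "MSFT", "127.0.0.1", "192.168.255.33"),        # loopback
    ("administrator", "MSFT", "10.20.1.5", "192.168.255.33"),        # poses as internal
]

if __name__ == "__main__":
    for key, findings in review(SAMPLE_SESSIONS).items():
        print(key, findings)
```

When logging sessions, record both the reported and the observed address so that a later review can see the disagreement rather than only the client's claim.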