[THIN] Re: How can I keep people from seeing my server

  • From: Mark Lee <marklee15@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 22 Aug 2002 13:36:28 +0100 (BST)

Try lockdown from http://www.wizbang.org.uk

This utility (replacement Gina) is in its second
version and will allow you to block ICA or RDP
access to systems in the following ways:

Block/Disable use of Initial Application settings from
the client

Block/Disable use of Interactive Logins

Block/Disable use of Published Applications

The above three are selective - you can, therefore, set
a system up to only allow Published Application
connections, then exclude certain admin IPs to allow
the use of ANY connection type (e.g. from your home
or office PCs!).

Therefore, your servers can face that big nasty
internet thingy but a port scanning user cannot point
an ICA client at your server and get a login prompt!

Oh, and it's free :-)


ML


--- "Rowlandson, John" <John.Rowlandson@xxxxxxxxxxxxx> wrote:
>
> Mallesons Stephen Jaques
> www.mallesons.com
> 
> Confidential communication
> 
> 
> 
> if you put 1494 out on the net, people will port scan you and
> see 1494 and immediately point an ICA client at your IP....
>
> you can't stop that.
>
> use CSG or firewall sessions like we currently do, after you
> give your username and securid details to a web page on our
> Fwall 1494 is opened for your session thru the MF servers
> 
> 
> roly
> 
> -----Original Message-----
> From: Adam_Baum@xxxxxxxxxxxxx
> [mailto:Adam_Baum@xxxxxxxxxxxxx]
> Sent: Thursday, 22 August 2002 8:21 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: How can I keep people from
> seeing my server
> 
> 
> 
> 
> Yes.  No one has succeeded in logging in since they don't have
> a valid account.  I wouldn't say completely exposed.  Our router
> filters out all traffic except port 1494.
>
> It's very hard for us to do VPN because too many users have too
> many machines (I have 5).  We also let our external business
> partners in (just a teeny bit) via metaframe.  We don't have the
> $$$ for a good hardware VPN solution.  Also, depending on which
> VPN solution you use, most of our users don't have static IP
> addresses.
>
> As for CSG, I am not familiar with it but if it's connected to
> the Internet, people can hack it too.
> 
> 
> 
> 
> From: "Chris Lynch" <lynch00@xxxxxxt>
> Sent by: thin-bounce@freelists.org
> Date: 08/21/2002 03:12 PM
> Please respond to thin
> To: <thin@xxxxxxxxxxxxx>
> cc:
> Subject: [THIN] Re: How can I keep people from seeing my server
> 
> 
> 
> You mean someone is trying to login to your MF server when it is
> completely exposed to the Internet?  Why don't you have CSG
> implemented, or only allow access for external users through a
> VPN connection?  There are many hack techniques out there that
> someone "could" bring your server down, or worse gain access and
> steal data.
> 
> Just my humble opinion.
> 
> CHRIS LYNCH -  MCSE, CCNA, CCA
> NETWORK ENGINEER - INFORMATION TECHNOLOGY
> NRT Incorporated, 27271 Las Ramblas, Mission Viejo,
> CA 92691
> Chris.lynch@xxxxxxxxxx  Tel 949.367.3406
> 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> On Behalf Of Adam_Baum@xxxxxxxxxxxxx
> Sent: Wednesday, August 21, 2002 2:57 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] How can I keep people from seeing my server
> 
> Hi Folks,
>
> On a W2K SP2, XPe FR2 system.  I've disabled all the "respond to
> ICA broadcasts" and I've unchecked all the "Create browser
> listener on ...".  I'm still getting invalid logons.  These don't
> look targeted.  More like something is broadcasting/responding.
> My MF 1.8 server doesn't do this and I can't determine what is
> different between them.  I should mention that these servers are
> used for remote access so they are Internet connected.
>
> Other than the farm checkbox of responding to RAS broadcasts
> (won't let me disable it), everything appears to be set up
> correctly.  Given that my servers are 1 ip address away from each
> other, I can't see how one is getting hit (on purpose) and not
> the other.
>
> I've also made sure the router is configured the same for both
> ports.
>
> Any ideas?
> 
> adam

===================================
This weeks Sponsor:
ThinPrint
- High resolution, DRIVER FREE PRINTING with no loss of quality in color.
- Removes print spooling and rendering tasks from your terminal server.
http://www.thinprint.com
===================================
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm
