[THIN] Re: How can I keep people from seeing my server
- From: "Chris Lynch" <lynch00@xxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 21 Aug 2002 15:49:36 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
No they can't hack into the CSG (unless you have the STA Ticket
Timeout configured too long). The CSG uses a ticketing system, and
if you have the ticket authority exposed to the Internet, then yes
they could.
Even if you only have TCP 1494 and maybe 3389 open to the Internet, a
hacker could still get in. Just search for ICA or Citrix at
http://neworder.box.sk and you will find quite a few docs on how to
hack/crash a Citrix server. There are probably hotfixes for these
techniques, but do you really want to have your boss or the owner of
the company ask how someone had got into your systems via an ICA
connection, or RDP connection?
Look at the CSG to secure your environment. It is probably the best
product out there, and it is EASY to setup. If you want, I have not
only a document that explains how to install the CSG along with Nfuse
(which is required).
Also, you would have to upgrade the MF 1.8 server to Windows 2000 and
MF XP with FR2 in order to implement CSG 1.1.
Email me offline if you want to discuss this further.
CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx Tel 949.367.3406
- -----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Adam_Baum@xxxxxxxxxxxxx
Sent: Wednesday, August 21, 2002 3:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How can I keep people from seeing my server
Yes. No one has succeeded in logging in since they don't have a
valid
account. I wouldn't say completely exposed. Our router filters out
all
traffic except port 1494.
It's very hard for us to do VPN because too many users have too many
machines (I have 5). We also let our external business partners in
(just a teeny bit) via metaframe. We don't have the $$$ for a good
hardware VPN solution. Also, depening on which VPN solution you use,
most of our users don't have static IP addresses.
As for CSG, I am not familiar with it but if it's connected to the
Internet, people can hack it too.
"Chris Lynch"
<lynch00@xxxxxx To:
<thin@xxxxxxxxxxxxx>
t> cc:
Sent by: Subject: [THIN] Re: How
can I keep people from seeing my server
thin-bounce@fre
elists.org
08/21/2002
03:12 PM
Please respond
to thin
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
You mean someone is trying to login to your MF server when it is
completely exposed to the Internet? Why don't you have CSG
implemented, or only allow access for external users througha VPN
connection? There are many hack techniques out there that someone
"could" bring your server down, or worse gain access and steal data.
Just my humble opinion.
CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx Tel 949.367.3406
- - -----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Adam_Baum@xxxxxxxxxxxxx
Sent: Wednesday, August 21, 2002 2:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] How can I keep people from seeing my server
HI Folks,
On a W2K SP2, XPe FR2 system. I've disabled all the "respond to
ICA broadcasts" and I've unchecked all the the "Create browser
listener on ...". I'm still getting invalid logons. These don't
look targeted. More like something is broadcasting/responding. My
MF 1.8 server doesn't do this and I can't determine what is different
between them. I should mention that these servers are used for
remote access so they are Internet connected.
Other than the farm checkbox of repsonding to RAS broadcasts (won't
let me disable it), everything appears to be setup correctly. Given
that my servers are 1 ip address away from each other, I can't see
how one is getting hit (on purpose) and not the other.
I've also made sure the router is configured the same for both ports.
Any ideas?
adam
===================================
This weeks Sponsor:
ThinPrint
- - High resolution, DRIVER FREE PRINTING with no loss of quality in
color.
- - Removes print spooling and rendering tasks from your terminal
server. http://www.thinprint.com ===================================
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPWQZAPl56xfvzmMfEQJM5QCfVXygVpXSof0eLm7cvPR+Tlx2UEkAnR8M
/MnThLLbWAfJVxPduVGr31hL
=c7Ek
-----END PGP SIGNATURE-----
===================================
This weeks Sponsor:
ThinPrint
- High resolution, DRIVER FREE PRINTING with no loss of quality in color.
- Removes print spooling and rendering tasks from your terminal server.
http://www.thinprint.com
===================================
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm
Other related posts:
