-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No they can't hack into the CSG (unless you have the STA Ticket Timeout configured too long). The CSG uses a ticketing system, and if you have the ticket authority exposed to the Internet, then yes they could.

Even if you only have TCP 1494 and maybe 3389 open to the Internet, a hacker could still get in. Just search for ICA or Citrix at http://neworder.box.sk and you will find quite a few docs on how to hack/crash a Citrix server. There are probably hotfixes for these techniques, but do you really want to have your boss or the owner of the company ask how someone had got into your systems via an ICA connection, or RDP connection?

Look at the CSG to secure your environment. It is probably the best product out there, and it is EASY to set up. If you want, I have not only a document that explains how to install the CSG along with Nfuse (which is required). Also, you would have to upgrade the MF 1.8 server to Windows 2000 and MF XP with FR2 in order to implement CSG 1.1.

Email me offline if you want to discuss this further.

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam_Baum@xxxxxxxxxxxxx
Sent: Wednesday, August 21, 2002 3:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How can I keep people from seeing my server

Yes. No one has succeeded in logging in since they don't have a valid account. I wouldn't say completely exposed. Our router filters out all traffic except port 1494.

It's very hard for us to do VPN because too many users have too many machines (I have 5). We also let our external business partners in (just a teeny bit) via metaframe. We don't have the $$$ for a good hardware VPN solution.
Also, depending on which VPN solution you use, most of our users don't have static IP addresses.

As for CSG, I am not familiar with it but if it's connected to the Internet, people can hack it too.

"Chris Lynch" <lynch00@xxxxxxt>
Sent by: thin-bounce@freelists.org
08/21/2002 03:12 PM
Please respond to thin
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: How can I keep people from seeing my server

You mean someone is trying to log in to your MF server when it is completely exposed to the Internet? Why don't you have CSG implemented, or only allow access for external users through a VPN connection? There are many hack techniques out there that someone "could" bring your server down, or worse gain access and steal data.

Just my humble opinion.

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam_Baum@xxxxxxxxxxxxx
Sent: Wednesday, August 21, 2002 2:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] How can I keep people from seeing my server

Hi Folks,

On a W2K SP2, XPe FR2 system. I've disabled all the "respond to ICA broadcasts" and I've unchecked all the "Create browser listener on ...". I'm still getting invalid logons. These don't look targeted. More like something is broadcasting/responding.

My MF 1.8 server doesn't do this and I can't determine what is different between them. I should mention that these servers are used for remote access so they are Internet connected.

Other than the farm checkbox of responding to RAS broadcasts (won't let me disable it), everything appears to be set up correctly. Given that my servers are 1 ip address away from each other, I can't see how one is getting hit (on purpose) and not the other.
I've also made sure the router is configured the same for both ports.

Any ideas?

adam

===================================
This weeks Sponsor: ThinPrint
- High resolution, DRIVER FREE PRINTING with no loss of quality in color.
- Removes print spooling and rendering tasks from your terminal server.
http://www.thinprint.com
===================================
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPWQZAPl56xfvzmMfEQJM5QCfVXygVpXSof0eLm7cvPR+Tlx2UEkAnR8M
/MnThLLbWAfJVxPduVGr31hL
=c7Ek
-----END PGP SIGNATURE-----