[THIN] Re: Terminal Session security question

  • From: "Jim Kenzig http://thin.ms" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 12 Nov 2008 10:14:27 -0500

Here is what you can do with a hosts file
http://www.mvps.org/winhelp2002/hosts.htm

For GPO in TS check out
http://technet.microsoft.com/en-us/library/cc776790.aspx
http://www.windowsnetworking.com/articles_tutorials/Terminal-Services-Group-Policy.html
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html
http://support.microsoft.com/kb/260370
http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment

Jim Kenzig
Blog: http://www.techblink.com


On Wed, Nov 12, 2008 at 9:55 AM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx> wrote:

>  Nick,
>
> They do need to run Firefox to access the Internet, for FedEx, UPS and DHL,
> they also need to run many compiled Crystal Reports. They do not have
> e-mail, ftp and telnet are locked down at the firewall, incoming and
> outgoing, and the terminals have no disk drives or usable USB ports, so I
> think if we restrict the IPs, it will help, but I would like to do some
> things in the GPO, I just do not have the knowledge on how, so I don't as I
> do not want to totally screw up my AD. Can you recommend a resource for
> learning? I came from a Unix world. :)
>
>
>
> Thank You
>
> -Doug Rooney
> Sonoma Tilemakers
> IT Systems Administrator
> 7750 Bell Rd.
> Windsor Ca, 95492
> (707) 837-8177 X11
> (707) 837-9472 FAX
> it@xxxxxxxxxxxxxxxxxxxx
>
>
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Nick Smith
> *Sent:* Wednesday, November 12, 2008 2:16 AM
>
> *To:* 'thin@xxxxxxxxxxxxx'
> *Subject:* [THIN] Re: Terminal Session security question
>
>
>
> Doug,
>
> If you allow your users to run executables they will. Via email, web, ftp,
> from their fat disks, hey, telnet; someone will find a way.
>
>
>
> Use GPO to allow only approved executables to run and you don't need to
> worry about the rest.
>
>
>
> I found this quite scary until I actually tried it, and then I just
> breathed easier.
>
>
>
> Nick
>
>
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jim Kenzig http://thin.ms
> *Sent:* 11 November 2008 18:22
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Terminal Session security question
>
>
>
> Nope just dhl.com will suffice.  Yeah they might be able to circumvent
> with an IP but if the site is set up right it should convert it to a domain
> and lock it out.
> Jim Kenzig
> Blog: http://www.techblink.com
>
> On Tue, Nov 11, 2008 at 1:13 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx>
> wrote:
>
> Jim,
>
> I was thinking of doing that, but for example DHL has several valid IP
> addresses for www.dhl.com, do I have to figure out and enter every valid
> possibility, and then how do I tell it everything else goes to 127.0.0.1,
> also if they type in an IP, I am guessing this will not work?
>
>
>
> Thank You
>
> -Doug Rooney
> Sonoma Tilemakers
> IT Systems Administrator
> 7750 Bell Rd.
> Windsor Ca, 95492
> (707) 837-8177 X11
> (707) 837-9472 FAX
> it@xxxxxxxxxxxxxxxxxxxx
>
>
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Jim Kenzig http://thin.ms
> *Sent:* Tuesday, November 11, 2008 9:20 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: Terminal Session security question
>
>
>
> Use the Windows hosts file to control which URLs they can and can't get to.
> Point the rogue sites to 127.0.0.1 and they will never get there.
> Jim Kenzig
> Blog: http://www.techblink.com
>
> On Tue, Nov 11, 2008 at 12:11 PM, Doug Rooney <Doug@xxxxxxxxxxxxxxxxxxxx>
> wrote:
>
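
The hosts-file questions raised in this thread (several addresses per site, sending "everything else" to 127.0.0.1, users typing an IP) all come down to how the file is matched. The Python below is an added example, not code from any poster on the list; the sample file and the `example.test` names are constructed, and treating the first entry for a duplicated name as the winner is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Windows hosts-file syntax; all names are placeholders.
SAMPLE_HOSTS = """\
# address    name(s)
127.0.0.1    localhost
127.0.0.1    games.example.test  video.example.test   # blocked sites
0.0.0.0      ads.example.test
10.0.0.25    reports.example.test
"""

def parse_hosts(text):
    """Return {lowercased name: address}. Assumption: first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: skip the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table

def classify(url, table):
    """Describe how the hosts file affects a request that uses the system resolver."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal: no name lookup, hosts file not consulted"
    except ValueError:
        pass                                     # not an IP, so it is a name
    addr = table.get(host)                       # exact match only, no wildcards
    if addr is None:
        return "not listed: falls through to DNS"
    if addr.is_loopback or addr.is_unspecified:
        return f"sinkholed to {addr}"
    return f"pinned to {addr}"

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for u in ("http://games.example.test/", "https://www.games.example.test/",
              "http://203.0.113.10/", "http://reports.example.test/"):
        print(f"{u:36} {classify(u, hosts)}")
```

The file has no wildcard or default entry, so it can only redirect the names it lists; limiting sessions to a short list of sites needs an allowlist enforced at the proxy or firewall.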
