RE: SecureIIS

From: Kevin Neely (ktneely@juniper.net)
Date: 09/27/01


Subject: RE: SecureIIS
Date: Thu, 27 Sep 2001 11:07:41 -0700
Message-ID: <5B1CAAC2F0818444BF07B7AD8845E53C016525@ELECTRON.jnpr.net>
From: "Kevin Neely" <ktneely@juniper.net>
To: <rusecure@earthlink.net>, <mstark@dceg.com>, "Focus-Ms (E-mail)" <focus-ms@securityfocus.com>


> VNC is not secure at all, passes everything in the clear
> unless you use SSH first.

When using VNC, I always set up an SSH daemon on the server. The SSHd
from cygwin can query the SAM (or the Domain SAM, if the client is part
of a domain). Then I use these registry settings to make VNC secure:

In HKLM\Software\ORL\WINVNC32

Add these values:
Value: AuthRequired
Type: REG_DWORD
String: 0

Value: LoopbackOnly
Type: REG_DWORD
String: 1

This way, the client connects via SSH, then port forwards the VNC port
to the host and connects through the tunnel. Since the user has already
authenticated, I do not require a VNC logon, and therefore do not have
to maintain another user list.

> PcAnyWhere has more secure options, but uses its own user
> database so therefore another bunch of users to manage on
> every server.

Take a look at PCA 10. It has some nice features, including querying
the AD. PCA 8&9 have always been able to use users from the NT domain
or local SAM so you do not have to maintain other user lists (do have to
maintain an additional local group, though; unless you just want to make
everyone an admin). I haven't played with 10 much, but it doesn't
appear that NT machines can query the AD, only Win2k machines. This is
a serious drawback for me, since I only install PCA on NT4 boxes, as I
see no point in not using the RDP protocol.

> Terminal server is encrypted and uses AD so you only have to
> manage one set of users and obviously easier to manage.

Agreed. The only thing I'd like to add is this great tool to access RDP
hosts via a UNIX client: http://www.rdesktop.org
These guys have made an amazing product. In some ways, I think it's
even better than the MS client. I haven't really played with the XP
client, though.

enjoy.
K
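
The loopback-only WinVNC setup from the post above, as an added example that is not part of the original message: it writes the two registry values, reads them back, and then checks that the VNC listener is actually bound to 127.0.0.1 before anyone relies on AuthRequired=0. It assumes a modern PowerShell (Set-ItemProperty, Get-NetTCPConnection), the default VNC port 5900, and a service named WinVNC; the registry path is the one given in the post.

```powershell
# Added example, not from the original post. Applies the two WinVNC values
# described above and verifies that the VNC listener is bound to loopback
# only, so the SSH tunnel is the only way to reach it.
# Assumptions: modern PowerShell cmdlets, default display port 5900, and a
# service named 'WinVNC'; the key path is the one the post gives.
$ErrorActionPreference = 'Stop'
$key     = 'HKLM:\Software\ORL\WINVNC32'
$vncPort = 5900

# Create the key if it is missing, then set both values as REG_DWORD.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'AuthRequired' -Type DWord -Value 0
Set-ItemProperty -Path $key -Name 'LoopbackOnly' -Type DWord -Value 1

# Read the values back rather than trusting that the writes succeeded.
$cfg = Get-ItemProperty -Path $key
if ($cfg.AuthRequired -ne 0 -or $cfg.LoopbackOnly -ne 1) {
    throw "WinVNC registry values were not applied as expected"
}

# WinVNC reads its settings at start-up; restart the service if present
# (service name is an assumption, adjust for your installation).
$svc = Get-Service -Name 'WinVNC' -ErrorAction SilentlyContinue
if ($svc) { Restart-Service -Name 'WinVNC' }

# The critical check: with AuthRequired=0 there is no VNC password, so the
# listener must not be reachable on any address other than loopback.
$listeners = Get-NetTCPConnection -LocalPort $vncPort -State Listen `
             -ErrorAction SilentlyContinue
$exposed = $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($exposed) {
    throw "VNC listens on $($exposed.LocalAddress -join ', '); LoopbackOnly is not in effect"
}

# Client side (UNIX): forward the local VNC port through SSH, then point the
# viewer at localhost, exactly as the post describes.
"VNC on port $vncPort is bound to loopback only. From the client run:"
"  ssh -L ${vncPort}:127.0.0.1:${vncPort} user@server"
"  vncviewer localhost:0"
```

If the final check throws, the VNC service either did not pick up the new value or is listening on all interfaces; leave AuthRequired at 0 only once this check passes.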