RE: Remote Administration on W2K
From: Mark L. Jackson (mark_l_jackson@iname.com)
Date: 08/05/01
- Previous message: freehold@erols.com: "Re: cisco VPN client + Nortel VPN client??"
- In reply to: Doug Wombles: "Re: Remote Administration on W2K"
- Next in thread: Brock Campbell: "Re: Remote Administration on W2K"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark L. Jackson" <mark_l_jackson@iname.com>
To: "Doug Wombles" <fisdu@hotmail.com>, "Matt LYNCH" <MLynch@imb.com.au>, "'Matt Block'" <blockdev@blockdev.net>, <SECURITY-BASICS@securityfocus.com>
Subject: RE: Remote Administration on W2K
Date: Sun, 5 Aug 2001 12:34:41 -0700
Message-ID: <ANELKCODANPLKGOODADAAEBCCGAA.mark_l_jackson@iname.com>
> Why would you run VNC through Citrix? If you are already using Citrix you
> can monitor/control any connection that is logged into the server
> using the
> built in Citrix Administration tools.
Not to mention that the Citrix client connection alone is more secure than
VNC; with the Citrix VPN it is by far the more secure solution.
The only reason I could see for doing this is to connect to a non-Citrix system
from outside the firewall.
If not, then try this on for size: connect to your Citrix server (one that
should be reserved for RAS, assuming you are outside the firewall), to a
published app for your connection software. You could also create a
published app that is a desktop with only the admin tools you want
available. On that desktop you could have PCAnywhere, Remote Desktop,
VNC or whatever. If you want to be ultra secure, then force a login through
the Windows domain (a domain only for that server and published app) and authenticate
with an ACE server from RSA. You could even go so far as to restrict the
connections possible by the login used, i.e. user group as400login would
be restricted to your iSeries/400 machines, win2klogin would be restricted to
servers that are Win2K, rs6000login would be restricted to your *nix boxes.
You can restrict vendors the same way, say POSvendor is restricted to POS
servers and connections, or ROUTERvendor is restricted to connecting to
routers, etc.
Another option is to have the app published on a web page. (Please note, for
those not familiar with Citrix, you can publish the Citrix client on a web
page either embedded or stand-alone. While this is not as insecure as it
sounds, it does give me the willies.) We have a hidden web page that is used
in emergencies only. The connections to it are watched closely. I don't like
it, although I have used it in a bind (my laptop was not available, and I only had
a public terminal available).
If you are inside the firewall and the boxes you want to admin are inside
the firewall, then this is mostly wasted effort, not to mention overkill. If
you are outside the firewall, this works well. It is what we have
implemented in our system.