[plug] [OT] XP Remote

skribe skribe at amber.com.au
Tue Aug 24 11:18:45 WST 2004


On Mon, 23 Aug 2004 13:06, Craig Ringer wrote:
> skribe wrote:
> > Now we're about to get ADSL and the PHB is instituting all these changes
> > to the computing network so that the work-for-the-dolers don't steal all
> > their bandwidth by downloading movies all day.
>
> What changes do you _need_ to impose a QoS policy? Make sure your
> restricted users are in a defined IP range (ISC DHCPd is good at this
> sort of thing) then throttle their HTTP (and RTSP etc) to (say) 50kbit
> with a large burst rate to allow decent performance on web pages.

This can be done on windows?

As far as I understand it, the tech is planning to run two separate networks 
- one for upstairs, where the editing suites are, which will have no internet 
access but will have access to the file & printer server, and downstairs 
which will have full internet access - guess where the PHB works =).  I'm 
hazy on how he intends to set this up but IIRC he mentioned something about 
using the ADSL router and using one port for upstairs and one for down.  Does 
that sound right?

> > These changes will of course put a
> > serious crimp in the efforts of the people that do the real work and in
> > particular the editors.
>
> Hence the need to impose the restrictive QoS and/or firewall policies
> selectively. If everybody shares computers, this won't work of course,
> but if either the 'priority' users or the restricted users use a select
> group of workstations it should be easy.

Unfortunately everyone shares computers.

> Anyway, if you're running a windows network you can do all sorts of
> magic with using NTLM-auth proxies to impose per-userid QoS for any host
> on the domain, right? (Aside: The same could be done by using kerberos
> to authenticate with squid or another proxy. Anybody know if this is
> supported by any browsers or proxies?).
>
> You could also just use Group Policy to lock down the user accounts of
> the more restricted users. 'No MSIE, Windows Media Player, Real Player,
> QuickTime, or program installs for you!'. It's far from impossible to get
> around unless done extremely carefully (I know someone who configures
> Group Policy for a living!) but it's easy to use it to stop casual abuse.

He's planning on setting up the machines so that they are only able to run 
certain programs and will automagically wipe any files saved to the system 
drive upon shutdown.  We often get people using the system drives for their 
video work rather than the removable hdd.

> > Our new tech unfortunately has a real job and so can't spend that much
> > time at CTV and so plans to Remote Desktop all the computers, which
> > despite my best linux advocacy efforts still run XP Pro.  How safe is
> > remote operation over ADSL?
>
> Well, it should work fine so long as the load on the link is low enough
> to keep the latency reasonable. A symmetric ADSL link might be
> preferable. As for security, he'll be using a VPN, right?

I don't actually know.  I guess I was asking is using windows remote services 
inherently insecure like just about everything else that M$ puts out.  Is it 
as secure as SSH, for instance?  I know I personally don't allow SSH remote 
logins from outside my network especially to the root account, but the tech 
seems to think the windows equivalent is just hunky dory.  Hence my concern.

skribe
-- 
Public key information available at:
http://www.amber.com.au/~skribe/publickey.html
Key fingerprint = A855 9CA3 953B 5195 C518  12F2 0E05 DCCD 5A88 E8A4 

The eyes of taxes are upon you.

Xaraya Content Management Solutions http://www.xaraya.com/