[plug] [OT] XP Remote

Craig Ringer craig at postnewspapers.com.au
Tue Aug 24 15:17:48 WST 2004


Skribe:

This is probably going well off topic now, so if you reply please do so
off-list. I'm not on [plug-OT].

Thanks.

On Tue, 2004-08-24 at 11:18, skribe wrote:

> > What changes do you _need_ to impose a QoS policy? Make sure your
> > restricted users are in a defined IP range (ISC DHCPd is good at this
> > sort of thing) then throttle their HTTP (and RTSP etc) to (say) 50kbit
> > with a large burst rate to allow decent performance on web pages.
> 
> This can be done on windows?

I'm certain that rate-limiting by a proxy can be done with Windows. I
don't know whether it requires third-party add-ons or whether it can be
done with the IIS proxy server, though. Some documentation reading and
knowledge base research should tell you that. I don't know what your
network setup is, what products you use - and you do.

I'm assuming you're running a Windows Server OS here. If you're running
a network of a Windows client OS ... I run away now ;-)

> As far as I understand it, the tech is planning to run two separate networks 
> - one for upstairs, where the editing suites are, which will have no internet 
> access but will have access to the file & printer server, and downstairs 
> which will have full internet access.

Makes sense to me. I'd use a multi-homed router to isolate the networks
too, though the chances are my router would be a linux box because
that's what I know. vlans would work fine too, I guess.

I'm no longer clear on what the big deal was, anyway. I thought your
admin was talking about crippling the entire network to restrict some
users (which to me seems retarded). Now it sounds like any restrictions
are being imposed intentionally rather than through idiocy or perceived
technical limitations. I take it you're working upstairs and not happy
about the 'net access restrictions?

> I'm 
> hazy on how he intends to set this up but IIRC he mentioned something about 
> using the ADSL router and using one port for upstairs and one for down.  Does 
> that sound right?

If you have an ADSL router with 'Cisco' written on it, then quite
likely ;-)
Otherwise, NFI. Without knowing about the hardware etc I couldn't even
guess.

> Unfortunately everyone shares computers.

If you run a Windows domain, you can look at forcing everybody to
authenticate to a proxy server and having the proxy server make
per-user-ID policy decisions. IIS proxy and NTLM will do the trick here.
You could also use squid, which apparently now supports NTLM. If you're
OK with having users authenticate to the proxy manually using HTTP BASIC
auth, then it should be trivial to do with Squid. Of course, if your
admin is set on a Windows-only network that doesn't do you any good and
you'll need to look at WinGate (*shudder*) or IIS.

> He's planning on setting up the machines so that they are only able to run 
> certain programs and will automagically wipe any files saved to the system 
> drive upon shutdown.  We often get people using the system drives for their 
> video work rather than the removable hdd.

Sounds like a plan to me. I'd be more inclined to hide files on the
first pass and delete (say) a few days later if I could, though. I hate
automatically deleting anything, it's too easy for things to go wrong. I
very much prefer making it impossible to save in the first place, or
hiding it/moving it away and telling the users it'll be deleted.

> I don't actually know.  I guess I was asking is using windows remote services 
> inherently insecure like just about everything else that M$ puts out.

I don't know. The only people I know who use terminal services _all_ use
VPNs, but that may be for other reasons (there's already a corporate VPN
set up; habit; PHBs having been told that 'remote access == VPN'; etc).

> Is it as secure as SSH, for instance?

I rather doubt it. Not that SSH is perfect, but it has a pretty good
track record and I'd be very surprised if rdesktop was able to match it.
The real question is "is it secure enough?" IMHO. That, I can't answer.

> but the tech 
> seems to think the windows equivalent is just hunky dory.  Hence my concern.

He might be right. He might simply have a realistic view of the security
trade-off ("Sure, there's a remote chance of a user account compromise
but our firewall makes launching attacks from our network
unattractive and machines can be re-imaged in an hour anyway so it's not
a big deal"). He might be a crazy yahoo. You'll need to do some research
on Remote Desktop to get some solid info before forming any opinions - I
suggest starting at the MS knowledgebase. The sites 'theserverside.net'
and 'securityfocus.com' are also very useful.

--
Craig Ringer
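As an added illustration of the two Squid ideas in the message above (throttling a restricted DHCP range to about 50kbit with a large burst, and making per-user policy decisions by forcing proxy authentication), here is a minimal squid.conf sketch; it is not from the thread or from Craig, it uses HTTP Basic auth rather than NTLM, and the address range, helper path, user names and realm are all assumed.

```conf
# Added example, not from the thread. Addresses, paths and user names are assumed.

# 1. Restricted (downstairs) machines sit in a fixed DHCP range.
acl restricted_lan src 192.168.10.0/24
acl lan src 192.168.0.0/16

# 2. Require a login so policy can be applied per user, not per machine.
#    Helper path is the common Debian/Ubuntu location; adjust to suit.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Office proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
acl editors proxy_auth alice bob        # assumed user names

http_access allow authenticated lan
http_access deny all                    # nothing unauthenticated gets out

# 3. Throttle the restricted range to ~50 kbit/s per client with a big burst.
#    delay_parameters takes bytes/second and a bucket size in bytes:
#    50 kbit/s = 6250 bytes/s; a 1 MiB bucket lets a page load at full
#    speed before the limit bites. Class 2 = aggregate + per-host limit,
#    and -1/-1 leaves the aggregate unlimited.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 6250/1048576
delay_access 1 deny editors             # per-user exemption, whatever machine they use
delay_access 1 allow restricted_lan
delay_access 1 deny all
```

delay_access is evaluated after http_access, so proxy_auth ACLs are usable there for per-user exemptions; check `squid -k parse` after editing, since the helper name and path differ between Squid versions.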
