There is also a similar list to this – gptalk@freelists.org with some very very clever and helpful people on it.
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jim Kenzig http://thin.ms
Sent: 12 November 2008 15:14
To: thin@freelists.org
Subject: [THIN] Re: Terminal Session security question
Here is what you can do with a hosts file http://www.mvps.org/winhelp2002/hosts.htm
For GPO in TS check out
http://technet.microsoft.com/en-us/library/cc776790.aspx
http://www.windowsnetworking.com/articles_tutorials/Terminal-Services-Group-Policy.html
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html
http://support.microsoft.com/kb/260370
http://www.dabcc.com/blogs/jeff/post/Blast-from-the-Past-Understanding-Group-Policy-in-a-Terminal-Services-Environment
Jim Kenzig
Blog: http://www.techblink.com
On Wed, Nov 12, 2008 at 9:55 AM, Doug Rooney <Doug@sonomatilemakers.com> wrote:
Nick,
They do need to run Firefox to access the Internet, for FedEx, UPS and DHL, they also need to run many compiled Crystal Reports. They do not have e-mail, ftp and telnet are locked down at the firewall, incoming and outgoing, and the terminals have no disk drives or usable USB ports, so I think if we restrict the IPs, it will help, but I would like to do some things in the GPO, I just do not have the knowledge on how, so I don't as I do not want to totally screw up my AD. Can you recommend a resource for learning? I came from a Unix world. J
Thank You
-Doug Rooney
Sonoma Tilemakers
IT Systems Administrator
7750 Bell Rd.
Windsor Ca, 95492
(707) 837-8177 X11
(707) 837-9472 FAX
it@sonomatilemakers.com
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Nick Smith
Sent: Wednesday, November 12, 2008 2:16 AM
To: 'thin@freelists.org'
Subject: [THIN] Re: Terminal Session security question
Doug,
If you allow your users to run executables they will. Via email, web, ftp, from their fat disks, hey, telnet; someone will find a way.
Use GPO to allow only approved executables to run and you don't need to worry about the rest.
I found this quite scary until I actually tried it, and then I just breathed easier.
Nick
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jim Kenzig http://thin.ms
Sent: 11 November 2008 18:22
To: thin@freelists.org
Subject: [THIN] Re: Terminal Session security question
Nope just dhl.com will suffice. Yeah they might be able to circumvent with an IP but if the site is set up right it should convert it to a domain and lock it out.
Jim Kenzig
Blog: http://www.techblink.com
On Tue, Nov 11, 2008 at 1:13 PM, Doug Rooney <Doug@sonomatilemakers.com> wrote:
Jim,
I was thinking of doing that, but for example DHL has several valid IP addresses for www.dhl.com, do I have to figure out and enter every valid possibility, and then how do I tell it everything else goes to 127.0.0.1, also if they type in an IP, I am guessing this will not work?
Thank You
-Doug Rooney
Sonoma Tilemakers
IT Systems Administrator
7750 Bell Rd.
Windsor Ca, 95492
(707) 837-8177 X11
(707) 837-9472 FAX
it@sonomatilemakers.com
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jim Kenzig http://thin.ms
Sent: Tuesday, November 11, 2008 9:20 AM
To: thin@freelists.org
Subject: [THIN] Re: Terminal Session security question
Use the windows hosts file to control which urls they can and can't get to. Point the rogue sites to 127.0.0.1 and they will never get there
Jim Kenzig
Blog: http://www.techblink.com
On Tue, Nov 11, 2008 at 12:11 PM, Doug Rooney <Doug@sonomatilemakers.com> wrote:
************************************************
No comments:
Post a Comment