I have a web server that is not behind Wingate for IP/domain reasons. It has posed a security risk and i am in the process of locking it down. Regardless of this, people have made it into our network (Trojans/Dial bots) To be able to get back out the Firewall they utilized the guest account in Wingate.
I have all of my users assumed by IP address or machine name. I am wanting to disable the guest account, so only assumed users can gain access. However, my first test of this showed that remote VNC connections would not work. Is there a way to accomodate VNC connections with the guest account closed? Or am i going at this whole thing wrong?
Further i am looking for ways to authenticate VNC remote sessions. This is complicated by the fact that these are done from employee's homes and don't have static addressing. Do you have any ideas for authentication?
Thanks,
Matt --p.s. we use NAT and don't employ the WGIC.
VNC Security & Guest Account
Moderator: Qbik Staff
6 posts
• Page 1 of 1
VNC Security & Guest Account
by mcb » May 06 05 9:16 am
- mcb
- Posts: 41
- Joined: Aug 07 04 7:36 am
- Location: NE Tennessee
by ChrisH » May 06 05 12:27 pm
mcb wrote:Further i am looking for ways to authenticate VNC remote sessions. This is complicated by the fact that these are done from employee's homes and don't have static addressing. Do you have any ideas for authentication?
It is possible that each employee could remotely authenticate with WG via Gatekeeper. They wouldn't be assumed but authenticated of course, but policies would still apply. Each employee would have to have a copy of Gatekeeper on their machine at home and launch it and log in before starting the VNC session. This might be what you are looking for? I would suggest that these users not have administrative rights as you would have to bind the RCS service to your external adapter and this opens up the possibility of remotely controlling WG via Gatekeeper (depending on which version of WG) and you probably don't want that to happen!
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by jamesc » May 06 05 2:54 pm
Just a suggestion on your VNC question
What about giving the people at home VPN connections to the WinGate server and use VNC through that? They could have a static address set on there internal network card maybe? I do not know what license you have, but I presume you know that there is a VPN plugin for WinGate.
James
What about giving the people at home VPN connections to the WinGate server and use VNC through that? They could have a static address set on there internal network card maybe? I do not know what license you have, but I presume you know that there is a VPN plugin for WinGate.
James
- jamesc
- Qbik Staff
- Posts: 928
- Joined: Apr 04 05 2:04 pm
- Location: Auckland, New Zealand
by mcb » May 07 05 9:12 am
Thanks guys, for the help. I haven't tried the VPN solution yet. But i did create a Wingate account for the Port 808 remote option. And after disabling the guest account I could VNC in if I initiated the Wingate Remote admin first.
Cool, so that works. But that brings up the next concerns.
1. What type of security risks does having Port 808 open on Wingate pose?
2. When i disabled the Guest account it said some services would no longer be available. Like DNS, etc. What does that mean, or what would be affected? We use our ISP for primary and secondary DNS, so it is not hosted in house.
We have VPN in our pro package, but how many clients do you get by default? Not sure if i want to mess with it or not. If i employed VPN would i not need to have any forward facing ports open, like VNC 59xx for instance?
Thanks again for the 411,
Matt
Cool, so that works. But that brings up the next concerns.
1. What type of security risks does having Port 808 open on Wingate pose?
2. When i disabled the Guest account it said some services would no longer be available. Like DNS, etc. What does that mean, or what would be affected? We use our ISP for primary and secondary DNS, so it is not hosted in house.
We have VPN in our pro package, but how many clients do you get by default? Not sure if i want to mess with it or not. If i employed VPN would i not need to have any forward facing ports open, like VNC 59xx for instance?
Thanks again for the 411,
Matt
- mcb
- Posts: 41
- Joined: Aug 07 04 7:36 am
- Location: NE Tennessee
by ChrisH » May 07 05 11:14 am
Matt,
AFAIK the only issue opening port 808 externally is that you run the risk of WG being remotely administered. I believe there is an encrypted path between a remote GK and WG so that is secure. With sound policies you should be able to lock down who you want in and who you want out. It's all about minimizing risks. In the back of my mind I recall Adrien from Qbik saying something about disabling the Guest - it might cause some probs. As an alternative to disabling the Guest account you could establish policies on services that restrict usage only to those with a minimum level of authentication (assumed) or an advanced policy This criterion is NOT met if User:Authentication level equals 0. Where level 0 is an unknown user or Not username equals Guest etc. A caveat though - you must be careful when locking down services. Some policy may lock you out - especially the RCS service. Always backup up your WG config before changing policies.
You get a 30 day trial of the VPN so it may be worth a try.
AFAIK the only issue opening port 808 externally is that you run the risk of WG being remotely administered. I believe there is an encrypted path between a remote GK and WG so that is secure. With sound policies you should be able to lock down who you want in and who you want out. It's all about minimizing risks. In the back of my mind I recall Adrien from Qbik saying something about disabling the Guest - it might cause some probs. As an alternative to disabling the Guest account you could establish policies on services that restrict usage only to those with a minimum level of authentication (assumed) or an advanced policy This criterion is NOT met if User:Authentication level equals 0. Where level 0 is an unknown user or Not username equals Guest etc. A caveat though - you must be careful when locking down services. Some policy may lock you out - especially the RCS service. Always backup up your WG config before changing policies.
You get a 30 day trial of the VPN so it may be worth a try.
Chris H.
- ChrisH
- WinGate Master
- Posts: 388
- Joined: Sep 13 03 1:38 am
- Location: Canada
by stevehiner » May 13 05 7:59 am
What VNC software are you using?
If you're concerned about authentication and if you only have Widows clients you should try out UltraVNC. It supports an encryption plug-in that requires a key file to be on both sides of the connection. Even the initial contact with the VNC server is encrypted so if an attacker doesn't have the key file they'll get an invalid protocol error. Of course it also supports password protection, auto-logout and stuff like that. Oh, it's free, stable and under fairly active development.
If you're concerned about authentication and if you only have Widows clients you should try out UltraVNC. It supports an encryption plug-in that requires a key file to be on both sides of the connection. Even the initial contact with the VNC server is encrypted so if an attacker doesn't have the key file they'll get an invalid protocol error. Of course it also supports password protection, auto-logout and stuff like that. Oh, it's free, stable and under fairly active development.
Steve
- stevehiner
- Posts: 6
- Joined: May 13 05 7:52 am
6 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 6 guests