Locking down terminal services

January 31, 2010 Pat McKay

This is the list of Group Policy and registry changes I like to make for a terminal services environment:

GROUP POLICY CHANGES – to apply them immediately, run GPUPDATE from the command line, then log out and back in to test.
Computer Configuration
  Administrative Templates
    Windows Components
      Terminal Services
        Remove Windows Security Item from Start Menu – enabled
        Remove Disconnect option from Shut Down dialog – enabled
      Windows Update
        Configure automatic updates – disabled
      Windows Messenger
        Do not start Windows Messenger initially – enabled
User Configuration
  Administrative Templates
    Start Menu and Taskbar
      Add Logoff to the Start Menu – enabled
      Remove and prevent access to the Shut Down command – enabled
      Turn off personalized menus – enabled
      Turn off notification area cleanup – enabled
      Do not display any custom toolbars in the taskbar – enabled
      Remove Set Program Access and Defaults from Start Menu – enabled
    Desktop
      Active Desktop
        Enable Active Desktop – enabled
        Prohibit Changes – enabled
        Active Desktop Wallpaper – path to wallpaper file, and style (e.g. C:\DELL\wallpaper.jpg, wallpaper style: stretch)
      Remove Desktop Cleanup Wizard – enabled

REGISTRY CHANGES
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Add the following value: NoDisconnect (REG_DWORD) = 0x1 (hides the Disconnect menu item)
Categories: Windows Server

SSH tunneling with firefox

January 22, 2010 Pat McKay

from a terminal window:

ssh user@<<ssh server>>.com -D 9000

in firefox:

go to preferences:advanced:network:Connection Settings

This will pipe all of Firefox's web traffic through the encrypted ssh tunnel, and lets you reach web resources on the ssh server's local network from Firefox.

Of course you want to disable that firefox setting if you’re not connected to the tunnel.
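What `ssh -D 9000` gives you is a SOCKS proxy on 127.0.0.1:9000, which is the setting the Connection Settings dialog needs. The script below is an added example, not part of the original post: it opens the tunnel, refuses to start Firefox until the local port is actually listening, runs Firefox with a separate throw-away profile that is the only thing pointed at the proxy, and closes the tunnel when Firefox exits. That takes care of the "disable the setting when you are not connected" problem, because the normal profile never carries a proxy setting at all. It assumes `ssh`, `firefox` and either `ss` or `netstat` are on PATH; `SSH_HOST` is a placeholder, not a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Fail-closed SOCKS tunnel wrapper
# for Firefox. Assumed: ssh, firefox and ss/netstat on PATH; SSH_HOST is a
# placeholder, not a real host.

SSH_HOST="${SSH_HOST:-user@ssh-server.example.com}"   # placeholder, not a real host
SOCKS_PORT="${SOCKS_PORT:-9000}"
PROFILE_DIR="${PROFILE_DIR:-$HOME/.firefox-tunnel}"   # dedicated, proxied-only profile

# valid_port NUM -> 0 when NUM is an unprivileged TCP port (1024-65535)
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# write_proxy_profile DIR PORT -> user.js that sends everything, DNS lookups
# included (socks_remote_dns), through the SOCKS proxy on 127.0.0.1:PORT.
write_proxy_profile() {
    mkdir -p "$1"
    cat > "$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $2);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# port_listening NUM -> 0 when something on this machine listens on TCP NUM
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -Eq "[:.]$1[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -Eq "[:.]$1[[:space:]]"
    fi
}

# open_tunnel -> start ssh -D in the background and wait up to 15 s for the
# port; if ssh dies or the port never opens, kill it and fail closed
open_tunnel() {
    ssh -N -D "127.0.0.1:$SOCKS_PORT" "$SSH_HOST" &
    TUNNEL_PID=$!
    n=0
    until port_listening "$SOCKS_PORT"; do
        n=$((n + 1))
        if [ "$n" -gt 15 ] || ! kill -0 "$TUNNEL_PID" 2>/dev/null; then
            echo "tunnel on port $SOCKS_PORT did not come up" >&2
            kill "$TUNNEL_PID" 2>/dev/null
            return 1
        fi
        sleep 1
    done
}

close_tunnel() {
    [ -n "${TUNNEL_PID:-}" ] && kill "$TUNNEL_PID" 2>/dev/null
}

main() {
    valid_port "$SOCKS_PORT" || { echo "bad port: $SOCKS_PORT" >&2; return 2; }
    write_proxy_profile "$PROFILE_DIR" "$SOCKS_PORT"
    open_tunnel || return 1
    trap close_tunnel EXIT INT TERM
    # only this profile is proxied; when Firefox exits the trap closes the tunnel
    firefox -no-remote -profile "$PROFILE_DIR"
}

# Run only as "./tunnel.sh --run" so the functions can be sourced and checked.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

The `network.proxy.socks_remote_dns` preference matters: without it Firefox resolves hostnames locally and only the TCP connection goes through the tunnel, so the names you visit still leak to your local resolver.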

Categories: linux, networking

Allow ICMP traffic through pfsense firewall

January 20, 2010 Pat McKay

By default you cannot ping a pfsense firewall. You need to add a rule to allow it:
Action: Pass
Interface: WAN
Protocol: ICMP
ICMP type: Echo
Source type: Any
Destination: WAN Address

Categories: pfsense

Using pfsense with remote sip phones

January 20, 2010 Pat McKay

pfsense by default only allows one sip registration to be active at a time on a protected LAN. The siproxd extension allows multiple phones to coexist happily, but it is a little confusing to set up. Here is what works the best from my testing:
Firewall: Rules: WAN = none for SIP or RTP

Firewall: NAT: Port Forward = none

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Reboot the pfsense machine

UPDATE: siproxd is not necessary for multiple sip registrations to work! The above should be adequate.

Install the siproxd package from the System:Package Manager page on the pfsense admin page.

Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060. Expedited Forwarding on.

Reboot the pfsense machine

I am including some screenshots to help.

Click on the “e” to edit the rule.

siproxd settings:

Categories: Asterisk, networking, pfsense

How to lock down a Windows 2003 or Windows 2000 Terminal Server

January 9, 2010 Pat McKay

Here is the Microsoft KB entry for terminal session security.

Categories: Windows Server, networking

ntop and ipcop 1.4.20

November 23, 2009 Pat McKay

Download ntop addon from here:

http://mh-lantech.css-hamburg.de/ipcop/download.php?view.138

transfer to /root on ipcop machine
from an ssh session on ipcop:
cd /usr/lib
ln -s libpcap.so.0.9.7 libpcap.so.0.8.3
cd /root
tar -zxvf ntop_ipcop_1.4.8.tar.gz
cd ntop
./install
from ipcop gui, refresh view and choose NTOP from SERVICES menu
Click Start button, and refresh
There is a link now shown for Ntop Webinterface (http)


The ln -s is necessary due to a libpcap version change since ipcop v1.4.18.
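Since the symlink is created as root in /usr/lib, it is worth doing it with a couple of checks. The function below is an added example, not the post's or the addon's own code: it confirms the real library is there before linking (so it fails on an IPCop version with a different libpcap instead of creating a dangling link), refuses to replace anything under the old name that is not already a symlink, and uses a relative link target exactly as `cd /usr/lib && ln -s` in the post does. The library directory is a parameter so it can be tried on a scratch directory; the version numbers are the ones the post names.

```shell
#!/bin/sh
# Added example, not from the original post: the libpcap symlink step of the
# ntop-on-IPCop install with the checks a root shell in /usr/lib should have.
# Assumed: the version numbers named in the post; readlink(1) available.

# ensure_libpcap_link LIBDIR -> LIBDIR/libpcap.so.0.8.3 -> libpcap.so.0.9.7
#   0: link exists and points at the real library (safe to run repeatedly)
#   1: the real library is missing (wrong IPCop version or wrong directory)
#   2: something that is not a symlink already uses the old name; left untouched
ensure_libpcap_link() {
    libdir=$1
    real="$libdir/libpcap.so.0.9.7"
    link="$libdir/libpcap.so.0.8.3"
    if [ ! -f "$real" ]; then
        echo "$real not found; nothing linked" >&2
        return 1
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link is a regular file, refusing to replace it" >&2
        return 2
    fi
    # relative target, so the link still resolves if the filesystem is mounted elsewhere
    ln -sf libpcap.so.0.9.7 "$link"
    [ "$(readlink "$link")" = "libpcap.so.0.9.7" ]
}

# Run only as "./link-libpcap.sh --run" so the function can be sourced and checked.
if [ "${1:-}" = "--run" ]; then
    ensure_libpcap_link /usr/lib
fi
```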

Categories: ipcop, linux, networking

Ubuntu Server 8.04.3 – freenx setup

November 17, 2009 Pat McKay

Sorry for the brevity – it was quickly written to fill a need. I will try and flesh it out later. This is a minimal ubuntu server setup with just enough gui to function with nx client. We use these for remote access terminals on low powered equipment.

Install ubuntu server 8.04.3 from CD

only select openssh-server, use all other defaults

login and note ip address

ifconfig

change ssh port to non-standard port e.g. 8888

sudo nano /etc/ssh/sshd_config

change port 22 to port 8888, save and exit.

sudo reboot

From remote machine login with ssh

ssh <user>@<ip addr> -p 8888

sudo su

apt-get update

apt-get upgrade -y

let it work for a while

reboot

log back in after a few minutes

sudo nano /etc/apt/sources.list

add this at the bottom:

deb http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main

deb-src http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main

save and update key, then reload repositories:

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 2a8e3034d018a4ce

sudo apt-get update

Now actually install freenx:

sudo aptitude install freenx

wait 5-10 minutes for it to finish

sudo /usr/lib/nx/nxsetup --install

You should be ready to connect with NX Client from nomachine

optionally Install a few items you may need later:

sudo apt-get install gnome-terminal firefox tsclient libstdc++5
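The step in this procedure that can lock you out is editing sshd_config and rebooting over ssh. The script below is an added example, not from the original post: it makes the port change the post describes, keeps a backup, replaces the first `Port` line (the commented-out `#Port 22` included) and drops any later duplicate so no stale directive can override the new value, and runs sshd's own syntax check before you reboot. The config path is a parameter so the functions can be tried on a scratch copy; it assumes a POSIX awk.

```shell
#!/bin/sh
# Added example, not from the original post: "change port 22 to port 8888"
# as a checked script. Assumed: POSIX awk, cp -p; sshd only needed for -t.

# valid_port NUM -> 0 when NUM is a usable TCP port (1-65535)
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# sshd_port_of FILE -> port sshd would use: first uncommented Port line, else 22
sshd_port_of() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# set_sshd_port FILE PORT -> rewrite FILE so its effective port is PORT.
# Keeps FILE.bak; the first Port line (commented or not) becomes "Port PORT",
# later Port lines are removed, and one is appended if none existed.
set_sshd_port() {
    cfg=$1; port=$2
    valid_port "$port" || { echo "refusing invalid port '$port'" >&2; return 2; }
    cp -p "$cfg" "$cfg.bak"
    tmp="$cfg.tmp.$$"
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ { if (!done) { print "Port " p; done = 1 }; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# check_sshd_config FILE -> sshd's own syntax check, so a typo is caught
# before "sudo reboot" leaves you without a way back in
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not on PATH, syntax check skipped" >&2
    fi
}

# Run only as "sudo ./sshd-port.sh --run [PORT]" so the functions can be sourced and checked.
if [ "${1:-}" = "--run" ]; then
    cfg=/etc/ssh/sshd_config
    set_sshd_port "$cfg" "${2:-8888}" && check_sshd_config "$cfg" \
        && echo "sshd configured for port $(sshd_port_of "$cfg"); restart ssh or reboot"
fi
```

Two things the script does not cover, because the post does not either: a `ListenAddress` line that carries its own port overrides `Port`, and any host firewall in front of the box has to allow the new port before the reboot.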

Categories: Software, linux, networking, ubuntu

Active Directory integration in Linux and OSX

August 26, 2009 Pat McKay

Likewise has a really impressive free product that lets Linux and OSX users integrate into an Active Directory environment very easily. In fact with linux I think it’s easier than with Windows!

In ubuntu you can install the likewise-open-gui package. For OSX you can download the installer package from the likewise.com website and follow the 10 minute setup guide.

Categories: DIY, OSX, Software, linux, networking, ubuntu

IPCOP traffic shaping for simple, effective qos

August 4, 2009 Pat McKay

Using the default traffic shaper works really well for simple qos needs. Set your defined rtp ports (e.g. udp 3000 and 3001) and udp 5060 and udp 4569 as high priority. Add any offending traffic (e.g. gotomeeting at udp 8200) as low or medium. Takes about 5 minutes and works like a charm!

Categories: Asterisk, VoIP, ipcop, networking

VMWare ESXi working on a Dell Optiplex GX280

April 13, 2009 Pat McKay

It is pretty easy to get VMware ESXi Installable working on a GX280. Boot from a CD burned from the ISO, and hit Tab at the first prompt.

Add nocheckCPUIDlimit as a boot option. Here is the whole string:

mboot.c32 vmkernel.gz nocheckCPUIDlimit --- binmod.tgz --- ienviron.tgz --- cim.tgz --- oem.tgz --- license.tgz --- install.tgz

Proceed with the install.

When the system reboots, you will get an error message about the CPUID. The boot option needs to be changed again on the installed system.

Boot from a linux livecd (I used Ubuntu 8.04 desktop), and navigate to the "HYPERVISOR1" partition. Edit boot.txt

Add the boot option there as well:

kernelopt=nocheckCPUIDlimit

Reboot and it should start right up.

Then connect to the server with VMware Infrastructure Client.

Click on the server name, then the Configuration tab, and advanced settings.

Click on VMkernel and uncheck the VMkernel.Boot.checkCPUIDlimit checkbox, and hit OK.

Now you can reboot it in the future without problems.

Categories: VMWare, linux, ubuntu