Archive for January, 2010

Locking down terminal services

January 31, 2010

This is the list of Group Policy and registry changes I like to make for a terminal services environment:

GROUP POLICY CHANGES – to apply them without waiting for the refresh interval, run GPUPDATE from a command prompt, then log off and back on to test.
Computer Configuration
  Administrative Templates
    Windows Components
      Terminal Services
        Remove Windows Security Item from Start Menu – enabled
        Remove Disconnect option from Shut Down dialog – enabled
      Windows Update
        Configure automatic updates – disabled
      Windows Messenger
        Do not start Windows Messenger initially – enabled
User Configuration
  Administrative Templates
    Start Menu and Taskbar
      Add Logoff to the Start Menu – enabled
      Remove and prevent access to the Shut Down command – enabled
      Turn off personalized menus – enabled
      Turn off notification area cleanup – enabled
      Do not display any custom toolbars in the taskbar – enabled
      Remove Set Program Access and Defaults from Start Menu – enabled
    Desktop
      Active Desktop
        Enable Active Desktop – enabled
        Prohibit Changes – enabled
        Active Desktop Wallpaper – path to wallpaper file, and style (e.g. C:\DELL\wallpaper.jpg, wallpaper style: stretch)
      Remove Desktop Cleanup Wizard – enabled

REGISTRY CHANGES
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Add the following value: NoDisconnect (REG_DWORD) 0x1 = Hide Disconnect menu item

Categories: Windows Server

SSH tunneling with firefox

January 22, 2010

From a terminal window:

ssh user@<<ssh server>>.com -D 9000

In Firefox:

Go to Preferences: Advanced: Network: Connection Settings

This will route all of Firefox's web traffic through the secure ssh tunnel, so Firefox can reach web resources on the ssh server's local network.

Of course you want to disable that firefox setting if you’re not connected to the tunnel.
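The same procedure in script form, as an added example that is not from the original post: it starts the tunnel bound to the loopback address only, prints the about:config preferences that correspond to the manual SOCKS settings in Connection Settings (SOCKS host 127.0.0.1, port 9000, SOCKS v5), and checks a profile's user.js for the one preference that decides whether hostname lookups also go through the tunnel (network.proxy.socks_remote_dns). Without that preference Firefox resolves names with the local resolver even though the HTTP traffic itself is proxied, which is the usual way a tunnel like this leaks where you are browsing. The user@host target and the profile path are placeholders supplied by the caller.

```shell
#!/bin/bash
# Added example (not from the original post). Assumes the tunnel from the
# post: ssh -D on local port 9000, reached only from this machine.

TUNNEL_HOST=127.0.0.1
TUNNEL_PORT=9000

# Start the SOCKS tunnel as a background process with no remote shell.
#   -N  no remote command, forwarding only
#   -f  go to background once authenticated
#   ExitOnForwardFailure=yes  fail loudly if port 9000 is already taken
start_tunnel() {
  local target="$1"   # placeholder, e.g. user@example.com
  ssh -N -f -o ExitOnForwardFailure=yes -D "${TUNNEL_HOST}:${TUNNEL_PORT}" "$target"
}

# Print the user.js lines equivalent to the Connection Settings dialog:
# Manual proxy configuration, SOCKS Host 127.0.0.1, Port 9000, SOCKS v5,
# and "Proxy DNS when using SOCKS v5" so lookups go through the tunnel too.
render_socks_prefs() {
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "${TUNNEL_HOST}");
user_pref("network.proxy.socks_port", ${TUNNEL_PORT});
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Read one preference value out of a prefs file (user.js or prefs.js).
# Prints the raw value as written (1, true, "127.0.0.1"); empty if absent.
# The last occurrence wins, matching how Firefox applies repeated lines.
get_pref() {
  local file="$1" name="$2"
  sed -n "s/^user_pref(\"${name}\", *\(.*\));\$/\1/p" "$file" | tail -n 1
}

# Exit status describes the profile:
#   0  manual proxy on and DNS resolved through the SOCKS proxy
#   1  manual proxy on but DNS still resolved locally (leaks hostnames)
#   2  no manual proxy configured (traffic goes direct)
check_prefs() {
  local file="$1"
  local ptype remote_dns
  ptype=$(get_pref "$file" network.proxy.type)
  remote_dns=$(get_pref "$file" network.proxy.socks_remote_dns)
  if [ "$ptype" != "1" ]; then return 2; fi
  if [ "$remote_dns" != "true" ]; then return 1; fi
  return 0
}
```

To use it: `start_tunnel user@host`, then `render_socks_prefs >> ~/.mozilla/firefox/<profile>/user.js` (path is a placeholder) while Firefox is closed, and `check_prefs` on that file before relying on the tunnel. Binding the listener to 127.0.0.1 rather than `-D 9000` alone is deliberate: an unbound `-D` on some ssh builds listens on all interfaces, which would let other hosts on your side of the network browse through your tunnel.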

There is a firefox addon called Quickproxy that allows you to activate/deactivate the proxy settings with a button push:

https://addons.mozilla.org/en-US/firefox/addon/1557/

And sshmenu has a great interface for quickly connecting to remote sites.

http://sshmenu.sourceforge.net/

[Screenshot: SSHMenu]

sudo apt-get install sshmenu sshmenu-gnome

Categories: linux, networking

Allow ICMP traffic through pfsense firewall

January 20, 2010

By default a pfsense firewall does not answer pings on its WAN interface. You need to add a firewall rule to allow it:
Action: Pass
Interface: WAN
Protocol: ICMP
ICMP type: Echo
Source type: Any
Destination: WAN Address

Categories: pfsense

Using pfsense with remote sip phones

January 20, 2010

pfsense by default only allows one sip registration to be active at a time on a protected LAN. The siproxd extension allows multiple phones to coexist happily, but it is a little confusing to set up. Here is what works the best from my testing:
Firewall: Rules: WAN = none for SIP or RTP

Firewall: NAT: Port Forward = none

Firewall: NAT: Outbound = Manual Outbound NAT, using default rule with NO Static Port mapping

Reboot the pfsense machine

UPDATE: siproxd is not necessary for multiple sip registrations to work! The above should be adequate.

Install the siproxd package from the System:Package Manager page in the pfsense admin interface.

Services: siproxd: Settings = Inbound to LAN, Outbound to WAN, Port to 5060. Expedited Forwarding on.

Reboot the pfsense machine

I am including some screenshots to help.

Click on the “e” to edit the rule.

siproxd settings:

Categories: Asterisk, networking, pfsense

How to lock down a Windows 2003 or Windows 2000 Terminal Server

January 9, 2010

Here is the Microsoft KB entry for terminal session security.

Categories: networking, Windows Server