From: Bill Stout [Bill.Stout@ARISTASOFT.COM]
Sent: Tuesday, July 20, 1999 9:01 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: WTS security tightening paper?

O.K., in one day I now have like, 30 responses to locking down WTS/Citrix security. Obviously there's a lot of interest in this topic (opportunists take note). Unfortunately I can't give the subject the attention it's due, due to operating in a startup environment and reprioritization of the sleep factor.

A few resources have been highlighted:

A new article in MCP magazine:
http://www.mcpmag.com/members/99aug/col3main.asp

Implementing Policies in Terminal Server:
http://www.microsoft.com/ntserver/terminalserver/deployment/MAP/implpol.asp

Security tools in the Zero Administration Toolkit for WTS:
http://www.microsoft.com/ntserver/terminalserver/downloads/admintools/TermServZAK.asp

A book:
Windows NT Thin Client Solutions - Implementing Terminal Server & Citrix Metaframe
Publisher: Macmillan Technical Publishing
Authors: Todd W. Mathers & Shawn P. Genoway
ISBN: 1578700655

The ACLSET Utility.

A February '99 SANS writeup on NT security by multiple authors:
http://www.sans.org/newlook/publications/ntstep.htm

Steve Sutton's paper (doesn't help much):
http://www.trustedsystems.com/MSWhitePaper.htm

Also see:
http://www.microsoft.com/security/resources/whitepapers.asp?ID=42&Parent=6

Bill Stout

-----Original Message-----
From: Bill Stout [mailto:Bill.Stout@ARISTASOFT.COM]
Sent: Monday, July 19, 1999 9:56 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: WTS security tightening paper?

Hi.

I have the unenviable task of tightening WTS/Citrix systems. A multi-user environment is where NT now needs to approach real UNIX-like security, and I have to get over the expression that "once a user has physical (like) access, game over".

It's not fun watching extranet (outside user) users do File-Open on a published application and browse the directory structure, view file security properties (browse users/groups), etc.
Of course marketing demands client-WTS disk mapping capability, and I'm attempting to compromise on HTTP upload. Since another expression is, "a good admin is a lazy admin", I'll do my best to emulate that.

Is there a documented procedure to tighten specifically WTS?

Bill Stout