Restricting access

Andrew van der Stock ajv "at" greebo.net
Wed, 20 Mar 2002 10:26:38 +0000


Nick,

I think as it stands today (and unless a patch is forthcoming pretty
quickly), VNC fails your business requirements for the time being.

Use ConnectPriority=2 on the *server*. However, there's an outstanding
bug that allows VNC clients to come in as "shared", and view this
connection but not take over it, when ConnectPriority is 2.

ConnectPriority instructions:

In TightVNC, there is a radio button group in the Advanced dialog. Set
"Refuse concurrent connections". 

In normal AT&T WinVNC (I think, I could be wrong), this has to be done
using a registry editor.

HKLM\ORL\WinVNC3\ConnectPriority    REG_DWORD    2

The default value for this is 0 - disconnect existing sessions. 

If this doesn't secure your site adequately, I would suggest rdesktop on
the Unix boxes to connect to the Terminal Services Administration mode
(installed by default in win2k and .NET server). This allows two
concurrent users, as well as a third on the console. If you need more, then
add the TS licensing component and buy some TS licenses from your MS
vendor. I suggest using about 512 MB of RAM to a box that has 20
simultaneous users and 1 GB to a box that has about 50 users. It's a
good idea for this box to be a dual proc if you're going for 50 users.
With any dual PIII or Xeons this will be fine for normal office work -
2K is *very* good at sharing program images like IE and Office. Even
with 50 users, you'll still get sub-second launch times for Word,
Outlook, etc*.

http://www.rdesktop.org/ 

I know it's not VNC, but it does satisfy your business requirements to
not show a particular session. However, users must be trained to log
out, not "disconnect" their session when using rdesktop. Disconnect
allows the session to be resumed by another user successfully
authenticating to the same user. If the HR person logs on as "alice" and
Joe Bob logs on as "joe bob", then there's no problem - Joe Bob cannot
take over the disconnected "alice" session. 

Andrew

* I did the security audits and some of the security architecture on
this:

http://optusbusiness.com.au/00/01/00/000100fb.asp?spid=423

The global predecessor before C&W offloaded C&W Optus to Singtel. 
http://www.cwas.net/ (site down when I went there :-( )

Some very large sites use CWaS. 
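An added example, not part of Andrew's post or of WinVNC itself: a PowerShell audit that reads the ConnectPriority value the message describes and reports whether the server refuses concurrent connections. It checks the path as written in the message (HKLM\ORL\WinVNC3) and the HKLM\SOFTWARE\ORL\WinVNC3 location WinVNC 3.3 normally uses; the meanings of 0 and 2 are the ones the message gives, and an absent value is treated as the stated default of 0.

```powershell
# Added example (not from the list post): audit WinVNC's ConnectPriority.
# 0 = disconnect existing sessions (default per the message), 2 = refuse
# concurrent connections. Any other value is reported but not interpreted.
$Meaning = @{
    0 = 'disconnect existing sessions when a new client connects (default)'
    2 = 'refuse new connections while a session is active'
}

# Candidate key paths: WinVNC 3.3's usual location, then the path as
# written in the message.
$Candidates = @(
    'HKLM:\SOFTWARE\ORL\WinVNC3',
    'HKLM:\ORL\WinVNC3'
)

function Get-WinVncConnectPriority {
    foreach ($path in $Candidates) {
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name ConnectPriority -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                return [pscustomobject]@{ Path = $path; Value = [int]$item.ConnectPriority }
            }
            # Key exists but the value is unset: WinVNC applies the default.
            return [pscustomobject]@{ Path = $path; Value = $null }
        }
    }
    return $null
}

$result = Get-WinVncConnectPriority
if ($null -eq $result) {
    Write-Output 'WinVNC3 registry key not found; WinVNC does not appear to be installed here.'
    return
}

$value = if ($null -eq $result.Value) { 0 } else { $result.Value }
$desc  = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { 'value not described in the message' }
Write-Output ("{0}\ConnectPriority = {1} ({2})" -f $result.Path, $value, $desc)

if ($value -ne 2) {
    # Remediation, to be run as an administrator on the server:
    #   Set-ItemProperty -Path $result.Path -Name ConnectPriority -Type DWord -Value 2
    Write-Warning 'ConnectPriority is not 2: a second client can displace or share the active session.'
} else {
    Write-Output 'ConnectPriority is 2. Per the message, "shared" clients may still be able to view the session until the bug is fixed.'
}
```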

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com] On Behalf Of Nick Stock
Sent: Wednesday, 20 March 2002 8:41 PM
To: vnc-list "at" uk.research.att.com
Subject: Restricting access

Hi All,

[snip] I cannot find any way to easily
restrict the windows box to one connection at a time.

The "-noshared" option with "ConnectPriority=2" is
only useful if everyone uses it and there is no
practical way to police a client side requirement.