Notice! This document is currently in Archived status.
The content of this document may be incorrect or outdated.

X Windows Security with PC-Xware

by Curtis Smith

Introduction

This document describes the interaction of Windows operating systems with the NCD PC-Xware software product in terms of network security.

Overview

Purdue University holds a site license to the NCD PC-Xware software product for use on all computers at the University, plus use on student home computers. The NCD PC-Xware product runs on Windows 2000 or Windows XP operating systems. To obtain the software for home use, go to the X-Server software for Intel PCs running Microsoft Windows and follow the download instructions.

Once installed, it is important to make additional changes to the NCD PC-Xware software package to enable network security. Without these changes, anyone on the Internet who is able to contact your computer could read any keystrokes, show any image on the screen, or disable and lock the Windows system from use. That's all pretty amazing stuff, and believe it or not, people are leaving themselves open to this all the time. Usually the thought is that this will never happen to me.

Furthermore, most don't implement security on their X windows system because it is inconvenient. But with a little bit of adjustment and practice, security can be maintained and little will be lost in productivity.

Be sure to read all the instructions on this document before proceeding.

Implementation

Operating an X windows application is accomplished by the following:

1. Start the X windows server program running on the PC computer, if it isn't already running.
2. Create a connection to a UNIX host, either as a single command processor or by starting a console window.
3. In the single command processor or the console window, invoke an X windows application with the application's display option set (usually -display) to the PC computer for input and output.

In a more secure environment, the process is nearly the same:

1. Start the X windows server program running on the PC computer, with host access limited to the local machine only.
2. Create a console window connection to a UNIX host with a secure telnet program with X11 forwarding enabled.
3. In the console window, ask for an X windows application to start. The secure telnet program will already have the reference back to the PC.

All pretty simple stuff. The following sections give step-by-step instructions for setting up a secure environment and for navigating through the process of starting an X windows application.

Installation

NCD PC-Xware

Obtain the NCD PC-Xware software from the X-Server software for Intel PCs running Microsoft Windows and install it on your Windows computer. The download of NCD PC-Xware requires no user information, but the installation process requires a software license key. Submit your Purdue email address to the PULS NCD PC-Xware download page, and the software license key will be mailed to the email address immediately. I won't discuss the installation process, as it is straightforward.

Teraterm with SSH

Obtain the Teraterm software from the ECN PC software directory and install it on your Windows computer. This version operates with all Windows 2000 and Windows XP systems. Note that this is an ECN version, and will contain only the major servers for the Schools of Engineering. Since it includes any host as one of the connection options, it will effectively work with any system on campus. You could adjust the host list yourself after installation if you're not in one of the Schools of Engineering. Again, the installation is pretty straightforward. Reboot your computer after the installation so Windows will reread the autoexec.bat file into memory.

Adjustments

NCD PC-Xware

NCD PC-Xware will need to have two adjustments made: one to secure the product, and a second to make starting the server convenient.

Securing NCD PC-Xware

NCD PC-Xware will need to be told to disallow all connections except those coming from the local system. There are two ways to implement this change: through a graphical interface, or with an editor.

Using A Graphical Interface

To change the configuration file using a graphical interface, click on Start->Run and enter the command (including the quotes) "C:\Program Files\ncdsoft\pcxware\xncd" console followed by the enter key. A PC-Xservices Console window will appear on the screen.

Click on Setup->Change Setup Parameters.... A second graphical window will appear on the screen. Click on the button Access Control and the window will expand to show access control settings. Click on the button for Default for Enable X Access Control. Then, inside the box labeled Default X Access Control List, click on the New button. Go over to the Host text input area, replace nil with the name localhost, and press enter. The name localhost and tcpip should appear in the listing. Finish by clicking Apply at the bottom of the window, then close the application with File->Close.

Close the console window by clicking on Console->Close.

Using an Editor

To change the configuration file using an editor, start an editor window, such as Start->Programs->Accessories->Wordpad. Inside Wordpad, edit the configuration file named C:\Program Files\ncdsoft\pcxware\configs\changes.usr. At the bottom of the file, add the following lines:

xserver-access-control-enabled-default = true
xserver-access-control-list = {
{ "localhost" tcpip }
}

Then save the file by clicking on File->Save and close Wordpad by clicking on File->Exit.

Starting the Server

In order to use the X server, you will need a convenient way to start it. This could be done by creating an icon on the desktop, or by putting it in the startup folder so it starts every time Windows is started. To find the icon to copy, click on Start->Run and enter the command (including the quotes) "C:\Program Files\ncdsoft\pcxware" followed by the enter key. The PC-Xware folder will display. Find the icon labeled pcxsvc32. Right-click on this icon, drag it to the desktop, and select Create Shortcut(s) Here. Use this icon to start the X server if the X server icon isn't displaying in the system tray.

Teraterm with SSH

Teraterm does not forward X11 requests by default. An adjustment is needed to enable this service.

Start Teraterm by clicking on Start->Program Files->Telnet via TeraTerm->any host. When the connection host is requested, click on Cancel. Now click on Setup->SSH Forwarding.... Click the checkbox Display Remote X applications on local X server and click OK. Save the settings by clicking on Setup->Save setup. Click on Save to accept the standard file location. Close Teraterm by clicking on File->Exit.

Operation and Testing

It's time to give this all a try and to test to make sure security is set up correctly.

Start a connection to your UNIX server using Teraterm. Click on Start->Programs->Telnet via Teraterm->any host (or use one of the predefined icons to Engineering computers). Enter your user name and passphrase to complete the connection. Once logged on, verify that a DISPLAY variable has been set up on behalf of Teraterm by typing the command echo $DISPLAY followed by the enter key. A typical X windows display setting should display. If a blank line is shown, go back to the instructions for Teraterm and make sure that X forwarding is enabled.

Next, make sure the NCD PC-Xware icon is showing in the system tray. If it isn't, start it now, by double-clicking on the NCD icon on the desktop (if that's where you put it).

Start an X windows program. Do something simple like typing xclock followed by the enter key. A clock should appear on your screen. Close the clock by clicking the close button. If the xclock program shows unknown command instead of starting, that means that the X windows software isn't in your PATH variable. Try something like /usr/openwin/bin/xclock or /usr/X11R6/bin/xclock.

That was the secured method of getting the clock to display on your screen. It works by having the ssh connection capture the X windows traffic sent to the DISPLAY port on the UNIX host and pass it back through the ssh connection to Teraterm on the PC. Teraterm then passes this traffic through the localhost interface to the PC's NCD PC-Xware program. Since NCD PC-Xware only permits connections through localhost, the communications are secure.

Now, test that the PC is not open to remote connections from other users. One way to do this is to refer to the PC's X windows display by its direct name. You'll need to know the Internet name of your PC, or its IP number. One way, if the Internet name is short enough, is to type the command who am i on the UNIX console window and see what the last field returns.

Now take the host name and use it in typing the command xclock -display name:0, where name is your PC computer's Internet name or IP address. Press enter to execute the command. This command should fail. You should see a response something like:

Xlib: connection to "xxx:0.0" refused by server.
Xlib: Client is not authorized to connect to Server
Error: Can't open display: xxx:0

If you get another clock to appear, the NCD PC-Xware settings don't restrict connections to localhost only. Go back to the instructions for NCD PC-Xware and make sure that localhost access is enabled.
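The same remote-access test can be scripted. The following is an added example, not part of the original document or of NCD PC-Xware: run on the UNIX host against your own PC, it sends an X11 connection setup with no authorization data and reports whether the server refuses it. The function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

def build_setup_request():
    """X11 connection setup: little-endian, protocol 11.0, no authorization data."""
    return struct.pack("<BxHHHHxx", 0x6C, 11, 0, 0, 0)

def parse_setup_reply(data):
    """Classify the server's first reply as (verdict, detail)."""
    if len(data) < 8:
        return ("refused", "connection closed before a setup reply")
    status, reason_len, major, minor, _words = struct.unpack("<BBHHH", data[:8])
    if status == 1:   # Success: the server accepted an unauthenticated remote client
        return ("OPEN", "server accepted the client (protocol %d.%d)" % (major, minor))
    if status == 0:   # Failed: the reason text follows the 8-byte header
        return ("refused", data[8:8 + reason_len].decode("latin-1").strip())
    return ("auth-required", "server asked for further authentication")

def check_display(host, display=0, timeout=5.0):
    """Display N listens on TCP port 6000+N; 'refused' is the secure result."""
    try:
        with socket.create_connection((host, 6000 + display), timeout=timeout) as s:
            s.sendall(build_setup_request())
            buf = b""
            while len(buf) < 8:          # wait for the fixed-size reply header
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return parse_setup_reply(buf)
    except OSError as exc:
        return ("refused", "no TCP connection: %s" % exc)

# Constructed sample replies (not captured from a real server).
_REASON = b"Client is not authorized to connect to Server"
SAMPLE_FAILED = struct.pack("<BBHHH", 0, len(_REASON), 11, 0, 12) + _REASON + b"\x00" * 3
SAMPLE_SUCCESS = struct.pack("<BxHHH", 1, 11, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # usage: python3 script.py <your PC's name>
        print(check_display(sys.argv[1]))
    else:
        print(parse_setup_reply(SAMPLE_FAILED))
        print(parse_setup_reply(SAMPLE_SUCCESS))
```

A verdict of OPEN corresponds to a second clock appearing in the manual test: the access control list is not limiting connections to localhost.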

Future Enhancements

Future enhancements to this document ought to include how to get an XDM session to work (October 5, 2000).

Last modified: 2006/08/14 16:34:6.430000 GMT-4 by Unknown
Created: 2006/08/14 16:34:6.430000 GMT-4 by brian.r.brinegar.1.
