Showing posts with label security. Show all posts

Friday, November 13, 2009

Secure Desktop, Going beyond the default security ...

On November 10, 2009 Sun Microsystems Netherlands organized a Sun Desktop Update Seminar for customers and Sun partners. The seminar covered the new enhancements and possibilities of the Sun Desktop products, focusing on the new versions of Sun Virtual Desktop Infrastructure, Sun Ray Server Software and Sun Secure Global Desktop.

I was one of the speakers of this seminar and gave a presentation on the (new) security aspects and deployment options of Sun Secure Global Desktop.

Download the slides of my presentation:
Secure Desktop, Going beyond the default security ... .

Find here download links to the other presentations.

Sunday, August 2, 2009

SSGD modifying Apache and Tomcat for production

Installing and configuring Sun Secure Global Desktop for testing is easy. Most administrators use the same steps to install SSGD on an Acceptance and/or Production environment, but the requirements for an Acceptance/Production environment should be a bit different. When a service is exposed to the Internet, it is open to anyone, including people with less positive intentions.

SSGD is secure by design and the security certifications are enough for Intelligence Agencies to use SSGD as their product for remote access to applications.

There are however minor modifications possible for the SSGD web server to enhance the security even more. For instance the default installation of SSGD provides the version and the installed modules of the Apache web server.

It is advisable to check / modify the configuration as described below.

Remove version information from server response header field:
Add the following line to the server config part of httpd.conf. If you don't know where, place it below the 'ServerRoot' directive.

ServerTokens Prod
(file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf)


Remove directory listings of directories without default web-page (apache):
Edit httpd.conf and, on every line starting with 'Options', add a minus sign in front of 'Indexes'. For example:

change in file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf
Options Indexes FollowSymLinks
to
Options -Indexes FollowSymLinks

Remove directory listings of directories without default web-page (tomcat):
Open the file web.xml and look for 'listings'. Set the param-value to false. This setting is already correct in some versions of SSGD.

change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml
<init-param>
  <param-name>listings</param-name>
  <param-value>true</param-value>
</init-param>

to
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

Remove stack-traces for erroneous jsp-files:
This option is very useful on production servers, for instance when the Look&Feel of the webtop pages has been altered. The simplest way is to show a default error page for erroneous pages. When the error page does not exist, Tomcat will return an empty page (hence no Java stack traces).
change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml
</web-app>
to
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/internalError.html</location>
</error-page>
</web-app>
For more SSGD security information (including these options), take a look at the 'Secure Deployment Checklist' at wikis.sun.com. Another good article is 'HOWTO Secure Access to the Administration Console'.
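
The four settings above can be verified after every install or upgrade. The following Python script is an added example, not part of the original post or of SSGD; the function names and the sample configuration text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_httpd(conf_text):
    """Check httpd.conf text for the ServerTokens and Options settings above."""
    findings, tokens = [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        # Apache directive names and these arguments are case-insensitive.
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "servertokens" and args:
            tokens = args[0]  # the last occurrence wins
        elif name == "options" and ("indexes" in args or "+indexes" in args):
            findings.append("directory listing enabled: " + raw.strip())
    if tokens not in ("prod", "productonly"):
        findings.append("ServerTokens is not Prod (version details in Server header)")
    return findings

def _local(el):
    # Strip the XML namespace, which differs between Tomcat versions.
    return el.tag.split("}")[-1]

def audit_web_xml(xml_text):
    """Check web.xml text for the 'listings' parameter and the error-page entry."""
    findings, handled = [], set()
    for el in ET.fromstring(xml_text).iter():
        kids = {_local(c): (c.text or "").strip() for c in el}
        if _local(el) == "init-param" and kids.get("param-name") == "listings":
            if kids.get("param-value", "").lower() != "false":
                findings.append("Tomcat directory listings enabled")
        elif _local(el) == "error-page" and "exception-type" in kids:
            handled.add(kids["exception-type"])
    if "java.lang.Exception" not in handled:
        findings.append("no error-page for java.lang.Exception (stack traces shown)")
    return findings

# Constructed sample inputs, not copied from an SSGD installation.
DEFAULT_HTTPD = """ServerRoot "/opt/example/apache"
<Directory "/opt/example/htdocs">
    Options Indexes FollowSymLinks
</Directory>
"""
HARDENED_HTTPD = DEFAULT_HTTPD.replace("Options Indexes", "Options -Indexes") + "ServerTokens Prod\n"
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = DEFAULT_WEB_XML.replace(">true<", ">false<").replace(
    "</web-app>", "<error-page><exception-type>java.lang.Exception</exception-type>"
    "<location>/internalError.html</location></error-page></web-app>")
```

To audit a real installation, read the httpd.conf and web.xml files named above and pass their contents to the two functions; an empty list means all four settings are in place.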

Just keep in mind that connecting any server to the Internet requires good security settings, regardless of how secure the product is by default.

Wednesday, July 23, 2008

SSGD version 4.41 to be released soon

A small update to the Sun Secure Global Desktop is about to be released. This update contains 5 new features (besides 123 bug fixes and 1 documentation fix).


  • New Command for Securing an SGD Server

    A very easy command to enable security without changing files or creating certificates manually. More on this subject in a later post.

  • Pull-Down Header for Kiosk Mode Applications

    Sometimes you need to temporarily switch between your local and remote session. This option can be changed per application on the command line.

  • Service Tag Support

    More information on Sun Connection: Register

  • Active Directory Authentication Log Filter

    Once again a better way to perform debugging :)

  • Active Directory SSL Security Without Client Certificates

    This will make it easier to connect to Active Directory in a secure way. The secure connection is needed to let users change their Active Directory password via SGD.



The documentation of this new release can be found on the document website of Sun: Sun Secure Global Desktop Software 4.41 Collection. (With a PDF-version of the Administration Guide :) )

The SSGD 4.41 version is currently not yet available for download, but will be soon.