Friday, November 13, 2009

Secure Desktop, Going beyond the default security ...

On November 10, 2009 Sun Microsystems Netherlands organized a Sun Desktop Update Seminar for customers and Sun partners. The seminar covered the new enhancements and possibilities of the Sun Desktop products, with a focus on the new versions of Sun Virtual Desktop Infrastructure, Sun Ray Server Software and Sun Secure Global Desktop.

I was one of the speakers of this seminar and gave a presentation on the (new) security aspects and deployment options of Sun Secure Global Desktop.

Download the slides of my presentation:
Secure Desktop, Going beyond the default security ... .

Find here download links to the other presentations.

Sunday, August 2, 2009

SSGD modifying Apache and Tomcat for production

Installing and configuring Sun Secure Global Desktop for testing is easy. Most administrators use the same steps to install SSGD in an Acceptance and/or Production environment, but the requirements for an Acceptance/Production environment should be a bit different. A service exposed to the Internet is open to anyone, including people with less positive intentions.

SSGD is secure by design and the security certifications are enough for Intelligence Agencies to use SSGD as their product for remote access to applications.

There are, however, minor modifications possible for the SSGD web server to enhance the security even more. For instance, the default installation of SSGD discloses the version and the installed modules of the Apache web server.

It is advisable to check / modify the configuration as described below.

Remove version information from server response header field:
Add the following line in the server config part of httpd.conf. If you don't know where, place it below the 'ServerRoot' directive.

ServerTokens Prod
(file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf)


Remove directory listings of directories without default web-page (apache):
Edit httpd.conf and, on every line starting with 'Options', add a minus sign in front of 'Indexes'. For example:

change in file /opt/tarantella/webserver/apache/<version>/conf/httpd.conf
Options Indexes FollowSymLinks
to
Options -Indexes FollowSymLinks

Remove directory listings of directories without default web-page (tomcat):
Open file web.xml and look for 'listings'. Set the param-value to false. This setting is already correct in some versions of SSGD.

change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml
<init-param>
  <param-name>listings</param-name>
  <param-value>true</param-value>
</init-param>

to
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

Remove stack-traces for erroneous jsp-files:
This option is very useful on production servers, for instance when the Look&Feel of the webtop pages has been altered. The simplest way is to show a default error page for erroneous pages. When the error page does not exist, Tomcat will return an empty page (hence no Java stack traces).
change in file /opt/tarantella/webserver/tomcat/<version>/conf/web.xml
</web-app>
to
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/internalError.html</location>
</error-page>
</web-app>
For more SSGD security information (including these options) take a look at the 'Secure Deployment Checklist' at wikis.sun.com. Another good article is: 'HOWTO Secure Access to the Administration Console'.

Just keep in mind that connecting any server to the Internet requires good security settings, regardless of how secure the product is by default.
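The four changes above can be checked after an upgrade or reinstall with a small audit script. This is an added example, not part of the original post or of SSGD; the function names `audit_httpd` and `audit_webxml`, the sample configuration strings and the web.xml namespace in them are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def audit_httpd(conf_text):
    """Findings for ServerTokens and Options Indexes in httpd.conf text."""
    findings, tokens = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if directive == "servertokens" and args:
            tokens = args[0]  # simplification: keep the last value seen
        elif directive == "options" and ("indexes" in args or "+indexes" in args):
            findings.append(f"line {no}: directory listing enabled ({raw.strip()})")
    if tokens not in ("prod", "productonly"):
        findings.append(f"ServerTokens is {tokens or 'unset'}; expected Prod")
    return findings

def _local(tag):
    """Strip an XML namespace, since web.xml declares one on <web-app>."""
    return tag.rsplit("}", 1)[-1]

def audit_webxml(xml_text):
    """Findings for the 'listings' init-param and the <error-page> entry."""
    findings, has_error_page = [], False
    for el in ET.fromstring(xml_text).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        if _local(el.tag) == "init-param" and kids.get("param-name") == "listings":
            if kids.get("param-value", "").lower() != "false":
                findings.append("'listings' init-param is not false")
        elif _local(el.tag) == "error-page":
            has_error_page |= kids.get("exception-type") == "java.lang.Exception"
    if not has_error_page:
        findings.append("no <error-page> for java.lang.Exception")
    return findings

# Constructed sample input (not taken from a real SSGD installation).
HTTPD_DEFAULT = 'ServerRoot "/opt/example"\nOptions Indexes FollowSymLinks\n'
HTTPD_HARDENED = 'ServerRoot "/opt/example"\nServerTokens Prod\nOptions -Indexes FollowSymLinks\n'
WEBXML_DEFAULT = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>'
                  "<init-param><param-name>listings</param-name>"
                  "<param-value>true</param-value></init-param></servlet></web-app>")
WEBXML_HARDENED = WEBXML_DEFAULT.replace(">true<", ">false<").replace(
    "</web-app>", "<error-page><exception-type>java.lang.Exception</exception-type>"
    "<location>/internalError.html</location></error-page></web-app>")

if __name__ == "__main__":
    print(audit_httpd(HTTPD_DEFAULT), audit_webxml(WEBXML_DEFAULT))
    print(audit_httpd(HTTPD_HARDENED), audit_webxml(WEBXML_HARDENED))
```

To audit a real installation, pass the contents of the httpd.conf and web.xml files named above to the two functions; an empty list means the setting matches the hardened form.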

Friday, June 19, 2009

Login button on logged-out-page not always 'active'

When a user logs out of the SSGD webtop with the logout-button, the logged-out-page is shown. The logged-out-page contains a login-button. The login-button is not always 'active' (when clicking on the login-button nothing happens).

When looking into the JSP-code of the logged-out-page the 'activation' of the login-button is based upon the status of the TCC (Tarantella Client Connector/a SSGD-application which displays the applications). When the TCC is still running the login-button is 'activated'. This is a bit strange since logging out of the SGD webtop will stop the TCC.

/opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop/logged-out.jsp
I saw a check to 'enable' or 'disable' the login-button. The button is 'enabled' when the TCC is still running.


A quick fix is to always show the link by editing the logged-out-page. Follow these steps:

  • Logon to the SSGD server
  • Go to the directory:
    /opt/tarantella/webserver/tomcat//webapps/sgd/webtops/standard/webtop
  • Edit the file:
    logged-out.jsp
  • change line (109 for SGD4.50) from
boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));
  • to
boolean showLoginLink = (tccStarted != null && tccStarted.equals("true"));
showLoginLink = true;

After this change, verify it by logging on to the webtop and logging out again to see if the login-button is 'active'.

Tuesday, April 28, 2009

Sun Secure Global Desktop 4.5 to be released on May 12, 2009

The latest news on the new SSGD version was announced on the SSGD Forum by Jeff Jameson.
The download version of 4.5 will be available at release on May 12, 2009. GA and the availability of the media kit are slated for May 26th, 2009.
The 4.5 documentation is already available on Sun's Documentation site:

Monday, March 30, 2009

Sun Secure Global Desktop 4.5 to be released in May 2009

In May 2009 the new version (4.5) of Sun Secure Global Desktop (SSGD) will be released. There are no Release Notes for this new version yet.

More information will be provided around the launch of the new version.