Tagged: ubuntu security logout defaults
August 1, 2018 at 07:01 #19188 sdcinvan Participant
I just noticed a potential security issue because of two default settings, namely:
– Blank the physical screen when somebody connects
– Lock the physical screen on disconnect
The default for the above two settings is off. Because of that, a remote user may not be aware that:
a) Anyone can view their session, if their monitor is turned on.
b) If the remote user doesn’t initiate a logout, their physical computer remains accessible to anyone.
Is there any way to change this default behavior with a patch or a custom install script? I ask because no matter how clear my instructions are, there will always be a user or two who will not heed the best practices advice or warnings.
Other than this issue, NoMachine is a beautiful piece of software engineering. Kudos to the developers. 🙂
August 1, 2018 at 14:44 #19199 Britgirl Keymaster
Hi sdcinvan, when deciding default settings we have to consider a number of criteria, such as who is using the software and what they are using it for 🙂
So changing the default server settings for one group of users would upset a load of other users, and vice-versa, such as users who are engaging in remote collaboration vs. those who are using it for unattended access. Your question, though, has given us food for thought, and we’ll definitely be looking into ways we can better handle such situations.
You published this in the Linux category. I’m not sure how you are using the software and how the software is being installed (by you or directly by the users you mention). If your users are all using Linux on the server, and you’re concerned they’ll forget to blank the monitor when accessing their desktop or skip your advice on how to best configure their computers for unattended access, could the terminal server family be more appropriate, such as Workstation?
August 2, 2018 at 07:47 #19209 sdcinvan Participant
We are currently experimenting with NoMachine. This is how it is being installed and used:
– Every developer has both a MacBook and an Ubuntu desktop
– For those developers who require remote access to their Ubuntu desktop, we ask them to install NoMachine on both OSes.
– When they are out of office, they will connect to the VPN and then access their Ubuntu desktop via NoMachine.
When it was discovered that, by default, NoMachine shows the desktop session and doesn’t automatically blank the screen and log out at the end of a session, I quickly scrambled to create a notice with instructions to change these two settings. However, ideally, I would like to know if there is a way to automate and/or force enable the settings:
– Anyone can view their session, if their monitor is turned on.
– If the remote user doesn’t initiate a logout, their physical computer remains accessible to anyone.
…during the installation.
On another topic, I am a bit confused about NoMachine licensing. Since we are using NoMachine in a corporate environment, do we need to license NoMachine? It is very important that we are compliant with your licensing. Our use is specifically Mac OS workstation to Ubuntu OS workstation but since we are only recommending this application, I am uncertain about how we can control how many copies of this application are in use.
Thank you
August 2, 2018 at 10:11 #19221 Britgirl Keymaster
In a corporate environment, where the company is requesting the use of NoMachine software to its users, that would be considered commercial use. So a better fit would be the NoMachine Enterprise Desktop to access the Ubuntu desktops which reside in the office (or wherever it is they are).
I would also recommend it because you have direct access to the support team, which would be able to help you with exploring possible options on how to pre-configure the settings for your specific environment and usage (whether that could be via a script of some sort or another solution could be explored with them), and of course for any other problems or questions.
Some additional information about what defines personal and commercial use is available here: https://www.nomachine.com/AR03P00972 You can compare Enterprise Desktop and free NoMachine package here: https://www.nomachine.com/remote-access-for-your-needs. From what you write I understand you’ve got quite a few users, so packs of 10 subscriptions seem like the best option. If you contact our sales team, they will be able to answer any commercial-related questions (and also pre-sales support) further.
As a client-side software, your users can use NoMachine free on the personal Macs or, if they only require the connection GUI and they don’t want to enable access to the Macs, Enterprise Client is available.