Security Basics mailing list archives
Re: Restricting SSH in windows
From: John Pettitt <jpp () cloudview com>
Date: Mon, 14 Feb 2005 12:33:00 -0800
Brian T wrote:
> I have a situation where a vendor is SSHing into a Windows box on our internal network that is connected to the console of a system that he needs to support. In an effort to restrict the vendor's access to our network we disconnect the network connection of the supported system during maintenance procedures. There is, however, still the issue of the vendor having unrestricted shell access to the Windows box. The ssh server is using Cygwin and OpenSSH v3.5p1. I would like to restrict the commands the vendor is allowed to execute (in this case only ftp and telnet). All research I have conducted so far has not given me anything useful for Windows. Does anyone have any experience in a situation such as this?

Fundamentally whatever you do (even switching to a Linux live CD) won't solve the basic problem. Once you let somebody you don't trust have shell access to a box you can no longer trust the box. This is why they invented firewalls; the only secure solution is to put the now untrusted box on its own DMZ network segment and to control what access rights it has from the firewall side. Trying to sandbox a user who has command line access, ftp and telnet is a lost cause, particularly on Windows.

> Thanks, Brian T
John