For the most part, the workstations in our company were built on HP t5530 thin clients. The exceptions were a few workplaces with special requirements (exotic equipment or software) and several laptops belonging to key employees. In total there were approximately 120 workstations. All of this was served by two terminal servers (Windows 2003 Ent), one Active Directory server and one file storage. Internet access went through a FreeBSD machine. The standard tasks were IE (access to a remote online database), TheBat with large volumes of mail, MS Office (Word / Excel) and 1C.
Unfortunately, all of the software, with very few exceptions, was unlicensed for one reason or another. And, of course, there was a fairly large amount of information that should not have fallen into the hands of certain agencies.
At some point, management set the task of putting a set of measures in place in case of unexpected and uninvited visits by certain individuals. The time allowed was minimal, and no funding was given at all.
After a brief brainstorming session, the following idea was born:
From what could be found in the server room, we built a reasonably capable terminal server that could, in theory, withstand all users logging in at once. Of course, they could hardly do real work on it. On this server we placed Active Directory with a copy of the user accounts and a large amount of "white" documentation, installed the software, and in every way made it look as if all the work was done on it.
The real servers were moved away: still in the same building, but somewhere no one would look for them. Only the fake server, the PBX and all the network equipment remained in the server room.
The thin clients and the fake server were moved into a separate subnet, say 192.168.1.1/24 (A). All the real servers were on the 192.168.0.1/24 subnet (B). On the FreeBSD machine, virtual interfaces were brought up on subnet A, one per terminal server. In normal mode, the thin clients connected to the IP addresses of these virtual interfaces, from which they were redirected to the real servers in subnet B. When hour X came, forwarding from all of these interfaces was switched to the single IP of the fake server in subnet A.
The users were instructed accordingly: if the connection to the terminal was interrupted and, once it was restored, they saw a certain picture, then that was how it should be. They needed to remain calm, imitate work, and avoid panicking and shouting "why does nothing work".
The whole system worked in manual mode, i.e. all the necessary manipulations were performed by the duty administrator running a script. Over time, the plan was to implement an automatic mode by integrating it with the existing office system for warning about guests (a radio key fob with the secretaries and light signals in the relevant offices).
Overall, the system turned out to be: a) very cheap, and b) quick to restore to normal after the guests leave.