Open for comment / feedback. It’s for all intensive purposes, pretty secure in my opinion. The only thing making it more secure would be dropping all outbound packets and specifically allowing traffic outbound, which might be the next thing I will work on.

[root@web ~]# iptables --list

Chain INPUT (policy DROP)
target prot opt source destination
BLACKLIST all -- anywhere anywhere state INVALID,NEW,UNTRACKED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all --        anywhere
ACCEPT tcp --      anywhere tcp multiport dports squid,webcache
ACCEPT tcp -- anywhere anywhere tcp multiport dports http,https
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere tcp dpt:nrpe

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain BLACKLIST (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- 124.115.4.0/24 anywhere
DROP all -- 91.201.66.0/24 anywhere


Microsoft tools for TMG 2010 - www.microsoft.com/downloads/en/details.aspx?FamilyID=8809cfda-2ee1-4e67-b993-6f9a20e08607&displaylang=en

Technet Doco for TMG 2010 – technet.microsoft.com/en-us/library/ff355324.aspx

Jim Harrison’s list of tools for TMG2010 - www.isatools.org/tools.asp?Context=TMG2010

Microsoft ISA Blog – blogs.technet.com/b/isablog/

Authenticating with Windows Username/Password

I actually had to use this last week, cause for some odd reason, the password we configured for our custom TeamViewer app wouldn’t work for this particular client… Odd…

Firstly, this only appears to be available on Windows – I tried doing this on my Mac TeamViewer client but it wouldn’t work… Booooo. Might just be an old version, I couldn’t be stuffed checking right now…

That said, on your Windows TeamViewer client, after entering the Client ID and connecting, click the “Advanced” button on the Authorization screen to bring up a bunch more options. You should now have a “Authentication” drop down box, with TeamViewer and Windows as your options. Selecting Windows gives you a familiar, “Username, Password, Domain” style screen. Simple. Enter the details and click Log On. You’re done!

Blocking TeamViewer Access

This is probably something I’d not ever want to touch, purely because I have clients I NEED to connect to, but I understand that some systems administrators might feel the need to block their employees from setting up TeamViewer on their machines for remote access purposes, or just to stop outside parties from soliciting internal users into starting TeamViewer sessions…

The first way I can think of to block TeamViewer access, is by using Local Security Policies, or Group Policies. There is a nasty little policy option that enables you to block an application from running, if it matches a certain filename – obviously, use this with care!

The option you want to look for is located in User Configuration -> Administrative Templates -> System -> Don’t run specified Windows applications.

Enable this policy, and simply add the TeamViewer executables (TeamViewer.exe, TeamViewer_Setup.exe, etc etc) to the “List of disallowed applications”.

Obviously, renaming the files is going to circumvent this… So moving on…

A quick NetStat on my Vista machine with the full TeamViewer client installed yielded the following result:

TCP    192.168.1.10:53039     server904:5938         ESTABLISHED
[TeamViewer.exe]

The answer is quite simple – block outgoing connections to TCP port 5938… This will stop the TeamViewer client from connecting back to TeamViewer’s central servers, which is necessary to generate the client ID, and to punch a hole through the firewall to allow people to connect in the first place.

You could probably set this on the local firewall, using Windows Firewall or perhaps by using your chosen centrally managed endpoint security package (Trend/Sophos/Symantec etc all have firewall options with their antivirus clients).