Stop X-Win32 from being directly insecure

©2002-2005 by Michael Knudsen.
$Date: 2006/04/19 17:26:54 $

This or excerpts hereof may under no circumstances be distributed in any form. This might change once the author is satisfied with content, layout, structure etc.

What is X-Win32?

X-Win32 is an X11 server for various versions of Microsoft Windows. It works quite well and is fairly fast too. You use it to display X applications on your local computer while running them on another, possibly faster, central server. The X Window System is very flexible but also very hard to get an overview of and understand. Its large number of features can lead to various security problems, such as revealing passwords to an attacker or similar disclosure of personal information. There are several ways of gaining this information. First of all, X11 network traffic is unencrypted, meaning that passwords and everything else are easily obtained by sniffing the network traffic. Secondly, an attacker can connect to your server and request screen dumps, log keystrokes and do other things that give away your information without you knowing it.

The horror

When I first encountered X-Win32, I was pleased to see an X11 server for the Windows platform. Thirty seconds later, I realized that there was absolutely no access control enabled in that particular installation. I later discovered that it was a default installation of X-Win32. I really have a hard time understanding why vendors do not understand that software should be shipped secure by default.

Why?

Configuration of the product is quite easy. Ten seconds later I had enabled basic access control, defeating the simplest attacks. Some people might think that this is good. However, it is not -- especially not when it is so easy to configure. Software should be shipped secure by default, because that forces users to understand the software they are using, along with the consequences of using it. If all software were shipped secure by default, many system intrusions would be avoided.

Applying access control

Assumptions etc.

I assume you have a fresh installation of X-Win32 and that the program is running. I will not bother commenting on the installation, since it is plain and simple. I assume you behave responsibly on trusted systems. This includes not executing 'funny' email attachments from people you know or do not know.

Setting basic access control

First open the X-Win32 configuration menu and select the security tab. Make sure that both "Access control" and "Use XAuth" are checked. This is the step that actually ensures some security. Tough, huh? I still wonder why this is not done automatically by the vendor.

Limiting the X-Host list

Next, remove all items from the "X-Host list", unless you really know what this means. You can add trusted hosts by clicking "Add...", but only add hosts that you really trust. Any user on any host listed here can access your X-Win32 server without your approval. That means any host listed here has read and write access to your display/desktop: screen dumps of your desktop can be taken and windows can be created on it. It also means that keystrokes sent through X-Win32 can be read and logged. Therefore, if you rarely use a particular host, do not add it to this list. If you do not trust a particular host, do not add it to your X-Host list (and simply do not use it). These steps make sure that no hosts are trusted without your knowledge.
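To confirm that the two steps above took effect, here is an added self-check in Python; it is not part of X-Win32 or of the original guide. It opens a plain X11 connection to your own display with no authorization data and reports whether the server refuses it, which is what "Access control" plus "Use XAuth" with an empty X-Host list should do. Assumptions: the server listens on TCP port 6000 plus the display number (the X11 default), and the sample replies at the bottom are constructed for offline testing; the exact refusal wording varies between X servers.

```python
import socket
import struct
import sys

# Added self-check (not part of X-Win32 or the original guide): open a
# plain X11 connection with no authorization data and see whether the
# server refuses it. Assumes the server listens on TCP 6000 + display
# number, the X11 default.

X11_BASE_PORT = 6000

# Status byte of the X11 connection-setup reply
STATUS_FAILED = 0
STATUS_SUCCESS = 1
STATUS_AUTHENTICATE = 2


def build_setup_request() -> bytes:
    """Connection-setup request with empty authorization name and data.

    Little-endian layout: byte-order 'l', pad, major=11, minor=0,
    auth-name length=0, auth-data length=0, pad (12 bytes in total).
    """
    return b"l\x00" + struct.pack("<HHHHH", 11, 0, 0, 0, 0)


def parse_setup_reply(data: bytes) -> dict:
    """Decode a connection-setup reply (8-byte header plus extra data)."""
    if len(data) < 8:
        raise ValueError("reply shorter than the 8-byte setup header")
    status = data[0]
    major, minor = struct.unpack_from("<HH", data, 2)
    if status == STATUS_FAILED:
        reason_len = data[1]  # byte 1: length of the reason string
        reason = data[8:8 + reason_len].decode("latin-1")
        return {"status": status, "protocol": (major, minor), "reason": reason}
    if status == STATUS_AUTHENTICATE:
        units = struct.unpack_from("<H", data, 6)[0]  # extra data, 4-byte units
        reason = data[8:8 + units * 4].rstrip(b"\x00").decode("latin-1")
        return {"status": status, "reason": reason}
    if status == STATUS_SUCCESS:
        return {"status": status, "protocol": (major, minor)}
    raise ValueError(f"unknown setup reply status {status}")


def verdict(reply: dict) -> str:
    """Turn a parsed reply into a one-line result for the operator."""
    if reply["status"] == STATUS_SUCCESS:
        return ("OPEN: connection accepted without any authorization; "
                "access control is off or this host is in the X-Host list")
    if reply["status"] == STATUS_FAILED:
        return f"refused: {reply['reason']}"
    return f"server asks for further authentication: {reply['reason']}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or fewer if the server closes the connection first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_display(host: str = "127.0.0.1", display: int = 0, timeout: float = 3.0) -> dict:
    """Send the unauthenticated setup request and parse the server's answer."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as sock:
        sock.sendall(build_setup_request())
        header = _recv_exact(sock, 8)
        # bytes 6-7 of every reply variant: length of the extra data in 4-byte units
        units = struct.unpack_from("<H", header, 6)[0] if len(header) == 8 else 0
        body = _recv_exact(sock, units * 4)
    return parse_setup_reply(header + body)


# Constructed sample replies, shaped like real ones, for offline testing.
# Refusal: status 0, reason length 21, protocol 11.0, 6 units of extra
# data, reason "No protocol specified" padded to 24 bytes.
SAMPLE_REFUSED = (b"\x00\x15\x0b\x00\x00\x00\x06\x00"
                  + b"No protocol specified" + b"\x00\x00\x00")
# Acceptance: status 1, protocol 11.0 (the rest of a real reply omitted).
SAMPLE_ACCEPTED = b"\x01\x00\x0b\x00\x00\x00\x00\x00"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        print(verdict(probe_display(target)))
    except OSError as exc:
        print(f"no X server reachable on {target}:{X11_BASE_PORT} ({exc})")
```

Run it on the workstation itself, or from another machine against the workstation's address. A "refused" result means the checkbox and the empty host list are doing their job; an "OPEN" result means the server still accepts anyone. Note that once you add 127.0.0.1 for tunneling, a probe run on the same machine is accepted by design, so in that case run the check from a host that is not in the X-Host list.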

X11 tunneling

If you use X11 tunneling, you will want to add 127.0.0.1 to your list of explicitly allowed hosts. If you do not know what this is, read my guide about X11 tunneling with PuTTY and learn. I strongly recommend using X11 tunneling.

A trojan running on your machine can redirect traffic from anywhere to anywhere (including 127.0.0.1) and mount various other attacks, but this is not a problem as long as you do not execute such programs, so do not.

All done

You are now all done. This guide is ridiculously short, but it still manages to explain how to defeat all the simple attacks. That alone should tell you that the vendor should have done this already. Preventing the more advanced attacks is up to the vendor, since the software is closed source.