The Open Text Connectivity Solutions Group<\/a> produces a software package called Exceed<\/a> that provides X server software which is also quite popular but is not supported by IS&T at this time.<\/p>\n Recent versions of X-Win32 have implemented a much better security model by default, but you will need to understand some aspects of how it works in order to be able to use it reliably, efficiently, and securely.<\/p>\n To begin, you should understand the basics of the X-Windows system and security.\u00a0 If you do not know what xhost and xauth are, you should start by reading about How X-Windows Access Control Works<\/a>.\u00a0 You may also be interested in knowing what could happen if I fail to secure my X-Windows server<\/a>.<\/p>\n For the impatient, you may jump to the What Should I Do<\/a> section,<\/p>\n In X-Win32 the access control system is configured through the Xconfig tool, which can be launched via the Start Menu or by double clicking the X-Win32 Icon in the Task Bar.<\/p>\n The default behavior of X-Win32 varies across versions, but everyone should be running version 9 or newer at this point.\u00a0 In old versions, the default behavior was to allow all connections, which was part of the inspiration to create the X-Windows Security Probe<\/a>.\u00a0 Newer versions have more secure defaults.<\/p>\n If you have an older version of X-Win32 you should update to the latest version<\/a>.\u00a0 If for some reason you cannot, please look at our advice on Securing Older Version of X-Win32<\/a>.<\/p>\n Inside the XConfig tool there is a Security tab which deals exclusively with access control.\u00a0 The contents of the tab are shown below.<\/p>\n Xconfig Security Tab<\/p><\/div>\n Allow by Xauth Cookie<\/strong><\/p>\n In the first section, “Allow by Xauth Cookie” you can use the Xauth mechanism to provide authentication. This is a little difficult to use in the Microsoft Windows environment, but if it is the best fit for you then please read the X-Win32 help documentation for Xauth<\/a> for more information on how to use it.<\/p>\n Allow by Address<\/strong><\/p>\n The second section, “Allow by Address”, you can use xhost style authentication where you allow one or more hosts to connect.\u00a0 There is a radio button at the top marked “Allow all host addresses”.\u00a0 Selecting this is equivalent to using “xhost +<\/em>” and should not be done.\u00a0 Using the “Only allow these hosts addresses” radio button is equivalent to do “xhost +hostname<\/em>” for some set of hosts.<\/p>\n Note: If you use SSH forwarding<\/strong>, you will need to add an entry for “localhost” (with out the quotes) to your allowed “Allowed Host Addresses” list.<\/p>\n Allow by Prompt<\/strong><\/p>\n Finally, the panel offers “Allow by Prompt” which features one checkbox: “Prompt for connections not allowed by other means”.\u00a0 This last option is a feature that makes X-Windows easier to use under Microsoft Windows:<\/p>\n If a client connects without a valid magic cookie (xauth) and isn’t in the list of allowed hosts (xhost), the X-Server may prompt and ask you if you want to accept the connection.<\/p>\n To check or not to check?<\/strong><\/p>\n If you do check this box<\/strong>: Any time anyone<\/em> attempts to connect to your X-Windows server you will get a dialogue box asking you accept or refuse the connection.\u00a0 Since you cannot control how often people connect to your server, this can become an annoyance.\u00a0 To reduce this annoyance, read our section on Using the Microsoft Windows Firewall to limit X-Server connections<\/a>.<\/p>\nX-Win32 Security<\/h3>\n
Access Control in X-Win32<\/h3>\n
![\"Xconfig](\"\/tech\/files\/2009\/12\/xwin32.jpg\")
![\"Example](\"\/tech\/files\/2009\/12\/xwin32_good.jpg\")