X11 for UNIX

X-Windows has been around for a long time and provides a convenient way for applications to connect to and manipulate a user's console. An "X-Server" runs on whatever computer the user is sitting at. This server allows applications to connect and retrieve mouse position, keyboard data, set and manipulate screen and display data, etc. This allows applications to interact with the user via a GUI.

Using X-Windows, applications can connect to the user interface on the same computer system, or on another system located elsewhere on the network. Using this capability, users can log in to a remote machine and run applications that open windows and interact with the user at his or her desktop. Some rudimentary security mechanisms are provided to secure the X-server from connection by other users, though these techniques are designed more to protect against unintentional connections and are not sufficient to provide any real security from compromise.

To overcome these security weaknesses, X-windows can be used in conjunction with other products that provide a secure channel for X-windows applications to connect to an X-server. PuTTY on Windows, or ssh on Linux/Unix/MacOSX can be configured so when you log in from your desktop system to a remote system, X windows traffic is forwarded through the secure channel.

WARNING!

Improper configuration of X Windows can allow the compromise of your password and the exposure of everything typed on your keyboard and shown on your display. You must secure your system's X services!

Note that the UNIX command "xhost +" should NOT be used. It gives every computer complete access to your display and keyboard.
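
The following is an added example, not part of the original page: a shell check that flags the state "xhost +" leaves behind and tests whether DISPLAY points at an ssh-forwarded display as described above. The function names, the sample output and the host name build01.example.org are constructed for illustration, and the DISPLAY test assumes the sshd defaults X11UseLocalhost yes and X11DisplayOffset 10.

```shell
#!/bin/sh
# Added example: classify the access-control state reported by `xhost`.

# Reads `xhost` output on stdin and prints one verdict:
#   OPEN       access control disabled (the state "xhost +" leaves behind)
#   HOST-LIST  enabled, but entire hosts are still on the access list
#   OK         enabled, with no host-wide entries
audit_xhost() {
    verdict=OK
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) verdict=OPEN; break ;;
            "access control enabled"*|"") ;;
            SI:localuser:*) ;;            # single local user, not a whole host
            *) verdict=HOST-LIST ;;       # INET:host, INET6:host, ...
        esac
    done
    echo "$verdict"
}

# Heuristic (assumes sshd defaults X11UseLocalhost yes, X11DisplayOffset 10):
# an ssh-forwarded session gets a loopback DISPLAY numbered 10 or higher.
display_is_tunneled() {
    case "$1" in
        localhost:*|127.0.0.1:*) ;;
        *) return 1 ;;
    esac
    num=${1##*:}; num=${num%%.*}          # "localhost:10.0" -> "10"
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 10 ]
}

# Constructed sample outputs, not captured from a real system.
sample_open='access control disabled, clients can connect from any host'
sample_hosts='access control enabled, only authorized clients can connect
INET:build01.example.org
SI:localuser:alice'
sample_ok='access control enabled, only authorized clients can connect
SI:localuser:alice'

for s in "$sample_open" "$sample_hosts" "$sample_ok"; do
    printf '%s\n' "$s" | audit_xhost
done
for d in localhost:10.0 :0 remote.example.org:0.0; do
    if display_is_tunneled "$d"; then echo "$d tunneled"; else echo "$d not tunneled"; fi
done
```

On a live session, `xhost | audit_xhost` and `display_is_tunneled "$DISPLAY"` apply the same checks to the real X server.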

A good presentation of how X11 works and how to secure it is given in this document from DOE-CIRC. The article has a UNIX focus, but is good background for the use of X11 on Windows machines, too.

XDM-based Sessions No Longer Supported

Many users are familiar with the XDMCP (X Display Manager Control Protocol) style logins used in the past that provided a full desktop onto a UNIX system via XDM. This approach provides no security whatsoever, is no longer supported and must be discontinued. Instead, users are asked to create terminal windows onto a UNIX host using their secure shell client, then launch X-windows applications as needed via the secure tunnel provided.

UNIX

Please see the Securing X Windows document from DOE-CIRC for details on securing X Windows on a UNIX platform.