NoMachine Support

ID: AR06Q01036
Applies to: NX Software
Added on: 2019-06-27
Last update: 2019-07-08
Hardening NoMachine server products

NoMachine servers don't require specific hardening measures, but administrators can apply settings within the NoMachine software to keep their systems secure.

Keeping the software up-to-date is always advisable. In the case of critical security fixes to any of its components, NoMachine immediately notifies subscribed customers (via the Support Channel) and all users subscribed to the Announcement Mailing List about the new version that resolves the security issue. The list of all updates is available here: https://www.nomachine.com/softwareupdates

All measures suggested by your OS vendor to harden the system are necessary to ensure that NoMachine is running on a secured host (e.g. SELinux policies, strong passwords, regular system updates, etc.).

Note that NoMachine relies on the authentication subsystem as configured on the system. It can integrate with various authentication methods and also supports two-factor authentication. Please see this chapter for details: https://www.nomachine.com/DT10O00150#2

Depending on your company's requirements, further restrictions on access via NoMachine can be applied.

For example, NoMachine uses the NX protocol by default, implemented with OpenSSL TLS/SSL (default cipher suite: ECDHE-RSA-AES128-GCM-SHA256), but companies with strict policies may want to disable it and force users to use only the industry-standard SSH protocol.

If needed, it's also possible to disable NoMachine connections via the web, or to use the system's web server instead of the minimal built-in Apache web server (nxhtd) shipped with the package.

In multinode or multiserver environments, users or groups of users can be allowed to access (or forbidden from accessing) a machine by setting NoMachine profile rules.

Connections to the physical desktop of the remote host can be disabled or allowed only for specific users.

Services like file transfer and copy and paste can be completely disabled or limited to one direction only (local-remote or remote-local).

Session types can also be limited (e.g. users are allowed to run only Linux virtual desktops or only custom sessions).

For more details about all possible configurations, we suggest consulting the relevant NoMachine Installation and Configuration Guide for your server product: https://www.nomachine.com/all-documents, or contacting NoMachine support for specific configurations.
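
The protocol and file transfer/copy and paste restrictions described above can be checked against a written policy once they are set. The script below is an added example, not NoMachine code: it audits a server configuration file for drift from a site policy. It assumes a `Key value` file format with `#` comments, and the key names `ClientConnectionMethods`, `EnableClipboard` and `EnableFileTransfer` and their values are assumptions to confirm in the Installation and Configuration Guide for your product; the policy itself is hypothetical.

```python
import re

# Constructed sample in the assumed "Key value" style of a NoMachine server.cfg.
# Key names and values are assumptions; confirm them in your product's guide.
SAMPLE_CFG = """\
# Protocols the server accepts from clients
ClientConnectionMethods NX,SSH,HTTP
EnableClipboard both
#EnableFileTransfer both
"""

# Hypothetical site policy: key -> set of permitted comma-separated tokens.
POLICY = {
    "ClientConnectionMethods": {"SSH"},
    "EnableClipboard": {"none", "client"},
    "EnableFileTransfer": {"none"},
}

def parse_cfg(text):
    """Return {key: value} for active lines; blank and commented lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(\S+)\s+"?([^"]*)"?\s*$', line)
        if m:
            # If a key is repeated, this script keeps the last occurrence.
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text, policy=POLICY):
    """Return (key, status, detail) findings for every key named in the policy."""
    settings = parse_cfg(text)
    findings = []
    for key, allowed in sorted(policy.items()):
        if key not in settings:
            # Commented-out key: the built-in default applies and the file does not show it.
            findings.append((key, "UNSET", "default in effect; set explicitly"))
            continue
        tokens = {t.strip() for t in settings[key].split(",") if t.strip()}
        extra = sorted(tokens - allowed)
        if extra:
            findings.append((key, "FAIL", "not permitted: " + ",".join(extra)))
        else:
            findings.append((key, "OK", settings[key]))
    return findings

if __name__ == "__main__":
    for key, status, detail in audit(SAMPLE_CFG):
        print(f"{status:5} {key}: {detail}")
```

Reporting a commented-out key as `UNSET` instead of passing it is deliberate: the effective value is then whatever the installed version defaults to, which the file alone cannot confirm.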