I can get the desktop environment in cygwin using xwin.exe -query ip_address .
I think that it is using raw XDMCP. I want to lock down the servers and only use SSH or better SSH2. I understand that "you can tunnel XDMCP 'through' SSH". Do I have that last statement correct?