Wednesday, May 21, 2008

ThinClient Security

Q: Kindly elaborate your experience with ThinClient security from the likes of HP and Wyse.

Currently researching the following with regard to Thin Client Security:

1. Need of an AV in ThinClient and its manageability. If an AV is required, which ones are recommended and why (file size, footprint on the OS and detection capability)
2. How to enforce security policies in Embedded XP. E.g.: device control/lockdown of the system, etc.
3. Case study of ThinClient security - breaches that have happened in the past; best practices and recommendations, etc.
4. Possibility of a ThinClient turning out to be a zombie for a botnet, and any other security considerations to keep in mind


A: Hi ........,
It is difficult to have a generic answer for all thin clients since there are several OS flavors and several different deployment/use cases. (HP offers clients with Windows CE, NeoLinux, Windows XP Embedded, Debian Linux 4.0, HP Thin Connect, and Wyse offers clients with Wyse ThinOS, Windows XP Embedded, Wyse Linux, Windows CE, etc.) You can choose to restrict user activity to a minimum and reboot with a fresh image each time, or you may choose to customize your thin OS with some execution and allow limited apps in addition to RDP, ICA type terminal clients. So your risk profiles vary based on your decisions.

That being said, here are my comments:


Need of an AV in ThinClient and its manageability. If an AV is required, which ones are recommended and why (file size, footprint on the OS and detection capability)

If you are looking at XP Embedded (XPe), as you stated down below, you have some options. CA Anti-virus (formerly eTrust) is the first player with a small footprint. Symantec offers full endpoint security with the Symantec Endpoint Protection for Windows XP Embedded. Disk/CPU/memory requirements on the Symantec client are 30Mb/1.3Ghz/128MB. You can also use McAfee VirusScan Enterprise on XPe. I would crosscheck the licensing options on each of the options as well. If you choose terminal connections and lock down the client only, you may question the necessity as well.


How to enforce security policies in Embedded XP. E.g.: device control/lockdown of the system, etc.

Like in real XP, group policies and Windows Firewall. On Windows XP Embedded with SP2, you/your vendor can configure your run-time image for better security. The Windows XP Embedded run-time image should include the Group Policy Client Core, Gptext.dll and Windows Firewall components. You can use MMC to update Group Policy on a deployed run-time image. You can also add Symantec endpoint security to the mix.

Case study of ThinClient security - breaches that have happened in the past; best practices and recommendations, etc.


Breaches seldom make it all the way to case studies, for a good reason. In the past I have not personally witnessed a “thin client” related breach. But XP Embedded is very close to XP and it is subject to similar attacks, and even worse since it is not a closely monitored OS. There is a higher risk on thicker Linux and XPe distros if the end user is allowed to make any changes in the configuration. Best practice is to control the entire environment and disable user level access to OS settings completely. Remote exploits (e.g. JavaScript, ActiveX vulnerabilities) will be sand-boxed if the user rights are restricted properly. I personally like terminal connection only or OS streaming models where every boot is a fresh start.


Possibility of a ThinClient turning out to be a zombie for a botnet, and any other security considerations to keep in mind

It is technically possible if the user has a right to modify anything and execute the changes. I would choose the thinnest model if the requirements do fit.

cheers,
- yinal

