
Thin Clients are Invulnerable. Aren’t They?

by Karl Fox on April 27, 2009

I am greatly pleased when we at Lithik meet a client who uses thin clients. It not only means that IT management is forward-looking, it also often means they understand the substantial security benefit that can be gained by removing hard-disk-based Windows systems from their network. Converting an organization with a hundred Windows XP desktops accessing three Windows servers to thin client technology means a reduction from 103 Windows installations to 3. That means more than 30 times fewer machines to patch, 30 times fewer machines to monitor for antivirus updates and Windows events, and 30 times fewer machines on which to install service packs and other application updates. This is a seriously good thing.

Thin client sales pitches frequently include claims saying they can’t be hacked. They don’t have hard drives, so how could they? Besides, you can always push the reset button and—voilà—the software is booted from a clean copy, erasing any filth that may have found its way into memory.

Even so, I always recommend that our clients choose the version running Linux or some oddball embedded OS like VxWorks or QNX. I do this because although I frequently quote the famous security paradigm, “security by obscurity is no security at all,” I know that obscurity often does add to security—sometimes quite substantially.

Thin clients running Windows CE or Windows XP Embedded need to be updated every month, just like XP or your servers. Patch Tuesday applies both to the OS and to Internet Explorer, which is always the web browser in Windows-based thin clients. Go ahead and look in the manual for your thin client management software: network-wide updates are supported and recommended, but the manuals usually leave out the dire threats and arm-waving you get when security folks talk about Windows patches. That’s too bad, because the same IE bug you just patched on all your XP machines is probably in all your CE and XPE thin clients, too. Thin clients may not have hard drives, but they do have memory-based filesystems that can store malware and run it, at least until you reboot. By then the damage may be done and the malware may have jumped to servers that do have hard drives; a reboot wipes the client, not the servers or the credentials it handed over.

But the fun doesn’t stop there! Show me a thin client browser and I’ll show you a device that runs JavaScript for sure, and probably Java and Adobe Flash as well, technologies that fall into a category known as mobile code. Claims that these environments are safe because they run in a protective “sandbox” are only partly true. All software has bugs, even sandboxes. A thorough security design requires measures that can protect against bugs that haven’t been found yet. Thus the principle of defense in depth, or security in layers, is the most important mitigation we have against the unknown. Thin clients are great, but they’re only one layer.

So, what to do? There are some steps you can take. The following list is not exhaustive, because the author is not omniscient. But it’s a start.

  • Choose Linux-based or RTOS-based thin clients over those running Windows CE or XP Embedded.
  • Keep your thin clients up to date with the latest firmware available. If you do use Windows-based devices, this means every month.
  • Restrict the use of mobile code. If you need it for your business applications, configure the browser to only allow it from a select list of servers.
  • If your thin client vendor hasn’t given you the ability to restrict mobile code, configure your firewall or web proxy to do it instead.
  • If your firewall won’t let you control mobile code, configure it to restrict all web browsing to a list of approved sites. This is called a white list. Match on the exact host name, not on a substring, or a site like www.example.com.evil.com will slip through.
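As an added example (not code from the original post or from any thin client vendor), here is what such a white list check looks like when a proxy hands each requested URL to a small helper program and expects an OK or ERR verdict per line, which is the shape of a Squid external ACL helper. The approved hosts, the vendor suffix and the sample URLs are constructed for illustration; the format line the proxy is configured to send (a bare URL per line) is an assumption. The point it makes that the bullet list alone does not: a white list is only as good as its matching rules, so the check parses the URL properly instead of looking for the approved name anywhere in the string, which defeats the user-info trick (www.example.com@evil.com), the subdomain trick (www.example.com.evil.com), trailing-dot and upper-case variants, and non-web schemes.

```python
"""Host white list check in the shape of a Squid-style external ACL helper.

Reads one URL per line on stdin and answers "OK" (allowed) or "ERR"
(denied) per line on stdout. Added example, not the original post's code.
"""
import sys
from urllib.parse import urlsplit

# Constructed sample white list: sites the business actually needs.
ALLOWED_HOSTS = {
    "intranet.example.com",
    "erp.example.com",
    "www.example.com",
}

# Constructed sample: a vendor whose subdomains are all approved.
# The leading dot matters: it prevents "notexample-vendor.net" matching.
ALLOWED_SUFFIXES = {
    ".example-vendor.net",
}


def is_allowed(url):
    """Return True only if the URL's host is on the white list."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL: deny rather than guess

    # Only plain web traffic is considered; deny ftp:, file:, etc.
    if parts.scheme not in ("http", "https"):
        return False

    # .hostname strips user-info ("allowed@evil.com") and the port,
    # and lower-cases the name, so the attacker-controlled part is
    # what gets compared, not the decoy in front of the "@".
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "www.example.com." is the same host

    if host in ALLOWED_HOSTS:
        return True
    # Suffix match on a dotted suffix, never a plain substring match,
    # so "www.example.com.evil.com" is not mistaken for the intranet.
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def decide(line):
    """Map one helper input line to the verdict the proxy expects."""
    url = line.strip()
    if not url:
        return "ERR"
    return "OK" if is_allowed(url) else "ERR"


def helper_loop(lines_in, out):
    """Serve verdicts until stdin closes (the proxy restarts us if we die)."""
    for line in lines_in:
        out.write(decide(line) + "\n")
        out.flush()  # the proxy blocks until it sees the newline


if __name__ == "__main__":
    helper_loop(sys.stdin, sys.stdout)
```

The deny-by-default branches (malformed URL, unknown scheme, empty host) are deliberate: a white list that fails open is just a list.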

Applying these methods to a thin client environment will certainly decrease the risk of infection. But it must be said that there is really no guaranteed safe way to give your staff unlimited freedom to browse the Internet with all the bells and whistles enabled. Well, at least not unless you figure out a way to move them outside your firewall while they do it. If you think of your business environment as a surgery room in which every item introduced from the outside represents a potential threat, you will understand the importance of continued vigilance to avoid contamination. Thin clients are indeed way more secure than desktops. It’s just that the Internet is anything but sanitary and nothing is perfectly safe.


dilileak January 24, 2012 at 4:54 am

You will like Chanel knockoffs and get big savings.

Erin Finnegan February 5, 2012 at 3:20 am

Wow, great blog. Really, thank you! Great.
