Security Basics mailing list archives

RE: Thin-clients: THE Solution to the Security problem

From: "Bill Stout" <bill.stout () greenborder com>
Date: Wed, 31 Aug 2005 17:41:16 -0700

Your network is still exposed to processes running in IE or launched
from IE on the Metaframe servers.  IE is a major vector, but so is
Outlook.  Anything that brings in foreign (untrusted) content is a
vector, and you users will demand the usability which they're accustomed
to (like cut and paste, save-as, mailto).

Be aware that users on the same server share exposure to malware.  How
comfortable would you be if your Windows XP desktop had other users
logged in?

A thin client is an attempt to apply network sandbox security.  It's as
secure as the isolation is strict.  If you have a path to it, malware on
that system also has a path to you.

You may want to explore different techniques to contain untrusted
content while maintaining usability.  (Hint-hint, check our website).

Bill Stout
www.greenborder.com

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, August 31, 2005 5:12 PM
To: sf_mail_sbm () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Thin-clients: THE Solution to the Security problem

answer to your question is not easy. and it will depend on the type of
organization in question.

Maybe you can start by serving inidividual application using Citrix,
instead of the whole desktop. This way you can measure user's
feedback. Click here for similar discussion on Slashdot <
http://slashdot.org/article.pl?sid=04/12/28/2212243 >

Start by publishing Internet Explorer on Citrix, and require your
users to use it from Citrix instead of their local copy of IE. Lock
down IE, and use anonymous accounts for Internet Explorer. This way
you can lock down the IE to your heart's desire. Also publishing IE
'anonymously' on Citrix will further secure the environment, as the
anonymous profiles can be deleted on a nightly basis. However one
issue with 'anonymous' access to Citrix applications, is that the user
can not maintain their preference or even their bookmarks.

Now if we replace all of these PCs with thin-clients, whereby they

will access servers (may be Terminal Servers) to get their mails, get
Web access, does it not eliminate the potentially large pool of
'vulnerable' machines, and hence greatly decrease the Risk Exposure of
an organisation's network?


Is this the solution to manage Security more effectively?


-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.

Current thread:

RE: Thin-clients: THE Solution to the Security problem Bill Stout (Sep 01)
- Re: Thin-clients: THE Solution to the Security problem Saqib Ali (Sep 01)
- Re: Thin-clients: THE Solution to the Security problem Ansgar -59cobalt- Wiechers (Sep 06)
- <Possible follow-ups>
- Re: Thin-clients: THE Solution to the Security problem Dave Aronson (SecBasics) (Sep 01)
- Re: Thin-clients: THE Solution to the Security problem Topi Ylinen (Sep 06)