Security Basics mailing list archives
Re: Thin-clients: THE Solution to the Security problem
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 1 Sep 2005 20:51:52 +0200
On 2005-08-31 Bill Stout wrote:
> On Wednesday, August 31, 2005 5:12 PM, Saqib Ali wrote:
> > Maybe you can start by serving individual applications using Citrix,
> > instead of the whole desktop. This way you can measure user's
> > feedback. Click here for similar discussion on Slashdot
> > <http://slashdot.org/article.pl?sid=04/12/28/2212243>
> >
> > Start by publishing Internet Explorer on Citrix, and require your
> > users to use it from Citrix instead of their local copy of IE. Lock
> > down IE, and use anonymous accounts for Internet Explorer. This way
> > you can lock down the IE to your heart's desire. Also publishing IE
> > 'anonymously' on Citrix will further secure the environment, as the
> > anonymous profiles can be deleted on a nightly basis. However one
> > issue with 'anonymous' access to Citrix applications is that the
> > user can not maintain their preferences or even their bookmarks.
>
> Your network is still exposed to processes running in IE or launched
> from IE on the Metaframe servers.
Not true. IE is running on the remote Citrix server, which could be placed in a DMZ. Any code launched by IE may attack the server itself or any other host on the DMZ, but won't be able to attack your network without taking the router first.
> IE is a major vector, but so is Outlook. Anything that brings in
> foreign (untrusted) content is a vector,
Of course. That's the reason why you *have* the users use the published IE instead of the local IE. A Citrix server publishing applications is a special type of graphical firewall.
> and your users will demand the usability which they're accustomed to
> (like cut and paste, save-as, mailto).
C'n'P works with Citrix. Documents could be saved to shared folders on the server which could be mounted from within the network. Mail could be handled by another published application on the Citrix server.
> Be aware that users on the same server share exposure to malware.

Not necessarily, if they have neither admin nor power user privileges.
> How comfortable would you be if your Windows XP desktop had other
> users logged in?
If they were normal users and the system was kept up-to-date I wouldn't bother.
> A thin client is an attempt to apply network sandbox security. It's as
> secure as the isolation is strict. If you have a path to it, malware
> on that system also has a path to you.
True. But in the given scenario, the attacker would have to launch a reverse attack, which I wouldn't consider a trivial thing to do.
> You may want to explore different techniques to contain untrusted
> content while maintaining usability.

It looks to me like you didn't quite understand what Saqib Ali was suggesting. Please read up on graphical firewalls and what good they can do.

> (Hint-hint, check our website).

Usually self-advertisement is unwelcome. Especially if there's not even a public demo, so people can verify your claims. I don't need to be contacted by a business representative of yours just so I can check out whether your software does or doesn't work.

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files, erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
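The segmentation Ansgar argues for (published IE on a Citrix server in a DMZ, LAN users reaching it over the presentation protocol, the server reaching the Internet, and nothing in the DMZ able to open connections back into the LAN) can be written down as a zone policy and audited. The following is an added example, not code from the thread or from any Citrix product; the zone names, the rule model, and the port numbers (ICA on TCP 1494, session reliability on TCP 2598, SMB on TCP 445) are assumptions made for the illustration. It also shows what Bill Stout's "path to you" looks like in such a policy: a single convenience rule allowing DMZ-initiated traffic into the LAN, which the audit function flags.

```python
"""Zone-based segmentation policy for a published-application server in a DMZ.

Added example, not part of the original mailing-list thread. Models the
layout described in the reply: Citrix/Metaframe server in a DMZ zone, LAN
clients connecting to it over ICA, the server allowed out to the Internet,
and no DMZ-initiated connections into the LAN. Ports are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed protocol ports for the illustration (not taken from the thread).
ICA_PORT = 1494          # Citrix ICA presentation protocol
ICA_SR_PORT = 2598       # ICA with session reliability
SMB_PORT = 445           # file sharing for the "shared folder" document path


@dataclass(frozen=True)
class Flow:
    """A connection as seen by a stateful firewall: who initiates, to where."""
    src_zone: str   # zone of the host that opens the connection
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.proto == f.proto
                and (self.dport is None or self.dport == f.dport))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation; anything not explicitly allowed is denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def reverse_paths(policy: List[Rule]) -> List[Rule]:
    """Rules that let a DMZ host initiate into the LAN: the 'path to you'
    that makes a compromised published-application server dangerous."""
    return [r for r in policy
            if r.src_zone == "dmz" and r.dst_zone == "lan" and r.action == "allow"]


# The policy the reply describes. LAN users reach the DMZ server over ICA,
# the LAN mounts the server's shared folder (LAN-initiated, so no DMZ->LAN
# rule is needed), and the server may browse the Internet.
STRICT_POLICY = [
    Rule("lan", "dmz", "tcp", ICA_PORT, "allow"),
    Rule("lan", "dmz", "tcp", ICA_SR_PORT, "allow"),
    Rule("lan", "dmz", "tcp", SMB_PORT, "allow"),
    Rule("dmz", "internet", "tcp", 80, "allow"),
    Rule("dmz", "internet", "tcp", 443, "allow"),
    # no dmz -> lan rule at all; default deny covers it
]

# The same policy with one convenience rule added (constructed weak variant):
# "let the server reach the file server directly". This is the reverse path.
WEAK_POLICY = STRICT_POLICY + [Rule("dmz", "lan", "tcp", SMB_PORT, "allow")]

# Constructed sample flows covering the cases argued in the thread.
SAMPLE_FLOWS = {
    "user_ica_to_citrix": Flow("lan", "dmz", "tcp", ICA_PORT),
    "lan_mounts_shared_folder": Flow("lan", "dmz", "tcp", SMB_PORT),
    "citrix_browses_https": Flow("dmz", "internet", "tcp", 443),
    "malware_on_citrix_to_lan_smb": Flow("dmz", "lan", "tcp", SMB_PORT),
    "malware_on_citrix_to_lan_rdp": Flow("dmz", "lan", "tcp", 3389),
    "internet_to_citrix_ica": Flow("internet", "dmz", "tcp", ICA_PORT),
}


def audit(policy: List[Rule]) -> dict:
    """Decision for each sample flow plus the list of reverse-path rules."""
    decisions = {name: evaluate(policy, f) for name, f in SAMPLE_FLOWS.items()}
    return {"decisions": decisions, "reverse_paths": reverse_paths(policy)}


if __name__ == "__main__":
    for label, pol in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        result = audit(pol)
        print(f"[{label}]")
        for name, decision in result["decisions"].items():
            print(f"  {name:32s} {decision}")
        print(f"  reverse paths: {len(result['reverse_paths'])}")
```

Under the strict policy the user's ICA session, the LAN-side mount of the shared folder and the server's own browsing are all allowed, while every DMZ-initiated flow into the LAN is denied by the implicit default; the audit of the weak variant reports the one rule that gives code running on the server a route into the network.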