Re: Thin-clients: THE Solution to the Security problem

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2005-08-31 Bill Stout wrote:
> On Wednesday, August 31, 2005 5:12 PM, Saqib Ali wrote:
> > Maybe you can start by serving inidividual application using Citrix,
> > instead of the whole desktop. This way you can measure user's
> > feedback. Click here for similar discussion on Slashdot
> > <http://slashdot.org/article.pl?sid=04/12/28/2212243>
> >
> > Start by publishing Internet Explorer on Citrix, and require your
> > users to use it from Citrix instead of their local copy of IE. Lock
> > down IE, and use anonymous accounts for Internet Explorer. This way
> > you can lock down the IE to your heart's desire. Also publishing IE
> > 'anonymously' on Citrix will further secure the environment, as the
> > anonymous profiles can be deleted on a nightly basis. However one
> > issue with 'anonymous' access to Citrix applications, is that the
> > user can not maintain their preference or even their bookmarks.
>
> Your network is still exposed to processes running in IE or launched
> from IE on the Metaframe servers.

Not true. IE is running on the remote Citrix server, which could be
placed in a DMZ. Any code launched by IE may attack the server itself or
any other host on the DMZ, but won't be able to attack your network
without taking the router first.

> IE is a major vector, but so is Outlook.  Anything that brings in
> foreign (untrusted) content is a vector,

Of course. That's the reason why you *have* the users use the published
IE instead of the local IE. A Citrix server publishing applications is a
special type of graphical firewall.

> and you users will demand the usability which they're accustomed to
> (like cut and paste, save-as, mailto).

C'n'P works with Citrix. Documents could be saved to shared folders on
the server which could be mounted from within the network. Mail could
be handled by another published application on the Citrix server.

> Be aware that users on the same server share exposure to malware.

Not necessarily, if they don't have neither admin nor power user
privileges.

> How comfortable would you be if your Windows XP desktop had other
> users logged in?

If they were normal users and the system was kept up-to-date I wouldn't
bother.

> A thin client is an attempt to apply network sandbox security.  It's
> as secure as the isolation is strict.  If you have a path to it,
> malware on that system also has a path to you.

True. But in the given scenario, the attacker would have to launch a
reverse attack, which I wouldn't consider a trivial thing to do.

> You may want to explore different techniques to contain untrusted
> content while maintaining usability.

It looks to me like you didn't quite understand what Saquib Ali was
suggesting. Please read up on graphical firewalls and what good they can
do.

> (Hint-hint, check our website).

Usually self-advertisement is unwelcome. Especially if there's not even
a public demo, so people can verify your claims. I don't need to be
contacted by a business representative of yours just so I can check out
whether your software does or doesn't work.

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668