RE: Thin-clients: THE Solution to the Security problem
From: Bill Stout (bill.stout_at_greenborder.com)
Date: 09/01/05
- Previous message: Jason Coombs: "Re: Computer forensics to uncover illegal internet use"
- Maybe in reply to: sf_mail_sbm_at_yahoo.com: "Thin-clients: THE Solution to the Security problem"
- Next in thread: Saqib Ali: "Re: Thin-clients: THE Solution to the Security problem"
- Reply: Saqib Ali: "Re: Thin-clients: THE Solution to the Security problem"
- Reply: Ansgar -59cobalt- Wiechers: "Re: Thin-clients: THE Solution to the Security problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Aug 2005 17:41:16 -0700
To: <security-basics@securityfocus.com>
Your network is still exposed to processes running in IE or launched
from IE on the Metaframe servers. IE is a major vector, but so is
Outlook. Anything that brings in foreign (untrusted) content is a
vector, and your users will demand the usability which they're accustomed
to (like cut and paste, save-as, mailto).
Be aware that users on the same server share exposure to malware. How
comfortable would you be if your Windows XP desktop had other users
logged in?
A thin client is an attempt to apply network sandbox security. It's as
secure as the isolation is strict. If you have a path to it, malware on
that system also has a path to you.
You may want to explore different techniques to contain untrusted
content while maintaining usability. (Hint-hint, check our website).
Bill Stout
www.greenborder.com
-----Original Message-----
From: Saqib Ali [mailto:docbook.xml@gmail.com]
Sent: Wednesday, August 31, 2005 5:12 PM
To: sf_mail_sbm@yahoo.com
Cc: security-basics@securityfocus.com
Subject: Re: Thin-clients: THE Solution to the Security problem
The answer to your question is not easy, and it will depend on the type of
organization in question.
Maybe you can start by serving individual applications using Citrix,
instead of the whole desktop. This way you can measure users'
feedback. Click here for similar discussion on Slashdot <
http://slashdot.org/article.pl?sid=04/12/28/2212243 >
Start by publishing Internet Explorer on Citrix, and require your
users to use it from Citrix instead of their local copy of IE. Lock
down IE, and use anonymous accounts for Internet Explorer. This way
you can lock down the IE to your heart's desire. Also publishing IE
'anonymously' on Citrix will further secure the environment, as the
anonymous profiles can be deleted on a nightly basis. However, one
issue with 'anonymous' access to Citrix applications is that the user
cannot maintain their preferences or even their bookmarks.
> Now if we replace all of these PCs with thin-clients, whereby they
> will access servers (may be Terminal Servers) to get their mails, get
> Web access, does it not eliminate the potentially large pool of
> 'vulnerable' machines, and hence greatly decrease the Risk Exposure of
> an organisation's network?
>
> Is this the solution to manage Security more effectively?
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.