Reply To: antivirus on XPe devices


Great question! Here is a bit of a blurb about XPe security to get the discussion going…

If a Wyse Windows XPe terminal were loaded with all the applications locally, had all the core binaries included and was an AD domain member, then it would essentially have the same attack vector as a Windows XP PC. In this scenario you would be bound to run by the Microsoft Operations Framework (MOF) as a minimum of good practice.

Thin computing is different: the security moves to the network, and authentication and network traversal become the security end points. In brief, here is a common customer deployment of Wyse XPe with a security focus:

– A customer configures a custom image with only the required components built into the image, this can be done from a modified Wyse image or built from the ground up as specific appliance firmware.

– The terminals are deployed in the network on a separate VLAN with only the minimum required ports to the Citrix Secure Gateway server and the Rapport server. 802.1x authentication can be carried out via MAC authentication or a proprietary client application. Essentially the terminals are treated as untrusted, all data and information will reside server side only.

– Clients authenticate to the secure network with smartcard or token, this is done via the ICA session and not by local domain credentials being stored on the terminal. Although the Wyse terminals can be domain members this is not recommended. The OS is really a host for drivers and low level networking protocols.

Some additional lockdown of the terminal is provided by the write filter that prevents permanent changes to the OS. If we look, however, at a terminal that is compromised, it's interesting to assess the risks:

Virus Infection: It is possible to run some antivirus products on terminals; however, it is generally viewed as only adding complexity and expense to a deployment. If a device was to get a virus, a simple reboot of the terminal would remove it. The risk then becomes that the terminal will become re-infected and then become an infection source itself. Placing the terminals on the edge of the network, outside the trusted network, stops the trusted network being placed at risk. Also, terminals can be firewalled to stop network-borne viruses cross-infecting other terminals; Windows XPe SP2 includes the Windows firewall, or third-party products such as the Sygate enhanced firewall product can be used. Additionally, removing unused services and applications greatly lowers the attack surface for viruses; it is rare for terminals to contract viruses when configured this way. Internet kiosks that use Internet Explorer generally are at the greatest risk.

Network Attacks: Similarly to viruses, firewalling and reducing the attack surface are very effective for mitigating this risk. If a unit is compromised, however, no data is stored locally; only the core OS and ICA client software is on the terminal, and this software is freely available. As only keyboard, mouse clicks and screen updates are being sent to the terminal via an ICA session, there is little of use to an attacker.

Administrative privilege: Gaining admin rights on a device is of little use; damage may be done to render the device inoperable, but once again no data is stored on the unit. As the devices are outside the trusted network, they cannot be used as a platform to launch an attack.

The above is a summary not meant to detract from security but to highlight that the focus moves in server-based computing. Network access becomes critical, as does network traversal: if an attacker gains access to authenticate and launch an ICA session, they have now moved from the perimeter to the centre of the network, and this is where the main focus should be. Citrix have a number of excellent resources around these issues.
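
An added example, not part of the original post: a small audit of flow records from the terminal VLAN against the rule described above (terminals may reach only the Citrix Secure Gateway server and the Rapport server, and should not talk to each other or to the trusted network). All addresses, ports, the record format and the function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not values from the post).
TERMINAL_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {
    # (destination host, protocol, port): purpose
    (ipaddress.ip_address("192.0.2.10"), "tcp", 443): "Citrix Secure Gateway",
    (ipaddress.ip_address("192.0.2.20"), "tcp", 80): "Rapport server (placeholder port)",
}

# Constructed flow records, one per line: "src dst proto dport"
SAMPLE_FLOWS = """\
10.50.0.11 192.0.2.10 tcp 443
10.50.0.12 192.0.2.20 tcp 80
10.50.0.11 10.50.0.12 tcp 445
10.50.0.13 10.10.1.5 tcp 1494
10.50.0.14 192.0.2.10 tcp 80
10.10.1.5 10.10.1.6 tcp 445
"""

def classify(line):
    """Return (verdict, reason) for one flow record, or None if out of scope."""
    src_s, dst_s, proto, dport_s = line.split()
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    if src not in TERMINAL_VLAN:
        return None  # only traffic originating from terminals is audited
    key = (dst, proto.lower(), int(dport_s))
    if key in ALLOWED:
        return ("allow", ALLOWED[key])
    if dst in TERMINAL_VLAN:
        return ("violation", "terminal-to-terminal traffic")
    if any(dst == host for host, _, _ in ALLOWED):
        return ("violation", "unexpected port on an allowed server")
    return ("violation", "terminal reached a host outside the allow-list")

def audit(flows):
    """Classify every non-empty record and return the list of violations."""
    findings = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        result = classify(line)
        if result and result[0] == "violation":
            findings.append((line, result[1]))
    return findings

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```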