Monday, September 13, 2010

On Thin Clients Security

I'm constantly being asked about it, and so I thought I would write a handy blog post, so I could just referrer to it in the future, when yet anther person asks me if I think the use of Thin Clients is a game-changer to desktop security...

It is not! Thin Clients do not improve your desktop security in any way, and that's because:

  1. You still run a regular full-blown OS, such as Widows and all the regular applications, such as those buggy PDF readers, Web browsers, etc - it's just you run them all on some corporate server, rather on your laptop. The fact that you run the OS on the corporate server, doesn't make it any less prone to compromises, compared to if you run it locally on your laptop.

  2. A compromise of your laptop, even if it's just a dump terminal, is still fatal! This is because if your laptop's kernel (or MBR, or BIOS, or some PCI device's firmware, or GPU) is compromised, the attacker can intercept/steal/spoof all the data that you work on remotely, because it is still your laptop that processes the input (keystrokes, mouse events) and output (pixels). So, an Evil Maid attack on your laptop when you use it as a Thin Client, would be just as devastating, as it is otherwise (and don't fool yourselves that crypto tokens can help)

We really need secure end-user systems, even if we just want to use them as dump terminals only! There is really no way we could skip this step (and e.g. focus only on infrastructure, or services security).


Larry Seltzer said...

I'll disagree with you a little on these grounds: thin clients are easier to manage and lock down than fat clients, so I would ass-u-me that they will tend to be kept more up to date and less vulnerable.

And yes, a local malware could sniff your network traffic even before it's encrypted, but with a protocol like RDP it will be hard to do anything useful with it. Not impossible, but a lot of work.

You are right that the architecture of thin clients is that you are running a virtual fat client on the server, so all the same software compromises should be possible.

Joanna Rutkowska said...


"Locking down" an OS like Windows by keeping it "up to date" is all one big bullshit, let's admit it. You can apply all those "security best practices", yet your system will still be vulnerable to all those PDF or Browser 0days that come out *every* month. It really doesn't matter that your system will be owned by "just a few" botnets each month, instead of a few hundred...

Also, local malware doesn't need to sniff anything on the network to mess with your data -- it can sniff much earlier, e.g. by hooking into your keyboard driver. The choice of the network protocol (e.g. RDP vs. VNS vs. X. vs. something-else-proprietary-and-super-secure) is totally irrelevant.

David STSHM1 said...

I believe the sentence "Thin Clients do not improve your desktop security in any way" lacks the profundity and technical analysis. Ok, before I'm being lambasted, let me explain.

Btw, I don't represent any companies who sell thin-solution for a living. However, having been around long enough, I have seen most if not all the thin solutions around the world. I strongly believe there are true value in thin-client. The hype protection;
memory reservation technique; video prioritization mode; and so on.

Yes, it does not take away the problem entirely. But, it is just another defense in-depth strategy any organization should consider. Just like in the mainframe days, dump terminal (aka TN3270) equates today's thin solution. TN3270 also has microcode; don't we forget that.

Let's open up our mind to accept things in perspective. We should brush the technology aside simply because it is not "yet" perfect.


Joanna Rutkowska said...

@David: so, can you actually explain why you think that thin client can improve security of our desktops? Please provide some *concrete* thoughts/examples.

Anonymous said...

Does data theft count? Steal as many thin clients as you want its all on the server, swap and all

Joanna Rutkowska said...

@Anonymous: Thin Clients cannot prevent data theft -- if your laptop is compromised, it can still steal all the data that is being displayed on it.

Keith Drone said...

I do security audits for hospitals, and often enough we are asked to 'steal' a laptop to show physical security weaknesses. Often enough, we are also told that the thin-clients are useless if 'stolen' and are oh-so-very-secure.

Every time we 'steal' one, we glean all sorts of useful data off of it (network information and keys, user credentials, etc) and it is never reported gone so we can load anything we want along with the OS or in the background. Place it back, and BAM we have even more access.

If you are going to argue that 'locking down' an OS is the answer, then you have to get rid of the browser, PDF reader, Java, active-X, and all those other things. Hell, lets just prevent the user from getting online at ALL (actually I'm for that most of the time).

Unfortunately, a secure end-user system is only as secure as the end-user. Plus, a keylogger attached to physical keyboard is easy enough too.

Max Tiktin said...


first of all, thanks for quick reply.

i was glad to see some opinions too.

i think we should consider (dumb)thin-clients with no external devices except keyboard and mouse, no usbs, no build-in OS (network boot),
NIC with hrdwr encryption, direct encrypted connection to primary server, token if you want.
IF the environment will be properly build and strongly encrypted - the probability of OS attack on primary server can be significantly reduced even when we talk about insiders(consider HSM and etc), also and especially if the perimeter' defence is build well (IPS,NAC,Filtering).i thought with all this, things doesnt look so bad.
frankly, i was thinking (maybe naive) that the era of personal OS is nearly ended, with all the CLOUD things going on..
what do you think?
(i beleive you've seen some cool implementations of the hardened thin-clients..maybe even tested some of them :))

mokum von Amsterdam said...

More secure or not, I leave that to the language interpretation experts, but I know I rather "clean out" 1000 virtual desktops [click!] then 10 physical desktops...

Joanna Rutkowska said...

@mokum: And how often you would like to "clean them out"? Every day? Every hour? Every minute? Because, you never know when the system was compromised...


Anonymous said...

@David: I suggest that thin clients increase the damage done by compromise by a factor equal to the number of thin clients that replace a regular desktop system.

If a desktop gets infected, it may be isolated to that one machine, however, should a thin client be be "infected", it is in fact the server that gets infected, and thus the damage is greatly enhanced.

Thin clients are easier to manage, but more secure? I'd argue the exact opposite.