E-Mail/Office Applications; Web Browser/Internet/Non-E-Mail/Peer-To-Peer; Operating System - HP Compaq t5720 Supplementary Manual

Virus vulnerability analysis
E-mail/office applications

Using thin clients, users execute their e-mail and office productivity applications on centralized servers
and/or blade PCs. These applications and their associated data execute only on the server/blade. The
user interface for these applications is rendered locally on the thin client through Microsoft's Remote
Desktop Protocol (RDP) or Citrix's® Independent Computing Architecture (ICA®) protocol. This means any
virus or vulnerability introduced through your e-mail/office or other remote applications is remediated
by the server/blade before affecting the thin client. Additionally, the administrator has total control over
crucial applications and data on servers or blade PCs, and can readily manage and deploy virus and
firewall protection to these centralized systems. While these back-end systems are at risk, applying
patches or hot fixes to centralized computing resources is more cost effective and takes less time than it
does for standalone PC systems. As a result, back-end servers are typically governed by security-conscious
personnel.

Web browser/Internet/Non-e-mail/peer-to-peer

These attack vectors and technologies are a growing concern. The majority of infections occur through
infected/malicious code that is downloaded or shared through these technologies. Security holes in
Internet browsers are reported frequently. Browser-related intrusions are centered on JavaScript, Java
applets, ActiveX, unsigned or untrusted browser extensions, and so on. Also, some viruses and trojans
propagate through instant messaging software.

The thin client model addresses these exposures in several ways. First, peer-to-peer applications and many
Internet and non-e-mail Web services are typically not deployed on thin clients. The best thin client
strategy is to deploy only what you need to achieve your business goals. Secondly, user-initiated file
downloads and sharing typically occur at the server/blade PC level and not on the thin client itself. The
thin client typically does not provide the user with the space and access rights to support this. For
example, on HP XPe thin clients, the Enhanced Write Filter (EWF) prevents permanent modifications (writes)
to the contents of the system's flash. Finally, the Internet browser is an optional feature on select HP
thin clients. Selecting models without it or optionally removing it ensures a more secure environment.

Operating system

Compared to a standard PC operating system, embedded operating systems are substantially smaller,
providing less surface area to attack. Also, it is usually easier to configure an embedded operating system
to have fewer services that can be exploited than it is for a standard operating system. Advantages differ
based on operating system. Different operating systems are targeted at different rates and inherently have
unique vulnerabilities. For example, Windows CE is substantially smaller and lighter than Windows XPe
and is not targeted aggressively.

The following is a comparison of operating systems and their exposure on HP systems to the most
exploited vulnerabilities of 2003 as listed by TruSecure®². As compared to a standard Windows PC,
only two (MS03-026 and MS03-007), or around 22%, of the nine most exploited vulnerabilities were
relevant to the HP XPe thin client. The image includes patches for both.

2. Wildtrends 2003: A Look at Virus Trends in 2003 and a Few Predictions for 2004; A TruSecure® Whitepaper