Building a modern, secure, low-cost endpoint
I designed and manage a single thin-client platform serving thousands of employees at 20 sites around the world.
We’ve used this platform, with upgrades over the years, for 10 years. We’ve never had a single security incident (and I watch things like a hawk) (a hungry, angry hawk). Much of the end-user desktop hardware is over 10 years old. Our total cost of ownership per employee is tiny. Here’s how I did it.
Don’t use Citrix or VDI
You don’t need either. You will waste time and money. Don’t believe the sales hype around these products - believe what you can deliver for your employees.
Use Microsoft Remote Desktop Services
Use standard RDS, and use FreeRDP (an open source RDP client) or Microsoft’s RDP client. You can buy HP thin clients very cheaply. You can also use Thinstation to boot almost any x86 hardware via PXE boot - you end up with a tiny ~10 MB OS, which can use Remote Desktop over a WAN connection. If you have a PXE-booting client OS, your clients gain a significant leap in security too, because every boot starts from a known-clean image.
It works very well over low-bandwidth connections, and later versions support multimedia, sound etc. With ~100ms or less latency links, you can deliver a full-blown desktop OS. This isn’t a theory - this is the reality of what I do for a living. You can also put a lot of users on those links.
Use Group Policy
Deploy everything via Group Policy. Software, settings, PowerShell scripts etc. If you use central management, you can bang out new servers on demand.
Use DNS load balancing
Set up a DNS entry, e.g. thinclient.corp.local, and add your RDS server IP addresses into the pool. Keep some spare servers out of the pool, and use those for upgrades and in the event of issues. You can also use this for Windows patching - no user downtime at all to patch, by cycling servers in and out of the pool.
Use AppLocker
From the get-go, deploy AppLocker rules via Group Policy. With AppLocker, only authorized software runs.
Don’t use the default rules (they trust all of c:\windows, which is risky) - build from scratch and trust only what you need (this will stop many AppLocker bypass techniques, too). It will take you 30 minutes, but it’s the best 30-minute investment you will make - you can stop a very significant portion of malware and attacks this way.
Use EMET
EMET stops some unknown exploits by getting in the way of common exploit techniques. Because everything is central, you have the ideal opportunity to stop in-memory executable code by making EMET rules up front.
Use RemoteApp
Need funky third-party applications and don’t want to install them directly on the RD Host servers? Bung them on RemoteApp. Use RD Web combined with RD Workspaces to deploy those apps straight to your users’ start menu.
You can put more RemoteApp servers into the pool, for applications that don’t play well together or need extra resources.
Monitoring
Use Group Policy to schedule tasks to trigger on certain Event IDs. Make these events trigger email alerts, or use Windows Event Forwarding. Look at Event IDs around stalling services (in case of stability issues), services being installed (in case of security issues), EMET terminating processes, AppLocker denying execution, OLE objects being opened from Office apps… You name it, you can know about it.
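As an added example (not code from the original post), this is the kind of PowerShell script you would put behind the scheduled task the section describes: it pulls the last hour of two of the events named above, AppLocker blocking an executable (Event ID 8004 in the Microsoft-Windows-AppLocker/EXE and DLL log) and a new service being installed (Event ID 7045 in the System log), and mails a one-line-per-event summary. The SMTP server, sender and recipient are placeholders.

```powershell
# Added example: summarise security-relevant events from the last hour and mail them.
# Event IDs used: AppLocker 8004 (EXE/DLL blocked), System 7045 (service installed).
# SMTP host, sender and recipient are placeholders; replace them for your site.
$Since      = (Get-Date).AddHours(-1)
$SmtpServer = 'smtp.corp.local'          # placeholder
$From       = 'rds-alerts@corp.local'    # placeholder
$To         = 'secops@corp.local'        # placeholder

# Get-WinEvent throws when nothing matches; a quiet hour should return an empty list.
function Get-EventsSafely {
    param([hashtable]$Filter)
    try   { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop }
    catch { @() }
}

$blocked = Get-EventsSafely @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = $Since
}
$services = Get-EventsSafely @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $Since
}

# One summary line per event: type, time, user (for AppLocker) and the first line of the message.
$lines = @()
foreach ($e in $blocked) {
    $lines += "[AppLocker 8004] {0} {1}: {2}" -f $e.TimeCreated, $e.UserId, $e.Message.Split("`n")[0]
}
foreach ($e in $services) {
    $lines += "[Service 7045] {0}: {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}

# Only send mail when there is something to report.
if ($lines.Count -gt 0) {
    $body = "Host: $env:COMPUTERNAME`n`n" + ($lines -join "`n")
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "RDS alert: $($lines.Count) event(s) on $env:COMPUTERNAME" -Body $body
}
```

Run it from a Group Policy scheduled task whose trigger is the event itself, or on an hourly schedule; on a pooled RDS host the 7045 line should be empty outside your own change windows, so anything that shows up there deserves a look.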
Use Windows Firewall
Yes, Windows Firewall. Build rules for both inbound and outbound traffic. If your client PCs are PXE-booted fresh each day, and your RDS servers only allow inbound port 3389 (RDP) traffic - that’s a high-class situation to exist in. Your outbound traffic just needs to be what users actually use - e.g. Outlook, a file server. Don’t allow lateral movement between servers.
It is real. It works.
Every time I roll this system out to new companies and sites, people give me ‘the look’. The ‘this won’t work’ look. The ‘Citrix doesn’t work like this’ look.
Here’s the reality: it works. You can get a secure, modern, flexible desktop just by building it this way.
Obviously, when it comes to IT users you need to look at more security. Speak soon.