February 28, 2019

Are thin clients a good idea?  It depends. – WST

Most folks know the drill with the common corporate desktop setup.  For full desktop PCs, adequate hardware starts around $500.  You’ll need antivirus licensing, a patching / vulnerability management system, and a process in place to keep these systems up to date and secure.

So, what about thin clients?

On pricing, an admittedly limited search for new “adequate” thin clients showed that they were generally priced between $250 and $480.  That can add up to quite a savings.

Next, you must have the back-end infrastructure to support those clients – in other words, your virtual / Citrix / whatever environment must be beefy enough to serve those users.  This infrastructure also must be licensed, managed, updated, and ultimately replaced after hardware reaches the end of its lifecycle in 5-7 years.  There could also be an additional cost of updating your connectivity to provide adequate bandwidth to remote locations served by the thin client infrastructure.

As for the thin client hardware itself, you should be patching that as well.  From the Dell website (https://blog.dellemc.com/en-us/wyseshield/):

About 40 percent of commercially-available thin clients run the Microsoft Windows Embedded Standard (WES) operating system. Using WES, these endpoints can offer the increased flexibility to use a local browser, to install drivers for external peripherals, and run small applications locally. As such, WES-based thin clients must be security-patched regularly (like any other endpoint running a Windows OS), as they still run the risk to be potentially infected by a malicious website, an infected web link, or an infected file residing on a USB stick or other attached peripheral device…. Microsoft releases security patches for WES each month.

Even if you don’t use any of the “increased flexibility” features described above, it’s still important to keep the thin client firmware up to date for security and stability reasons.  The page linked above goes on to advertise Dell’s antivirus solution for thin client devices, and best practices dictate that you run antivirus on them as well.  While you will have antivirus installed on the user’s desktop, including the thin clients themselves in your managed antivirus infrastructure will increase licensing costs.  Windows Embedded does include Windows Defender and a firewall, and those should be enabled on the thin client system at a minimum.  While not centrally managed, this is better than not having any local AV at all.

On patching the user’s desktop, having a golden image to update for everyone sounds like a time saver, but you could also end up with several different images as different departments need different software.  That will increase management time and complexity somewhat. 

Thin clients may or may not be right for your environment.  Ultimately, you have to do a detailed assessment of your needs, conduct thorough research, and compare the pros and cons of each scenario.  Don’t rely solely on some salesperson’s information – they won’t have to live with your choice for years like you will.
