NoTouch per se is a very secure operating platform. User interaction with the system is limited to (unless otherwise configured) clicking on an icon, entering username/password and then being taken into a full-screen remote desktop. There are not many services running that allow access from the network. The default installation includes several features that may be of interest to some, but are not strictly necessary. If in doubt, go forward and deactivate SSH and RCMD.
This guide provides best practices to find your spot in the tradeoff between maximum security and maximum functionality.
One thing to note is that this guide's focus is on the operating system and management side. It does not deal with securing your server-side VDI infrastructure, such as password/authentication requirements for your users, or policies such as whether you allow USB media to be forwarded or not.
Please also note that the security of the local system is determined by two things:
- Your choice of connections that you offer. While Citrix, VMware, RDP, etc. clients are seen as secure (because there is practically no interaction with the local system), giving your users access to a local Firefox browser changes the picture (See here: Mozilla Firefox#Security Considerations)
- The physical setup. Please keep in mind that malicious users could find a way to boot your PCs into another operating system. Try to lock PC cases and set BIOS passwords.
The operating system – NoTouch OS
As a first step, please think of the Client admin password and set it to something that cannot be guessed by an intruder.
These services can be switched off for increased security:
- SSH/Secure Shell. The SSH server listens on TCP port 22 and provides remote login service. If you doubt you'll ever need it, please switch it off at Services -> SSHD -> SSH Service.
  - Functionality lost: SSH remote login.
- LPD. The line printer daemon (LPD) provides remote printing capability. If not needed, turn it off at Services -> LPD -> Start LPD service.
  - Functionality lost: Printer sharing via the LPD protocol.
- RCMD. The RCMD service allows NoTouch Center to send actions to NoTouch machines. If it doesn't run, configuration updates will happen at the next "announce" interval. If not needed, turn it off at Services -> RCMD -> Start RCMD service.
  - Functionality lost: "Client actions" in NoTouch Center.
  - Warning: Do not set the "announce interval" to zero (0 means disable announce altogether) and disable RCMD at the same time, because that would make your machine unmanageable.
- Web-based administration. NoTouch is (locally) administered via a web-based application. This web-based application can be accessed from other machines as well (HTTPS only). This is not related to NoTouch Center, which also happens to be web-based. If you don't need it because you use NoTouch Center exclusively or intend to administer locally only, please turn it off at Services -> Webservice -> Web-based administration.
  - Functionality lost: Ability to use your PC's web browser to access the configuration from remote.
Optional services that open ports and thus potentially open vulnerabilities are Samba, local X11, CUPS with remote access, serial port server, Windows port 9000 printing, Standalone Shadowing (VNC server), FTP server, local PXE server (TFTP), and RSH. All of these must be turned on explicitly; most people do not need them and never turn them on.
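A quick way to confirm that the audit above matches reality is to list the sockets a client actually exposes and compare them with the optional services named in this guide. The following script is an added example, not Stratodesk's own code: it parses the output of `ss -tuln` (run on the client beforehand, for instance over the SSH session you are about to switch off) and flags every network-reachable listener that is not on an explicit allow-list. Only ports 22 and 9000 are named in the guide; the other port numbers are the standard assignments for the listed services, which assumes they run on their default ports. The sample `ss` output is constructed.

```python
"""Audit the listening sockets of a thin client against the optional
services this guide says most deployments never need.  Added example,
not Stratodesk's code."""

# Ports the guide names explicitly: 22 (SSH) and 9000 (Windows-style
# printing).  The others are the standard assignments for the optional
# services it lists (assumption: the services use their default ports).
OPTIONAL_SERVICE_PORTS = {
    ("tcp", 22): "SSH remote login (Services -> SSHD -> SSH Service)",
    ("tcp", 515): "LPD printer sharing (Services -> LPD -> Start LPD service)",
    ("tcp", 9000): "Windows port 9000 printing",
    ("tcp", 5900): "Standalone Shadowing (VNC server)",
    ("tcp", 21): "FTP server",
    ("udp", 69): "local PXE server (TFTP)",
    ("tcp", 514): "RSH",
    ("tcp", 139): "Samba (NetBIOS session)",
    ("tcp", 445): "Samba (SMB)",
    ("tcp", 631): "CUPS with remote access",
    ("tcp", 6000): "local X11",
}


def parse_ss_listeners(ss_output):
    """Return the set of (proto, port) pairs bound to a non-loopback
    address in `ss -tuln` output (columns: Netid State Recv-Q Send-Q
    Local-Address:Port Peer-Address:Port)."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or unrelated text
        proto, state, local = fields[0], fields[1], fields[4]
        # TCP listeners show LISTEN, bound UDP sockets show UNCONN
        if state not in ("LISTEN", "UNCONN"):
            continue
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback only, not reachable from the network
        listeners.add((proto, int(port)))
    return listeners


def audit_listeners(listeners, allowed_ports=frozenset()):
    """Flag every network-reachable listener whose port is not explicitly
    allowed.  Returns a sorted list of (proto, port, description); a port
    that matches none of the known optional services is marked UNKNOWN."""
    findings = []
    for proto, port in sorted(listeners):
        if port in allowed_ports:
            continue
        desc = OPTIONAL_SERVICE_PORTS.get(
            (proto, port), "UNKNOWN service: investigate before going live")
        findings.append((proto, port, desc))
    return findings


# Constructed sample of `ss -tuln` output, not captured from a real client.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:515       0.0.0.0:*
tcp   LISTEN 0      10           0.0.0.0:4444      0.0.0.0:*
"""

if __name__ == "__main__":
    found = parse_ss_listeners(SAMPLE_SS_OUTPUT)
    # Keep SSH allowed while auditing, then switch it off as the guide suggests.
    for proto, port, desc in audit_listeners(found, allowed_ports={22}):
        print(f"{proto}/{port}: {desc}")
```

On the constructed sample the loopback-only CUPS socket is ignored, the two SSH entries collapse into one allowed listener, and TFTP, LPD and the unexplained port 4444 are reported; an empty result is what you want to see before putting a client into service.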
By default, a Thin Client or a PC that's repurposed into a Thin Client does not contain sensitive user information, because all the data is on the server in a VDI desktop. A thin client does receive configuration information, though, essentially the things you configure. There are three types of configuration information:
- Public. For example, a Citrix login URL is typically circulated widely as office and mobile users want to bookmark it.
- Non-public but non-critical information. We consider information like what screen resolution you have set (e.g. "auto") as less critical than others.
- Critical, sensitive information. This includes login credentials and network passwords.
We safeguard critical, sensitive information by encrypting it and blocking access to it. Nevertheless, we urge you not to store any user login passwords on the system, even if the same user works on this machine every day and your office environment is believed to be secure and trusted. Let them type their passwords. Period. The only use case we found acceptable is for kiosk-type systems where you simply have to have an automated login into some other environment.
Again, keep in mind that people will find ways to circumvent access protections (remember they have physical access to the machines!) and people will find ways to decrypt information. Cloud computing has given even individuals and small groups a great amount of computing resources.
Communication between NoTouch OS and NoTouch Center
By default NoTouch sets its "service URL" on clients in the format http://hostname:port/easyadmin/servlet/XmlRPC. Even though the URL starts with http, the client will try to establish a connection via HTTPS (SSL, encrypted) and only if this is not possible fall back to HTTP. This behavior provides maximum flexibility and backwards compatibility. You may change it by setting the parameter "Management URL treatment" to "HTTPS only", for instance to disallow the fallback. If you choose to supply a custom URL (in the Settings of NoTouch Center), please make sure it contains host, port (!), and the path to the XmlRPC service.
If you use NoTouch Center in a Stratodesk Virtual Appliance, then your clients will automatically use the HTTPS/443 port. You can and should configure the firewall of the VA. Leave only port 443 open for maximum security.
NoTouch Center standalone (on Windows systems) listens on ports 8080 (HTTP) and 8443 (HTTPS). It is possible to change these port numbers by editing textual configuration files, but we advise against doing so. Should you dislike NoTouch Center being reachable via plain, unencrypted HTTP, we suggest using the host's firewall to forbid traffic on that port.
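The two points that matter for the client-to-Center channel are the HTTPS-first attempt order with its optional plain-HTTP fallback, and the requirement that a custom service URL carry host, explicit port and the XmlRPC path. The following Python is an added illustration of that described behavior, not Stratodesk's client code: the function and parameter names are mine, and it assumes the HTTPS attempt reuses the host and port from the configured URL unless you pass a separate `https_port` (the guide does not say how the client derives the HTTPS port, so adapt that to your deployment, e.g. 8443 for a standalone Center).

```python
"""Model of the NoTouch Center service-URL handling this guide describes:
validate a custom URL, then list the connection attempts in order (HTTPS
first, plain HTTP only when the fallback is still allowed).  Added
example, not Stratodesk's code."""
from urllib.parse import urlsplit, urlunsplit

XMLRPC_PATH = "/easyadmin/servlet/XmlRPC"  # default service path from the guide


def validate_service_url(url):
    """Return a list of problems with a custom service URL (empty if it is
    acceptable): it must name a host, an explicit port and the XmlRPC path."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing host")
    if parts.port is None:
        problems.append("missing explicit port")
    if not parts.path.endswith("/XmlRPC"):
        problems.append("path must point to the XmlRPC service")
    return problems


def connection_attempts(url, https_only=False, https_port=None):
    """Return the ordered list of URLs a client would try for `url`.

    https_only=False models the default "Management URL treatment":
    HTTPS first, then plain HTTP.  https_only=True models the
    "HTTPS only" setting, which never falls back.  https_port is an
    assumption of this example: when given, the HTTPS attempt uses it
    instead of the port in the configured URL."""
    problems = validate_service_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(url)
    plain_netloc = f"{parts.hostname}:{parts.port}"
    tls_netloc = f"{parts.hostname}:{https_port or parts.port}"
    https_url = urlunsplit(("https", tls_netloc, parts.path, parts.query, ""))
    http_url = urlunsplit(("http", plain_netloc, parts.path, parts.query, ""))
    if https_only:
        return [https_url]
    return [https_url, http_url]


if __name__ == "__main__":
    # Constructed example of a standalone Center URL, not a real host.
    url = "http://center.example.com:8080" + XMLRPC_PATH
    print("default treatment :", connection_attempts(url, https_port=8443))
    print("HTTPS only        :", connection_attempts(url, https_only=True, https_port=8443))
    print("missing port      :", validate_service_url("http://center.example.com" + XMLRPC_PATH))
```

Seen this way, "HTTPS only" is the setting that turns the plain-HTTP entry into something a firewall rule on port 8080 (standalone) or anything but 443 (Virtual Appliance) can block without breaking management, which is the configuration the guide recommends.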