|
|
 |
|
Security with Windows® Embedded Thin Clients
The Wyse implementation of the thin client operating system is as secure, or better, than PCs and other thin client devices. Since disk drives are not standard in thin clients, data is almost never lost, stolen, or corrupted by mechanical failure, virus, or malicious attacks. Therefore, thin clients are a key component of a secure computing environment.
Base Operating System
All currently shipping Wyse Windows Embedded Standard 2009 (WES 2009) thin clients provide the same broad range of Operating system level security protections that Windows XP Professional SP3 include. Also, the Windows Firewall is a standard feature increasing the security of your thin clients. In addition, the Microsoft Baseline Security Analyzer, an easy-to-use tool designed to helps small- and medium-sized businesses determine their security state, is included with WES 2009.
Newer systems running Wyse Windows Embedded Standard 7 (WES 7) offer the same Operating System level protections as Windows 7. In addition, auto-run of USB devices has been disabled for the default user on WES 7.
Both Wyse WES 2009 and Wyse WES 7 thin clients come with strong default passwords, and a secure locked-down default-user profile. In addition, Wyse is committed to supporting the latest Microsoft Windows Embedded related monthly security updates per policy.
Units with older code are, in most cases, fully upgradeable to the latest Windows image release from Wyse (this may not be the case for all older units as new images are not created for unsupported platforms). Going forward, Wyse units remain upgradeable via re-imaging to newer image versions when released.
Vulnerability Protection
Most vulnerabilities, virus and malware are transferred by Internet browsers, email attachments, or by opening infected files in the local storage devices. Microsoft Windows Embedded Standard provides pop-up blocker and the capability to block both unknown and unsigned ActiveX controls. Also, in the thin computing environment, Wyse thin clients rely on the server-based email clients, when malicious mails or attachments are opened, they do not traverse or propagate to other thin client devices.
When local storage devices are attached, they could introduce security vulnerabilities for intrusion. You can even equip Wyse thin clients with any number of anti-virus solutions, although this is often overkill, and not used extensively by Wyse customers.
Write-Protection
All Wyse Windows Embedded Standard 2009 and Wyse Windows Embedded Standard 7 thin clients come with the File-Based Write-Filter (FBWF) feature. This makes it possible for you to write-protect your run-time images.
When enabled, this feature prevents permanent writes to the local media which means that your Wyse unit won’t suffer from a permanent virus. This does not prevent viruses which install to RAM and propagate without requiring a reboot, but it does mean that a simple reboot of the unit will clear any such virus and return the unit to its clean state. In additions, with the File-Based Write-Filter feature, selective file-based commits allow for persistence of user data across reboots without committing an entire overlay.
Firewall Protection
All Wyse Windows Embedded Standard thin clients ship with Microsoft’s Windows Firewall as part of the base OS and is enabled by default. This solution, and others like it, has proven effective against the spread of viruses.
On Wyse Windows Embedded Standard 7 thin clients, Windows Firewall with Advanced Security, amongst many security related features, can:
- Provide host-based, two-way networking traffic filtering for your devices. This allows you to block unauthorized network traffic flowing in and out of each device. It also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected
- Allow for multiple active profiles
- Allow for certificates issued by an intermediate certification authority
- Specify port numbers, protocols or port ranges
- Manage outbound and inbound filtering
Wyse Security Policy Statement
Wyse Technology Inc., is dedicated to provide the latest security updates from Microsoft and to help our customers comply with mandates such as Sarbanes Oxley, HIPAA, and others.
Microsoft’s monthly security updates remain the best proactive solution for anti-virus available for Windows XP embedded / Windows Embedded Standard 2009 / Windows Embedded Standard 7 devices. It is Wyse’s policy to convert and publicly post in the Wyse Device Manager format all necessary Security Updates and Patches as per the following policy.
| Critical Security Updates and Patches |
Regular Security Updates and Patches |
| Critical patches and updates, when applicable to Windows XP embedded / Windows Embedded Standard 2009 / Windows Embedded Standard 7, will be posted between 2 and 6 business days, depending on development and testing difficulty, after the release from Microsoft of the patches for the respective embedded operating systems. |
Regular patches and updates will be posted within 10 business days from the release date of Windows XP embedded / Windows Embedded Standard 2009 / Windows Embedded Standard 7 patches and updates from Microsoft. |
It is recommended that customers apply these updates when available. Fully patched units are nearly invulnerable to viruses and attacks. It is Wyse’s stance that this is the single most important thing that can be done to protect units from attacks and represents a significantly more secure and predictable situation than any form of anti-virus or firewall on the local client.
Version: 12/01/10
|
|
