Question

Why Terminal server / Citrix used for client security, and can desktop security be achieved w/o a thin client?

Asked by: GPCDIADMIN

I'm looking at a job at a law firm. They are very unhappy with their Citrix services administrative overhead, speed, & reliability and the setup looks rather complex for the promise that the previous administrator made, that is desktop and document security.

Couldn't I provide the same level of security with Group Policies w/o the thin client architecture?

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-11-05 at 10:38:16ID24875505
Topics

Miscellaneous Security

,

Operating Systems Network Security

,

Windows Network Security

Participating Experts
2
Points
50
Comments
8

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Thin Client
    Hi i like to assemble some thin clients. I would like to know what is the hardware required for it i have heard the an EPROM is sufficient nothing else is required any information will be of great help Thanks
  2. Thin Clients
    I have several vendors quoting me new systems. One is using Citrix clients and another is using Windows terminal services. Would a thin client such as HP's t5700 thin client be compatible with either the Citrix and Windows terminal services? I do not have any experience with...
  3. Citrix PS4.0 and thin clients - KEYBOARD ISSUES
    I am having a very strange issue on a Citrix PS4.0 server with connecting THIN CLIENTS (these particular thin clients are HP T5520, and they run the linux OS). The issue is related to the KEYBOARD and certain keystrokes. When users are in an ICA session, the QUOTES key ( ' ...
  4. Dicom Images displaying over a citrix thin client
    We are able to display the images over a workstation or even directly on the presentation server. When we try to display them on the citrix thin clients we get a blank screen. There is also no error
  5. HP thin client Printing on Citrix
    Can anyone recommend a moderately priced black and white printer for use with an HP thin client, model t5135? The thin client will be connecting to a Citrix server running Presentation Server 4.5 and the thin client's image is HP's Linux based ThinConnect OS, version S2ST004...
  6. Thin or Fat?
    hello all, I am with a company of about 75 users, and we are currently running a network with desktops and laptops. We are running a windows 2k server, and planning on upgrading the server in the next month. Before we do that our VP wants me to look into possibly going to thi...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: richrumblePosted on 2009-11-05 at 20:04:43ID: 25756534

What are the current issues with "overhead" and is there budget for "fat" clients? A thin client or a physical workstation should work equally well, the main problem with thin clients can be single points of failure, but either should be manageable in reasonable number.
-rich

 

by: GPCDIADMINPosted on 2009-11-06 at 07:16:37ID: 25759798

Thank you for your interest in my question.  I will make this more understandable.

This law firm has less than 55 users in one flat domain. They have 3 domain controllers, 4 member servers, and from what I can tell from the Citrix Program Neighborhood,  3 application servers with one in failure mode.

They have reported varying complaints of intermittent slowness issues. Sometimes they'll be kicked completely off their Citrix session. The problems do not always affect everyone in the office, it is very random.

Two things are obvious;
There are too many servers for the number of applications running.
The law firm was sold thin client technology ostensibly as the predominant solution to network security.
I don't believe this to be true.

Im looking for a honest, unbiased, comparison between fat/thin clients as it relates to network security, and client access.

 

by: richrumblePosted on 2009-11-06 at 08:12:16ID: 25760391

They are very equal in security for the most part. Depending on the thin hardware, and your perspective, there may be no difference at all. Some thin hardware provide a USB or two as well as ps2's for the kb and mouse, some provide Cd/Dvd rom's as well. If data-loss prevention is very important then it might be best to lock out/disable cd/dvd and even the USB's. Some thin hardware might not support mass-storage USB's to be mapped back to the terminal, but I know that (some) they can use USB one-time-pads and even smart card readers. The point is it may be possible to copy files off the central server to the local hardware. One would need a login first and foremost for that to work, and most DLP is intended to "catch stupid", meaning users not following the rules or doing something that is clearly out of the norm.
From a patch/update perspective it should be much much easier to manage a citrix/terminal server, everyone uses the same OS typically, however they can diverge when users start installing what ever they want, and maintaining and patching all those other apps needs to be addressed.
The connection between the thin hardware and the server is encrypted by default so the main source of plain-text traffic would be to/from the central server.
With "fat" hardware, you have the same attack vectors and challenges, some to a greater degree like patching. M$ patching is easy, set the machines to get their updates automagically with group policy, or add in a wsus server to push them at will. Then maintaining adobe, quicktime, firefox etc... patches become a challenge, as well as users installing whatever they want. Removing the admin right is my first recommendation there. Licensing on Citrix, like for Anti-Virus can sometime be cheaper than individual machines, but with only 60 or so it probably isn't an issue. We actually have AV installed on users machines, and they are not admins, we maintain a strict set installed program files as well.

There is no question that hardware would speed up the access times. Again from a DLP perspective, the thin client might be a little better when thinking of physical devices being used for "theft" or someone being ignorant of encryption and personally identifiable information. However there are soo many "worse" ways that users can be thieves or "be stupid" with such data, email, ftp, sites like yousendit/rapidshare/megaupload... again that's for thin of fat clients.
-rich

 

by: GPCDIADMINPosted on 2009-11-09 at 09:11:54ID: 25777842

What would be the arguments of taking the network back to fat clients?

For instance: The problem I see often with Citrix is that it just adds another layer of complexity. You're already having to manage the (usually fat) clients and servers, and Citrix lays on a whole new tier that must be administered, supported, and troubleshot.

Given the hardware investment they already have made,  Can a desktop virtualization initiative be considered as a replacement for Citrix?

 

by: richrumblePosted on 2009-11-09 at 10:49:47ID: 25778733

If using thin client hardware I'd say yes, but if your using hardware that is already "fat", then probably not. Visualization is typically about space or power, not really security. If the company already shelled out money for PC's that have HD's, CPU/Mem and video cards, they probably bought a windows license for them too. Dell's typically have a M$ license tatoo'd to their chasis somewhere, so they might be paying for more licenses than they ever needed to, paying for the IBM/DELL/HP "fat" clients and the citrix seat licenses. If the hardware didn't come with licenses, they are "white boxes" of generic parts/chassis then that's better. If they are of decent speed and capabilities, then going back to "fat" might help with slow downs and eliminate single points of failure in most cases.
-rich

 

by: amichaellPosted on 2009-11-10 at 11:13:15ID: 25788636

I'll give you a few points from a pro-Citrix/thin perspective.  We're 85% Citrix/thin client.  We are moving from a XenApp 4 environment to XenDesktop.  We currently have about 300 virtual desktops running with another 200-250 to go.

1. Security can be enhanced using thin clients.  If users can't store data on their local computer (and this includes prohibiting USB storage) then you don't need to worry about them walking out with information.

2. Fat clients are just more prone to failure and more difficult to manage.  

3. Citrix is another level of complexity, though you have to weigh that against decentralized application management.  With 55 desktops then maybe this isn't as big of a deal for you, though it is still worth considering every time you do an application update.

4. Virtualizing and thin clients reduces power and space consumption.

5. Citrix does desktop virtualization (XenDesktop).  You can kiosk existing fat clients so they boot to a web interface page giving access to virtual desktops.

 

by: richrumblePosted on 2009-11-11 at 07:09:44ID: 25795655

The usb/cd/dvd local storage I covered above, we found however that most users don't even use usb devices when we catch them exporting data they shouldn't, it's to their Hotmail/gmail/megaupload/rapidshare/yousendit or RDP'ing home...
If you do go to the fat client mode, the kiosk suggestion is a good one, M$ has a free product called SteadyState:http://www.microsoft.com/windows/products/winfamily/sharedaccess/whatis/default.mspx
-rich

 

by: GPCDIADMINPosted on 2009-11-12 at 07:16:04ID: 31650643

no comments

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...