IE Point of Sale and IE Internet Browsing Security

Posted on 2011-05-09
Last Modified: 2012-05-11
Our golf courses use a web-based POS application that has bar code scanners of the keyboard-wedge type. This means anything read by the scanner is simply input the same as if a user typed the characters at a keyboard. The cash drawers are also pretty simple. They are triggered by a command over a serial port, similar to printing. All it does is release a latch on the cash drawer; a spring pushes the drawer out.

The security issue is protecting the CC data from a downloaded key-logger virus when the user browses the Internet.  We are thinking about setting up the local browser to be allowed to communicate only with the POS web application.  Then install a Citrix client to launch an IE browser for the user to be free to browse the Internet.  

Has anyone set up a similar configuration using Citrix for secure web browsing? Any better ideas out there are appreciated.

Thanks, Dan
Question by: danfiggolf

LVL 6

Expert Comment

I personally would not allow web browsing from the POS machines. It would be a lot more secure if you placed a separate computer somewhere in the building for web surfing, preferably on a separate VLAN.
LVL 74

Expert Comment

by: käµfm³d 👽

Does the POS machine have exposed ports? I would be concerned about USB keys being attached. Also, this statement worries me:

"This means anything read by the scanner is simply input the same as if a user typed the characters at a keyboard."

Just because it's a barcode doesn't mean it's hack-proof. What if I bar-encoded the following?

' or 1=1;DROP ALL;--

...dependent on the backing database, of course. I am not saying it is or isn't likely, but it is possible. I just hope your POS software is coded properly ; )

Oh, and I agree with nettek0300 about having a separate machine.
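The point in the comment above is that a keyboard-wedge scanner delivers arbitrary text, so the POS application, not the scanner, has to decide what a legitimate scan looks like and must never splice that text into SQL. The following is an added example written for this page, not code from the POS product or from any commenter. It assumes EAN-13/UPC-A barcodes (the question does not say which symbology the courses use), an in-memory SQLite inventory, and a constructed two-item table; it shows the check-digit validation, the concatenation pattern that the `' or 1=1` payload defeats, and the parameterized lookup that is safe regardless of what was scanned.

```python
import sqlite3

# Constructed sample inventory for the demonstration (not real data).
SAMPLE_ITEMS = [
    ("4006381333931", "Sleeve of golf balls", 12.50),
    ("0036000291452", "Bottled water", 1.75),
]


def normalize_barcode(scan: str) -> str:
    """UPC-A (12 digits) is EAN-13 with a leading zero; treat everything as 13 digits."""
    return "0" + scan if len(scan) == 12 else scan


def is_valid_barcode(scan: str) -> bool:
    """Accept only EAN-13 / UPC-A: ASCII digits, correct length, correct check digit.

    The wedge scanner types whatever it decodes, so anything that is not a
    well-formed product code (quotes, spaces, SQL keywords) is rejected here,
    before it gets anywhere near the database.
    """
    code = normalize_barcode(scan)
    if len(code) != 13 or not all(c in "0123456789" for c in code):
        return False
    digits = [int(c) for c in code]
    # EAN-13 weights alternate 1,3,1,3,... over the first twelve digits.
    total = sum(d * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == digits[12]


def build_db() -> sqlite3.Connection:
    """Create the constructed inventory table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (code TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, scan: str):
    """The pattern to avoid: scanned text is spliced into the SQL string.

    A scan of  ' or 1=1--  turns the WHERE clause into  code = '' or 1=1  and
    the query returns every row instead of one item.
    """
    sql = f"SELECT code, name, price FROM items WHERE code = '{scan}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, scan: str):
    """Validate first, then bind the value as a parameter.

    Returns None for input that is not a well-formed barcode, otherwise the
    matching rows. The bound parameter can never change the query structure.
    """
    if not is_valid_barcode(scan):
        return None
    code = normalize_barcode(scan)
    return conn.execute(
        "SELECT code, name, price FROM items WHERE code = ?", (code,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for scan in ("4006381333931", "036000291452", "' or 1=1--"):
        print(repr(scan), "unsafe ->", lookup_unsafe(db, scan))
        print(repr(scan), "safe   ->", lookup_safe(db, scan))
```

Running the block prints the unsafe lookup returning both inventory rows for the injected scan, while the safe lookup rejects it outright. The validation step is deliberately strict about symbology: a POS that also accepts Code 128 gift-card or loyalty barcodes would need an allow-list for that format too, but the principle is the same: validate the scan against the formats you actually issue, and bind it as a parameter.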
LVL 60

Expert Comment

I also see it as isolation, especially for a "vulnerable" machine, due to the exposure it has from multi-user business needs. It needs to be addressed as a kiosk mode, where various aspects need to be considered for defense in depth:

a) Network layer - it is configured in one VLAN separated from the management LAN and corporate intranet. Any incoming traffic will pass through the firewall and content filter to scan for attack signatures, especially when visiting malicious sites or downloading executables like "fake AV", "flash codec", etc.

b) Endpoint layer - only allow user mode, where no admin rights are given to tamper with system resources, install programs, or perform system admin processes like user account management. Have it centrally managed with policy and updates pushed down if possible; otherwise make sure the host machine is updated with patches. Remote application browsing through Citrix is also one means; do check out Remote Desktop Services (RDS) in Windows Server 2008 R2 (it has strong RDP v7.0 that is secure from past attacks). Of course, the host will then be isolated since the server is doing the browsing on its behalf. The server will then need to be secured with policy control and whitelisting since it provides such services. Check out AppLocker too in the whitelisting context (only in Windows 7).

There are more, but it just means adding more layers; I believe the key is to contain the entry point, which is typically the web traffic via the browser. We may want to consider sandboxing the application such that it does not know the real host, hence it is virtualised in that sense. Check out Sandboxie, which does application sandboxing such that it creates another space for that application to "abuse".

Ideally the host machine has a base image that can be reverted, but that can be tedious, hence I would rather focus on the application and on restricting which applications run and how they interact with the "wild". Logging is crucial for investigation, but probably in your case not so key. Device control such as storage media should be disabled if not used (advised not to enable it since we are not using it). SteadyState from Windows is another you may be interested in (but note that it is not maintained).
LVL 60

Accepted Solution

Thought client hypervisors are another new technology to be aware of.

Client hypervisors are useful in that they isolate the operating system from the hardware, making the OS hardware-agnostic. Client hypervisors can also be used to isolate and run different versions of operating systems on the same machine, which isn't possible otherwise. For example, a user with a Windows 7 machine could run a virtualized version of Windows XP and an older version of Internet Explorer (IE) to access legacy applications that aren't supported on Windows 7.

In addition, companies using virtual desktop infrastructure (VDI) to deploy desktops can use client hypervisors to support disconnected VDI. One of the problems with desktop virtualization is that users can only access their desktops while connected to a network. With a client hypervisor, their virtual desktop can run on the client device even when the user doesn't have broadband access.

Another security feature in client hypervisors is the ability to revoke privileges or kill company-owned VMs when employees leave the company or if their machines are lost or stolen.

The centralized desktop management features that client hypervisors provide also make it easier to roll out new OS images when it's time to replace compromised machines or upgrade to a new OS version. And security patch delivery can be done as part of image updates.
