Exclusive Review of Kaspersky Thin Client: Remote Workspace Security at a New Level

Kaspersky Thin Client is a compact and efficient thin client for organizing a local workplace in a company.

Durov's Code attended the Kaspersky Cyber Security Weekend event, learned a lot of inside features and tested Kaspersky Thin Client. Now we are ready to tell you more about it.

What exactly is it?

Kaspersky Thin Client is an operating system from Kaspersky that runs on a hardware platform. It is part of Kaspersky Secure Remote Workspace, a functional infrastructure of thin clients with protection against cyber threats  →.

We’ve laid our hands on the device based on the Centerm F620 hardware platform. It is produced by the world's third thin client manufacturer after HP and Dell. Kaspersky Thin Client can actually be called a small full-time PC, but with a limited set of functions.

Specifications:

• Dimensions without stand: 131 mm x 31.5 mm x 167 mm, with stand: 131 mm x 76 mm x 178 mm, weight: 0.51 kg.
• 4-core Intel processor, 4 GB DDR4 RAM, 64 GB SSD, M2 and mSATA drives are supported.
• KasperskyOS: a proprietary microkernel operating system, which, unlike a monolithic OS like Windows or Linux, has an emphasis on security.
• Connectors: one DisplayPort and one HDMI port (4K monitors are supported), one LAN (speeds up to 1000 Mbps), four USB 2.0, two USB 3.0, one line-out, one mini jack for audio.

On a thin client, there are no familiar basic things that distinguish classic PCs. You will not be able to install applications here, it is impossible to store any data here. You can, however, connect to a remote workplace, that is, to a remote physical or virtual machine, where all the information necessary for work is taken from and stored.

Alexander Sergeenko, Presales Manager, KasperskyOS, at Kaspersky explained to Durov's Code:

A thin client is a device that gives a user access to the remote workplace. Globally speaking, it connects point A with point B. Its main function is organizing the infrastructure for remote workplaces.

Why is it a good device?

— First of all, it's more secure. Kaspersky Thin Client is an entry point to different types of other PCs and servers. Due to the impossibility of storing data and installing any applications on it, the risks of penetration of potentially dangerous components are eliminated. Users` data is stored on the server at a single point, which is easier to control.

Users have the opportunity to work with Windows 7, 10 and 11; Windows Server 2016, 2019 and 2022, as well as with any Linux-based OS. In the latter case, an RDP server is needed, that helps a user to connect via the RDP protocol.

Alexander Sergeenko:

The RDP protocol is the most common scenario for accessing remote machines from a thin client, both physical, virtual, and terminal servers.

— Secondly, it saves resources. For example, a company needs to deploy 100 workplaces on personal computers. You have to perform similar actions for every PC: install the operating system and necessary applications, including security software, and configure them. This is long and not easy, especially if the number of workplaces increases. Therefore, it is much more convenient to offer employees thin clients.

Setting up a new Kaspersky Thin Client for a new employee is simple. The workplace is created in a minute using the Kaspersky Security Center administration server. Instead of a PC, the employee receives an already configured thin client, which is remotely controlled by the company.

Valentina Khudyakova, product marketing manager at Kaspersky, told Durov's Code:

Thin clients consume much less electricity, they are much cheaper than a PC or laptop. Also, thin clients have a much longer service life. While a regular laptop is changed every four years at best, a thin client lives 7-10 years and it is resistant to damage.

Alexander Sergeenko:

To change an employee's computer or just give out a new one, you need to configure it, spend a lot of time installing all applications, and so on. It is much easier to set up a thin client in the network. With our thin client, creating a new workplace takes only a minute.

By the way, when we talk about the benefits, it should not be confused with cost limitation. After all, when a company saves on security, it can lead to problems in business. Let us remind you that the attack on City Union Bank in India in 2018 led to the fact that the attackers got access to the SWIFT system and were able to transfer funds for $2,000,000. To sum it up: the bank's shares fell, its reputation suffered.

A unique Cyber Immune approach in order to eliminate the risks of intrusion into the infrastructure

It is generally assumed that thin clients are secure by definition, but this is not the case. Usually, they are not protected during the development stage, which can lead to a possible attack by intruders. Because of this, it is necessary to additionally install antiviruses and security solutions, but companies often neglect this. How does Kaspersky solve this problem?

It is easy to draw a parallel with Windows and Linux, which are operating systems with a monolithic kernel, the architecture of which constantly opens up opportunities for exploiting new vulnerabilities. They are internally arranged so that any component can have access to any other by default. If one of them is somehow hacked, all the other components are also at risk.

Kaspersky Thin Client based on the KasperskyOS microkernel operating system uses the principles of Cyber Immunity when, thanks to the specific Kaspersky methodology, the product is secure by design. From the start of thin client development, security policies are implemented. All components of the operating system like drivers, applications and others are placed into their own security domains. The policies describe the rules of interaction between the domains.

In the Kaspersky product, security policies prevent vulnerabilities from developing between components interacting with each other. The components divided into different domains do not have direct access to each other, whereas in a monolithic OS, each component freely interacts with the other.

If a hacking attempt is made, the threat will not spread to the entire OS. And if hacking does happen, it will be localized within one domain, so the attack will not be able to develop further. All this allows a thin client on KasperskyOS not to use additional antiviruses and firewalls, and updating Kaspersky Thin Client is required solely to introduce new functions, not to close holes in the system.

Working with Kaspersky Thin Client is simple and convenient both for employees and companies

There are several options:

• by connecting to a physical device or server with all data stored on it, when each employee has their own thin client device;
• with the help of terminal servers, when all employees with their thin clients connect to one physical machine, working inside its OS;
• by connecting to a virtual machine, then working with it as with a physical one.

Another way to work is through the VDI platform. For example, a user connects via a thin client to a virtual machine that runs only one session, and the data is stored in network storage. Kaspersky Thin Client currently supports working only in Microsoft RDS infrastructure.

Kaspersky Thin Client boots very quickly, approximately in 30 seconds. What I like as well is the minimalistic interface. There are buttons on the main screen to connect to a remote workplace. After connecting, a desktop of virtual Windows 10 is deployed, after which you can securely perform various tasks.

Important technical settings can be hidden so that an employee working with a thin client cannot accidentally change important parameters and disrupt the operation of the device.

Commonly, there are the following parameters:

• Firmware update, system diagnostic information report, network settings, packet exchange data.
• With permission, an employee can choose the main monitor from two possible ones, change the time and date, and configure energy saving parameters.
• Crucial functions like resetting or disconnecting from the control system cannot be changed without going through the approval procedure with the administrator.

In practice, there are companies that have hundreds or even thousands of thin clients for employees, so it is inconvenient to manually configure each one. This is what the Kaspersky Security Center (KSC) utility is for. It is a unified console that allows you to automate the configuration of thin clients.

Right there, when managing a group of thin clients, the Kaspersky Security Management Suite web plugin will come in handy, activating management and monitoring capabilities.

The user of such a workplace can be prohibited or allowed to perform certain actions, for example, changing the connection server address. You can connect external devices, they will be displayed without problems in the virtual OS.

Some of the noteworthy functions of the KSC:

• Formation of a set of trusted working machines to which connection is allowed. This is useful to exclude the possibility of connecting to untrusted devices and protects against various attacks, including when there is a chance to intercept the session.
• Setting the time zone and language will be useful, if the company's employees live and work in different regions.
• Informative messages to employees can be sent from here, and all thin clients’ firmware can be updated from the management server.
• What else: the possibility of prohibiting or allowing switching to another RDP server, using flash drives, printers, security tokens, setting power saving parameters, changing graphics settings.

There are some firsthand positive reviews of the software usage from both commercial and governmental structures. For example, the company shared the results → of the implementation of the Kaspersky Thin Client to protect the VDI infrastructure of the Ministry of Digital Development and Communications of the Orenburg Region in Russia.

Explore Cyber Immunity solutions on the Kaspersky website — Kaspersky Cyber Immunity →