The terminal allowing administrators to access the administration network is a key element for the global security of organizations’ information systems. A possible corruption of this terminal is a major risk for companies. The use of a hardened thin client terminal communicating with administration virtual desktops allows you to take advantage of the specific and secure architecture of a hardened thin client terminal while benefiting from the functionalities of Privileged Access Management (PAM) solutions thanks to virtualization.
Prerequisites for using a thin client terminal for information systems administration
Due to its specific architecture, the thin client terminal meets certain points that enhance the security of the information system. To harden this terminal, several elements must nevertheless be taken into account:
- Avoid public operating systems, or even privilege terminals without an operating system: the more public an OS is, the more vulnerabilities it has, thus increasing the risk of attacks towards the terminal’s operating system.
- Limit or forbid the configuration means on the terminal: an administrator must not be able to reduce the security of the terminal by modifying its configuration.
- Centralize and secure the administration of terminals: it is necessary to be able to control all the terminals in order to update them. Avoid terminals that remain accessible without being updated and therefore possibly containing security flaws.
- Partition the use of the terminal between the different networks: have a different terminal to access the administration network and the office automation network.
What the ANSSI (the French National Cybersecurity Agency of France) recommends
The issue of access terminals is addressed in the document PA-022 from the ANSSI (Recommendations for the secure administration of information systems) under Recommendation R9. It recommends the use of a dedicated administration workstation, i.e. a workstation for access to the administration information system that is physically different from the workstations providing access to the office automation information system.
The ANSSI also proposes a degraded version of this recommendation (R9-) with multi-level workstations, i.e. the use of a physically identical workstation for access to the administration and office automation information system. However, these two accesses must not be common, which therefore implies two environments present on the same administration workstation. They must be extremely hardened and secured in order to avoid any communication and therefore any contamination between the two environments present on this same physical workstation.
These recommendations can be achieved by using a hardened thin client terminal dedicated solely to the administration information system (R9) or via a multi-level hardened thin client terminal (R9-) which will be easier to partition than a conventional workstation.
Which thin client terminal to administer the Information System?
The use of a thin client terminal from AXEL meets this security challenge since they are the only ones able, with their thin clients, to offer highly secure access terminals without an operating system. They are different from traditional thin clients on the market that have an architecture similar to a traditional PC with an operating system. Since most attacks are oriented towards the operating system, the absence of an OS in AXEL technology allows administrators to provide a highly secure thin client terminal.
AXEL offers firmware and hardware developed and supported by their teams in France and without bios, operating system or file system, which mechanically reduces the attack surface of their thin client terminals. The firmware is also dedicated, extremely light (less than 2MB) and immune to viruses.
Systancia Cleanroom Terminal
Systancia and AXEL have therefore joined forces to provide organizations with an incorruptible administration workstation with an AXEL hardened thin client terminal communicating with the Systancia Cleanroom virtual workstation module, which will allow the control of virtual administration workstations. This module sends to the thin client terminal the virtual workstation dedicated to the user who wishes to access the administration information system and the terminal will then be able to connect directly to this virtual administration workstation.
This virtual administration workstation will have all the surveillance mechanisms: analysis and recording of all the actions carried out from the virtual administration workstation. It will also have all the mechanisms linked to the vault module that will allow the automatic injection of login credentials to any type of application (web application, heavy, client-server, in-house application, etc.). Once this information has been retrieved, the virtual administration workstation will provide access to the resources that the administrator needs in order to carry out their administration actions.
This approach is therefore extremely secure since it combines the strength of the virtual administration workstation, which is disposable (and therefore reduces the attack surface), and the hardened thin client terminal, which guarantees that this administration access terminal is inviolable against an attack directed at this workstation. All this guarantees the security of the resources of the administration IS, which cannot be attacked via the administrator’s workstation.