Dell acquired thin client manufacturer Wyse in 2012. Jeff McNaught, VP Marketing of Cloud Client-Computing, explained that today’s thin client products consist of Wyse software on Dell hardware. According to McNaught, many of their customers are in highly-regulated industries such as healthcare, government, education, finance, retail, and manufacturing. A mobile thin client facilitates access from almost anywhere without exposing data to loss or theft.
Dell’s line of thin clients runs Windows Embedded Standard 7, Windows IoT 10, Wyse ThinOS, or Wyse ThinLinux. The company provided a Windows-based Latitude E7270 Mobile Thin Client for review.
The E7270 features an Intel Core i5-6300U processor (15W dual core, 2.4GHz, 3M cache, with integrated graphics), 8GB of 2133MHz DDR4 Memory, 128GB SATA SSD, dual-band 802.11ac Wi-Fi, and Bluetooth 4.1. The 12.5” notebook includes three USB 3.0 connectors, HDMI, an SD card slot, and 10/100/1000 Mbps Ethernet. The hardware alone makes the E7270 a capable business-class notebook, and it can be purchased as such with Windows 7 or Windows 10 Pro.
The Latitude E7270 Mobile Thin Client runs a locked-down Windows Embedded Standard 7, augmented by careful configuration and Wyse utilities. The Microsoft File-Based Write Filter (FBWF) prevents changes from being written to the hard drive, and instead retains those changes in RAM. As a result, every time the notebook boots, the user is presented with a totally clean environment.
It arrives ready to run, including Citrix, Microsoft and VMware VDI applications, but it should be customized prior to deployment, including changing default passwords. Dell offers management options: a locally-hosted Dell Wyse Device Manager (WDM), Dell Cloud Client Manager (CCM), and a USB imaging tool. WDM can greatly simplify administration, including pushing new and updated images to thin clients in an enterprise setting. CCM extends management to the cloud. And, for small deployments or even individuals, the USB imaging tool allows restoring to a factory default image, as well as copying customized configurations from one device to another.
After some experimentation with the E7270 to gain experience customizing the locked-down environment, I decided to simulate a small business using the laptop for international business travel. I downloaded the USB imaging tool and installed it on an old Windows laptop. Next, I downloaded a fresh system image from Dell and, using the USB imaging tool, created a bootable USB stick containing the image. I also staged the Viscosity OpenVPN client, a VPN profile (with password-protected key encryption), PuTTY, Chrome installer, and the free Microsoft Word, Excel, and PowerPoint viewers on a second USB stick.
Powering up the laptop, I used F12 to access the boot menu, booted from the USB stick, and selected the simple menu option to push the image to the E7270. A few reboots and about 15 minutes later I had a default image ready for customization. Using the instructions and default administrator password supplied by Dell, I switched to the admin account.
The customization process is straightforward, but those who have not previously configured a locked-down system will need patience due to the nuances involved. By default, the FBWF is enabled. This prevents changes to the hard drive, including the obvious, such as installing applications or placing files on the desktop, and not-so-obvious things such as WiFi network credentials and drivers installed automatically when USB devices are inserted.
For example, the first time a Fido U2F device is inserted into a USB port, it takes several seconds for drivers to be installed. On a normal PC, this happens once. On a locked-down PC, this happens the first time the U2F device is inserted after every boot, unless the process is completed once with the FBWF turned off.
Having already learned of these issues, I clicked the desktop icon to turn off the FBWF, and the system immediately rebooted. I logged in to the administrator account again, and carefully installed the applications staged on the second USB key. I then logged in to the user account, installed the VPN profile, inserted the U2F device, and waited until the drivers had loaded. I also connected the E7270 to my local WiFi network because I wanted that setting to persist, as opposed to entering the WPA key every time I booted the computer.
While it might be tempting to open up a browser or start the VPN client to test the configuration, doing so with the FBWF turned off will result in associated information, such as web history, being saved to the SSD. It is therefore best to reactivate the FBWF prior to testing.
I logged back in as the administrator and made a few final tweaks: I changed the default Windows Administrator password, the default VNC password (installed for remote assistance to users), and I used the menu option to deregister the TightVNC service. Then I clicked the green desktop icon to re-enable the FBWF and the notebook rebooted.
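A quick way to confirm the filter state from an elevated PowerShell prompt before testing, as an added example that is not part of the original column or Dell's tooling. It assumes the FBWF console tool fbwfmgr.exe is present on the image; the function name is hypothetical, and the output wording it parses and the sample text are constructed, so check them against your own image.

```powershell
# Added example: confirm FBWF is on before any browser or VPN test.
# Assumption: "fbwfmgr /displayconfig" prints one "filter state:" line
# under a "current session" heading and one under a "next session" heading.

function Get-FbwfState {            # hypothetical helper name
    param([string[]]$Lines)
    $state = @{ current = 'unknown'; next = 'unknown' }
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match 'configuration for the (current|next) session') {
            # Remember which block the following lines belong to.
            $section = $Matches[1].ToLower()
        } elseif ($section -and $line -match 'filter state:\s*(enabled|disabled)') {
            $state[$section] = $Matches[1].ToLower()
        }
    }
    New-Object PSObject -Property $state
}

# Constructed sample output, used only when fbwfmgr.exe is not available
# (for example when trying the parser on an ordinary workstation).
$sample = @'
File-based write filter configuration for the current session:
    filter state: disabled.
File-based write filter configuration for the next session:
    filter state: enabled.
'@ -split "`r?`n"

if (Get-Command fbwfmgr.exe -ErrorAction SilentlyContinue) {
    $lines = & fbwfmgr.exe /displayconfig
} else {
    $lines = $sample
}

$s = Get-FbwfState -Lines $lines

if ($s.current -eq 'enabled') {
    Write-Output 'FBWF active: writes go to the RAM overlay and are lost at shutdown.'
} elseif ($s.next -eq 'enabled') {
    Write-Output 'FBWF enabled for the next boot only: reboot before testing.'
} else {
    Write-Output 'FBWF is OFF or unknown: anything done now may persist on the SSD.'
}
```

With the constructed sample, the script reports that a reboot is still needed, which is the state to watch for if the filter was re-enabled but the machine has not yet restarted.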
By default, the E7270 automatically logs in to the user account when it boots. While many organizations will change that, for testing it didn’t make sense to do so, especially given that the system is designed to ensure that no data remains once it is shut down. In fact, the Windows configuration makes it difficult to store data on the thin client while it is running.
Web and remote desktop access was wonderfully responsive due to the minimalistic operating system on powerful hardware. The FBWF, absence of administrator rights, and minimalistic operating environment significantly reduce malware-related risk. During a recent trip, I was able to establish an OpenVPN connection back to my office and use Windows Remote Desktop to access a complete environment, including files, Microsoft Office applications, and a web browser with password manager. I also verified that I could use the free Microsoft PowerPoint viewer to conduct an offline presentation from a USB key.
Using the USB imaging tool to create a new image from the customized E7270 only had one hitch: The utility required that the USB stick have at least 128GB of free space, presumably to ensure that an out-of-space situation could not occur, even though my compressed image ultimately required just over 10GB. Those intending to back up their custom image or copy it to another thin client should add a fast 256GB USB 3 stick to their shopping list.
The primary downside to the E7270 thin client is that functionality is very limited without Internet connectivity. However, since it runs Windows, I was able to install LibreOffice and use it to successfully edit documents on a USB stick while offline.
While relatively expensive at around CDN $1800, the beauty of the E7270 Mobile Thin Client is that no personal or sensitive information, with the potential exception of an encrypted VPN key, remained on the laptop. In the event it is stolen or searched at the border, there is simply no data to find.
Have a security question you’d like answered in a future column? Please send me an email.