Dell Wyse ThinOS Version 9.1 Security Configuration Guide February 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Chapter 1: Preface
Legal disclaimer
Scope of document
1 Preface
Topics:
• Legal disclaimer
• Scope of document
• Document references
• Security resources
• Getting help
• Reporting security vulnerabilities
Legal disclaimer
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Getting help
The Dell support page provides access to licensing information, product documentation, advisories, software downloads, how-to videos, and troubleshooting information.
Reporting security vulnerabilities
Dell takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability, you are encouraged to report it to Dell immediately.
2 Security quick reference
Topics:
• Supported platforms
• Security profiles
• Flash security
• USB device security
• Federal Information Processing Standard (FIPS) compliance
Supported platforms
The Dell Wyse ThinOS version 9.1 firmware is supported on the following thin clients:
● Wyse 3040 Thin Client
● Wyse 5070 Thin Client
● Wyse 5470 Thin Client
● Wyse 5470 All-in-One Thin Client
Dell Technologies recommends that you use the Dell Wyse Management Suite version 3.
When you set the user privilege to Customize, you can manually select options that you want to enable or disable in the ThinOS system menu.
7. Click Save & Publish.
Flash security
● Secure Boot—By default, Secure Boot is enabled on the device to ensure that the system is secure during the boot process.
● Flash encryption—The entire disk is encrypted for each individual device except the Extensible Firmware Interface (EFI) system partition. The data on the disk is safe and secure.
Federal Information Processing Standard (FIPS) compliance
ThinOS allows you to enable or disable the Federal Information Processing Standard (FIPS) Publication 140-2 Level 1 authentication compliance. It is based on OpenSSL (Open Secure Socket Layer). You can configure the option using System Tools on the ThinOS client, local Admin Policy Tool, or Wyse Management Suite. When you enable FIPS on ThinOS, algorithms that are unapproved by FIPS are not allowed to be used in a wireless connection.
3 Product and subsystem security
Topics:
• Product overview
• Authentication
• Authorization
• Network security
• Data security
• Cryptography
• Auditing and logging
• Code or product integrity
• Contacting Dell
Product overview
ThinOS is a highly secure, deployment-ready operating system for endpoints that connect to virtual workspaces.
Figure 1.
Authentication
ThinOS supports the following configuration options for users or processes to authenticate to the product subsystems.
● Account privilege levels
● VDI broker agent authentication
● Active domain authentication
● Multifactor, token, and certificate-based authentication
● Authentication application support
● Unauthenticated authentication support
● Wyse Management Suite server authentication
For more information about the authentication types, see Authentication types and setup.
For more information about how to configure the network and VPN settings, see the Dell Wyse ThinOS Version 9.1 Administrator's Guide at www.dell.com/support.
● Virtual Desktop Infrastructure (VDI) broker agent authentication—Users can use AD user credentials to authenticate to remote VDI broker agents to access remote sessions and remote resources. The credential type can be a domain username with a password or a smart card.
For more information about multifactor, token, and certificate-based authentication, see the Dell Wyse ThinOS Version 9.1 Administrator's Guide at www.dell.com/support.
● Unauthenticated Interfaces—Anonymous authentication can be configured from a remote system. Citrix and VMware workspaces support anonymous authentication to remote broker agents and session hosts. However, thin client users can log in to the broker agent and the remote session using a configured username and password.
Network security
● Network exposure—The following table lists the network ports that are supported on ThinOS.
Table 1. Network exposure
Service name | Port | TCP or UDP | Summary
VNCD | 5900 | TCP | You can enable or disable the VNC server using Admin Policy Tool or Wyse Management Suite. By default, the option is disabled.
ntp | 123 | UDP | If NTP is not configured, you cannot use the NTP service. You can configure the NTP settings using Admin Policy Tool or Wyse Management Suite.
● Alerting—Warning logs are displayed on the ThinOS UI as notifications.
Using log files to troubleshoot your thin client
About this task
You can use the troubleshooting options on the ThinOS desktop to troubleshoot your device.
Steps
1. From the desktop menu, click Troubleshooting. The Troubleshooting dialog box is displayed.
2.
d. Open the Troubleshooting window, and click Export Logs on the General tab. The log file is stored in the root folder of the USB drive—system_log_201910107_125610.tgz.
e. Extract the tgz file. The log files are available at ./compat/linux/var/usbdump/.
4. Click the Ping tab, and do the following:
a. Enter the IP address, DNS-registered hostname, or WINS-registered hostname of the target device.
b. Click Start. The data area displays the ping response messages.
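For step e above (extracting the exported .tgz on an analysis workstation), the following added example, which is not Dell's code, unpacks only regular files under compat/linux/var/usbdump/ and refuses members that would land outside the destination directory. The function names are hypothetical, the sample bundle is constructed, and the bundle is assumed to be a gzip-compressed tar as the .tgz extension indicates.

```python
import io
import shutil
import tarfile
from pathlib import Path, PurePosixPath

# Directory named in step e of the page; everything else in the bundle is ignored.
LOG_PREFIX = PurePosixPath("compat/linux/var/usbdump").parts

def extract_thinos_logs(bundle, dest):
    """Copy only regular files under LOG_PREFIX into dest (hypothetical helper)."""
    # bundle: path to the exported .tgz, or a binary file object holding it.
    dest = Path(dest).resolve()
    extracted, skipped = [], []
    source = {"name": bundle} if isinstance(bundle, (str, Path)) else {"fileobj": bundle}
    with tarfile.open(mode="r:gz", **source) as tar:
        for member in tar:
            parts = PurePosixPath(member.name).parts  # "./" is collapsed, ".." is kept
            wanted = (
                member.isfile()            # rejects symlinks, hardlinks, devices
                and ".." not in parts      # rejects paths that climb out of dest
                and parts[:len(LOG_PREFIX)] == LOG_PREFIX
                and len(parts) > len(LOG_PREFIX)
            )
            if not wanted:
                if not member.isdir():
                    skipped.append(member.name)
                continue
            target = dest.joinpath(*parts)
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            extracted.append(target)
    return extracted, skipped

def build_sample_bundle():
    """Constructed stand-in for an exported bundle (not real ThinOS output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("./compat/linux/var/usbdump/messages.log", b"constructed log line\n"),
            ("./compat/linux/var/usbdump/../../../../etc/cron.d/x", b"escape\n"),
            ("./other/readme.txt", b"outside the log directory\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Review the returned list of skipped member names before trusting a bundle that came from a removable drive.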
Steps
1. Go to www.dell.com/support.
2. Select your support category.
3. Verify your country or region in the Choose a Country/Region drop-down list at the bottom of the page.
4. Select the appropriate service or support link based on your need.