Endpoint Software Security Analysis
Most experts would agree – the differences between traditional endpoints with Windows and Linux operating systems and purpose built VDI endpoint solutions are vast, with many security benefits over traditional endpoints. This current analysis focuses on the security available for VDI Endpoint Solutions.
My interest in pursuing this Linux software security comparison came from my recent presentation on XenAppBlog.com comparing the security features of the top VDI vendors. One cannot have a VDI solution without endpoints, and understanding which endpoint operating system has the best security is critically important for the ongoing productivity of any business or organization.
While there are many aspects to consider when deciding which VDI endpoint solution is best suited for an organization’s needs, software security is arguably a top component in any decision criteria. This report focuses on operating system security. Other endpoint software strengths and weaknesses are highlighted and may affect your selection as well.
Thin Endpoint Operating Systems Evaluated
Dell, HP, IGEL, Stratodesk, which I have worked with, and Unicon were chosen for this first comparison round. Unicon is prevalent throughout the EU and thus deserves inclusion in the evaluation.
Thin devices by design ease endpoint management and ensure a consistent user experience; reducing the variables between endpoints as much as possible is important. Many of these solutions differ in device management and software updates, issues also covered in this comparison.
Today’s VDI endpoint market is made up of thin clients and repurposed or converted PCs and other endpoint devices. Leveraging existing hardware inventory is an additional ROI benefit and reason to focus on the software security running on your various VDI endpoint devices.
Vendor | Dell | HP | IGEL | Stratodesk | Unicon |
Endpoint Software | ThinOS | ThinPro | IGEL OS | NoTouch OS | eLux |
Management Software | WMS (WYSE Management Suite) | HPDM (Device Manager) | UMS (Universal Management Suite) | NoTouch Center | Scout Management Suite |
Repurposing/Conversion | No | No | Yes | Yes | Yes |
Scoring
Each vendor received ranked scores in each category. The best vendor in each scored category received a one, and then each other vendor was ranked with higher scores (two through five). There are some ties due to vendors having the same abilities. The vendor with the lowest total score represents the leader in VDI Endpoint Software Security.
*Please note, the vendor scores are based on the data available as of October 29th, 2021.
VDI Client Support
The first part of this assessment looks at which VDI clients each vendor ships and how current those versions are. Having up-to-date VDI clients also helps with compatibility and features for that specific VDI vendor. In most cases you may need the latest VDI client to upgrade to the latest VDI version. CVEs continue to be released for the VDI clients, and you do not want to miss those updates. Depending on your VDI vendor, knowing how up-to-date a thin client vendor keeps that client can steer you to a specific vendor. Vendors were ranked by comparing the latest released Windows\Linux client versions against the versions in the thin client releases.
Amazon Workspaces
Windows | Linux |
4.0.2 (9-1-21) | 4.0.1 (8-12-21) |
In first place is Stratodesk with the latest release, followed by IGEL in second place. HP does not include it, but does provide a deployment guide for its customers. Dell and Unicon do not list it as a client or configuration possibility; using a PCoIP configuration it could be possible, but the NICE DCV protocol would not work.
Amazon Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
Amazon Workspaces Client Ver | Not Listed | Not Included | 3.1.9 | 4.0.1.1302 | Not Listed |
Amazon Workspaces Rank | 4 | 3 | 2 | 1 | 4 |
Microsoft AVD Client
Windows | Linux |
1.2.2322.0 (09-14-21) | Web Client + Thin Clients |
In first place is Stratodesk with the latest release, followed by Dell in second place. HP is in third place with a date in place of a version number. IGEL has an older version than Stratodesk at this time, which puts it in fourth place. Unicon does not list it and it does not appear to be supported currently. These vendors do not appear to use the version numbers typically associated with the Microsoft AVD Linux SDK. Microsoft does not appear to list this information publicly either, which makes it difficult to know who is using the latest SDK.
Below is a link to the list of supported vendors from the Microsoft side:
https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/linux-overview
AVD Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
AVD Client Ver | 1.2_1157 | 2021.08.19 | 1.0.30igel1630670236 | 1.1-20210923 | Not Listed |
AVD Rank | 2 | 3 | 4 | 1 | 5 |
Citrix Workspace App Client
Windows | Linux |
2108 | 2108 |
In first place is Stratodesk with 2108 while all other vendors are in a four-way tie for second place with 2106. I was expecting to see more 2108 in some of them, but I think they all spent some time on testing.
Citrix Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
Citrix Client Ver | 21.6.0.28_2 | 21.06.hp1a | 21.06.0.28 | 21.8.0.40 | 2106 |
Citrix Client Rank | 2 | 2 | 2 | 1 | 2 |
RDP Client
Windows | Linux |
1.2.2222 (8/24/2021) | 2.4 (07-28-21) |
In first place is Stratodesk with the latest release, and then IGEL in second place. HP has a slightly newer version listed compared to Unicon software. Dell does not have it listed but it does have RDP configuration references to using an RDP gateway. I suspect FreeRDP or a variant is used by Dell, HP, IGEL and Unicon software but it is not listed or referenced by name so they may just use a fork or something unique.
RDP Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
RDP Client Ver | Not Listed | 1.1.1-hp19.3 | 2.2igel1628056781 | FreeRDP-2.4* 8dc782d009 | eLuxRDP 1.0 |
RDP Rank | 5 | 3 | 2 | 1 | 4 |
Nutanix Frame Client
Windows | Linux |
Multiple Browsers | Multiple Browsers |
Nutanix Frame deployments can be accessed using HTML 5 compliant browsers, but the Nutanix Frame App Client also brings other benefits to users if deployed. With the Frame App you gain better multi-monitor support, USB support and a couple other goodies.
Stratodesk is in first place and is the only vendor with a Frame Client referenced in documentation I could find. HP and IGEL are tied for second since they both have HTML 5-compliant browsers and reference the ability to connect, but no Frame client is referenced. Unicon Software does not list its browser versions, giving it fourth place, whereas Dell does not list Frame or a supported browser at all.
Look for updates from Nutanix for their “Frame Ready” endpoints for more details on specific vendors and their benefits. I think IGEL is also “Frame Ready,” but I could not find their press release on IGEL or the Nutanix side. Unicon would have a lower penalty if they released the browser builds in their release notes.
Stratodesk was the first to be Frame Ready with Nutanix:
https://www.prweb.com/releases/stratodesk_notouch_achieves_nutanix_frame_ready_status/prweb18169312.htm
Looks like we need to look at ZeeTim soon, as they are on the list for Frame Ready with a press release.
https://www.zeetim.com/fr/zeeterm-et-zeetransformer-sont-maintenant-certifiees-nutanix-frame-ready/
Nutanix Frame Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
Nutanix Frame Client Version | N/A | Firefox and Chromium | Firefox and Chromium | Frame Client 6.3.0 | Not Listed |
Nutanix Frame Rank | 5 | 2 | 2 | 1 | 4 |
Parallels Client
Windows | Linux |
18.1.0.1 (7-28-21) | 18.1.0.1 (7-28-21) |
In first place is Stratodesk with the latest client with IGEL in a close second. HP is in third place due to it not being bundled, but it is referenced as installable from Parallels just like we saw with Amazon and HP. Dell and Unicon do not list Parallels as a configuration option.
Parallels Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
Parallels Client Ver | Not Listed | Not Included | 18.1.0 | 18.1.0.1 (22712) | Not Listed |
Parallels Rank | 4 | 3 | 2 | 1 | 4 |
VMware Horizon Client
Windows | Linux |
2106 | 2106.1 |
HP, IGEL and Stratodesk all tie for first place with the latest version of the VMware Horizon Client. Dell and Unicon have a three-month-old client, placing them second or last in this big multi-way tie. There appear to be different build numbers after the main 2106 version, while VMware lists only build 17742757 for its release; perhaps there was more than one release.
VMware Client | Dell | HP | IGEL | Stratodesk | Unicon Software |
VMware Client Ver | 2103.8.2.0.17742757.10 | 2106-8.3.0 – 18251983 – 60112 | 2106-8.3.0-18251983 | 2106-8.3.0-18035020 | 2103 |
VMware Client Rank | 4 | 1 | 1 | 1 | 4 |
Browsers
The ability to host a browser on a thin client gives you access to other VDI systems along with controlled access to other resources. The browser in any deployment should always run the latest released version to ensure the latest security fixes are applied. Keeping browsers on a thin client up to date still matters, even though they typically carry less risk than normal endpoints, which have unrestricted internet access along with a full operating system.
Windows | Linux |
Chrome 93.0.4577.63 Firefox 92.0 Edge 93.0.961.47 | Chrome 93.0.4577.63 Firefox 92.0 Edge Beta 94.0.992.19-1 |
In first place is Stratodesk with the later Chromium and Firefox build. HP is in second place with an older Firefox build than either Stratodesk or the third place IGEL who has a recent Chromium release, but with an older Firefox version. Unicon does have a browser mentioned, but I could not find a version due to the lack of release notes. By not supporting a browser at all, Dell severely limits its capabilities and potential use cases.
Browsers | Dell | HP | IGEL | Stratodesk | Unicon Software |
Browser Version | N/A | Firefox 91.0.1 ESR | Chromium 91.0.4472.164-igel1626429779 + Firefox 78.12.0 | Chromium 92.0.4503.u1 Firefox 88.B2 | Not Listed |
Browser Rank | 5 | 2 | 3 | 1 | 4 |
Client Version Summary Ranks
Clients | Dell Score | HP Score | IGEL Score | Stratodesk Score | Unicon Score |
Amazon Workspaces Rank | 4 | 3 | 2 | 1 | 4 |
AVD Rank | 2 | 3 | 4 | 1 | 5 |
Citrix Client Rank | 2 | 2 | 2 | 1 | 2 |
RDP Rank | 5 | 3 | 2 | 1 | 4 |
Nutanix Frame Rank | 5 | 2 | 2 | 1 | 4 |
Parallels Rank | 4 | 3 | 2 | 1 | 4 |
VMware Client Rank | 4 | 1 | 1 | 1 | 4 |
Browser Rank | 5 | 2 | 3 | 1 | 4 |
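As an added example (not the article's own code or any vendor's tooling), this Python script applies the scoring rule from the Scoring section and the version-freshness ranking used in the client tables: it reduces vendor version strings to release granularity, ranks them with shared ranks for ties, and sums the ranks from the summary table above. The YYMM-to-major.minor normalization and the two-token comparison depth are my assumptions, and editorial adjustments in the article (such as an installable-but-unbundled client ranked above an absent one) are not modelled.

```python
"""Ranking helper for the client-version and scoring comparison (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Strings the article uses for a client a vendor does not bundle or document.
MISSING = {"not listed", "not included", "n/a"}

# Constructed sample input: the article's Citrix and VMware client rows.
CITRIX_ROW = {
    "Dell": "21.6.0.28_2",
    "HP": "21.06.hp1a",
    "IGEL": "21.06.0.28",
    "Stratodesk": "21.8.0.40",
    "Unicon": "2106",
}
VMWARE_ROW = {
    "Dell": "2103.8.2.0.17742757.10",
    "HP": "2106-8.3.0 - 18251983 - 60112",
    "IGEL": "2106-8.3.0-18251983",
    "Stratodesk": "2106-8.3.0-18035020",
    "Unicon": "2103",
}
# The article's "Client Version Summary Ranks" table, one dict per category.
SUMMARY_RANKS: Dict[str, Dict[str, int]] = {
    "Amazon Workspaces": {"Dell": 4, "HP": 3, "IGEL": 2, "Stratodesk": 1, "Unicon": 4},
    "AVD": {"Dell": 2, "HP": 3, "IGEL": 4, "Stratodesk": 1, "Unicon": 5},
    "Citrix": {"Dell": 2, "HP": 2, "IGEL": 2, "Stratodesk": 1, "Unicon": 2},
    "RDP": {"Dell": 5, "HP": 3, "IGEL": 2, "Stratodesk": 1, "Unicon": 4},
    "Nutanix Frame": {"Dell": 5, "HP": 2, "IGEL": 2, "Stratodesk": 1, "Unicon": 4},
    "Parallels": {"Dell": 4, "HP": 3, "IGEL": 2, "Stratodesk": 1, "Unicon": 4},
    "VMware": {"Dell": 4, "HP": 1, "IGEL": 1, "Stratodesk": 1, "Unicon": 4},
    "Browser": {"Dell": 5, "HP": 2, "IGEL": 3, "Stratodesk": 1, "Unicon": 4},
}


def version_key(text: str, depth: int = 2) -> Optional[Tuple[int, ...]]:
    """Reduce a vendor version string to a comparable tuple of `depth` ints.

    Assumption (mine, not the article's): a leading four-digit YYMM token such
    as "2108" names the same upstream release as the dotted form "21.8", so it
    is split into (21, 8). Vendor build suffixes ("_2", "hp1a", "-18251983")
    are dropped once `depth` tokens have been collected. None means absent.
    """
    if text.strip().lower() in MISSING:
        return None
    tokens = re.findall(r"\d+", text)
    if not tokens:
        return None
    nums: List[int] = []
    if len(tokens[0]) == 4 and depth >= 2:
        nums.extend((int(tokens[0][:2]), int(tokens[0][2:])))
        tokens = tokens[1:]
    nums.extend(int(t) for t in tokens)
    nums = nums[:depth] + [0] * max(0, depth - len(nums))
    return tuple(nums)


def competition_rank(keys: Dict[str, Optional[Tuple[int, ...]]]) -> Dict[str, int]:
    """Rank the way the article scores: newest = 1, ties share a rank, and the
    rank after a tie skips the tied slots (1, 1, 1, 4, 4 style).
    Vendors with no client at all share the last place."""
    present = {v: k for v, k in keys.items() if k is not None}
    ordered = sorted(present, key=lambda v: present[v], reverse=True)
    ranks: Dict[str, int] = {}
    for position, vendor in enumerate(ordered, start=1):
        prev = ordered[position - 2] if position > 1 else None
        if prev is not None and present[prev] == present[vendor]:
            ranks[vendor] = ranks[prev]  # tie: inherit the earlier rank
        else:
            ranks[vendor] = position
    for vendor, key in keys.items():
        if key is None:
            ranks[vendor] = len(present) + 1
    return ranks


def rank_row(row: Dict[str, str], depth: int = 2) -> Dict[str, int]:
    """Rank one client row (vendor -> version string) at release granularity."""
    return competition_rank({v: version_key(s, depth) for v, s in row.items()})


def total_scores(rank_rows: List[Dict[str, int]]) -> Dict[str, int]:
    """Sum per-category ranks; the lowest total is the overall leader."""
    totals: Dict[str, int] = {}
    for ranks in rank_rows:
        for vendor, rank in ranks.items():
            totals[vendor] = totals.get(vendor, 0) + rank
    return totals


def leader(totals: Dict[str, int]) -> str:
    """Vendor with the lowest summed rank."""
    return min(totals, key=lambda v: totals[v])


if __name__ == "__main__":
    print("Citrix ranks:", rank_row(CITRIX_ROW))
    print("VMware ranks:", rank_row(VMWARE_ROW))
    client_totals = total_scores(list(SUMMARY_RANKS.values()))
    print("Client totals:", client_totals, "leader:", leader(client_totals))
```

Run against the two constructed rows, the ranks reproduce the article's Citrix (1 for Stratodesk, 2 for everyone else) and VMware (three-way tie at 1, Dell and Unicon at 4) tables.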
VDI Client Reference Links
Nutanix Frame App
https://docs.frame.nutanix.com/session-conduct/frame-app/frame-app-gsg.html
Windows Microsoft AVD Client
https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10
Linux Microsoft AVD Client
https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/linux-overview
Windows Citrix Client
https://www.citrix.com/downloads/workspace-app/windows/workspace-app-for-windows-latest.html
Linux Citrix Client
https://www.citrix.com/downloads/workspace-app/linux/
Windows VMware Client
Linux VMware Client
Windows Parallels Client
https://download.parallels.com/ras/v18/RAS%20Client%20for%20Windows%20Changelog.txt
Linux Parallels Client
https://download.parallels.com/ras/v18/RAS%20Client%20for%20Linux%20Changelog.txt
Microsoft Edge
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel
Mozilla Firefox
https://www.mozilla.org/en-US/firefox/92.0/releasenotes/
Windows RDP Client
https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10
Linux RDP Client
https://www.microsoftedgeinsider.com/en-us/download?platform=linux-deb
Management Server Comparison
Operating System Releases and Types
Release frequency typically signals that the components within the operating system are kept updated and that bundled components and bug fixes are applied regularly. Some OS releases are all-inclusive firmware images with supporting packages; others let you add or remove packages you do not need.
Firmware Builds | Dell | HP | IGEL | Stratodesk | Unicon Software |
Firmware Version | ThinOS 9.1.3129 (9-9-21) | ThinPro 7.2 SP5 (9-24-21) | IGEL OS 11.06.100 (9-22-21) | NoTouch OS 3.3.290 (9-25-21) | eLux RP6 2107 (8-29-21) |
Firmware Version Rank | 4 | 2 | 3 | 1 | 5 |
In first place is Stratodesk, followed closely by HP, IGEL and then Dell, all of which have updates within the same month (which is great to see). Unicon is in last place due to the lack of release notes, with its last public post having been back in July. In most cases we expect these operating systems to update at least monthly to match updates from Linux distributions, and every couple of months when the VDI clients get updated.
Management Server Releases
These updates are typically quarterly and, in some cases, nearly monthly. Many of these solutions use open-source components that are updated at least monthly with security and bug fixes. These releases also typically provide more features for administrators and may need to be paired with the latest firmware for those new features to work. The effort for each upgrade will also vary depending on which solution is used.
Management Build | Dell | HP | IGEL | Stratodesk | Unicon Software |
Management Version | 3.3.1.29 (08-16-2021) | 5.0 SP7.1 (8-19-21) | 6.08.120 (9-24-21) | 4.5.183 (9-25-21) | 15.0 2107 (July-2021) |
Management Version Rank | 4 | 3 | 2 | 1 | 5 |
In first place is Stratodesk by just one day with IGEL in second place followed by Dell and HP, both having releases in August. Unicon is in last place due to the lack of release notes and no public posts since July.
Management Options
The number of options for where these solutions can be deployed and serviced is another large factor in the decision process. In the past, most thin client solutions were managed with an onsite management suite\server, with Dell being one of the first major players to get its solution managed in the cloud. That was first made possible in the summer of 2017, and now in 2021 Stratodesk has released Stratodesk NoTouch as an Azure Marketplace offering. Each of these solutions could have its appliance deployed in a cloud, but you would still be managing it like a traditional VM, with its own software upgrade path.
Mgmt. Options | Dell | HP | IGEL | Stratodesk | Unicon Software |
Mgmt. Options | Managed Cloud & Onsite | Onsite Only | Onsite Only | Unmanaged & Managed Cloud & Onsite | Onsite Only |
Mgmt. Options Rank | 2 | 3 | 3 | 1 | 3 |
In first place is Stratodesk with three hosting options, managed cloud (NoTouch Cloud), unmanaged cloud (Azure Marketplace) and onsite, giving you the most flexibility and control based on your needs. Dell is in second place as it offers an onsite and a managed cloud solution. After these top two, HP, IGEL and Unicon are in a three-way tie for third because all the other solutions have the same capabilities. Cloud hosting does come with its own security risks, but that flexibility also enables more secure deployments, assuming proper planning and products are in place. Managed solutions are typically better for security: they are patched automatically, versus administrators responding to notifications of updates that could include security and/or bug fixes.
Azure NoTouch Cloud
https://www.stratodesk.com/products/notouch-cloud/
Dell WMS Pro Public Cloud
https://www.dell.com/en-us/work/shop/wyse-endpoints-and-software/wyse-management-suite/spd/wyse-wms
Management Server Requirements
The requirements of these management consoles are one of the biggest differentiators between the solutions compared. The major differentiators are which operating system is used, what type of database is supported and what other platform and hosting options are available. Some solutions use a virtual appliance that can be hosted in the cloud, while others are built for onsite deployments with connections to popular database platforms. At the same time, many systems are built on open-source components that require consistent patching. Some vendors handle this better than others by building almost entirely in house without relying on third parties.
Mgmt. Server | Dell | HP | IGEL | Stratodesk | Unicon Software |
Mgmt. Server | Windows | Windows | Windows + Linux | Linux Virtual Appliance | Windows |
Mgmt. Server Rank | 3 | 3 | 2 | 1 | 3 |
In first place we have Stratodesk. Stratodesk is a one-stop shop, deploying just a Linux appliance. IGEL is in second place because its software can run on Windows or Linux. Then we have a three-way tie for third with Dell, HP and Unicon, which offer Windows Server only.
Management Server Components
What components require installation on your server is something you and your security team should be aware of for each solution. If you rely only on the thin client vendor for all updates, there may be vulnerabilities that your compliance team will find by scanning the host or learn about from vendor threat feeds. There have been instances where known CVEs for these components took a couple of weeks or more to be patched by the vendor. This dovetails back into the release notes and components list: I believe every thin client vendor should list each component's version and what has been fixed. The items below exclude the database requirements, which are covered separately.
Mgmt. Components | Dell | HP | IGEL | Stratodesk | Unicon Software |
Mgmt. Components | Apache, Tomcat, Postgres | Apache, IIS (FTP), PHP, OpenSSL | Tomcat | MySQL, Java, PHP, NGINX | IIS + HTTP |
Mgmt. Components Rank | 3 | 4 | 1 | 4 | 2 |
In first place is IGEL, with just Tomcat publicly listed. I believe it has a couple more components that are not listed, but I did not get a chance to install UMS recently, so I will update this at a later date. In second place is Unicon, with only IIS and its own HTTP server used on the server, followed by Dell, which lists one additional component that appears to be used even when SQL is deployed as the database location. Tied for fourth place are HP and Stratodesk, which have the most components listed as required.
Management Database Options
All these solutions require a database to store the device details along with the configuration settings applied to the devices. Most of the solutions offer a couple of different database types, which helps with flexibility and hopefully allows you to use the database system your team is most comfortable with, yielding a better selection outcome. One vendor uses an embedded database solution, which has its pros and cons for functionality but does help security, as less hardening configuration is required.
Mgmt. Database | Dell | HP | IGEL | Stratodesk | Unicon Software |
Mgmt. Database | Internal, External PostgreSQL | OpenJDK, SQL, PostgreSQL | SQL, Oracle, PostgreSQL, Apache Derby | MySQL, SQL, Oracle | SQL |
Mgmt. Database Rank | 4 | 3 | 2 | 1 | 5 |
In first place is Stratodesk, with an embedded database in its solution plus three potential external database sources, which do not require the extra configuration typically needed to secure other database solutions. In a close second place is IGEL, with the most database options (four), which can provide the ultimate flexibility. Third place goes to HP, followed by Dell and finally Unicon.
Security Features Comparison
The previous comparisons looked at solution builds from a security viewpoint; the following features are more directly security-focused. When any solution manages a portion of or all your endpoints, its security becomes important. Compared with typical Windows endpoint deployment and management constructs, a thin client solution must be easier to manage but should still have granular role-based access for administrators and devices.
Management Multi-Factor Authentication
Currently, having just a username and password protecting anything is a bigger risk than at any time before. There are ~14 billion known usernames and passwords that attackers use to get into organizations and/or personal identities. Some form of multi-factor authentication should be required for any external and/or sensitive system. When you manage your endpoints and have total control over those endpoints and their configurations, protecting that management plane should be a top priority. Multi-factor authentication is also not attacker-proof, as in many cases it can be bypassed with the user's help in a social engineering attack.
Mgmt. MFA | Dell | HP | IGEL | Stratodesk | Unicon Software |
Mgmt. MFA | Yes (Email) | None | None | Yes (TOTP) | None |
Mgmt. MFA Rank | 2 | 3 | 3 | 1 | 3 |
In first place is Stratodesk, as it can integrate with most TOTP systems, which have become the industry standard in most cases for a second factor. In second place is Dell with email verification before user login; this is more commonly bypassed if the user's credentials are compromised, as the attacker will typically have access to their email as well. Bypassing TOTP with compromised credentials requires access to the device associated with the seed\App, which typically requires physical access along with possibly another passcode to get into that device. This lowers the risk of attack on TOTP-based systems. Email verification is certainly better than nothing, but it would benefit users if more vendors integrated TOTP like Stratodesk; some of that coding is already done for the email notification system. Then we have a three-way tie for third place with HP, IGEL and Unicon, as they do not currently appear to have a solution in place.
Management USB Control Policies
Controlling USB devices is critical to any endpoint deployment. It is unfortunate that managing USB devices is not as easy here as it is on ChromeOS, MacOS, Linux and Windows endpoints overall, but I think it will only take a couple of larger breaches and incidents that start with a USB device to push these vendors to make USB devices easier to manage through their policy engines. We have seen some improvements in native management abilities from some of these operating systems, but many still require another license and/or product to manage USB device rules.
Most deployments I assess only need HID devices (mouse and keyboard) allowed on the endpoints, with other device classes or specific devices allowed only for specific endpoint types or individual devices. The good news in this category is that all the vendors provide a way to prohibit specific classes of USB devices, along with the ability to allow only certain classes of devices and/or specific devices. The key to this working as expected is making sure the VDI broker security settings match the endpoint security settings.
USB Policy Control | Dell | HP | IGEL | Stratodesk | Unicon Software |
USB Policy Control | Yes (Class) | Yes (Class) | Yes (Class) | Yes (Class) | Yes (Class) |
USB Policy Control Rank | 1 | 1 | 1 | 1 | 1 |
In this category we have a five-way tie between Dell, HP, IGEL, Stratodesk and Unicon. This is a great sign that these endpoint vendors understand the security gaps created by allowing anything to plug into anything.
Management OS Component Management
How the OS is built and how it is maintained directly impacts the capability and risk of the system. Some clients allow extra OS components to be disabled and/or uninstalled, which is great for security. Some thin clients allow you to install Linux packages to customize the use case per client and allow you to use these devices outside of VDI, too. How the solution manages components and clients is an important aspect for businesses to consider. You should want to tune your endpoints to their use cases in order for them to have the items you want, while disabling/uninstalling the things you do not want.
Component Management | Dell | HP | IGEL | Stratodesk | Unicon Software |
Component Management | Basic | Custom Image Builds | Remove or Disable Unused Packages | Remove or Disable Unused Packages | Remove or Disable Unused Packages |
Component Management Rank | 4 | 5 | 1 | 1 | 1 |
In this category we have a tie for first place between IGEL, Stratodesk and Unicon. Each of these vendors can add custom packages for the ultimate tailored solution and includes the ability to disable or remove extra components. The policy engines and methods for component management vary between these top vendors but can achieve the same goal. In fourth place we have Dell, which has some basic component management with App Packages that can be managed outside of the firmware updates. For Dell and the others in this comparison, some firmware releases include updated components without the need to manage them separately. In last place is HP, which has amazing flexibility, but its update method is not policy-driven: it requires the build, configuration and deployment of a new image to the devices, or complicated scripting, to achieve a single component upgrade.
Update Method
This one is typically overlooked when picking a solution, especially when the focus is not security. With thousands of devices, the operational ability, the size of the package and the update method can have a significant impact on your new and/or old endpoint deployment. I will not go into the size and other operational differences as this blog is focused on just the security aspects of the solution, but I would advise looking at a couple of those items along with doing some testing before picking any solution.
When it comes to security, we need to be able to update the Firmware\OS or a single component application quickly when critical vulnerabilities are announced and resolved. The time from the announcement to resolution with updates directly impacts the risk to your organization by how fast and consistently you can roll out these updates.
Update Method | Dell | HP | IGEL | Stratodesk | Unicon Software |
Update Method | Firmware + Apps | Firmware + Apps + Write Filter Custom/Capture | Firmware + Apps | Firmware + Apps | Firmware + Apps |
Update Method Rank | 1 | 5 | 1 | 1 | 1 |
In this category there is another four-way tie for first place between Dell, IGEL, Stratodesk and Unicon. Each of these vendors can update the OS and application components separately. HP is given a weighted last place, beyond the second place a simple ranking would give it, because of its legacy method of updating devices, configuration and applications with a capture-and-deploy process. If you have multiple endpoint types, it could require multiple dedicated golden devices that will each need to be updated the same way to achieve an upgrade and/or configuration change. Custom scripting can make this easier, but the documentation and the delay this can still create mean it is not as fast as the other vendors. I have seen deployments left in a risky position with vulnerable CVEs that HP had resolved, but the devices could not be updated until someone was in the office to update the golden device, because it could not be done with just access to the HPDM server and remote VNC access to the device.
Release Notes
Having good public release information on your products is critical for potential and existing customers. This is also a bigger differentiator for some of the vendors: some release hardly any public information, others release summarized information on firmware build details and the components within them, and others simply list what was added. Some vendors also do not mention any Common Vulnerabilities and Exposures for their own operating system or other components, which I think is a bigger risk because you may have at-risk software and not know it. Good release notes also help overall compliance of the solution: if a scanner finds a vulnerability, the team knows it is tracked and, in many cases, will be fixed automatically. Since so many systems rely on third-party software, knowing whether it has been patched is important to understanding the risk to those endpoints.
Release Notes Details | Dell | HP | IGEL | Stratodesk | Unicon Software |
Release Notes Details | Details Per OS and Package, CVE Mentioned | Details Per OS and Package, CVE Resolved Listed | Most Details Per OS and Package, CVEs Not Listed | Details Per OS with Changes and Package Info | Not Listed Publicly, Only Behind Client Portal |
Release Notes Details Rank | 3 | 2 | 1 | 4 | 5 |
In this category, IGEL is in first place with the most detailed release notes. These release notes mention the VDI clients and other components included in the operating system, along with lists of CVEs resolved. They have almost as much detail for the management server, and one good thing they offer is an easy way to see the latest release of the endpoint and server systems. HP is in second place with the most thorough release notes, but many of the items are not kept on HTML pages, as HP relies on FTP sites. It is not easy to find out the latest version for the endpoint or server systems.
Once the more detailed release notes are found, HP just barely beats out Dell, which is in third place. Dell makes it easier to find out what the latest version is, but has less detail in its release notes, which does not help as much as IGEL's and HP's. Stratodesk has some basic release notes on a static page showing which version is the latest, the latest news and updates on the OS, and a list of operating system and management component versions, but it is missing references to CVEs resolved. Unicon is in last place because it does not publicly disclose its release notes; it sometimes releases blogs that may cover only small portions of the updates to the builds and the build numbers.
I think every vendor should have release notes for the endpoint and management system that are easily found. They should show the version history with the latest version at the top. Within the release notes we should know the bug fixes, security fixes (with CVEs), updated component versions highlighted (with all the packages), known issues and possibly other items. This helps customers see the latest version and what has changed while ensuring they know the client version and other build details. We want to make sure that customers can search for their version number, find details about it, and quickly pivot to the latest version and understand what that includes.
Thin Client Release Notes Overview
Below are some of the sections I found helpful from each Thin Client vendor as part of this audit. Some are better than others. For example, some keep their release notes behind their customer portal. Many vendors do a good job of organizing and optimizing their items for quick reference and for easy searching.
Dell
Summary of Firmware Release: this is where you can see all the 9.1 operating system releases and confirm you are on the latest one, shown on the right side.
A great one-stop shop to find the package version; having the full date of the whole release in the summary, rather than just the month and day, would be a great help.
Dell ThinOS 9.1.3129 Component Version Summary
Good view of some of the packages in the firmware release, but it does not list OS-related items.
Dell ThinOS 9.1.3129 Fixed Issue Summary
Shows the CVEs resolved, with the affected packages and version numbers, which is great for reference.
Dell ThinOS 9.1.3129 Fixed Issue Summary
Good list of Fixed issues to scan if any apply to you.
Dell ThinOS 9.1 Administrators Guide
https://dl.dell.com/topicspdf/thinos_9_1_ag_en-us.pdf
HP
HP ThinPro 7.2 Component Marketing Page
Marketing sheet for the 7.2 firmware that I found while searching for any information on it. It lists the Horizon and Citrix client versions, but I could not find that information anywhere else on the web.
https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-8412ENW.pdf
HP ThinPro AVD Client Details
Good list of the changes in each release; an easier way to view each package version would help. I could not find equivalent pages for the Citrix, Frame or VMware clients.
ThinPro 7.2 SP 5.5 Release Notes
Has the exact release date, the fixes and all the CVEs, but it then becomes a running list of items fixed in earlier versions, which makes it less useful. It should be easier to find, and published over HTTP for all clients rather than as a text file on an FTP site. This seems to have been HP's way for the past 20+ years; it results in terrible SEO and makes research difficult. I am unsure how much better the customer portal is.
http://ftp.ext.hp.com//pub/tcdebian/updates/7.2.0/service_packs/ThinPro7.2_SP-5.5.txt
MDCS HP Blog Links
An excellent site that lists almost all HP releases and some of the notes. HP would benefit from not relying on an FTP site that only a lucky Google search turns up; I had to get a lot of the data here rather than from official HP sources because of how hard HP makes it to find information on its product.
https://www.mdcs.nl/knowledge/latest-articles/
How to Install Parallels Client on HP ThinPro
https://kb.parallels.com/124789
HP ThinPro 7.2 Admin Guide
http://h10032.www1.hp.com/ctg/Manual/c07119616
IGEL
IGEL Release Notes Summary
Main Page, easy to navigate and see what the latest release is.
https://kb.igel.com/igelos-11.04/en/igel-os-release-notes-32871635.html
Release Dates are crystal clear.
IGEL OS Firmware Summary
Everything you want to know from one link, with further links to component versions, information, fixes (bug and security), known issues and more. This is the best release-notes layout of any thin client vendor assessed to date, and it is easy to find on the site or by searching it.
https://kb.igel.com/igelos-11.04/en/igel-os-11-49591233.html
IGEL Component Versions Summary
This makes it easy to see which version of each component is on the device. IGEL also uses the upstream release version numbers, unlike some vendors that add to or reassemble version numbers, which makes cross-referencing difficult.
https://kb.igel.com/igelos-11.04/en/component-versions-11-06-100-49591235.html
Stratodesk
They have only recently started publishing their release notes online, which is a good move. The notes are not as detailed or structured as some vendors', but you can see what was added in each firmware version, along with improvements, fixes and removed functionality. They do not currently show the version of each component on the system or any resolved CVEs.
Stratodesk Release Notes Summary Page
Stratodesk NoTouch OS Release Notes Sample
Stratodesk NoTouch OS Components Summary
Stratodesk Release Summary Fall 2021
https://www.stratodesk.com/whats-new-at-stratodesk-autumn-2021-edition/
Stratodesk NoTouch Center Guide
This is a summary of some of the settings, hosted on their knowledge base.
https://www.stratodesk.com/kb/NoTouch_Center_Settings
Stratodesk NoTouch OS Admin Guide
https://www.stratodesk.com/resource/stratodesk-notouch-os-quick-start-admin-guide-pdf/
Stratodesk NoTouch OS Quick Start Admin Guide
https://www.stratodesk.com/kb/NoTouch_OS_Quick_Start_(Admin_Guide)
This seems to be more up to date than the Quick Start Admin Guide, and it is also available in PDF form.
Unicon Software
Unicon Scout Enterprise Management Server Release Summary
High level items only.
https://www.unicon-software.com/news/detail/scout-eluxr-scg2107-released101/
Unicon eLux Software Release Summary
This one has some component version details in the release notes, but it does not mention CVEs or give details of bug fixes or security enhancements, which makes it difficult to understand what was updated and what risks were mitigated.
https://www.unicon-software.com/news/detail/scout-elux-2104-ltsr-cu1-released/
https://www.unicon-software.com/udocs/archive/elux_rp_en.pdf
Unicon Software eLux RP Administrator’s Guide
https://myelux.unicon-software.com/udocs/archive/elux_rp_en.pdf
Unicon Software Scout Enterprise Management Administrator’s Guide
https://myelux.unicon-software.com/udocs/archive/scout_enterprise_en.pdf
Endpoint Ports
Fewer open ports generally means less exposure: each open port is a listening service that has to be patched and that an attacker can probe. Port count is only a proxy, though; what a port carries matters as much, and an unencrypted FTP, HTTP, plain MQTT or VNC channel is a bigger concern than one extra TLS listener. This comparison focuses on the ports used between the endpoint and the servers and management components. Every solution has a management port through which devices are controlled and, in most cases, a second port used to shadow the user's session for troubleshooting. Solutions with more components carry correspondingly more port, firewall, database and server requirements.
| Dell (3) | HP (10-13) | IGEL (4-8) | Stratodesk (1) | Unicon (5) |
|---|---|---|---|---|
| TCP 443 (Client to WMS Server) | TCP 443 Repository (Client to HPDM) | TCP 8443 (Client to UMS HTTPS Tomcat) | TCP 443 (Client to NTC) | TCP 80 (Client to Scout Server) |
| TCP 1883 MQTT (Client to WMS Server) | UDP 40009 (Client to HPDM) | TCP 30001 (Client to UMS) | | TCP 443 (Client to Scout Server) |
| TCP 5900 (VNC) | TCP 20, 21 FTP (Client to HPDM) | TCP/UDP 30005 (Client to UMS) | | TCP 5900 (VNC) |
| | TCP 5900 (VNC) | TCP 5900 (VNC, unless Secure VNC is enabled) | | TCP 22123 Mgmt (Client to Scout Server) |
| | TCP 5800 (VNC) | TCP 30022 (Client to UMS, Secure Terminal) | | TCP 22124 Mgmt TLS 1.2 (Client to Scout Server) |
| | TCP 22 SFTP (Client to HPDM) | UDP 9 (Wake on LAN) | | |
| | TCP 989, 990 FTPS (Client to HPDM) | | | |
| | UDP 40000, 40003 (Client to HP Gateway) | | | |
| | UDP 40004 (SSL VNC Proxy) | | | |
| Endpoint Ports | Dell Score | HP Score | IGEL Score | Stratodesk Score | Unicon Score |
|---|---|---|---|---|---|
| Endpoint Ports Open | 3 | 12 | 6 | 1 | 5 |
| Endpoint Ports Rank | 2 | 5 | 4 | 1 | 3 |
Stratodesk has the fewest ports open by default, followed by Dell and then Unicon to make up the top three; IGEL and HP round out the group. HP needs roughly double the ports of the other thin clients. These findings are based solely on the release notes and guides the vendors provide. In a later revision I hope to have each of these systems in a lab so the endpoints and servers can be port-scanned to confirm them.
Server Ports
As with the endpoint comparison, fewer is better: each open port is a service that must be patched and defended. The server ports vary by vendor but, as expected, correspond closely to the ports the endpoint requires.
| Dell (3) | HP (21) | IGEL (5) | Stratodesk (2) | Unicon (7) |
|---|---|---|---|---|
| TCP 443 Secure MQTT + Mgmt (WMS Server) | TCP 443 Repository (HPDM) | TCP 8443 IGEL RM GUI Server (UMS) | TCP 443 Mgmt (NTC) | TCP 80 Dashboard (SE) |
| TCP 1883 MQTT (WMS Server) | TCP 1099 RMI Registry (HPDM) | TCP 9080 IGEL RM Server (UMS) | TCP 80 Mgmt (NTC) | TCP 443 Dashboard (SE) |
| TCP 11211 Memcached (WMS Server) | TCP 20, 21 FTP (HPDM) | TCP high port IGEL RM GUI Server (UMS) | | UDP 1434 MSSQL Browser (SE) |
| | UDP 40000 In (HPDM) | TCP 30001 IGEL RM GUI Server (UMS) | | TCP 22123 Mgmt (SE) |
| | TCP 40001-40009, 40012 In (HPDM) | TCP 30002 IGEL RM GUI Server (UMS) | | TCP 22124 Mgmt TLS 1.2 (SE) |
| | TCP 22 SFTP (HPDM) | | | TCP 22 SSH (SE) |
| | TCP 137-139 NetBIOS File Sharing (HPDM) | | | TCP 22125 Clients TLS 1.2 (SE) |
| | TCP 445 Microsoft Directory Services (HPDM) | | | |
| | TCP 989, 990 FTPS (HPDM) | | | |
| Server Ports | Dell Ports | HP Ports | IGEL Ports | Stratodesk Ports | Unicon Ports |
|---|---|---|---|---|---|
| Server Ports Open | 3 | 21 | 5 | 2 | 7 |
| Server Ports Rank | 2 | 5 | 3 | 1 | 4 |
Stratodesk has the fewest server ports open by default, followed by Dell and then IGEL to make up the top three; Unicon and HP round out the group. HP has three times the ports of the next highest vendor. There is a lot of room for improvement on HP's side, but it would take a great deal of effort: HPDM appears to carry a lot of legacy baggage, which is also what we saw in the default policies of some of the largest and oldest VDI vendors. These findings are based on the release notes and guides the vendors provide. In a later revision I hope to have each of these systems in a lab so the endpoints and servers can be port-scanned.
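The port comparisons above, for both endpoints and servers, are taken from vendor documentation, and the natural follow-up is the lab port scan the text mentions. As an added example (not the article's own tooling or any vendor's), the script below transcribes the server port table into structured form, reproduces the article's fewest-ports-wins ranking, and checks a scan result against what a vendor documents, reporting listeners the documentation does not mention. The scan input is a constructed nmap grepable-output (-oG) sample for a hypothetical UMS host, not a real scan, and the ssh and postgresql listeners in it are there only to show what an undocumented port looks like in the report. The same audit function applies to an endpoint scan once the endpoint's inbound listeners (VNC, Secure Terminal, Wake on LAN) are transcribed the same way.

```python
"""Check documented management-server ports against an actual scan.

Added example for this article; it is not vendor code.  The documented port
sets are transcribed from the server port table above, and the scan output
is a constructed nmap grepable (-oG) sample, not a real scan result.
"""
import re

# (protocol, port) pairs each vendor documents as listening on its management
# server, transcribed from the server port table.  Port ranges are expanded.
# IGEL's unspecified "TCP high port" (a dynamic port) is omitted because it
# cannot be matched against a concrete number, so IGEL has four entries here
# rather than the five counted in the table; the ranking is unaffected.
DOCUMENTED_SERVER_PORTS = {
    "Dell WMS": {("tcp", 443), ("tcp", 1883), ("tcp", 11211)},
    "HP HPDM": {
        ("tcp", 443), ("tcp", 1099), ("tcp", 20), ("tcp", 21), ("udp", 40000),
        *{("tcp", p) for p in range(40001, 40010)}, ("tcp", 40012),
        ("tcp", 22), ("tcp", 137), ("tcp", 138), ("tcp", 139), ("tcp", 445),
        ("tcp", 989), ("tcp", 990),
    },
    "IGEL UMS": {("tcp", 8443), ("tcp", 9080), ("tcp", 30001), ("tcp", 30002)},
    "Stratodesk NoTouch Center": {("tcp", 443), ("tcp", 80)},
    "Unicon Scout": {
        ("tcp", 80), ("tcp", 443), ("udp", 1434), ("tcp", 22123),
        ("tcp", 22124), ("tcp", 22), ("tcp", 22125),
    },
}

# Constructed nmap -oG output for a hypothetical UMS host (192.0.2.10 is a
# documentation address).  The ssh and postgresql listeners are deliberately
# included to show what an undocumented port looks like in the report.
SAMPLE_SCAN = (
    "# Nmap 7.92 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 8443/open/tcp//https-alt///, "
    "9080/open/tcp//glrpc///, 30001/open/tcp//pago-services1///, "
    "30002/open/tcp//pago-services2///, 5432/open/tcp//postgresql///"
    "\tIgnored State: closed (994)\n"
)

# Each entry in the Ports: field is port/state/protocol/owner/service/rpc/version/
_PORT_ENTRY = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)/")


def parse_grepable(text):
    """Return the set of (protocol, port) reported as open in nmap -oG output."""
    open_ports = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in _PORT_ENTRY.findall(ports_field):
            if state == "open":
                open_ports.add((proto, int(port)))
    return open_ports


def audit(vendor, scan_text):
    """Split observed listeners into confirmed, undocumented and not-observed."""
    documented = DOCUMENTED_SERVER_PORTS[vendor]
    observed = parse_grepable(scan_text)
    return {
        # listening but absent from the vendor's documentation: ask the vendor why
        "undocumented": sorted(observed - documented),
        # documented but not listening: optional component, or blocked by a firewall
        "not_observed": sorted(documented - observed),
        "confirmed": sorted(observed & documented),
    }


def rank_by_port_count(port_sets):
    """Reproduce the article's scoring: fewer documented ports ranks better
    (1 = fewest); vendors with equal counts share a rank."""
    counts = {name: len(ports) for name, ports in port_sets.items()}
    return {name: 1 + sum(1 for c in counts.values() if c < count)
            for name, count in counts.items()}


if __name__ == "__main__":
    ranking = rank_by_port_count(DOCUMENTED_SERVER_PORTS)
    for name, rank in sorted(ranking.items(), key=lambda kv: kv[1]):
        print(f"{rank}. {name}: {len(DOCUMENTED_SERVER_PORTS[name])} documented ports")
    report = audit("IGEL UMS", SAMPLE_SCAN)
    for key, ports in report.items():
        print(f"{key}: {', '.join(f'{proto}/{port}' for proto, port in ports) or '-'}")
```

Run a real scan with `nmap -sT -sU -p- -oG ums.gnmap <host>` (a TCP connect scan plus UDP over all ports) and pass the file contents to `audit`; anything in `undocumented` is attack surface the vendor's port list did not prepare you for, and `not_observed` is the list to check against your firewall rules.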
Conclusion
Now we can take the Client Versions, Security Features and the Ports comparison and put all the data together for the grand finale results.
Security Feature Score Overview
Security Feature Rank Summary
Overall there was a good spread of ties and first places across the categories, and the per-category ranking shows which vendors lead and which are tied in each.
Final Rank Overview
Final Rank
Stratodesk wins, with IGEL close behind; Dell follows more than 10 points back, and there is nearly another 10-point gap to Unicon and HP. I expected IGEL and Stratodesk to be close, as they are the solutions I have worked with the most and most recently. I also expected Dell, which came in third, to be competitive: it has the longest history and many endpoints deployed. Unicon is fourth, with most of the major clients up to date and good features overall, but much of its material sits behind the customer portal, which does not help. HP is in last place. It has numerous endpoints deployed and is a good solution overall, but its legacy deployment model is short on updates, and the OS and management server also lack the frequent and substantial updates the other solutions receive.
September 2021
First Place Stratodesk
Second Place IGEL
Third Place Dell
Fourth Place Unicon
Fifth Place HP
I hope this was helpful. I will work on adding other vendors and on keeping the comparison up to date at least quarterly. It was a useful way to see how the vendors stack up from a security angle, and many of the comparison points may also highlight which vendor leads when paired with a particular broker. If you know of other security features I should compare, or if you find a miscalculation or something I missed, please contact me.