
Kaspersky Thin Client 2.0

Cyber Immune, manageable and functional infrastructure of thin clients
Components of the solution

Cyber Immune Thin Client
• Kaspersky Thin Client: Operating system for thin clients based on the microkernel KasperskyOS, which is preinstalled on the hardware platform

A single management platform for Kaspersky products
• Kaspersky Security Center: A single console for the centralized administration of thin clients running on Kaspersky Thin Client and other Kaspersky products
• Kaspersky Security Management Suite: Extension module for the centralized administration of thin clients via the KSC management console

Centerm F620
The first Cyber Immune Thin Client

Powered by KasperskyOS

A thin client that runs Windows or Linux is just another computer running Windows or Linux

[Figure labels: Windows CVE, Linux CVE]

• A thin client is a small full-fledged PC
• It’s impossible to install antivirus on a thin client
• Update process is hard and painful

Why a microkernel?

• 96% of critical Linux vulnerabilities are no longer critical in a microkernel OS
• 57% of critical Linux vulnerabilities move to the low-severity category in a microkernel OS
• 29% of critical Linux vulnerabilities can be completely prevented in a microkernel OS even without verification

"From a security perspective, a monolithic OS architecture is inherently vulnerable and is the root cause of
most security events. So it's time to transition to an OS structure that better meets the security needs of the 21st
century."

Source: Simon Biggs, Damon Lee, Gernot Heiser. 2018. The Jury Is In: Monolithic OS Design Is Flawed: Microkernel-based Designs Improve Security

KasperskyOS: main differences from monolithic OS

[Diagram comparing a general-purpose OS with KasperskyOS. Labels: Applications, Security level, OS level, Drivers, Services]


Thin clients can be attacked and require additional security tools

Attacks on thin clients*
• On devices connected to the thin client
• On the network stack of the TC OS
• On applications of third-party vendors
• On the thin client management server

Vulnerabilities in the code of remote environment delivery protocols
• 37 vulnerabilities in VNC and RDP libraries
• 25 vulnerabilities in RDP clients of rdesktop and FreeRDP (used in Windows, Linux, macOS)

* ICS CERT study by Kaspersky


Centerm F620: Kaspersky Thin Client hardware platform

Equipment specifications

Operating system: Kaspersky Thin Client
Processor: Intel® Celeron® 4125 Gemini Lake Refresh Quad-Core 2.0 GHz (4 MB L2 cache, up to 2.7 GHz)
RAM: 4 GB DDR4 (maximum 8 GB, DDR4/LPDDR4)
Disk subsystem: 64 GB, M.2 (2242) SSD
Video: Intel® UHD Graphics 600, up to 1920 x 1080
Network: 1 x LAN port (RJ-45) 10/100/1000 for LAN connection
Peripheral interfaces:
• 1 x DP
• 1 x HDMI
• 4 x USB 2.0
• 2 x USB 3.0
Dimensions and weight:
• Dimensions: 131 mm × 31.5 mm × 167 mm
• Net weight: 0.55 kg
• Packaging: 488 mm x 256 mm x 108 mm
Model details:
• DC input voltage: from universal (110-230 V) AC adapter 12 V, 3 A
• Power consumption: max. 30 W
• VESA mount, horizontal or vertical mounting
• Kensington Lock
• Fanless cooling through natural air convection

Kaspersky Security Center: a single management console

Kaspersky Security Center: a single console to manage all Kaspersky products

• Event monitoring on thin clients
• Configuration of thin clients
• Update delivery to thin clients
• Distribution of responsibilities for administrators and security officers
• Install and centrally update security certificates on thin clients

* the management is available only via KSC 14.2 Web Console.


Interaction with centralized management system

[Diagram: Kaspersky Thin Clients and Kaspersky Security Center. Labels: Events ("Is it something we have to know about?"), Policy, New firmware, Certificates]

* the management is available only via KSC 14.2 Web Console.


Advantages for every role in Kaspersky Thin Client

IT administrator
− Quick deployment of thin client (from 2 minutes)
− High update speed thanks to compact OS image size
− Centralized management using Kaspersky Security Center
− Updating via Kaspersky Security Center
− Manage and monitor thin client infrastructure from anywhere in the corporate network
− VDI connection, terminal connection, direct connection
− Connect to remote desktops running Windows and Linux NEW
− Automatically connect when disconnected NEW

IS administrator
− A single console for centralized management of Kaspersky security products
− Out-of-the-box device security thanks to KasperskyOS architecture
− Guaranteed user access to information within a remote environment
− Differentiation of rights for Kaspersky Security Center administrators
− Authorization of critical user action
− Safe migration to a new Kaspersky Security Center server
− Control network connections to remote desktops and applications
− Optimal application composition for the main use case

User
− Intuitive graphical interface
− Fast loading and availability
− Power-saving mode
− Display of screen on 2 monitors
− Use of USB devices and tokens in a remote environment Windows
− Remote desktop delivery performance NEW
− Print from printer connected to Thin Client NEW
− Audio conferences NEW
− Delivery of applications from remote session NEW
− Use of USB devices and tokens in a remote environment Linux NEW

Kaspersky Thin Client usage scenarios

How to connect Kaspersky Thin Client to remote desktops

• Virtual Desktop Infrastructure (VDI)
• Terminal server
• Remote virtual machine
• Remote computer/server
• Application server


Connection options

Kaspersky Thin Client connects over:
• RDP: Physical Machines, Virtual Machines, Terminal Servers, Microsoft Remote Desktop Connection Broker
• HTML5: Citrix, VMWare VDI and others…

Remote access to physical machines

Kaspersky Thin Client connects over RDP to:
• Windows: Windows 7, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
• Linux: Any Linux with xRDP

Remote access to virtual machines

Kaspersky Thin Client connects over RDP to:
• Windows: Windows 7, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
• Linux: Any Linux with xRDP

Hypervisor: Microsoft Hyper-V, VMWare, ...

Remote access to terminal server

[Diagram: Kaspersky Thin Client, RDP, Terminal session 1 to Terminal session 5. Terminal servers shown: Microsoft Terminal Server, TSPlus Remote Access]

Remote access to Microsoft RDS

Kaspersky Thin Client connects over RDP to the Microsoft RDS Connection Broker:
• Windows 7, Windows 10, Windows 11
• Windows Server 2016, Windows Server 2019, Windows Server 2022

Hypervisor: Microsoft Hyper-V

Remote access to Microsoft RDS

[Diagram: Kaspersky Thin Client, HTML5, VDI Broker (VMWare ...). Remote desktops: Windows, Linux. Hypervisor: VMWare, Microsoft Hyper-V, ...]

Kaspersky Thin Client is not a VDI solution

VDI is a big and complex infrastructure.

We don’t offer a VDI.

We offer a solution to work with VDI, terminal servers, etc.

List of supported operating systems for remote access

Kaspersky Thin Client

Windows OS
• Windows 7, Windows 10, Windows 11
• Windows Server 2016, Windows Server 2019, Windows Server 2022

Linux OS

Device redirection

Kaspersky Thin Client

RDP (Windows, Linux)
• USB flash drives
• USB smart cards
• USB tokens
• USB printers
• Audio (via mini-jack)
• Up to 2 monitors (HDMI, DP)

HTML5
• Audio (via mini-jack)
• Up to 2 monitors (HDMI, DP)

Known limitations:
1. USB drive redirection into active RDP session.
2. Redirection into Linux is available in case of krdp server application.
The list of supported devices will be expanded. All limitations will be fixed in upcoming releases.

Major features of Kaspersky Thin Client

Main security features

1 KasperskyOS secure design. No additional security tools are required
2 RDP and HTTPS are always encrypted. RDP-TCP is used
3 All counterparts are verified using certificates:
• Remote desktops
• VDI brokers
• KSC
• Log server

[Diagram labels: Security Administrator, Kaspersky Security Center, Kaspersky Thin Clients]

Major advantages

• Cyber Immunity (no antivirus or firewall needed)
• Less frequent updates (no OS patch needed)
• No antivirus database update needed
• Group management via KSC (up to 100000 devices)
• Image less than 200 Mb (fast booting and update)
• Fast loading (about 30 sec)
• Fast OS update (less than 2 min and 1 reload)
• Automatic configuration (~1 min)

Other key features

How to flash KTC firmware?

• Prepare special USB drive (~5 minutes)
• Special files and guides are ready for you to use
• ~2 minutes to flash a single device


Automatic configuration

Step 1 (DHCP server): Obtaining network settings including KSC server address
Step 2 (Kaspersky Security Center): Obtaining settings from KSMS policy

KTC is ready for work in 1 min after connection to the network

Update process

1 Signature updates and patches are not required for the KTC
2 The only reason to update is if you need new features
3 Firmware update process takes less than 2 minutes and requires 1 reboot
4 Update process is managed centrally with KSC

[Diagram labels: Public Update Servers, Kaspersky Security Center, Kaspersky Thin Clients]

Automatic installation of certificates on Windows machines via KSC

Centralized certificate installation

• Authenticates remote desktops to which the thin client connects
• Ability to quickly add a reference certificate for a group of machines
• Installation is performed using the built-in Windows utility certutil
• Installation package is a batch file with two commands
• KSC agent on a Windows machine is not compulsory!

[Diagram labels: KSC Server; Certificate installation; Physical and virtual Windows machines (VM); Trusted mode; Distribution of certificates via Kaspersky Secure Management Suite (KSMS) policy; RDP; KTC]

A certificate with a private key (.pfx) is installed on Windows machines

KSC Server distributes a similar certificate without a private key (.cer or .der) to thin clients

Connection to a thin client RDP session from the KSC MMC console

1 Requires Kaspersky Total Security for Business or KES (Advanced) licenses
2 An administrator can see what is happening on a user’s screen from the MMC console and assume control
3 No password is requested for the connection, but the operator from the KTC session must explicitly allow the connection
4 Ability to establish multiple simultaneous connections to different users

[Diagram labels: Administrator, MMC console, Kaspersky Security Center, Windows desktop sharing (over RDP session), Windows machine, RDP, User]

Requirements:
1. Administration agent on the machine
2. Access to the KSC MMC console
3. Session with KTC via RDP must be active

The administrator sees everything the operator does in a given session, sees the cursor, the clicks. The administrator can move his/her own cursor and click.

Work over Privileged Access Management (PAM) system

[Diagram labels: Privileged employee workstations/contractor access segments; Contractor's remote employee; Secure channel connection; PAM system; Record of session; Audit; Incident investigation; Target IT system in ICS; Critical corporate information system; IT/InfoSec service management systems]

Key features of Kaspersky Security Center for IT administrators

Audit
1. Auditing of file actions
The administrator is notified about actions performed with certain files (opening, modifying, sharing)
2. Software inventory
KSC receives information about which software is installed on which device
3. Hardware inventory
The administrator can view the hardware configuration of each remote machine from KSC

Technical support
1. Windows desktop sharing
Allows the administrator to see what is happening in the remote user session and provide help in case of errors
2. VDI Microsoft Hyper support
Limited support scenario for the new virtualization platform
3. Certificate installation on remote machines using a KSC task
Ability to simplify configuration of certificate verification using a KSC task

Update & backup
1. Patch Management
Ability to perform application and OS updates on all remote machines in a couple of simple steps
2. Remote installation of software
A KSC administrator can install an application on a group of managed remote machines with one task
3. Working with images
− Creating a machine image from a reference machine
− Adding the attachments and response file to the ISO file
− Installing an OS from an image over an existing OS
− OS installation over the network (PXE)

Frequently asked questions

Roadmap for 2024

Versions: 2.1, 2.2

• Blocking access to the thin client desktop
• Scanning documents through RDP
• USB headset Redirection
• Video Redirection
• Redirecting USB-tokens via Web Access
• Remote access to Thin Client desktop via RDP
• Resetting the credential cache for connecting via web access
• Redirecting USB-flash storages via Web Access
• Auto connection to remote desktop

Frequently asked questions

FAQ

- Is KasperskyOS a Linux-based operating system?
- No.

- Is it possible to use KasperskyOS as a desktop OS?
- No.

- Does Kaspersky have backend services for thin clients?
- No.

- Is it possible to install KTC on different HW platforms?
- Currently only Centerm F620 is supported.

- How can an administrator or user log in to KTC?
- KTC doesn't use role model.

- Does KTC support Bluetooth, Wi-Fi or 4G devices?
- It's intended in future releases.

- When will it be possible to transfer audio via USB?
- In 2024.

- Is it possible to use KTC without KSC?
- Yes, but it's insecure and inconvenient in large systems.

- Does KTC support VPN?
- It's intended in future releases.

- When will it be possible to redirect scanner / camera?
- In 2024.

- When will it be possible to get remote access to KTC?
- In 2024.

- Is it secure not to use role model in KTC?
- Yes, since KTC doesn't store passwords to remote infrastructure.

Demo

How to demonstrate Kaspersky Thin Clients?

• Kaspersky Thin Client interface demonstration
• Management console in Kaspersky Security Center demo
• Connection to remote machine
• Device redirection demo (USB drive and token)

How to demonstrate Kaspersky Thin Clients online?

• HDMI to USB video signal converter: AVerMedia GC311 Live Gamer mini
• Video capture software: OBS Studio
• Online streaming

Thank you!
