thinlaunch quick take v08.20.09.txt

after reading Michael Keen's post at: http://www.brianmadden.com/blog/MichaelKeen/Have-you-heard-of-ThinLaunch I headed over to http://www.thinlaunch.com/ for the eval since repurposing existing winxp clients is something I am interested in..

first thing is that it requires .net 2.0 framework.. this shouldn't be an issue but just another hurdle and for whatever reason I don't have snapshot for my winxp sp2 vm with .net 2.0 already installed.. atleast not on this laptop.

quick install and at the end it asks you for what executable you want to run at startup.. browse and select something.

now for the guts.. it's is scary!!

it creates a local user that is a member of Local Users AND Administrators called:
ThinDesktopUser with a password of: test!123abc!!@#

then proceeds to modify the registry to autologin and run C:\Program Files\Thin Desktop\ThinDesktop.exe /s, via the UserInit key.

ThinDesktop.exe then reads: HKLM\SOFTWARE\ThinLaunch\Thin Desktop\LaunchCommand (which has the full path to the exe you defined earlier)

so... my quick and dirty lockdown that is going to set me back $20-26 per workstation has created a local admin account with a standard password and is still running explorer.exe as the shell..

good news is there is an alternative and Microsoft was so kind to provide it for free.. regedit.exe

simply browse to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the Shell key to the full path of the executable of your VDI client, XenApp full client or better yet, frontend a web-portal with Public Web Browser from TeamSoftware Solutions

PWB will set you back $125 per year for a site license so you'll need atleast 5 clients to repurpose to realize your ROI versus ThinLaunch. This is only if you want to do the web portal, setting the Shell key to any other .exe is free and requires a keyboard, but PWB does give you alot of other neat features.

The above solution works as a local or domain USER not admin, and won't expose you to the vulnerabilities that appear very obvious with ThinLaunch.

Sorry, throwing together a quick .NET 2.0 app that modifies the registry and perform a ShellExec API command (possibly more, don't want to understate it) isn't worth $26 per client when there is alot of hard work and engineering that goes into many other client licensed products around that price range such as appvirt, antivirus, device control, and full disk encryption.

Comments

Nick Rudnik said…
Thanks for the feedback and for taking the time to dig into it deeply on a technical level. The next update to Thin Desktop will address this. It is being tested now. The major improvements will be (1) the password for the auto logon user will be moved to the local security authority and not saved as plain text within the registry. (2) The password will be a random, strong password specific to each computer on which Thin Desktop is installed. (3) The special purpose ThinDesktopUser will be removed from the Administrators and left in the Users group after first run. It may be further restricted by the administrator if desired.

Look for the release some time this week.

Popular posts from this blog

using vlc to create a web-based vod library v07.18.11.txt

how to kill an ix4-200d with ssd iometer tests v09.30.12.txt

wireless pxe bios v08.09.09.txt