DXZ4 security edition zero client
Page 32
If you keep the AWI and CMI enabled, so that zero client
administration is not restricted to the local On Screen Display,
you must ensure that any configuration changes are performed
from the trusted network on which the zero client is deployed.
If you want to make sure that the connection is confidential, you
must use a Virtual Private Network assured to the classification
of the data being exchanged.
6.3
Set up the control of allowed USB devices
Important!
Make configuration changes using the AWI on
each zero client and then disable the AWI before you deploy
the unit to end-users (see
The DXZ4-A and DXZ4-AM zero client supports access control of
peripheral USB and audio devices. We advise that you limit the
USB devices accepted by the zero client to only include those
devices that are critical for zero client usage.
6.3.1
Specify permissions for attached USB devices
To specify or deny permissions for attached USB devices:
1.
Launch the AWI for the zero client that you want to
configure.
2.
From the home screen, choose
Permissions > USB
.
3.
Specify lists of authorized and unauthorized USB devices.
You can identify devices by ID (vendor or device) or by class (for
example, ‘Mass Storage’ or ‘Wireless’).
a).
Add a ‘white list’ of any
authorized
USB devices;
b). Add a ’black list’ of
unauthorized
USB devices.
In both cases, you can use wild cards (* and ?) to define general
device types that you want to allow or block.
Note:
A list of hexadecimal vendor IDs and USB device IDs is
available at
6.4
Disable the audio (optional)
Important!
Make configuration changes using the AWI on
each zero client and then disable the AWI before you deploy
the unit to end-users (see
We recommended that you disable the zero client audio inputs
and outputs if they are not critical to the deployment operation.
To disable audio:
1.
Launch the AWI for the zero client that you want to
configure.
2.
From the home screen, choose
Permissions > Audio
.
3. Clear the
Enable HD Audio
check box.
6.5 Use event logs
Important!
Make configuration changes using the AWI on
each zero client and then disable the AWI before you deploy
the unit to end-users (see
The DXZ4-A and DXZ4-AM zero clients record a log of device
activity and performance. The zero client supports Syslog and
Network Time Protocol (NTP) to centralize and improve the
accuracy of log data.
We recommend that you use both of these features. You can
also specify a higher level of detail (‘enhanced logging’) in the
zero client log for one specific category of log entry.
6.5.1
Enable event logs
To enable the Syslog and NTP protocols and set up enhanced
logging:
1.
Launch the AWI for the zero client.
2.
From the home screen, select
Diagnostics > Event log
.
3.
Enable and configure Syslog logging on the zero client.
4.
Identify the Syslog server and choose a syslog facility for your
zero clients.
Note:
You can also enable enhanced logging for a single
category of log entries, such as USB entries.
5.
From the home screen, choose
Configuration > Time
.
6.
Configure the
Network Time Protocol
(NTP) parameters to
allow zero client log entries to be time-stamped based on NTP
time.
7.
Make sure you specify an NTP server and the local time zone.
6.5.2 Check the event logs from the OSD
Inspect the event log at regular intervals for unexpected entries
or activity. Follow your organisation’s security procedure if the
log includes unexpected or suspicious entries that indicate
possible interference.
To use the OSD to inspect the event log:
1.
Launch the On Screen Display.
2.
From the
Connect
screen, choose
Options > Diagnostics
> Event Log
.
To use the AWI to inspect the event logs:
1.
Launch the Administrative Web Interface.
2.
From the home screen, chose
Diagnostics > Event log
.
3. Click the
View
button.
6.6 Dispose of zero clients securely
The DXZ4-A and DXZ4-AM zero clients support a factory reset
option. This option resets all configuration and permission
settings stored on the device.
If you intend to dispose of a device, make sure you apply the
factory reset, and that this reset has been effective.