10.2 Locking Down Thinfinity® Workspace
Locking down Thinfinity Workspace refers to the implementation of security configurations and controls that restrict system access, minimize the attack surface, and ensure that users have access only to the resources they need to perform their job.
In the context of Thinfinity Workspace, relying solely on usernames and passwords is insufficient for securing access to applications. Such credentials, being highly susceptible to theft and misuse, should not be the sole gatekeepers to your critical resources.
Hardening Identity
Enable Two-Factor Authentication (2FA): Implement 2FA using the native Thinfinity Workspace HOTP/TOTP server or a third-party provider such as Duo, so that a stolen password alone is not enough to log in.
Restrict Anonymous Access: Disable the Allow Anonymous Access option in the Authentication tab to prevent unauthorized access.
Manage Local Server Users: Disable unnecessary local server accounts and the Windows "Guest" account; any enabled local account on the host is a potential way into Thinfinity Workspace.
For a robust cybersecurity posture, it's also recommended to enhance Thinfinity Workspace's authentication mechanism by integrating it with leading identity providers such as Okta, Auth0, PingID, and JumpCloud. Utilize established protocols like SAML and OAuth2 to secure access within your digital environment.
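As an added example (not part of the Thinfinity Workspace documentation), the following PowerShell audits the local accounts on the Workspace host: it disables the built-in Guest account and reports every other enabled local account that is not on an explicit allow list. The allow-list entries, in particular the service account name, are assumptions; replace them with the accounts the host actually needs.

```powershell
# Added example (not from the Thinfinity Workspace documentation).
# Audits local accounts on the Thinfinity Workspace host: disables the
# built-in Guest account and reports every other enabled local user that is
# not on an explicit allow list. Run from an elevated PowerShell session.

# Local accounts that are expected to stay enabled. The service account name
# is an assumption for illustration; adjust it to the actual host.
$AllowedLocalUsers = @('Administrator', 'svc-thinfinity')

# 1. Guest: disable it if it is still enabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($null -ne $guest -and $guest.Enabled) {
    Disable-LocalUser -Name 'Guest'
    Write-Output 'Disabled the local Guest account.'
}

# 2. Everything else: list enabled local users outside the allow list so an
#    administrator can disable them or add them to the list deliberately.
$unexpected = Get-LocalUser |
    Where-Object { $_.Enabled -and ($_.Name -notin $AllowedLocalUsers) }

foreach ($u in $unexpected) {
    $lastLogon = if ($u.LastLogon) { $u.LastLogon } else { 'never' }
    Write-Warning ("Enabled local account not on the allow list: {0} (last logon: {1})" -f $u.Name, $lastLogon)
}

# 3. Enforcement is opt-in: set $Enforce to $true only after reviewing the
#    warnings above, because disabling the wrong account can break a service.
$Enforce = $false
if ($Enforce) {
    $unexpected | ForEach-Object { Disable-LocalUser -Name $_.Name }
}
```

Run it first with `$Enforce` left at `$false` and review the warnings; accounts that never logged on are the usual candidates for removal.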
Hardening Access
Enable brute force detection to block repeated login-guessing attempts, which otherwise also act as a Denial of Service against the login endpoint. (Protection Tab)
Where the client addresses are known, set up an "Allow list" / "Deny list" to control which sources may connect. (Protection Tab)
Disable the default-enabled "+" profile.
Configure "Max Login Attempts" and "re-enable after" so that a source is locked out after a small number of failures and released automatically after the chosen interval. (Protection Tab)
Enable "Remove Server Response Header" to prevent sending server version information in HTTP headers. (General Tab)
Additionally, implement GeoIP filtering to restrict access based on geographic location.
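The following PowerShell is an added check (not part of the Thinfinity Workspace documentation) that verifies from the outside that "Remove Server Response Header" is in effect: it requests the login page and reports any response header that still reveals a product or framework version. The URL is an assumption; point it at your own Workspace gateway.

```powershell
# Added example (not from the Thinfinity Workspace documentation).
# Checks, from a client, that the gateway no longer advertises its server
# version after "Remove Server Response Header" is enabled. The URL is an
# assumption; point it at the Thinfinity Workspace login page.

$Url = 'https://workspace.example.com/'

try {
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Warning ("Request to {0} failed: {1}" -f $Url, $_.Exception.Message)
    return
}

# Response headers that commonly leak product or framework versions.
$leaky = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version')

# -in is case-insensitive, so header-name casing does not matter here.
$found = @($resp.Headers.Keys | Where-Object { $_ -in $leaky })

if ($found.Count -gt 0) {
    foreach ($h in $found) {
        Write-Warning ("Version-revealing header still present: {0}: {1}" -f $h, ($resp.Headers[$h] -join ', '))
    }
} else {
    Write-Output 'No version-revealing response headers; "Remove Server Response Header" is in effect.'
}
```

Run it from a host outside the server, since that is the view an attacker gets; a remaining `Server` header means the setting has not been applied or a proxy in front of the gateway is adding its own.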
Safeguarding Sensitive Data
Secure File System Permissions
Certain Thinfinity files and directories require protection to ensure that only the necessary security principals have access. General users should not have permissions to these sensitive areas.
Specifically, attention should be given to securing the directory:
C:\ProgramData\Cybele Software\Thinfinity\Workspace\DB
and in particular the file:
C:\ProgramData\Cybele Software\Thinfinity\Workspace\DB\Settings.ini
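As an added example (not part of the Thinfinity Workspace documentation), the PowerShell below restricts the DB directory, and therefore Settings.ini inside it, to SYSTEM and local Administrators, and then verifies that no other principal still has an entry on the file. It assumes the Thinfinity services run as Local System; if they run under a dedicated service account, that account must be added to the keep list (the commented name is a placeholder). Take a backup of the directory before changing its ACL.

```powershell
# Added example (not from the Thinfinity Workspace documentation).
# Restricts the Thinfinity DB directory, and therefore Settings.ini inside it,
# to SYSTEM and local Administrators, then verifies that no other principal
# still has an ACE on Settings.ini. Run from an elevated PowerShell session
# on the Thinfinity Workspace server, after backing up the directory.

$DbDir    = 'C:\ProgramData\Cybele Software\Thinfinity\Workspace\DB'
$Settings = Join-Path $DbDir 'Settings.ini'

# Principals that keep Full Control. If the Thinfinity services run under a
# dedicated account instead of Local System, add it here (placeholder shown).
$Keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # , 'DOMAIN\svc-thinfinity'

# Phase 1: break inheritance from ProgramData but keep copies of the inherited
# entries as explicit ACEs, so the directory never ends up with an empty DACL.
$acl = Get-Acl -Path $DbDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $DbDir -AclObject $acl

# Phase 2: re-read (the copies are now explicit), drop every principal that is
# not on the keep list, and (re)grant Full Control to the ones that are.
$acl = Get-Acl -Path $DbDir
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -notin $Keep) {
        [void]$acl.RemoveAccessRuleAll($rule)
    }
}
foreach ($principal in $Keep) {
    # ContainerInherit + ObjectInherit makes the entry flow to Settings.ini
    # and every other file and subdirectory under DB.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $DbDir -AclObject $acl

# Verify on the file itself: it should carry only entries inherited from the
# directory for the kept principals. Anything else (for example an explicit
# ACE set directly on the file) is reported for manual removal.
$extra = @((Get-Acl -Path $Settings).Access |
    Where-Object { $_.IdentityReference.Value -notin $Keep })

if ($extra.Count -gt 0) {
    foreach ($e in $extra) {
        Write-Warning ("Unexpected ACE on Settings.ini: {0} {1} ({2})" -f $e.IdentityReference, $e.FileSystemRights, $e.AccessControlType)
    }
} else {
    Write-Output ('Settings.ini access is limited to: ' + ($Keep -join ', '))
}
```

The two-phase approach matters: applying `SetAccessRuleProtection($true, $false)` and removing rules in one pass can leave the directory with no usable ACEs before the new grants are written, whereas copying the inherited entries first and pruning them after a re-read keeps the directory accessible throughout.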
Safeguarding Secrets
The API key stored in C:\ProgramData\Cybele Software\Thinfinity\Workspace\DB\Settings.ini must be regenerated if it has been used for development or testing purposes, since copies may survive in scripts, repositories or shell histories.
The NetworkID should also be carefully protected. In the event of a compromise, it must be changed on every component of the installation to maintain security integrity.
Host Layer
Hardening Host Access
User mappings in Thinfinity Workspace play a critical role in establishing who has access to what within the virtual environment. It is essential to review and assign user mappings diligently, ensuring that each user's access rights are aligned with their role and requirements within the organization. This minimizes the potential for unauthorized access to sensitive resources and systems.
Implement role-based permissions to control access levels within the Thinfinity Workspace environment. Define roles based on job functions and assign permissions that grant only the access necessary to perform a user's duties. This approach adheres to the principle of least privilege, reducing the risk of insider threats and the potential impact of user account compromises.
Privileged credentials on the host should be restricted to the absolute minimum required for operations. Regularly audit and review privileged accounts, ensure that strong and unique passwords protect them, and employ multi-factor authentication for an added layer of security. Whenever possible, use privileged access management solutions to monitor and manage the use of privileged credentials, logging all activities for accountability and traceability. By tightening controls around host access, organizations can substantially bolster their defense against both internal and external threats, ensuring that critical systems remain secure and resilient.
Hardening Files
Intermediate Disk (File Transfer): Disable this feature if not essential to reduce the attack surface related to file transfers.
File Transfer Restrictions: When file transfer is necessary, use the "Disable these file extensions" setting to block potentially harmful file types and prevent their upload.
Licensing
Thinfinity Workspace requires connectivity to Cybele's license endpoint at https://secure.cybelesoft.com. For setups involving a separate Licensing Server installation, the following access provisions are necessary:
The Licensing Server must be allowed to make outbound connections to https://secure.cybelesoft.com.
It must be configured to listen on a specified port (default is 7443) and accept incoming connections on that port; restrict those connections to the Workspace servers that use it.
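The following PowerShell is an added example (not part of the Thinfinity Workspace documentation) for a separate Licensing Server: it creates an inbound firewall rule for the listener port that only the Workspace servers may use, checks that the host can actually reach https://secure.cybelesoft.com, and confirms something is listening on the port. The Workspace server addresses are assumptions; replace them with the real ones.

```powershell
# Added example (not from the Thinfinity Workspace documentation).
# On a separate Licensing Server: allow inbound TCP on the listener port
# (default 7443) from the Workspace servers only, and verify outbound
# reachability of Cybele's license endpoint. Run elevated.
# $WorkspaceHosts holds assumed addresses; replace them with the real servers.

$LicensePort     = 7443
$WorkspaceHosts  = @('10.0.20.11', '10.0.20.12')   # assumed Workspace server addresses
$LicenseEndpoint = 'secure.cybelesoft.com'
$RuleName        = "Thinfinity Licensing Server ($LicensePort/tcp)"

# Inbound: accept connections on the licensing port only from the Workspace
# servers. Created once; re-running the script does not duplicate the rule.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $LicensePort `
        -RemoteAddress $WorkspaceHosts -Action Allow -Profile Domain, Private | Out-Null
    Write-Output ("Created inbound rule '{0}'." -f $RuleName)
}

# Outbound: the Licensing Server must reach https://secure.cybelesoft.com.
# Check name resolution and a TCP handshake on 443 before relying on it.
$probe = Test-NetConnection -ComputerName $LicenseEndpoint -Port 443 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning ("Cannot reach {0}:443 from this host; check proxy and egress firewall rules." -f $LicenseEndpoint)
} else {
    Write-Output ("Outbound connectivity to {0}:443 confirmed ({1})." -f $LicenseEndpoint, $probe.RemoteAddress)
}

# Confirm the listener is actually up on the expected port and which process owns it.
$listener = @(Get-NetTCPConnection -State Listen -LocalPort $LicensePort -ErrorAction SilentlyContinue)
if ($listener.Count -eq 0) {
    Write-Warning ("Nothing is listening on TCP {0}; verify the Licensing Server service is running." -f $LicensePort)
} else {
    $proc = Get-Process -Id $listener[0].OwningProcess
    Write-Output ("TCP {0} is served by {1} (PID {2})." -f $LicensePort, $proc.ProcessName, $proc.Id)
}
```

If the host sits behind an outbound proxy, `Test-NetConnection` will fail even though HTTPS via the proxy works; in that case confirm the proxy configuration instead of opening direct egress.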
Audit Trails
Recording Sessions
Session Monitoring: Activate Remote Desktop Session Recording to monitor and record user activity, providing an audit trail for security and compliance.
Enable Enterprise Logging.
Enable Analytics.
Protect Privileged Sessions and Resources
Implement time-based access controls for mission-critical hosts or privileged sessions to ensure resources are available only during specified times.
Require users to obtain authorization for accessing privileged sessions or critical hosts. This step adds an additional layer of security by involving a review process before access is granted.
Secure admin credentials on host machines through credential mappings, which prevent direct exposure of sensitive login information and reduce the risk of unauthorized access.