Offtopic (split from ...data offline from live CD)

    #16
    Originally posted by Feathers McGraw:
    Forgive me, I'm having an imagination failure. Probably because I wasn't around in the old school days

    What exactly is a client terminal & monitor? I'd imagined them as really low powered PCs that can SSH to the server, but based on your description that can't be right! What's the physical connection between it and the server?
    Actually, this isn't really old school, it's still currently used. The current term for the client device is "Thin Client" (which you can search on to learn). They are basically low end PCs with a network device. You connect to the server using ethernet, set the device to use PXE booting, and point it at the image on the server. If your PC or laptop supports PXE booting, you can do this with it too. Obviously, this is a real basic explanation.

    I have been researching this because in my new home, I want to have a fully networked system where any user can call up their desktop and files anywhere. Having a single bootable iso that's updated automatically by the server and every user having a single home-space for files and settings sounds a lot more easily maintained than 5 or 6 workstations. Plus the idea that you could log out of the office PC, walk to the Kitchen, log in there and be able to resume where you left off would be stellar.

    One spanner in the works: Wifi becomes difficult to use in this environment because you need a driver and password to log in - which most thin clients don't do. And I suppose in this day of high powered tablets, that large format tablets with docking stations would be just as easy to use with similar benefits.

    My plan is to off-load the "heavy lifting" to the server and use low powered desktop devices. Printing, Backups, Downloading, DVD rips, Video editing, etc., would be done on the server.

    Please Read Me



      #17
      Have they always been low end PCs, or were they once less than that?

      PXE is interesting, I remember you mentioned it when we were discussing the NUC (which I am still very happy with BTW). One thing though... you have a workstation in the kitchen?! Do you need it to control all your automated chef bots? Heston Blumenthal, eat your heart out

      If they're low end PCs with a network device then don't they still have the same vulnerabilities? You could boot an OS on the low powered PC and do whatever you liked on it, but with less processing power...

      Sounds like this kind of setup would be likely to assume that whatever is on the other end of the ethernet cable (the thin client end) is trusted, too?

      Thinking about my own home network, being on the LAN actually gives people the opportunity to do quite a few mischievous things because everyone on the LAN is considered to be "trusted" to a certain extent. In an office, I imagine most printers don't require authentication from people on the LAN, mail servers commonly accept unauthenticated outgoing email when it originates from the LAN, etc.
      samhobbs.co.uk



        #18
        IMW, yes, my LAN devices are "trusted" automatically if they are wired. Wifi devices with LAN access can be controlled, but my children, wife, and a few friends aren't really interested in doing mischievous things as they would suffer the wrath-of-the-dad if they did!

        A thin client (usually) has no hard drive but as we discussed above - physical access is almost impossible to make totally secure. Having backups of data that aren't reachable by normal means prevents accidental loss and having a single image that everyone boots from makes updates and backups very easy.

        I considered using NUCs as a dual purpose setup - boot PXE for computer stuff, boot to local drive for media device - but I think streaming video/audio would be doable via a thin client if I got the right devices. I haven't really settled on a plan yet - still playing around.

        BTW: My "chef bot" is a 5' 8" dark haired beautifully freckled woman of Bohemian/Irish descent. She is about as far from "automated" as one gets but one hell-of-a-lot better looking than that Heston Blumenthal fellow. She loves to spend a day researching recipes on the 'net and then making a mess in the kitchen. Usually the results are wonderful, so I support the effort by having a device in her domain.

        Please Read Me



          #19
          I can see the appeal of booting from a single image, it would definitely reduce repetitive admin. Aren't most of your devices laptops though? What happens when you take it out of the house?

          I can stream video over WiFi from one raspberry pi to another at very good quality, so I'm sure pretty much anything you choose will be able to do that!

          My chef bot is 5'3" and just made me a lovely fish pie. She never uses a recipe, which sometimes works out well and sometimes not, but this time we had some surprise mozzarella in the pie, which was really nice!
          samhobbs.co.uk



            #20
            Sounds delish!

            Almost no laptops here. I eschew those things when I can. We do have a couple netbooks and I have a laptop for work so it's rarely on my network.

            Clearly, if I enable this program, I will have to consider handling laptops properly.

            Please Read Me



              #21
              Originally posted by Simon:
              Linux Debian 6.0.9
              Kernel 2.6.32-5-686
              Gnome 2.30.2
              Yep, that's the old GNOME which has the very traditional layout we all learned from Windows 95, except that GNOME 2 used a top panel and a bottom panel.



                #22
                Originally posted by oshunluvr:
                set the device to use PXE booting, and point it at the image on the server
                Just to be clear... you aren't implying that the device performs a fresh install every time it's powered on, right? That shouldn't be necessary since you aren't running something like an Internet cafe where who-knows-what happens on those PCs. PXE would be useful to ensure that the half dozen or so PCs in your house all have the same installed OS, but I wouldn't think you'd need to reinstall it each time the PC is powered on.

                Mostly what you're describing is a remote desktop environment. I've seen this implemented successfully in organizations where employees have fixed functions -- bank tellers, for example. It's also useful for situations in which you need to quarantine an application that requires ancient support software. For instance, my employer uses some ERP software from Oracle. And get this -- it will work only with Java 6.16 and Firefox 3.6! So our plan is to set up a Windows Terminal Server running the Oracle application and those decrepit addons. This server will have no Internet access. The couple dozen people who need to use this particular application will VPN into corpnet, then connect the Windows Remote Desktop to the server to do their work.



                  #23
                  Originally posted by Feathers McGraw:
                  Thinking about my own home network, being on the LAN actually gives people the opportunity to do quite a few mischievous things because everyone on the LAN is considered to be "trusted" to a certain extent. In an office, I imagine most printers don't require authentication from people on the LAN, mail servers commonly accept unauthenticated outgoing email when it originates from the LAN, etc.
                  Printers are the worst. It's quite common for bad guys to get into a network via some initial social engineering attack. Once in, they go for the networked multi-function printers. Invariably, these things are running embedded Windows XP or embedded Linux with an ancient unpatched kernel and vulnerable libraries. Ideal hosts for botnet zombies. Printers should be isolated from the rest of the network, and the "printer firewall" should be configured accordingly. No outbound flows, only inbound flows from LAN devices, etc.



                    #24
                    That's interesting, I would never have thought of doing that!

                    When you say no outbound flows, do you mean nothing outside the LAN? All those fancy "email me my PDF" functions wouldn't work otherwise!

                    My printer isn't connected to the network directly, it will only connect with WPS(!) which is unsupported on *wrt because of its security problems. So, it used to be plugged into the router via USB and now it's connected to a raspberry pi I'm using as a print server, which is velcroed to the side of a book case like a naughty little ninja.
                    samhobbs.co.uk



                      #25
                      Originally posted by Feathers McGraw:
                      That's interesting, I would never have thought of doing that!
                      I've seen this myself. I was once working with a customer trying to locate the source of repeated malware infections. Every 90 days, when the printer would "mysteriously" break down, the Xerox guy would dutifully show up, open the hood, hook up his laptop to some diagnostic port, and fiddle around for a while. After he left, malware would attempt to infect the network for a few days. What tipped us off was first the 90-day pattern, then noticing that the source IP was -- a printer! Turns out the repair dude was a first class ultra maroon, carrying around not a laptop but an electronic Typhoid Mary.

                      Originally posted by Feathers McGraw:
                      When you say no outbound flows, do you mean nothing outside the LAN? All those fancy "email me my PDF" functions wouldn't work otherwise!
                      Here's a perfect example of making a risk decision. Definitely no outbound flows beyond the corpnet (which may include a WAN). Whether or not you want to prohibit all outbound flows largely depends on how resilient the rest of your security posture is. If you have lousy endpoint controls, where anybody can install anything and people have bad habits like never patching their operating systems, then infected printers can spread malware throughout an organization.

                      Originally posted by Feathers McGraw:
                      velcroed to the side of a book case like a naughty little ninja.
                      A joke lurks somewhere in here, but damned if I can think of one now!

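The printer-segment policy described in #23 and #25 (inbound from LAN devices on print ports only, no outbound flows from printers except an internal scan-to-email relay), expressed as a small check run over constructed flow records. This is an added illustration, not code from the thread; the subnets, relay address and sample flows are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example segments (assumptions, not from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")         # trusted workstations
PRINTERS = ipaddress.ip_network("192.168.50.0/24")   # isolated printer VLAN
MAIL_RELAY = ipaddress.ip_address("192.168.1.25")    # internal SMTP relay for "email me my PDF"

PRINT_PORTS = {515, 631, 9100}   # LPD, IPP, raw JetDirect


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def printer_policy(flow: Flow) -> bool:
    """Return True if the printer-segment firewall would permit this new connection."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Inbound: only LAN hosts may open connections to printers, and only on print ports.
    if dst in PRINTERS:
        return src in LAN and flow.dport in PRINT_PORTS
    # Outbound from a printer: the one risk-accepted exception is SMTP to the internal relay.
    if src in PRINTERS:
        return dst == MAIL_RELAY and flow.dport == 25
    # Flows that never touch the printer segment are outside this policy.
    return True


def audit(log_lines):
    """Parse constructed 'src dst dport' records and return the flows the policy denies."""
    denied = []
    for line in log_lines:
        s, d, p = line.split()
        flow = Flow(s, d, int(p))
        if not printer_policy(flow):
            denied.append(flow)
    return denied


# Constructed sample flows, as a connection log might summarise them.
SAMPLE_FLOWS = [
    "192.168.1.10 192.168.50.7 9100",  # workstation sends a print job: allowed
    "192.168.50.7 192.168.1.25 25",    # scan-to-email through the relay: allowed
    "192.168.50.7 192.168.1.10 445",   # printer opening SMB to a workstation: denied
    "192.168.50.7 203.0.113.9 443",    # printer calling out to the Internet: denied
    "10.0.0.5 192.168.50.7 631",       # non-LAN source reaching a printer: denied
]
```

A printer that shows up as the *source* of denied flows, as in the 90-day story above, is exactly the signal worth alerting on.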


                        #26
                        Originally posted by SteveRiley:
                        Yep, that's the old GNOME which has the very traditional layout we all learned from Windows 95, except that GNOME 2 used a top panel and a bottom panel.
                        We should receive better funding within the year, but I prefer to use the funding for better medical equipment. The lab has some pretty cool gear already from the university and since we are talking 8 PCs in total, that includes both our laptops (mine and Frank's), I think the system should save us some bacon. The six desktops were all donated from the local high school. Somebody got upgraded eh? lol

                        As far as security, we lock the door at night, I doubt someone is going to want to hack into our medical records. But sadly since we still kill trees (I am pushing for paperless) here in the office, they could just as easily break into a file cabinet.

                        Well I am off for 3 days and I am going to the casino tonight.



                          #27
                          Originally posted by SteveRiley:
                          Just to be clear... you aren't implying that the device performs a fresh install every time it's powered on, right? That shouldn't be necessary since you aren't running something like an Internet cafe where who-knows-what happens on those PCs. PXE would be useful to ensure that the half dozen or so PCs in your house all have the same installed OS, but I wouldn't think you'd need to reinstall it each time the PC is powered on.

                          Mostly what you're describing is a remote desktop environment. I've seen this implemented successfully in organizations where employees have fixed functions -- bank tellers, for example. It's also useful for situations in which you need to quarantine an application that requires ancient support software. For instance, my employer uses some ERP software from Oracle. And get this -- it will work only with Java 6.16 and Firefox 3.6! So our plan is to set up a Windows Terminal Server running the Oracle application and those decrepit addons. This server will have no Internet access. The couple dozen people who need to use this particular application will VPN into corpnet, then connect the Windows Remote Desktop to the server to do their work.
                          My understanding is PXE booting is not an installation at all, rather the client BIOS supports booting over the network, just as it would from a local disk or device. The PXE portion of the BIOS scans the network for the PXE server, then if found - boots the image provided.

                          Although my late reading reveals that this sort of set up is rather slow, and since the new NUCs that are coming out are very capable, I'll more likely go that route. Meaning stand alone NUC PCs mounted behind the monitors remotely administered.

                          And let's face it - with cron jobs, network, server, and automated backups, I doubt it will be much work to maintain - once properly configured, of course.

                          Please Read Me
