Thin Client 2FA Access with GateKeeper Proximity.

2FA thin client access is crucial for any good security infrastructure. But protecting access to thin clients and RDP isn’t always straight-forward. The GateKeeper 2FA Client application (installed on end user computers) authenticates end users into thin clients running Windows with the proper requirements. This process ONLY authenticates the user on the local thin client, and not on the remote desktop they would be launching from the thin client. Users can use 2FA to login to the local thin client and access their remote desktops seamlessly. After logging into the remote desktop, the user’s respective passwords will become available for use. However, if a user does not login with their GateKeeper token, their passwords will not be accessible.

Requirements for using GateKeeper on Thin Clients:

1. 1. Windows OS (Windows 10, Windows 8, Windows 7, Windows Embedded 7, and Windows Embedded 10)
   2. Ability to install GateKeeper Client software on the thin client
   3. Ability to add USB CDC drivers to Windows Embedded thin clients (Link)
   4. Disable “Always logged in mode” for the thin clients – GateKeeper logs the user into the thin client itself
   5. Lastly, Microsoft .Net 4.6.1 must be installed on the thin client (Download)

Adding USB CDC Drivers using package manager (pkgmgr.exe):

1. Get the winemb-inf-mdmcpq.cab file from the Windows Embedded DVD
2. Alternatively download the winemb-inf-mdmcpq.cab file from this link
3. Copy the file onto the thin client
4. Open a command prompt with administrator privileges and run the command given below
   pkgmgr /ip /m:winemb-inf-mdmcpq.cab
5. This will add the USBSER.SYS file to the thin client
6. Reboot the thin client

Launching RDP Sessions from Thin Clients:

Once an end user is logged in to the thin client, launch the RDP (Remote Desktop Protocol) session. Then, GateKeeper Proximity will pass the connected user’s passwords to the remote server through the RDP’s credential user interface (CredUI). The user then types their GateKeeper PIN to login to the remote computer. Afterwards, the user’s passwords become available through RDP. So, if the user logs into the local thin client using GateKeeper 2FA, then they can use the password manager to seamlessly login to their RDP, then auto-fill web passwords. Finally, a passwordless RDP solution.

Use GateKeeper Proximity 2FA login to let users access their passwords through RDP on local thin clients. Then, users will be able to login to all of their digital accounts, even while on remote machines. WYSE Thin Clients can available with Windows or non-Windows OS. GateKeeper Proximity is compatible with WYSE thin clients that have Windows Embedded. In conclusion, use a layered 2FA defense approach to protecting thin clients, RDP access, and password-protected accounts. However, WYSE thin clients with ThinOS are not compatible with GateKeeper.