Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Citrix - ICA Connection Security

Posted on 2004-08-10
Medium Priority
Last Modified: 2012-06-21

I have a question about our Citrix security.

Our setup here is that our Citrix server is open on the firewall through the normal port.  This is the only port open.

Our remote home users have Citrix program neighbourhood installed.  From here they have setup an ICA connection connecting to the public IP of our Citrix server.  The connection uses Citrix's DEFAULT basic encryption level.

Now I've been told this is a breach of security, because when the users enter there username & password this isn't secure enough, and is being sent over in clear text ?  I thought the default basic encryption would take care of this ?

Maybe I should set the encryption level higher on the server and remote users ICA connection ?

Question by:stevendunne
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2

Expert Comment

ID: 11761779

The easyest way around this is to change the default security level is the Citrix server, that way when the clients try to connect you can have the connection start at oh 56bit... No change on the client side what so ever..


Author Comment

ID: 11762733
RC5 56- and 128-bit encryption levels are only available in the United States. Only Basic encryption is available without SecureICA Services installed.

The answer is SecureICA services which is exactly what we need.  However I cant find anything on this from Citrix's site ?
What product has taken over from this ?  We don't want to have to plan a major update of Citrix though.

Expert Comment

ID: 11764237
I think SecureICA services is included in the basic Citrix package now. You should have the ability to set the encryption level to 128 bit.

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.


Author Comment

ID: 11764446
I have Metaframe 1.8 SP4 for Windows 2000

I don't think it's included in this version ?
LVL 38

Expert Comment

by:Rich Rumble
ID: 11772531
If you sniff the connections, you'd see that in fact the UserName is sent Plain-text... but even M$ knows better than to send pass's PT... No matter what level of encryption you select, the UserName is PT. I've not seen, or been able to develop, a cracker for RDP/Citrix yet, but the gov probably has something for it ;) The Server set's the level of encryption- it's negotiated when first connecting, and cannot be downgraded like an SMB connection.

Expert Comment

ID: 11772626
We're on Metaframe XP

so when I go here on my Citrix Server:
start - settings - control panel - admin tools - terminal services config - connections - ICA TCP - properties - general - encryption level

We have 5 options for encryption; all the way up to 128bit.


Author Comment

ID: 11791690
I don't get the option to increase my encryption level.  It looks as though we have a basic Citrix package.

Can someone confirm if Citrix still offer SecureICA for clients & servers ?

Rich Rumble,

Are you telling me that you don't know of any crackers \ sniffers which can be used on Citrix connections to sniff out username & passwords etc ?

LVL 38

Accepted Solution

Rich Rumble earned 700 total points
ID: 11793317
Personally i've not come across them... doesn't mean they don't exist- I know plenty of PW crackers, in fact I've probably used them all- but as far as citrix or even terminal service session "crackers" no... there are ton's of wireless crackers- and they work the same way a citrix/TS cracker would- finding the pass would require you to crack the session's encryption- then locate the pass, then crack it... and frankly that's why I don't think I've found any of these types of crackers, the info isn't worth the effort/time for most- someone will write one eventually, I'm sure. There are easier ways in to a window box. While you could use just about any sniffer to sniff and or replay the data sniffed- and the Username is still always sent PT. There are Terminal Service BruteForcers- where you try dictionary attacks and such at the Administrator account, because it cannot be locked out- but there isn'tmuch else. There are also Remote Desktop Password Decoders (decode passwords in .RPD files), but not a citrix session, or TS session. you can also increase your security by using windows IPSEC and making an encrypted tunnel for connecting clients, encryption upon encryption if you will. http://www.thinstructor.com/modules.php?op=modload&name=News&file=article&sid=1609

Author Comment

ID: 11839763
I'll probably look at upgrading to Metaframe XP which includes Secure Gateway.

Expert Comment

ID: 12434892
Commenting on the idea of encryption set only on the server.

With the encryption set on the server say at 128 bit, any client trying to connect to that server will have to have their encryption set to match that of the server.  Otherwise the client will not be able to connect.  You may also want to consider published applications instead of giving the users access to the desktop.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

596 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question