Solved

Citrix - ICA Connection Security

Posted on 2004-08-10
Last Modified: 2012-06-21
Hi,

I have a question about our Citrix security.

Our setup here is that our Citrix server is open on the firewall through the normal port.  This is the only port open.

Our remote home users have Citrix Program Neighbourhood installed.  From here they have set up an ICA connection connecting to the public IP of our Citrix server.  The connection uses Citrix's DEFAULT basic encryption level.

Now I've been told this is a breach of security, because when the users enter their username & password this isn't secure enough, and is being sent over in clear text?  I thought the default basic encryption would take care of this?

Maybe I should set the encryption level higher on the server and remote users' ICA connection?

Thanks
Steve
0
Comment
Question by:stevendunne
10 Comments
 
LVL 8

Expert Comment

by:Marakush
ID: 11761779
stevendunne,

The easiest way around this is to change the default security level on the Citrix server, that way when the clients try to connect you can have the connection start at oh 56bit... No change on the client side whatsoever..


Marakush
0
 

Author Comment

by:stevendunne
ID: 11762733
RC5 56- and 128-bit encryption levels are only available in the United States. Only Basic encryption is available without SecureICA Services installed.

The answer is SecureICA services, which is exactly what we need.  However, I can't find anything on this from Citrix's site?
What product has taken over from this?  We don't want to have to plan a major update of Citrix though.
0
 
LVL 4

Expert Comment

by:shard26
ID: 11764237
I think SecureICA services is included in the basic Citrix package now. You should have the ability to set the encryption level to 128 bit.

0
 

Author Comment

by:stevendunne
ID: 11764446
I have Metaframe 1.8 SP4 for Windows 2000

I don't think it's included in this version ?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11772531
If you sniff the connections, you'd see that in fact the UserName is sent Plain-text... but even M$ knows better than to send pass's PT... No matter what level of encryption you select, the UserName is PT. I've not seen, or been able to develop, a cracker for RDP/Citrix yet, but the gov probably has something for it ;) The Server sets the level of encryption- it's negotiated when first connecting, and cannot be downgraded like an SMB connection.
-rich
0
 
LVL 4

Expert Comment

by:shard26
ID: 11772626
We're on Metaframe XP

so when I go here on my Citrix Server:
start - settings - control panel - admin tools - terminal services config - connections - ICA TCP - properties - general - encryption level

We have 5 options for encryption; all the way up to 128bit.

0
 

Author Comment

by:stevendunne
ID: 11791690
I don't get the option to increase my encryption level.  It looks as though we have a basic Citrix package.

Can someone confirm if Citrix still offer SecureICA for clients & servers ?

Rich Rumble,

Are you telling me that you don't know of any crackers \ sniffers which can be used on Citrix connections to sniff out username & passwords etc ?



0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 700 total points
ID: 11793317
Personally I've not come across them... doesn't mean they don't exist- I know plenty of PW crackers, in fact I've probably used them all- but as far as Citrix or even terminal service session "crackers" no... there are tons of wireless crackers- and they work the same way a Citrix/TS cracker would- finding the pass would require you to crack the session's encryption- then locate the pass, then crack it... and frankly that's why I don't think I've found any of these types of crackers, the info isn't worth the effort/time for most- someone will write one eventually, I'm sure. There are easier ways into a Windows box.

While you could use just about any sniffer to sniff and or replay the data sniffed- and the Username is still always sent PT. There are Terminal Service BruteForcers- where you try dictionary attacks and such at the Administrator account, because it cannot be locked out- but there isn't much else. There are also Remote Desktop Password Decoders (decode passwords in .RPD files), but not a Citrix session, or TS session.

You can also increase your security by using Windows IPSEC and making an encrypted tunnel for connecting clients, encryption upon encryption if you will.
http://www.thinstructor.com/modules.php?op=modload&name=News&file=article&sid=1609
-rich
0
 

Author Comment

by:stevendunne
ID: 11839763
I'll probably look at upgrading to Metaframe XP which includes Secure Gateway.
0
 

Expert Comment

by:donnagti
ID: 12434892
Commenting on the idea of encryption set only on the server.

With the encryption set on the server say at 128 bit, any client trying to connect to that server will have to have their encryption set to match that of the server.  Otherwise the client will not be able to connect.  You may also want to consider published applications instead of giving the users access to the desktop.
0


Question has a verified solution.
