Solved

Citrix - ICA Connection Security

Posted on 2004-08-10
Last Modified: 2012-06-21
Hi,

I have a question about our Citrix security.

Our setup here is that our Citrix server is open on the firewall through the normal port.  This is the only port open.

Our remote home users have Citrix Program Neighbourhood installed.  From here they have set up an ICA connection connecting to the public IP of our Citrix server.  The connection uses Citrix's DEFAULT basic encryption level.

Now I've been told this is a breach of security, because when the users enter their username & password this isn't secure enough, and is being sent over in clear text?  I thought the default basic encryption would take care of this?

Maybe I should set the encryption level higher on the server and on the remote users' ICA connection?

Thanks
Steve
Question by:stevendunne
10 Comments
LVL 8

Expert Comment

by:Marakush
ID: 11761779
stevendunne,

The easiest way around this is to change the default security level on the Citrix server; that way when the clients try to connect you can have the connection start at, oh, 56-bit... No change on the client side whatsoever.


Marakush

Author Comment

by:stevendunne
ID: 11762733
RC5 56- and 128-bit encryption levels are only available in the United States. Only Basic encryption is available without SecureICA Services installed.

The answer is SecureICA Services, which is exactly what we need.  However, I can't find anything on this on Citrix's site?
What product has taken over from this?  We don't want to have to plan a major update of Citrix though.
LVL 4

Expert Comment

by:shard26
ID: 11764237
I think SecureICA services is included in the basic Citrix package now. You should have the ability to set the encryption level to 128 bit.


Author Comment

by:stevendunne
ID: 11764446
I have Metaframe 1.8 SP4 for Windows 2000

I don't think it's included in this version?
LVL 38

Expert Comment

by:Rich Rumble
ID: 11772531
If you sniff the connections, you'd see that in fact the UserName is sent plain-text... but even M$ knows better than to send passwords PT... No matter what level of encryption you select, the UserName is PT. I've not seen, or been able to develop, a cracker for RDP/Citrix yet, but the gov probably has something for it ;) The server sets the level of encryption; it's negotiated when first connecting, and cannot be downgraded like an SMB connection.
-rich
LVL 4

Expert Comment

by:shard26
ID: 11772626
We're on Metaframe XP

so when I go here on my Citrix Server:
start - settings - control panel - admin tools - terminal services config - connections - ICA TCP - properties - general - encryption level

We have 5 options for encryption, all the way up to 128-bit.


Author Comment

by:stevendunne
ID: 11791690
I don't get the option to increase my encryption level.  It looks as though we have a basic Citrix package.

Can someone confirm if Citrix still offers SecureICA for clients & servers?

Rich Rumble,

Are you telling me that you don't know of any crackers / sniffers which can be used on Citrix connections to sniff out usernames & passwords etc.?
LVL 38

Accepted Solution

by:
Rich Rumble earned 350 total points
ID: 11793317
Personally I've not come across them... doesn't mean they don't exist. I know plenty of PW crackers, in fact I've probably used them all, but as far as Citrix or even Terminal Services session "crackers", no... there are tons of wireless crackers, and they work the same way a Citrix/TS cracker would: finding the pass would require you to crack the session's encryption, then locate the pass, then crack it... and frankly that's why I don't think I've found any of these types of crackers; the info isn't worth the effort/time for most. Someone will write one eventually, I'm sure. There are easier ways into a Windows box. You could use just about any sniffer to sniff and/or replay the data sniffed, and the Username is still always sent PT. There are Terminal Services brute-forcers, where you try dictionary attacks and such at the Administrator account, because it cannot be locked out, but there isn't much else. There are also Remote Desktop Password Decoders (decode passwords in .RDP files), but not for a Citrix session or TS session. You can also increase your security by using Windows IPSEC and making an encrypted tunnel for connecting clients, encryption upon encryption if you will. http://www.thinstructor.com/modules.php?op=modload&name=News&file=article&sid=1609
-rich

Author Comment

by:stevendunne
ID: 11839763
I'll probably look at upgrading to Metaframe XP which includes Secure Gateway.

Expert Comment

by:donnagti
ID: 12434892
Commenting on the idea of encryption set only on the server.

With the encryption set on the server say at 128 bit, any client trying to connect to that server will have to have their encryption set to match that of the server.  Otherwise the client will not be able to connect.  You may also want to consider published applications instead of giving the users access to the desktop.
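The thread's advice (Marakush, shard26, donnagti) boils down to: the server should require a strong level, and every client connection definition should match it rather than sit at the Basic default. The following audit script is an added example, not code from the thread or from Citrix: it parses the INI-style layout that Program Neighborhood's appsrv.ini and .ica files use and reports connections whose EncryptionLevelSession falls below a required minimum. The section names, key names and level values are assumptions based on the documented ICA file settings (verify against your client version), and the sample file is constructed.

```python
import configparser

# Ranked weakest to strongest. Value spellings are assumptions taken from
# the documented ICA file settings; check them against your client build.
LEVEL_RANK = {
    "basic": 0,        # Basic encryption, the default discussed in the thread
    "encrc5-0": 1,     # RC5 128-bit for logon only; session data stays Basic
    "encrc5-40": 2,
    "encrc5-56": 3,
    "encrc5-128": 4,
}

def parse_ica(text):
    """Parse INI-style ICA / appsrv.ini text into {section: {key: value}}.
    Section names are lowercased; configparser already lowercases keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def effective_level(sections, conn):
    """A per-connection setting wins; otherwise the [WFClient] default applies;
    if neither is present the client falls back to Basic (assumption)."""
    for name in (conn, "wfclient"):
        val = sections.get(name, {}).get("encryptionlevelsession")
        if val:
            return val.strip().lower()
    return "basic"

def audit(text, minimum="encrc5-128"):
    """Return [(connection, level)] for every connection below `minimum`.
    Unknown level strings are treated as weakest so they are always flagged."""
    sections = parse_ica(text)
    need = LEVEL_RANK[minimum.lower()]
    # [ApplicationServers] lists one key per defined connection (assumption).
    return [(conn, lvl) for conn in sections.get("applicationservers", {})
            if LEVEL_RANK.get(lvl := effective_level(sections, conn), 0) < need]

# Constructed sample: one connection inherits the Basic default, one overrides it.
SAMPLE = """[WFClient]
Version=2
EncryptionLevelSession=Basic

[ApplicationServers]
Citrix Main=
Citrix Finance=

[Citrix Main]
Address=203.0.113.10

[Citrix Finance]
Address=203.0.113.10
EncryptionLevelSession=EncRC5-128
"""

if __name__ == "__main__":
    for conn, lvl in audit(SAMPLE):
        print(f"{conn}: {lvl} is below the required level")
```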
