Citrix - ICA Connection Security

Posted on 2004-08-10
Last Modified: 2012-06-21
Hi,

I have a question about our Citrix security.

Our setup here is that our Citrix server is open on the firewall through the normal port.  This is the only port open.

Our remote home users have Citrix program neighbourhood installed.  From here they have set up an ICA connection connecting to the public IP of our Citrix server.  The connection uses Citrix's DEFAULT basic encryption level.

Now I've been told this is a breach of security, because when the users enter their username & password this isn't secure enough, and is being sent over in clear text?  I thought the default basic encryption would take care of this?

Maybe I should set the encryption level higher on the server and remote users' ICA connection?

Thanks
Steve
Question by:stevendunne
10 Comments
 
LVL 8

Expert Comment

by:Marakush
ID: 11761779
stevendunne,

The easiest way around this is to change the default security level on the Citrix server, that way when the clients try to connect you can have the connection start at oh 56bit... No change on the client side whatsoever.


Marakush
0
 

Author Comment

by:stevendunne
ID: 11762733
RC5 56- and 128-bit encryption levels are only available in the United States. Only Basic encryption is available without SecureICA Services installed.

The answer is SecureICA services, which is exactly what we need.  However I can't find anything on this from Citrix's site?
What product has taken over from this?  We don't want to have to plan a major update of Citrix though.
0
 
LVL 4

Expert Comment

by:shard26
ID: 11764237
I think SecureICA services is included in the basic Citrix package now. You should have the ability to set the encryption level to 128 bit.

0
 

Author Comment

by:stevendunne
ID: 11764446
I have Metaframe 1.8 SP4 for Windows 2000

I don't think it's included in this version ?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11772531
If you sniff the connections, you'd see that in fact the UserName is sent Plain-text... but even M$ knows better than to send passes PT... No matter what level of encryption you select, the UserName is PT. I've not seen, or been able to develop, a cracker for RDP/Citrix yet, but the gov probably has something for it ;) The Server sets the level of encryption - it's negotiated when first connecting, and cannot be downgraded like an SMB connection.
-rich
0
 
LVL 4

Expert Comment

by:shard26
ID: 11772626
We're on Metaframe XP

so when I go here on my Citrix Server:
start - settings - control panel - admin tools - terminal services config - connections - ICA TCP - properties - general - encryption level

We have 5 options for encryption; all the way up to 128bit.

0
 

Author Comment

by:stevendunne
ID: 11791690
I don't get the option to increase my encryption level.  It looks as though we have a basic Citrix package.

Can someone confirm if Citrix still offer SecureICA for clients & servers ?

Rich Rumble,

Are you telling me that you don't know of any crackers \ sniffers which can be used on Citrix connections to sniff out username & passwords etc ?



0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 700 total points
ID: 11793317
Personally I've not come across them... doesn't mean they don't exist - I know plenty of PW crackers, in fact I've probably used them all - but as far as Citrix or even terminal service session "crackers", no... there are tons of wireless crackers - and they work the same way a Citrix/TS cracker would - finding the pass would require you to crack the session's encryption, then locate the pass, then crack it... and frankly that's why I don't think I've found any of these types of crackers, the info isn't worth the effort/time for most - someone will write one eventually, I'm sure. There are easier ways into a Windows box. While you could use just about any sniffer to sniff and/or replay the data sniffed - and the Username is still always sent PT. There are Terminal Service BruteForcers - where you try dictionary attacks and such at the Administrator account, because it cannot be locked out - but there isn't much else. There are also Remote Desktop Password Decoders (decode passwords in .RDP files), but not a Citrix session, or TS session. You can also increase your security by using Windows IPSEC and making an encrypted tunnel for connecting clients, encryption upon encryption if you will.
http://www.thinstructor.com/modules.php?op=modload&name=News&file=article&sid=1609
-rich
0
 

Author Comment

by:stevendunne
ID: 11839763
I'll probably look at upgrading to Metaframe XP which includes Secure Gateway.
0
 

Expert Comment

by:donnagti
ID: 12434892
Commenting on the idea of encryption set only on the server.

With the encryption set on the server say at 128 bit, any client trying to connect to that server will have to have their encryption set to match that of the server.  Otherwise the client will not be able to connect.  You may also want to consider published applications instead of giving the users access to the desktop.
0
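
A client-side check for the point made in the comment above (clients have to match the encryption level set on the server), as an added example that is not part of the original thread: it reads a Program Neighborhood style `appsrv.ini` and reports which ICA connections fall below a required level. The file contents are constructed; the `EncryptionLevelSession` key and its value names follow the ICA client file format, and treating a missing key as Basic is an assumption based on the default described in the question.

```python
import configparser

# ICA client encryption settings, weakest first (Basic is the client default).
LEVELS = ["Basic", "EncRC5-0", "EncRC5-40", "EncRC5-56", "EncRC5-128"]
CANON = {name.lower(): name for name in LEVELS}

# Constructed sample in the style of a Program Neighborhood appsrv.ini.
SAMPLE_INI = """\
[ApplicationServers]
Head Office Desktop=
Finance App=
Old Laptop Profile=

[Head Office Desktop]
Address=203.0.113.10
EncryptionLevelSession=Basic

[Finance App]
Address=203.0.113.10
EncryptionLevelSession=encrc5-128

[Old Laptop Profile]
Address=203.0.113.10
"""

def audit(ini_text, required="EncRC5-128"):
    """Return (connection, level, meets_required) for each listed connection."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep connection names exactly as written
    cp.read_string(ini_text)
    need = LEVELS.index(required)
    results = []
    names = cp["ApplicationServers"] if cp.has_section("ApplicationServers") else []
    for name in names:
        section = cp[name] if cp.has_section(name) else {}
        keys = {k.lower(): v.strip() for k, v in section.items()}
        # Assumption: a connection with no explicit setting uses Basic.
        raw = keys.get("encryptionlevelsession", "Basic")
        level = CANON.get(raw.lower())
        ok = level is not None and LEVELS.index(level) >= need
        results.append((name, level or f"unrecognised:{raw}", ok))
    return results

if __name__ == "__main__":
    for name, level, ok in audit(SAMPLE_INI):
        print(f"{'OK  ' if ok else 'WEAK'} {name}: {level}")
```

Running it against each remote user's file before raising the server setting shows which connections would need to be edited first.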
