Citrix - ICA Connection Security


I have a question about our Citrix security.

Our setup here is that our Citrix server is open on the firewall through the normal port.  This is the only port open.

Our remote home users have Citrix program neighbourhood installed.  From here they have setup an ICA connection connecting to the public IP of our Citrix server.  The connection uses Citrix's DEFAULT basic encryption level.

Now I've been told this is a breach of security, because when the users enter there username & password this isn't secure enough, and is being sent over in clear text ?  I thought the default basic encryption would take care of this ?

Maybe I should set the encryption level higher on the server and remote users ICA connection ?

Who is Participating?
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Personally i've not come across them... doesn't mean they don't exist- I know plenty of PW crackers, in fact I've probably used them all- but as far as citrix or even terminal service session "crackers" no... there are ton's of wireless crackers- and they work the same way a citrix/TS cracker would- finding the pass would require you to crack the session's encryption- then locate the pass, then crack it... and frankly that's why I don't think I've found any of these types of crackers, the info isn't worth the effort/time for most- someone will write one eventually, I'm sure. There are easier ways in to a window box. While you could use just about any sniffer to sniff and or replay the data sniffed- and the Username is still always sent PT. There are Terminal Service BruteForcers- where you try dictionary attacks and such at the Administrator account, because it cannot be locked out- but there isn'tmuch else. There are also Remote Desktop Password Decoders (decode passwords in .RPD files), but not a citrix session, or TS session. you can also increase your security by using windows IPSEC and making an encrypted tunnel for connecting clients, encryption upon encryption if you will.

The easyest way around this is to change the default security level is the Citrix server, that way when the clients try to connect you can have the connection start at oh 56bit... No change on the client side what so ever..

stevendunneAuthor Commented:
RC5 56- and 128-bit encryption levels are only available in the United States. Only Basic encryption is available without SecureICA Services installed.

The answer is SecureICA services which is exactly what we need.  However I cant find anything on this from Citrix's site ?
What product has taken over from this ?  We don't want to have to plan a major update of Citrix though.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

I think SecureICA services is included in the basic Citrix package now. You should have the ability to set the encryption level to 128 bit.

stevendunneAuthor Commented:
I have Metaframe 1.8 SP4 for Windows 2000

I don't think it's included in this version ?
Rich RumbleSecurity SamuraiCommented:
If you sniff the connections, you'd see that in fact the UserName is sent Plain-text... but even M$ knows better than to send pass's PT... No matter what level of encryption you select, the UserName is PT. I've not seen, or been able to develop, a cracker for RDP/Citrix yet, but the gov probably has something for it ;) The Server set's the level of encryption- it's negotiated when first connecting, and cannot be downgraded like an SMB connection.
We're on Metaframe XP

so when I go here on my Citrix Server:
start - settings - control panel - admin tools - terminal services config - connections - ICA TCP - properties - general - encryption level

We have 5 options for encryption; all the way up to 128bit.

stevendunneAuthor Commented:
I don't get the option to increase my encryption level.  It looks as though we have a basic Citrix package.

Can someone confirm if Citrix still offer SecureICA for clients & servers ?

Rich Rumble,

Are you telling me that you don't know of any crackers \ sniffers which can be used on Citrix connections to sniff out username & passwords etc ?

stevendunneAuthor Commented:
I'll probably look at upgrading to Metaframe XP which includes Secure Gateway.
Commenting on the idea of encryption set only on the server.

With the encryption set on the server say at 128 bit, any client trying to connect to that server will have to have their encryption set to match that of the server.  Otherwise the client will not be able to connect.  You may also want to consider published applications instead of giving the users access to the desktop.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.