Presentation Server / XenApp

What areas would typically be covered when reviewing the security of an organisation's Citrix Presentation Server / XenApp environment? Are there any automated tools to help with such a security review / manual review? To me it looks as simple as a user clicking a shortcut on his desktop which in turn opens up a Citrix session and they work as normal on this "remote desktop". I am sure there must be more to it than that.
pma111 asked:
 
Tony J (Lead Technical Architect) commented:
Security is fairly good already within Citrix sessions but there are some things to consider.

Obviously, the servers need to be kept up to date with OS and application patches but unlike other servers it's usually more important (granted, less so these days than before) to test these updates to ensure that they don't break the server.

Keeping the Citrix client up to date can be useful, but to be fair Citrix don't get an awful lot of security vulnerabilities - people tend to go for the underlying OS.

You may want to consider things like client to server clipboard mapping - some establishments don't like this.

Likewise local drive mapping - this can be considered one of the most important security gotchas depending on the site. Some places see it as being useful for their staff to be able to access their local disks but for others it's a complete no-no.

Then there are things that can be controlled by group policy - I've always created two discrete groups, a Citrix users and a Citrix Admins.

If you're publishing desktops then I would always recommend very restrictive policies - remove shutdown, remove run, disable right-click even in some cases. No one gets to administer the servers unless they are explicitly in the Citrix Admins group, not even domain admins.

Also consider enabling the configuration change database if you have the functionality - it shows which admins made which changes and when. Full accountability.

You might want to restrict RDP access to the server to only administrators, too, so your users can't use this as a back way onto the server.

Do you have Access Gateway at all? I would recommend two-factor authentication if you do, based on something such as RSA SecurID or my own preferred one, SafeWord. And of course, use SSL encryption.

That said again, these devices are quite secure from the outset because they use Linux kernels in most cases.

For some more specific security points, check out http://www.dabcc.com/channel.aspx?id=126 
 
pma111 (Author) commented:
Many Thanks - some great pointers.

Could you elaborate perhaps on:

"You may want to consider things like client to server clipboard mapping - some establishments don't like this."

I am unsure of this.
 
pma111 (Author) commented:
"Likewise local drive mapping - this can be considered one of the most important security gotchas depending on the site. Some places see it as being useful for their staff to be able to access their local disks but for others it's a complete no-no."

Also, what's the key risk? Are you talking about browsing the local drive on the Citrix Presentation Server, or the local PC on which the Citrix shortcut is located?
 
Tony J (Lead Technical Architect) commented:
Of course - out of the box, Citrix will allow a user to copy something on, say their workstation and paste it into their Citrix session, and back in the other direction.

Let's assume that the company that they work for mandated that no local drives were mapped and that all work should only be saved to a share (oh I missed that one, too - you might want to hide local drives on the server from view - just google hide server drives in citrix for how to do it).

If clipboard mapping is enabled, there is nothing to stop the user opening, say, a confidential Word document, selecting all and copying everything and then opening Word on their workstation and pasting the contents into it.

Of course, if said user also has email access via Citrix, nor is there anything to stop them emailing it to themselves, either :)

 
Tony J (Lead Technical Architect) commented:
With local drive mapping, what happens is that when a user logs into a Citrix session they can see the drives on their workstation.

Now some companies don't like this - some from a security standpoint, but also some from the simple fact that they don't want files stored locally, not being backed up, not being kept up to date etc.
 
Tony J (Lead Technical Architect) commented:
What I have tended to do is hide the server local drives (C, D, etc. on the server) so that they're not visible to the end user at all but they're still accessible, and then to hide users' workstation drives if required by the company.
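
Added example, not part of the original comment and not Citrix's or the poster's code: a Python check of the "hidden but still accessible" state described above. It assumes the drives are hidden with the Windows Explorer policy values `NoDrives` and `NoViewOnDrive` (26-bit masks, bit 0 = A:), which the thread does not name; the sample values are constructed.

```python
import string

LETTERS = string.ascii_uppercase  # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:


def mask_for(drives):
    """Build the 26-bit policy mask for a list of drive letters ("C", "d:", ...)."""
    mask = 0
    for d in drives:
        letter = d.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in LETTERS:
            raise ValueError(f"not a drive letter: {d!r}")
        mask |= 1 << LETTERS.index(letter)
    return mask


def drives_in(mask):
    """Decode a policy mask back into the drive letters it covers."""
    if not 0 <= mask < 1 << 26:
        raise ValueError("mask must fit in 26 bits")
    return [LETTERS[i] for i in range(26) if mask >> i & 1]


def audit(no_drives, no_view_on_drive, server_drives):
    """Classify each server drive by what the two Explorer policies do to it.

    NoDrives only removes the icon; NoViewOnDrive stops Explorer from opening
    the drive. Both are shell policies, so NTFS permissions remain the real
    access control either way.
    """
    hidden = set(drives_in(no_drives))
    blocked = set(drives_in(no_view_on_drive))
    report = {}
    for d in drives_in(mask_for(server_drives)):
        if d in hidden and d in blocked:
            report[d] = "hidden and blocked in Explorer"
        elif d in hidden:
            report[d] = "hidden only: still reachable by typing the path"
        elif d in blocked:
            report[d] = "visible but blocked in Explorer"
        else:
            report[d] = "visible and browsable"
    return report


# Constructed sample: C: and D: hidden, only C: blocked, server also has E:.
SAMPLE = audit(no_drives=mask_for(["C", "D"]),
               no_view_on_drive=mask_for(["C"]),
               server_drives=["C", "D", "E"])
```
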
 
pma111 (Author) commented:
Is there anything stopping them browsing the local drives on the Citrix Server by default?
 
Tony J (Lead Technical Architect) commented:
Question has a verified solution.