Solved

Presentation Server / XenApp

Posted on 2010-08-27
Last Modified: 2012-05-10
What areas would typically be covered when reviewing the security of an organisation's Citrix Presentation Server / XenApp environment? Are there any automated tools to help with such a security review / manual review? To me it looks as simple as a user clicking a shortcut on his desktop which in turn opens up a Citrix session, and they work as normal on this "remote desktop". I am sure there must be more to it than that.
Question by: pma111
8 Comments
 
LVL 25

Accepted Solution

by: Tony1044 (earned 500 total points)
ID: 33540521
Security is fairly good already within Citrix sessions but there are some things to consider.

Obviously, the servers need to be kept up to date with OS and application patches but unlike other servers it's usually more important (granted, less so these days than before) to test these updates to ensure that they don't break the server.

Keeping the Citrix client up to date can be useful, but to be fair Citrix don't get an awful lot of security vulnerabilities - people tend to go for the underlying OS.

You may want to consider things like client to server clipboard mapping - some establishments don't like this.

Likewise local drive mapping - this can be considered one of the most important security gotchas depending on the site. Some places see it as being useful for their staff to be able to access their local disks but for others it's a complete no-no.

Then there are things that can be controlled by group policy - I've always created two discrete groups, a Citrix users and a Citrix Admins.

If you're publishing desktops then I would always recommend very restrictive policies - remove shutdown, remove run, disable right-click even in some cases. No one gets to administer the servers unless they are explicitly in the Citrix Admins group, not even domain admins.

Also consider enabling the configuration change database if you have the functionality - it shows which admins made which changes and when. Full accountability.

You might want to restrict RDP access to the server to only administrators, too, so your users can't use this as a back way onto the server.

Do you have Access Gateway at all? I would recommend two-factor authentication if you do, based on something such as RSA SecurID or my own preferred one, SafeWord. And of course, use SSL encryption.

That said again, these devices are quite secure from the offset because they use Linux kernels in most cases.

For some more specific security points, check out http://www.dabcc.com/channel.aspx?id=126
 
LVL 3

Author Comment

by: pma111
ID: 33540724
Many Thanks - some great pointers.

Could you elaborate perhaps on:

"You may want to consider things like client to server clipboard mapping - some establishments don't like this."

I am unsure of this.
 
LVL 3

Author Comment

by: pma111
ID: 33540739
"Likewise local drive mapping - this can be considered one of the most important security gotchas depending on the site. Some places see it as being useful for their staff to be able to access their local disks but for others it's a complete no-no."

Also, what's the key risk? Are you talking about browsing the local drive on the Citrix Presentation Server, or the local PC on which the Citrix shortcut is located?
 
LVL 25

Expert Comment

by: Tony1044
ID: 33540758
Of course - out of the box, Citrix will allow a user to copy something on, say, their workstation and paste it into their Citrix session, and back in the other direction.

Let's assume that the company that they work for mandated that no local drives were mapped and that all work should only be saved to a share (oh I missed that one, too - you might want to hide local drives on the server from view - just google hide server drives in citrix for how to do it).

If clipboard mapping is enabled, there is nothing to stop the user opening, say, a confidential Word document, selecting all and copying everything, and then opening Word on their workstation and pasting the contents into it.

Of course, if said user also has email access via Citrix, nor is there anything to stop them emailing it to themselves, either :)

 
LVL 25

Expert Comment

by: Tony1044
ID: 33540774
With local drive mapping, what happens is that when a user logs into a Citrix session they can see the drives on their workstation.

Now some companies don't like this - some from a security standpoint, but also some from the simple fact that they don't want files stored locally, not being backed up, not being kept up to date etc.
 
LVL 25

Expert Comment

by: Tony1044
ID: 33540787
What I have tended to do is hide the server's local drives (C, D, etc. on the server) so that they're not visible to the end user at all but are still accessible, and then to hide users' workstation drives if required by the company.
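An added example, not from the thread or from Citrix: a read-only PowerShell audit that checks, from inside a published-desktop session, the lockdown points raised in the accepted answer and in this comment (server drives hidden but still reachable, Shut Down and Run removed, right-click disabled, nobody but administrators in Remote Desktop Users). The Explorer policy value names are the standard Windows ones; running it as a test account in the Citrix Users group, and the expectation that Remote Desktop Users is empty, are assumptions for this example.

```powershell
# Added audit script (not the thread's own). Run inside a Citrix session as a
# test user from the Citrix Users group so HKCU reflects that group's GPO.
# Read-only: it reports findings and changes nothing.

function ConvertFrom-DriveMask {
    # NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    param([uint32]$Mask)
    $letters = foreach ($i in 0..25) {
        $bit = [uint32][math]::Pow(2, $i)
        if (($Mask -band $bit) -ne 0) { '{0}:' -f [char](65 + $i) }
    }
    if ($letters) { $letters -join ' ' } else { '(none)' }
}

function Get-ExplorerPolicyValue {
    # Returns the user-policy value, or $null when the GPO did not set it.
    param([string]$Name)
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# Hidden (NoDrives) but not blocked (NoViewOnDrive) is the arrangement the
# comment describes: drives vanish from Explorer yet paths still resolve.
$hidden  = [uint32](Get-ExplorerPolicyValue 'NoDrives')      # $null casts to 0
$blocked = [uint32](Get-ExplorerPolicyValue 'NoViewOnDrive')
$findings += "Hidden drives  : $(ConvertFrom-DriveMask $hidden)"
$findings += "Blocked drives : $(ConvertFrom-DriveMask $blocked)"
if ($hidden -eq 0) { $findings += 'WARN server drives are visible to this user' }

# Restrictive published-desktop settings from the accepted answer.
$lockdown = @{ NoClose = 'Shut Down removed'; NoRun = 'Run removed'
               NoViewContextMenu = 'right-click disabled' }
foreach ($name in $lockdown.Keys) {
    $state = if ((Get-ExplorerPolicyValue $name) -eq 1) { 'OK  ' } else { 'WARN' }
    $findings += "$state $($lockdown[$name]) ($name)"
}

# RDP as a back way onto the server: ordinary users should not be listed here.
# 'net localgroup' is used because it works on Server 2008 R2 era PowerShell.
$rdpMembers = net localgroup 'Remote Desktop Users' |
    Select-Object -Skip 6 | Where-Object { $_ -and $_ -notmatch 'command completed' }
$rdpText = if ($rdpMembers) { $rdpMembers -join ', ' } else { '(empty)' }
$findings += "Remote Desktop Users : $rdpText"

$findings
```

Any WARN line is a finding for the review; the drive lists show exactly which letters the GPO hides versus blocks, so a mapped workstation drive that was supposed to be hidden shows up immediately.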
 
LVL 3

Author Comment

by: pma111
ID: 33540797
Is there anything stopping them browsing the local drives on the Citrix Server by default?
 
LVL 25

Expert Comment

by: Tony1044
ID: 33540864