FAO CarlWebster or other Citrix gurus

Posted on 2011-10-05
Last Modified: 2012-05-12
We are moving towards a thin client environment via Citrix.

Some of our data is classed as highly sensitive.

Do you have any best practice security policies for users to protect this data when being accessed/edited in a thin client / Citrix environment?

Are there other considerations above and beyond our traditional fat client workstations and Windows servers - when migrating to Citrix/thin client - in terms of data security? If yes, can you detail what?
Question by: pma111

    Accepted Solution

    Embedded Windows based thin clients are very useful in these situations because of their write filter - nothing is saved on the thin client after a reboot.

    Depending on the exact classification, you may want to consider any or all of the following:

    Disable clipboard and local drive mapping;

    Have the clients on a completely separate VLAN and separate via ACLs;

    Disable local USB and if applicable, local CD/DVD writing;

    On the Citrix servers themselves, you may want to utilise the restricted applications group policy such that only applications (ideally by MD5 hash not application name) can be run;

    Have a separate Citrix Admins group and only allow members of that group elevated permissions, not the usual administrative groups;

    Depending how you decide to deliver the applications or desktop, you may want to have very tight group policy based lockdowns on the Citrix Users (again, I usually create a separate group);

    I have used products in the past by a company called Varonis - this is actually quite useful in all high security environments, as it has the capability of showing genuine, historical data on files accessed (by the file or user) across an environment;

    Again, depending on the classification of data and the networks, it may be worthwhile considering moving the clients to fiber based networking that can't be non-invasively sniffed;

    The server disks could potentially be encrypted;

    Use SSL where applicable;

    I'll probably think of some more after hitting submit, but all of what I've suggested above I have actually used over the years.
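
The answer's preference for hash-based over name-based application rules, shown as an added example that is not part of the original answer: a small audit that compares what each kind of rule would permit in a directory. All file names and contents are constructed, the function names are hypothetical, and SHA-256 is used by default (pass `algorithm="md5"` to compare against an MD5 rule set).

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large executables are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(directory, allowed_names, allowed_hashes, algorithm="sha256"):
    """Return {filename: verdict} comparing a name rule with a hash rule."""
    verdicts = {(True, True): "allowed", (True, False): "name-only",
                (False, True): "hash-only", (False, False): "blocked"}
    allowed_names = {n.lower() for n in allowed_names}
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            by_name = path.name.lower() in allowed_names
            by_hash = file_digest(path, algorithm) in allowed_hashes
            report[path.name] = verdicts[(by_name, by_hash)]
    return report


def demo():
    """Build a constructed directory and audit it; all names and contents are made up."""
    approved = {"calc.exe": b"constructed approved build A",
                "notepad.exe": b"constructed approved build B"}
    hashes = {hashlib.sha256(data).hexdigest() for data in approved.values()}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "calc.exe").write_bytes(approved["calc.exe"])          # approved name and content
        (d / "notepad.exe").write_bytes(b"constructed other file")  # approved name, different content
        (d / "editor.exe").write_bytes(approved["notepad.exe"])     # approved content, unlisted name
        (d / "unknown.exe").write_bytes(b"constructed unlisted")    # neither name nor content approved
        return audit(d, approved.keys(), hashes)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

A `name-only` verdict marks a file that a name rule would permit but a hash rule would not, which is the gap the hash-based policy closes.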
