
  • Status: Solved
  • Priority: Medium
  • Security: Public

FAO CarlWebster or other Citrix gurus

We are moving towards a thin client environment via Citrix.

Some of our data is classed as highly sensitive.

Do you have any best practice security policies for users to protect this data when being accessed/edited in a thin client / Citrix environment?

Are there other considerations above and beyond our traditional fat client workstations and Windows servers, when migrating to Citrix/thin client, in terms of data security? If yes, can you detail what?
1 Solution
Tony J (Lead Technical Architect) commented:
Embedded Windows-based thin clients are very useful in these situations because of their write filter - nothing is saved on the thin client after a reboot.

Depending on the exact classification, you may want to consider any or all of the following:

Disable clipboard and local drive mapping;

Have the clients on a completely separate VLAN and separate via ACLs;

Disable local USB and, if applicable, local CD/DVD writing;

On the Citrix servers themselves, you may want to utilise the restricted applications group policy such that only applications (ideally by MD5 hash not application name) can be run;

Have a separate Citrix Admins group and only allow members of that group elevated permissions, not the usual administrative groups;

Depending how you decide to deliver the applications or desktop, you may want to have very tight group policy based lockdowns on the Citrix Users (again, I usually create a separate group);

I have used products in the past by a company called Varonis - this is actually quite useful in all high security environments, as it has the capability of showing genuine, historical data on files accessed (by the file or user) across an environment;

Again, depending on the classification of data and the networks, it may be worthwhile considering moving the clients to fiber-based networking that can't be non-invasively sniffed;

The server disks could potentially be encrypted;

Use SSL where applicable;

I'll probably think of some more after hitting submit, but all of what I've suggested above I have actually used over the years.
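
An added example, not part of the answer above, showing why the answer prefers hash rules over application-name rules when restricting what can run on the Citrix servers. It uses SHA-256 in place of the MD5 mentioned in the answer, and the file names and byte strings are constructed stand-ins for real executables.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dir: Path) -> dict:
    """Map digest -> file name for every file under the approved directory."""
    return {file_digest(p): p.name for p in sorted(approved_dir.rglob("*")) if p.is_file()}


def allowed_by_name(path: Path, allowlist: dict) -> bool:
    """Name rule: passes anything that carries an approved file name."""
    return path.name.lower() in {n.lower() for n in allowlist.values()}


def allowed_by_hash(path: Path, allowlist: dict) -> bool:
    """Hash rule: passes only byte-identical copies of an approved file."""
    return file_digest(path) in allowlist


def demo() -> dict:
    """Evaluate both rule types against constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        approved, profile = Path(tmp, "approved"), Path(tmp, "user_profile")
        for d in (approved, profile):
            d.mkdir()
        (approved / "editor.exe").write_bytes(b"constructed approved build 1.0")
        # Different content under an approved name, in a user-writable folder.
        renamed = profile / "editor.exe"
        renamed.write_bytes(b"constructed unapproved tool")
        # A vendor update changes the bytes, so hash rules must be refreshed.
        patched = profile / "editor_patched.exe"
        patched.write_bytes(b"constructed approved build 1.1")
        rules = build_allowlist(approved)
        return {
            "approved_hash": allowed_by_hash(approved / "editor.exe", rules),
            "renamed_name": allowed_by_name(renamed, rules),
            "renamed_hash": allowed_by_hash(renamed, rules),
            "patched_hash": allowed_by_hash(patched, rules),
        }
```

The `patched_hash` result is the operational cost of hash rules: every application update needs the allowlist regenerated before users can run the new build.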
