Server 2016 and Enhanced Security Reporting

The release of XenDesktop 7.11 comes with a new version of Citrix AppDNA, which adds a reporting module for Windows Server 2016 RTM and new algorithms for the security reporting feature introduced in 7.9.

Let’s take a look at what has changed.

Server 2016 RTM

For Server 2016, we’ve introduced three new algorithms:

  • Two new algorithms in the GPO section:
    • W2K16_GPO_EDGE_001 – Detects whether the application registers URL handlers that would, by default, launch the Edge browser. That launch fails if the application is running under the built-in Administrator account.
    • W2K16_GPO_SHELL_002 – Detects Shell calls, such as ShellExecute, that a policy can block or restrict.
  • W2K16_VER_001 – GetVersionEx is deprecated (in favour of the Version Helper functions) and should not be used. It continues to work, however, so the algorithm is green (informational).

Is that all there is for Server 2016?

No! Every time a new operating system is released, the operating system snapshots in AppDNA are refreshed or added, which means all of the delta algorithms update too. But what are these delta algorithms?

The delta algorithms are the “difference” between the previous operating system and the current one: they look for applications that call APIs which existed in the previous OS but have been removed from the new one. So, if an application called xyzFunc() on Server 2012 R2 and that function no longer exists on Server 2016, Citrix AppDNA flags it as an issue through the standard delta algorithms that ship with the product.

What about the new security algorithms?

In the security analysis module, we’ve added three new algorithms:

  • SEC_SEH_001 – The flagged binary has not been linked with the /SAFESEH flag, which leaves it potentially vulnerable to Structured Exception Handler (SEH) overwrite exploitation techniques. /SAFESEH applies only to 32-bit (x86) images; x64 code uses table-based exception handling and has no SEH chain to overwrite. This is a red algorithm.
  • SEC_SSL_001 – Looks for the presence of specific versions of the OpenSSL libraries known to be vulnerable to Heartbleed (CVE-2014-0160). This is a red algorithm.
  • SEC_FIPS_001 – Looks for .NET applications that use cryptographic algorithm implementations known not to work on a FIPS-secured platform. This gives valuable insight into potential compatibility problems if you operate a FIPS-compliant deployment. The algorithm does not yet detect all cases; we plan to extend it in future releases, and we are also looking at whether we can do the same for native C++ applications.
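
As an added example (not Citrix AppDNA’s own code), the following Python reproduces the essence of a SEC_SEH_001-style check. A 32-bit PE image linked with /SAFESEH carries a Load Configuration directory whose SEHandlerTable field points at the list of registered handlers, and the Windows loader refuses to dispatch to any handler not in that list; an image without the table can have its SEH chain overwritten and redirected. The parser reads that field directly, and the `build_pe32` helper is a constructed fixture (not a real binary) so the check runs offline.

```python
"""Check whether a 32-bit PE image was linked with /SAFESEH.

Added example (not Citrix AppDNA code): reproduces the kind of check behind a
SEC_SEH_001-style finding by reading the image's Load Configuration directory.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400


def _u16(d, o):
    return struct.unpack_from("<H", d, o)[0]


def _u32(d, o):
    return struct.unpack_from("<I", d, o)[0]


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is outside every section" % rva)


def safeseh_status(data: bytes) -> str:
    """Return 'not-pe', 'not-x86' (SafeSEH exists only for 32-bit images; x64
    uses table-based unwinding), 'no-seh' (IMAGE_DLLCHARACTERISTICS_NO_SEH: the
    image contains no exception handlers at all), 'safeseh', or 'unsafe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    pe = _u32(data, 0x3C)                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return "not-pe"
    fh = pe + 4                                  # IMAGE_FILE_HEADER
    machine, nsections = _u16(data, fh), _u16(data, fh + 2)
    opt_size = _u16(data, fh + 16)
    opt = fh + 20                                # IMAGE_OPTIONAL_HEADER32
    if machine != IMAGE_FILE_MACHINE_I386 or _u16(data, opt) != PE32_MAGIC:
        return "not-x86"
    if _u16(data, opt + 70) & IMAGE_DLLCHARACTERISTICS_NO_SEH:      # DllCharacteristics
        return "no-seh"
    if _u32(data, opt + 92) <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:   # NumberOfRvaAndSizes
        return "unsafe"
    dir_off = opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    lc_rva = _u32(data, dir_off)
    if lc_rva == 0:
        return "unsafe"                          # no Load Config directory at all
    sec = opt + opt_size                         # section headers follow the optional header
    sections = [(_u32(data, s + 12), _u32(data, s + 8), _u32(data, s + 20), _u32(data, s + 16))
                for s in range(sec, sec + 40 * nsections, 40)]
    lc = _rva_to_offset(sections, lc_rva)
    # IMAGE_LOAD_CONFIG_DIRECTORY32: Size at +0x00, SEHandlerTable at +0x40, SEHandlerCount at +0x44.
    if _u32(data, lc) < 0x48:
        return "unsafe"                          # structure too short to carry an SEH table
    seh_table = _u32(data, lc + 0x40)
    # A non-zero SEHandlerTable is what /SAFESEH emits: the list of handlers the loader will accept.
    return "safeseh" if seh_table else "unsafe"


def build_pe32(seh_table_rva, dll_chars=0, machine=IMAGE_FILE_MACHINE_I386):
    """Construct a minimal, non-runnable 32-bit PE with one section holding a
    Load Config directory. Constructed test fixture, not a real binary."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew
    pe = 0x80
    hdr[pe:pe + 4] = b"PE\0\0"
    fh = pe + 4
    opt_size = 96 + 8 * 16                       # PE32 optional header with 16 data directories
    struct.pack_into("<HHIIIHH", hdr, fh, machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = fh + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<H", hdr, opt + 70, dll_chars)
    struct.pack_into("<I", hdr, opt + 92, 16)
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, 0x48)
    sec = opt + opt_size                         # one section: .rdata at RVA 0x1000, file offset 0x200
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    body = bytearray(0x200)
    struct.pack_into("<I", body, 0, 0x48)        # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<I", body, 0x40, seh_table_rva)
    return bytes(hdr + body)


if __name__ == "__main__":
    for label, img in (("with handler table", build_pe32(0x2000)), ("no table", build_pe32(0))):
        print(label, "->", safeseh_status(img))
```

To run it against a real image use `safeseh_status(open(path, "rb").read())`; the result can be cross-checked with `dumpbin /LOADCONFIG`, which prints the Safe Exception Handler Table address and count. A 64-bit result of `not-x86` is not a finding: the mitigation simply does not apply there.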

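The OpenSSL and FIPS checks above both come down to looking for indicator strings inside a binary. As an added example (again not AppDNA code), the scanner below does both over constructed byte blobs: it classifies embedded OpenSSL version strings against the Heartbleed (CVE-2014-0160) range, which is 1.0.1 through 1.0.1f plus 1.0.2-beta1, and it looks for the .NET cryptography type names whose managed or unapproved implementations throw InvalidOperationException when the Windows FIPS policy is enabled. The list of .NET types and the sample blobs are the example’s own assumptions, not the product’s algorithm definitions.

```python
"""Scan a binary's strings for Heartbleed-range OpenSSL versions and for .NET
crypto types that fail under the Windows FIPS policy.

Added example, not Citrix AppDNA code.
"""
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 ...", "OpenSSL 1.0.1e-fips ..."
OPENSSL_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")

# Assumed indicator list: managed (not FIPS 140 validated) or unapproved (MD5)
# implementations. The *CryptoServiceProvider / *Cng classes of approved
# algorithms are the replacements.
NON_FIPS_DOTNET_TYPES = (
    b"MD5CryptoServiceProvider", b"SHA1Managed", b"SHA256Managed", b"SHA384Managed",
    b"SHA512Managed", b"RijndaelManaged", b"AesManaged", b"RIPEMD160Managed",
)


def heartbleed_vulnerable(major, minor, patch, letter, beta):
    """Version-string test for CVE-2014-0160. Distributions often backport the
    fix without changing the version string, so a hit means 'verify', not
    'exploitable'; a miss on an unpatched 1.0.1 build is not possible."""
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) sorts before "a"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"       # fixed in 1.0.2-beta2
    return False


def scan_binary(data: bytes) -> dict:
    """Return every OpenSSL version string found, those in the Heartbleed range,
    and any non-FIPS .NET type names present."""
    openssl, vulnerable = [], []
    for m in OPENSSL_RE.finditer(data):
        major, minor, patch = (int(x) for x in m.group(1, 2, 3))
        letter = m.group(4).decode()
        beta = (m.group(5) or b"").decode()
        version = "%d.%d.%d%s%s" % (major, minor, patch, letter, beta)
        openssl.append(version)
        if heartbleed_vulnerable(major, minor, patch, letter, beta):
            vulnerable.append(version)
    non_fips = sorted({t.decode() for t in NON_FIPS_DOTNET_TYPES if t in data})
    return {"openssl": openssl, "heartbleed": vulnerable, "non_fips_dotnet": non_fips}


# Constructed samples standing in for extracted binaries (not real files).
SAMPLE_NATIVE = (b"\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00junk\x00"
                 b"OpenSSL 1.0.1g 7 Apr 2014\x00")
SAMPLE_BETA = b"OpenSSL 1.0.2-beta1 24 Feb 2014\x00"
SAMPLE_DOTNET = (b"BSJBSystem.Security.Cryptography\x00SHA1Managed\x00"
                 b"RijndaelManaged\x00SHA256CryptoServiceProvider\x00")

if __name__ == "__main__":
    for name, blob in (("native", SAMPLE_NATIVE), ("beta", SAMPLE_BETA), ("dotnet", SAMPLE_DOTNET)):
        print(name, scan_binary(blob))
```

On a real .NET assembly the type names live in the metadata #Strings heap as null-terminated text, so a plain substring search is enough to surface them; confirming that the code path actually runs under FIPS policy still needs a test on a machine with the policy enabled.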
We’re proud of the security enhancements that have come with each release of AppDNA; let us know what you think!
