Hi, this is Andy Cooper from Citrix product security team. I’m starting the first in a series of blog posts on XenApp/XenDesktop to build upon the recently published End-to-End Encryption Whitepaper, describing why and how you should go about enabling security on various network links in the modern XenDesktop/XenApp 7.x architecture.

Read on to learn how to secure the XML Service in XenApp/XenDesktop. It is important to read this post to understand the configurations in which user passwords might be sent in cleartext over the network, and how to secure this communication path using HTTPS.

Before we deal with the full details behind these security risks, let’s review the steps you can take to decide if you are potentially at risk from this issue.

How to tell if you are potentially vulnerable

[Flowchart: deciding whether you are potentially vulnerable; the steps are listed below]

  1. For each StoreFront store, determine whether you are using explicit password-based logon. Examples of explicit password authentication include:
    1. StoreFront authentication via ‘username and password’ authentication
    2. StoreFront authentication via ‘Pass-through from NetScaler Gateway’ authentication where, in addition, the associated setting ‘Configure Delegated Authentication’ is not set to ‘Fully delegate credential validation to NetScaler Gateway’.
  2. If you are not using explicit password logon for any StoreFront store, you are not vulnerable to the risk of cleartext password disclosure over the network. Examples of configurations that are not vulnerable include:
    1. StoreFront authentication via ‘Smart card’ authentication.
    2. StoreFront authentication via ‘Domain pass-through’ with either password pass-through or smart card pass-through.
  3. If explicit password logon is enabled for a StoreFront store, next confirm whether StoreFront is configured to use HTTP for the Delivery Controller connection. To do this, perform the following steps:
    1. Click Manage Delivery Controllers
    2. For each Delivery Controller, click Edit
    3. If Transport Type is HTTP, you are potentially vulnerable to password interception and replay (see the screenshot below for an example of a potentially vulnerable configuration):

[Screenshot: Manage Delivery Controllers dialog with Transport Type set to HTTP]
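The transport-type check in step 3 can be run against every store at once from the StoreFront server. The script below is an added example, not code from the original post or from Citrix. It assumes StoreFront 3.x with its PowerShell SDK in the default install location, and uses that SDK's Get-STFStoreService, Get-STFStoreFarm and Set-STFStoreFarm cmdlets and the FriendlyName, FarmName, Servers, Port and TransportType properties; step 1 (whether a store uses explicit password logon) is still checked in the StoreFront console as the post describes.

```powershell
# Added example, not code from the original post or from Citrix.
# Lists the Delivery Controller connection of every StoreFront store on this server
# and flags those using HTTP (step 3 of the post's checklist). Assumes StoreFront 3.x
# with its PowerShell SDK installed in the default location; cmdlet and property
# names are those of that SDK. Run in an elevated PowerShell session on StoreFront.
& "$env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

# Set to $true only after TLS server certificates are installed on the Controllers
# (see the post's Resolution section); switching to HTTPS earlier breaks enumeration.
$applyFix = $false

$findings = foreach ($store in Get-STFStoreService) {
    foreach ($farm in Get-STFStoreFarm -StoreService $store) {
        [pscustomobject]@{
            Store         = $store.FriendlyName
            Farm          = $farm.FarmName
            Controllers   = ($farm.Servers -join ', ')
            Port          = $farm.Port
            TransportType = $farm.TransportType
            # HTTP means the StoreFront -> XML Service link carries credentials unprotected
            AtRisk        = ($farm.TransportType -eq 'HTTP')
        }
    }
}

$findings | Format-Table -AutoSize

$atRisk = @($findings | Where-Object { $_.AtRisk })
if ($atRisk.Count -eq 0) {
    Write-Host 'All Delivery Controller connections use HTTPS.'
    return
}

foreach ($f in $atRisk) {
    Write-Warning ("Store '{0}', farm '{1}' talks to {2} over HTTP on port {3}" -f `
        $f.Store, $f.Farm, $f.Controllers, $f.Port)
}

if ($applyFix) {
    foreach ($store in Get-STFStoreService) {
        $httpFarms = Get-STFStoreFarm -StoreService $store | Where-Object { $_.TransportType -eq 'HTTP' }
        foreach ($farm in $httpFarms) {
            # Move the farm to HTTPS on 443. The Controllers must already present a
            # certificate whose subject matches the names listed in $farm.Servers.
            Set-STFStoreFarm -Farm $farm -TransportType HTTPS -Port 443
        }
    }
}
```

Run it read-only first; the warning lines are the stores to follow up on. Only flip $applyFix after the certificate steps from the TLS topic are complete on every Controller named in the farm, because StoreFront will refuse a Controller whose certificate does not match the configured server name.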

Understanding the Role of the XML Service

To understand the impact of the risk of password disclosure, it is helpful to understand the role of the XML Service and where it is situated in a XenDesktop deployment, see the diagram below:

[Diagram: TLS network links in XenDesktop]

The XML Service is used by the StoreFront server to communicate with the Delivery Controller. It is used for app/desktop enumeration and launch. The Secure Ticket Authority also shares the same port with the XML Service. The Secure Ticket Authority will not be discussed further in this article as it does not process user passwords.

During explicit password-based app/desktop enumeration and launch, the StoreFront server sends the user password to the XML Service. The password is sent using a Citrix proprietary encoding, but this provides no significant protection; essentially, the password is sent in cleartext.

[Figure: XML Service flow without Trust the XML Service enabled (NoTrustXML)]

If passthrough authentication is used, the Trust the XML Service setting must be enabled, so that it is possible to perform application/desktop enumeration and launch using the XML Service without a password.

In this configuration, the XML Service returns a ticket that can be used to authorise an HDX connection to a VDA (this is for an internal HDX connection, potentially behind a NetScaler Gateway). No user passwords are sent to the XML Service in this configuration. Instead, the user credentials are passed over the HDX channel between Receiver and the VDA using Single Sign-on at the Windows logon provider.

[Figure: XML Service flow with Trust the XML Service enabled (TrustXML)]

Potential Impact and Mitigating Factors

If you are potentially vulnerable, as determined above, this means that cleartext passwords are traversing the network between the StoreFront servers and the XML Service. If it is possible for an attacker to eavesdrop on the network segment, or to otherwise obtain the traffic (for example by spoofing either endpoint), then they would be able to obtain and replay the user’s Active Directory username and password.

Resolution

To mitigate this threat, enable TLS for the link between StoreFront and the Delivery Controller. Refer to the TLS topic for step-by-step guidance, specifically Install TLS server certificates on Controllers.

It is also recommended to enforce HTTPS-only traffic by disabling HTTP with the XmlServicesEnableNonSsl registry key (see the TLS topic for details).

Note: this topic is titled “SSL” in XenApp and XenDesktop 7.6, but the same steps apply.
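To confirm on each Delivery Controller that HTTP really is off, and to apply the registry change from the Resolution section, the following script is an added example, not code from the original post or from Citrix. It assumes the XmlServicesEnableNonSsl value lives under HKLM:\SOFTWARE\Citrix\DesktopServer and that the Citrix Broker Service's service name is CitrixBrokerService; both are assumptions to verify against the TLS topic for your version, and the host name in the final check is a constructed placeholder.

```powershell
# Added example, not code from the original post or from Citrix.
# Run on a Delivery Controller: reports whether the XML Service still accepts plain
# HTTP and, with -Enforce, disables it using the XmlServicesEnableNonSsl value the
# post mentions. Assumed (verify for your version): the value is under
# HKLM:\SOFTWARE\Citrix\DesktopServer and the Broker service is CitrixBrokerService.
param([switch]$Enforce)

$keyPath = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
$props   = Get-ItemProperty -Path $keyPath -ErrorAction Stop

# A missing value means the default, which leaves HTTP enabled.
$nonSsl = if ($null -ne $props.XmlServicesEnableNonSsl) { $props.XmlServicesEnableNonSsl } else { 'not set (HTTP enabled)' }
"XmlServicesEnableNonSsl = $nonSsl  (0 = HTTP disabled)"

if ($nonSsl -ne 0) {
    Write-Warning 'XML Service accepts HTTP: credentials from StoreFront can cross the network in cleartext.'
}

if ($Enforce) {
    # Never turn HTTP off before HTTPS is actually listening, or StoreFront loses the Controller.
    $httpsUp = Test-NetConnection -ComputerName localhost -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $httpsUp) {
        throw 'HTTPS is not listening on 443. Install the TLS server certificate (TLS topic) before disabling HTTP.'
    }
    Set-ItemProperty -Path $keyPath -Name XmlServicesEnableNonSsl -Value 0 -Type DWord
    # The Broker re-reads the setting on restart.
    Restart-Service -Name CitrixBrokerService
    'HTTP disabled for the XML Service; verify StoreFront stores now use HTTPS transport.'
}

# Optional check from another host once HTTP is off: port 80 should no longer accept
# connections. Constructed host name; replace with your Controller.
# Test-NetConnection -ComputerName ddc01.example.local -Port 80 -InformationLevel Quiet
```

Run without -Enforce to audit; the warning is the condition the post describes. The 443 check before the registry write is the important guard: the post's order (certificates first, then disable HTTP) avoids a Controller that StoreFront can no longer reach at all.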
