Security: it’s a topic that’s been in the news more than most IT professionals would care for. A string of highly public security breaches and technology hacks has many of our customers asking: How do I secure my Citrix environment and prevent a similar security incident?

Many enterprises are now re-focusing on security as a top priority after a period of concentrating on user experience and system capabilities. This means Citrix teams are now being tasked with protecting systems that may not have been designed with security in mind.

No worries, Citrix Consulting is here to help. Here are just a few of our top leading practices when it comes to securing your Citrix environment.

Authentication. Authentication is one of the most common attack vectors for any IT system, yet many enterprises don’t go beyond implementing basic password complexity requirements. Some simple NetScaler and StoreFront configurations can address additional security considerations. One is to make sure NetScaler Gateway and AAA service logon limits, failed logon timeouts, and HTTP Rate Limiting are properly set. This takes only a small effort to configure and can prevent one of the most basic authentication attacks, brute force. NetScaler MAS can also easily display these attempts for further analysis and auditing.
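As an added illustration (not Citrix code and not a NetScaler configuration), the following Python model shows how a per-user failed-logon limit with a lockout timeout and a per-source request rate limit interact when replayed over a constructed sequence of gateway logon attempts; the class, parameter names and sample events are assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample of gateway logon events: (seconds, source_ip, user, password_ok)
SAMPLE_EVENTS = [
    (0,   "203.0.113.7",  "alice", False),
    (5,   "203.0.113.7",  "alice", False),
    (10,  "203.0.113.7",  "alice", False),  # third failure: account locks
    (15,  "203.0.113.7",  "alice", True),   # correct password, but still locked
    (20,  "198.51.100.9", "bob",   True),   # unrelated user is unaffected
    (400, "203.0.113.7",  "alice", True),   # lockout expired: succeeds
]


class LogonGuard:
    """Hypothetical model of two controls: a per-user failed-logon limit with a
    lockout timeout, and a per-source-IP request rate limit over a time slice."""

    def __init__(self, max_failures=3, failure_window=600, lockout_seconds=300,
                 rate_limit=10, time_slice=60):
        self.max_failures, self.failure_window = max_failures, failure_window
        self.lockout_seconds = lockout_seconds
        self.rate_limit, self.time_slice = rate_limit, time_slice
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lockout ends
        self.requests = defaultdict(deque)   # source ip -> timestamps of requests

    def evaluate(self, ts, ip, user, password_ok):
        # Rate limit first: drop requests beyond rate_limit per time_slice per source.
        q = self.requests[ip]
        while q and ts - q[0] >= self.time_slice:
            q.popleft()
        q.append(ts)
        if len(q) > self.rate_limit:
            return "rate_limited"
        # Lockout: even a correct password is refused until the timeout expires.
        if ts < self.locked_until.get(user, 0):
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "allowed"
        f = self.failures[user]
        while f and ts - f[0] >= self.failure_window:   # forget stale failures
            f.popleft()
        f.append(ts)
        if len(f) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout_seconds
            f.clear()
            return "locked"
        return "denied"


def replay(events, **settings):
    """Run a sequence of events through one LogonGuard and return each verdict."""
    guard = LogonGuard(**settings)
    return [guard.evaluate(*event) for event in events]
```

The verdict list from `replay(SAMPLE_EVENTS)` is the audit trail a reviewer would look for: repeated "denied" followed by "locked" for one user from one source, with other users unaffected.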

OS and Application Security. OS and application lockdowns are one of the best first steps you can take toward locking down your internal Citrix environment. Microsoft provides some good baselines to start with, and Citrix provides Common Criteria-compliant group policy objects as well. These should be used as baselines to start preventing users from “breaking out” on your servers and desktops. In addition, applications need to be analyzed for threats. By default, Microsoft Office provides access to numerous dialog boxes, allows the execution of macros, and can launch browsers from hyperlinks. In many instances, these functions are not needed by users and should be removed!

Contextual Access. Contextual access refers to the different user access scenarios that exist across a Citrix environment. Many of our customers implement technical controls (Microsoft and Citrix policy, file permissions, network permissions, etc.) based solely upon Active Directory group membership. This means that a user accessing data internally from a corporate device has the same rights as when working from home on an unmanaged laptop. It’s critical to think of these two scenarios as having disparate security risks, and to take appropriate action. A good first step is to implement Citrix policy based not only on security group membership, but also on where the user is located. NetScaler and XenDesktop can easily identify and control users in these different access scenarios through SmartAccess/SmartControl and backend Citrix policy filters.

This is just a high-level overview of some key lessons we’ve learned; they can benefit you as you start applying leading security practices to your environment.

If you want more information, please join Mike Schaeffer, Katie Cuthbert and me for a free webinar on August 8 at 9 a.m. and 2 p.m. EDT. There will be a live Q&A session at the end so you can ask your own Citrix security questions.
Feel free to comment below if there are any additional security-related topics you’d like to see addressed.

Nick Czabaranek
Public Sector Enterprise Architect
Citrix Consulting Services