The Citrix Consulting Security Practice team conducts assessments to help our customers improve the security of their existing Citrix solutions and to identify other technologies or configurations that could further strengthen their security posture. In the course of performing these assessments, we’ve encountered a number of recurring themes that affect many organizations, regardless of their industry sector, geography, and organizational structure.
In part 1 of this blog series, we listed the top 10 findings from these security assessments and explained why addressing them is so important. Now, in part 2, we offer you practical recommendations for each of the 10 areas based on our extensive field experience and leading Citrix practices. Our goal is to help you get started on the work of improving your security.
Disclaimer: This article is intended to provide general guidance on common themes observed during the course of these engagements. It is not intended to be an exhaustive or comprehensive hardening guide, and all recommendations should be carefully reviewed with your internal security, risk, and compliance teams to confirm alignment with your organization’s policy. Some of these configurations may also have an impact on user experience, administrative complexity, etc. All proposed remediations should first be carefully tested and validated in a non-production environment before being implemented in production.
Following are checklists of actions you can take to address each security area.
- Reduce the Attack Surface
Here are common practices to help reduce the attack surface in a Citrix environment:
- Disable unneeded features and capabilities.
- Disable unneeded virtual channels or configure policies to restrict any redirections.
- Consider separating key components (StoreFront, Delivery Controller, SQL Server, Federated Authentication Service, etc.) into individual virtual machines.
- Leverage a Citrix networking appliance to provide a redundant single point of access to the environment. This minimizes the number of ingress ports open to higher security zones.
- Maintain consistent operating system and firmware patch schedules.
- Enforce the use of strong ciphers, encryption, and auditing.
- Exercise discipline in managing account permissions.
- Disable any anonymous accounts created by default.
- Implement host-based and network-based firewalls.
- Control or restrict your allowed endpoints and unmanaged devices.
- Restrict logon rights for both user and computer accounts appropriately (log on locally, log on as service). For example, VDA for Server OS requires “Allow log on through Remote Desktop Services,” while VDA for Desktop OS does not.
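To check the last item on a machine, here is an added example (not code from the Citrix post) that exports the local security policy with secedit and lists which principals hold the logon rights relevant to a VDA; it assumes an elevated PowerShell session on the VDA being audited.

```powershell
# Added example, not part of the Citrix post: audit which principals hold the
# logon rights the checklist calls out, by exporting the local security policy
# with secedit and resolving the SIDs. Run in an elevated prompt on the VDA.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Rights of interest: RDS logon (required by VDA for Server OS), local logon,
# service logon, and the matching deny rights that should cover service accounts.
$rights = 'SeRemoteInteractiveLogonRight', 'SeInteractiveLogonRight',
          'SeServiceLogonRight', 'SeDenyRemoteInteractiveLogonRight',
          'SeDenyInteractiveLogonRight'

$policy = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $matches[1]
    $holders = foreach ($entry in ($matches[2] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; translate them to names,
            # but keep the raw SID if it no longer resolves (orphaned account)
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
    $policy[$right] = @($holders)
}
Remove-Item -Path $cfg -Force

foreach ($r in $rights) {
    # A right absent from the export is held by nobody on this machine
    $who = if ($policy.ContainsKey($r)) { $policy[$r] -join ', ' } else { '(nobody)' }
    '{0,-36} {1}' -f $r, $who
}
```

Compare the output against the VDA role: a Desktop OS VDA listing members under SeRemoteInteractiveLogonRight, or a service account missing from the deny rights, is a finding to follow up.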
- Embrace Segmentation
Automation has made segmentation easier, and segregating applications and data of different trust levels has become a valuable capability that limits exposure.
- Review the resources and their sensitivity made available to your user community.
- Determine if these resources have varying degrees of criticality to your business. For example, is some data more sensitive than others or does it have higher confidentiality requirements?
- Consider isolating more critical resources from higher-risk user activities like web browsing and email access.
- By allowing access only through Citrix networking appliances, TLS and TCP sessions can be terminated at a security boundary.
- Minimize open firewall ports or disable routing entirely between network zones of different security levels.
- Apply the Principle of Least Privilege
Does your organization follow the procedures below to help reduce the risk of excessive permissions and privilege?
- Create a justification and approval process before accounts are created and permissions granted.
- Implement stringent change control, enforcing the removal of any temporary permissions granted for “just in time” or troubleshooting purposes.
- Use a password vaulting tool so that account passwords are not directly known by administrators.
- Deny interactive logon rights for service accounts where possible.
- Periodically audit account permissions.
- Audit administrator and user operating system, share, and NTFS permissions.
- Enforce contextual access policies and two-factor authentication.
If you are due for a cleanup, there are a few places to start that can deliver the highest value. Ask these questions:
- Have administrators amassed permissions they no longer need?
- Are service accounts used for several purposes simultaneously (worse, do several people know the password, and does the account have interactive logon rights)?
- Are service accounts given permissions they do not need?
- Are users granted access to applications, data, and services not required for their job function?
- Is file share or system drive access too lenient?
- Is role-based access control properly and consistently implemented?
- Tune Citrix Policies
Be sure to review your Citrix policy settings, particularly those under ICA/File Redirection, to validate that they are configured in alignment with your intended security posture. The additional settings below should also be reviewed and restricted where appropriate:
- Client clipboard redirection
- Launching of non-published programs during client connection
- Auto client reconnect
- Content redirection
- Browser content redirection
- Port redirection (COM, LPT)
- Printing flow and permissions
- Minimum encryption level
- Session limits/timeouts
- USB devices
- Protect User Credentials
Mitigation of pass-the-hash attacks is often best approached at several levels. Some of the primary considerations to review include:
- Adhering to the principle of least privilege
- Lateral network segmentation and isolation where appropriate
- Leveraging tools such as Credential Guard
- Using solutions, such as LAPS, which prevent provisioned systems from having the same local admin passwords
- Restricting authentication to Citrix network appliances that enforce two-factor authentication
- Avoiding use of privileged accounts for scheduled tasks or scripts where possible
- Not creating accounts on templates or source images
- Disabling LM and NTLM responses, and considering “Send NTLMv2 response only. Refuse LM & NTLM” if appropriate
- Increasing the Domain Functional Level, which can make enhanced security features available, such as Restricted Admin mode for Remote Desktop Connection, LSA Protection, the Protected Users security group, or rolling of expiring NTLM secrets during sign-on. Details of these security features enabled by increasing your Domain Functional Level can be found here.
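The LM/NTLM and LSA Protection items above map to registry values under the LSA key; the following added example (not from the Citrix post) reads them and flags anything below the “Refuse LM & NTLM” level. It assumes a domain-joined Windows Server or VDA; no elevation is needed to read these values.

```powershell
# Added example, not part of the Citrix post: read-only check of the LSA
# registry values behind the LM/NTLM and LSA Protection items above. Run on a
# VDA, Delivery Controller or StoreFront server; no elevation needed to read.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Values of the "Network security: LAN Manager authentication level" policy
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LsaValue([string]$Name) {
    # Returns $null when the value is absent, i.e. the OS default applies
    (Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-LsaHardening {
    $level = Get-LsaValue 'LmCompatibilityLevel'
    if ($null -eq $level) { $level = 3 }   # default since Windows 7 / Server 2008 R2
    [pscustomobject]@{
        Setting = 'LmCompatibilityLevel'
        Value   = "$level ($($levelNames[[int]$level]))"
        Status  = if ($level -ge 5) { 'OK' } else { 'REVIEW: below "Refuse LM & NTLM"' }
    }
    $noLm = Get-LsaValue 'NoLMHash'
    [pscustomobject]@{
        Setting = 'NoLMHash'
        Value   = if ($null -eq $noLm) { '(not set)' } else { $noLm }
        Status  = if ($noLm -eq 0) { 'WEAK: LM hashes stored' }
                  elseif ($null -eq $noLm) { 'OK by default (not stored since Vista/2008)' }
                  else { 'OK' }
    }
    $ppl = Get-LsaValue 'RunAsPPL'
    [pscustomobject]@{
        Setting = 'RunAsPPL'
        Value   = if ($null -eq $ppl) { '(not set)' } else { $ppl }
        Status  = if ($ppl -ge 1) { 'OK' } else { 'REVIEW: LSA Protection not enabled' }
    }
}

Test-LsaHardening | Format-Table -AutoSize
```

Where a value is controlled by Group Policy, the registry reflects the effective setting, so the same check works on a fleet via Invoke-Command.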
- Ensure Availability
When reviewing environment availability/business continuity, confirm the following:
- All infrastructure components are (at minimum) N+1 highly available.
- All redundant infrastructure components have anti-affinity rules applied so that highly available counterparts are not on the same host.
- Hardware fault tolerance aligns with accepted organizational risk (N+1, 20 percent, rack failure, etc.).
- Components are connected to redundant network and storage infrastructure.
- Failure domains have been sized in accordance with business risk tolerance.
- Relevant components are properly backed up, and restoration procedures have been tested and are documented.
- Failure model, either fail open or fail closed, is documented and tested.
- Business continuity plans and the disaster-recovery strategy are documented, implemented, and tested.
- A robust monitoring and alerting strategy has been implemented and alerts have been tuned to avoid alert fatigue.
- Network threat prevention actions have been taken against things like DDoS attacks. This could be an article by itself but some details can be found here.
- Encrypt All Sensitive Traffic Flows
All traffic flows should be adequately encrypted to protect secrets and to prevent eavesdropping or modification of traffic flows.
- Make sure the following communication flows are secured with TLS and access to administrative consoles is restricted to the extent possible at a network level:
- All Citrix-related web consoles (Director, ADC/NetScaler, ADM/MAS, SD-WAN, License server, App Layering management console)
- XML communications between StoreFront and Controllers or Cloud Connectors
- All user communication to Citrix servers. Optionally, certificates can be deployed on the VDA to have end-to-end TLS
- Enable public key authentication for SSH to NetScaler/ADC.
- Perform StoreFront IIS hardening.
- Enforce secure LDAP for all relevant components.
- Do not rely solely on SecureICA to provide robust encryption.
- Prevent Session Breakouts
Preventing the array of possible session breakouts can be difficult to achieve, but some common controls can be implemented to reduce exposure:
- File system – Many applications have simple functions such as “Save as,” which may allow someone to launch an application by navigating the file structure. The file system and accessible network shares should be sufficiently hardened to prevent an actor from gaining unauthorized access (least privilege).
- Help menus – Based on a similar concept, these menus often give the actor access to do “something else” like view a web page. Be sure to observe these workflows and restrict potential outcomes as necessary.
- Admin tools – Access to many of these tools, such as CMD, Run, RegEdit, and Control Panel, can be prevented via simple GPO. Others, like PowerShell, require an alternate approach.
- Outbound web traffic – Enforce use of a filtering web proxy for outbound web traffic to reduce the ability to bring in untrusted programs.
- Application restrictions – These tend to be the most effective, and the final line of defense. They can be implemented with tools like AppLocker or WEM Application Security. We generally recommend hash-based whitelisting but may settle for blacklisting specific sensitive components such as command-line tools in the interim.
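As an added example (not code from the Citrix post), this script builds hash-based AppLocker allow rules for one published application and then uses Test-AppLockerPolicy to confirm what the policy would decide for the command-line tools named above. It assumes a placeholder application folder, C:\Program Files\ExampleApp, and an elevated session on a reference VDA with the AppLocker module installed.

```powershell
# Added example, not part of the Citrix post: generate hash-based AppLocker
# allow rules for a published application's folder, then check what the
# policy would decide for the command-line tools named above as breakout paths.
# Assumptions: a placeholder app folder C:\Program Files\ExampleApp; run
# elevated on a reference VDA with the AppLocker PowerShell module available.
Import-Module AppLocker

$appDir    = 'C:\Program Files\ExampleApp'         # placeholder, adjust
$policyXml = Join-Path $env:TEMP 'vda-applocker.xml'

# One Allow rule per executable, keyed on its hash, granted to Everyone.
# Hash rules are per file, so every patched binary needs the policy regenerated.
Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Hash -User Everyone -Xml |
    Set-Content -Path $policyXml

# Evaluate tools commonly reached via Save As, help menus or Run. With only
# Allow rules for the app present, anything else in the Exe collection is
# DeniedByDefault once enforcement is turned on.
$tools = "$env:SystemRoot\System32\cmd.exe",
         "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
         "$env:SystemRoot\regedit.exe"
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $tools -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

A usable policy also needs Allow rules for the operating system itself (the AppLocker default rules cover the Windows and Program Files folders), which would re-allow cmd.exe unless an explicit Deny rule is added, which is the interim blacklisting the text describes. Deploy through GPO in Audit only mode first and review the AppLocker event log before switching to Enforce.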
- Revisit External Access
External access connects your company to a less-trusted network, the Internet. As such, we must be consistently diligent and think carefully about these questions:
- Are all of your access vectors, particularly those that are Internet/customer/partner facing, known, inventoried and managed over their full life cycle?
- Are controls such as multi-factor authentication consistently enforced?
- Are exclusions justified and documented and residual risks offset via some other control to a level that is tolerable to the business?
- Are boundaries protected with firewalls and proxy servers to control and secure traffic?
- Do you scan external systems for open ports and weak algorithms?
- Do you have the ability to block IPs, networks, and countries from access?
- Is external access connected to the lowest trust network?
- Are developmental or pre-production environments still available externally?
- How restrictive or capable are the available firewalls?
- Mature Operations and Maintenance
Common operational gaps we’ve observed include the following. These are a good starting point when determining if your operational procedures can further facilitate an improved security posture:
- Training end users and administrators
- Introducing comprehensive change control processes with correlated audit
- Centrally aggregating logging and forensic information into your SIEM system
- Leveraging security tools that are virtualization aware to provide anti-malware services
- Enabling configuration logging and session recording to monitor administrative functions and help facilitate comprehensive audit logging and accountability
- Conducting regular audits of permissions, configurations, baselines, policies, etc.
- Performing regular penetration tests and evaluations
- Practicing detection, alerting, and response procedures
- Establishing a risk management presence in all change control proceedings
- Practicing incident response and testing disaster recovery and backup restoration
- Testing with an adequate isolated lab or staging environment
- Documenting and managing all service accounts and associated passwords
- Practicing secure application update processes and testing. (Do we download binaries into production over unencrypted channels from the Internet?)
- Automating where possible, as it can provide more-consistent deployments and settings and enable additional recovery capabilities
While the above lists of configurations and procedures aren’t an exhaustive guide to fully hardening a Citrix environment, we hope they at least provide a starting place. They cover some of the high-value adjustments you can make quickly to improve the security posture of your environment.
These efforts shouldn’t be viewed as a one-time exercise, as many of these tasks are ongoing or need to be audited over time to be successful. We also advise that you review the Security Considerations and Best Practices documentation for some additional detail and considerations, as well as the Common Criteria guides, System Hardening for XenApp and XenDesktop whitepaper, and Securing the Published Browser whitepaper.
— Eric Beiers, Lead Security Architect, and Ryan McClure, Sr. Enterprise Architect