Professional Documents
Culture Documents
Deployment
THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-
INFRINGEMENT. CITRIX SYSTEMS, INC. (“CITRIX”), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL
ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY
OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN
IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
This publication contains information protected by copyright. Except for internal distribution, no part of this publication may
be photocopied or reproduced in any form without prior written consent from Citrix.
The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products.
Citrix does not warrant products other than its own.
Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.
Copyright © 2002 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All
rights reserved.
Version History
INTRODUCTION.............................................................................................................................................................................1
PRE-REQUISITES ............................................................................................................................................................................2
ORDER .........................................................................................................................................................................................4
ACTION .........................................................................................................................................................................................4
EVENT ..........................................................................................................................................................................................4
COMMENTS ...................................................................................................................................................................................4
Secure Gateway......................................................................................................................................................................5
Authentication .......................................................................................................................................................................10
User Accounts.......................................................................................................................................................................11
Auditing .................................................................................................................................................................................23
NetBIOS ................................................................................................................................................................................25
Port Filtering..........................................................................................................................................................................27
This document assumes the reader has some knowledge of NFuse and the Citrix Secure Gateway, and briefly
discusses them.
CSG provides a single point of entry and secures access to Citrix server farms. SSL technology is used for encryption,
allowing secure transfer of data across public networks. CSG is also designed to make firewall traversal with
MetaFrame solutions easier.
CSG is an enterprise-wide solution that protects a customer's investment in Citrix MetaFrame infrastructure and
business applications. It is completely transparent to both application programs and network devices, eliminating the
need for any program modifications or equipment upgrades.
• Certificates are only required on the CSG gateway, and not on every MetaFrame server.
• No requirement for separate client software (the standard ICA Win32 client is sufficient)
Although CSG can be used in conjunction with any NFuse v1.61 (or higher) supported platform, on NFuse v1.60 and
v1.51 implementation of CSG requires the use of Microsoft Internet Information Server (IIS). The first release of this
document will therefore provide security best practices for CSG implemented with Microsoft IIS 5.0 and installed on the
Windows 2000 Server family.
Pre-requisites
Before proceeding with this document the reader should complete the following prerequisites.
• Download the latest version of the CSG software. Version 1.01 contains a number of security Hot Fixes for the
STA component.
1. A remote user launches a Web browser and connects to an NFuse Web server on port 80 (HTTP) or port 443
(HTTPS). The NFuse Web portal requires the user to authenticate using valid user credentials.
2. NFuse uses the user credentials to contact the Citrix XML Service, on port 80, running on a MetaFrame server
and obtains a list of applications that the user is authorized to access. NFuse populates the Web portal page
with the list of published applications that the user is authorized to access. The communications so far are the
normal sequence of events that occur when an NFuse Web server is deployed to provide ICA client users with
access to published applications.
3. When the user clicks on a link for a published application, NFuse sends the IP address for the requested
MetaFrame server to the STA and requests a Secure Gateway ticket for the user. The STA saves the IP
address and issues the requested Secure Gateway ticket to NFuse.
4. NFuse generates an ICA file containing the ticket issued by the STA, and then sends it to the client browser.
Note that the ICA file generated by NFuse contains only the IP address of the Secure Gateway server. The
address of the MetaFrame server(s) that the ICA client eventually connects to is not exposed.
5. The browser passes the ICA file to the ICA client, which launches an SSL connection to the Secure Gateway
server. Initial SSL handshaking is performed to establish the identity of the Secure Gateway server.
7. On receipt of the IP address for the MetaFrame server, the Secure Gateway server establishes an ICA
connection to the MetaFrame server. After the ICA connection is established, the Secure Gateway server
monitors ICA data flowing through the connection, and encrypts and decrypts client-server communications.
• Citrix NFuse
Secure Gateway
The Secure Gateway acts as a SSL Gateway for ICA network traffic that services requests between the
ICA client and the MetaFrame XP server. This is a NT service and must run on a Windows 2000 Server.
Citrix NFuse
The Citrix NFuse application portal allows organizations and application service providers (ASPs) to
publish unmodified interactive applications to a standard Web browser. Customers can integrate and
publish interactive applications into any standard Web browser. Administrators retain all the robust
features and benefits of Citrix MetaFrame while getting business and productivity applications across
the Web to users quickly and cost-effectively.
NFuse has the following benefits:
Legend
More Secure These steps should be completed unless there is a good reason not to implement them,
by doing so, the CSG infrastructure will be more impenetrable.
Authentication Mandatory
User Account Mandatory
IIS Anonymous Access User Account Mandatory
NetBIOS Mandatory
Information Leakage via NULL Sessions More Secure
Port Filtering More Secure
Authentication Mandatory
User Account Mandatory
IIS Anonymous Access User Account Mandatory
Authentication Mandatory
User Account Mandatory
Disable Unused Services Mandatory
NetBIOS Mandatory
Information Leakage via NULL Sessions More Secure
Port Filtering More Secure
File System
Description
The file system on each of the CSG components detailed below should be secured so that the
Everyone group in particular does not have Write and Execute permissions for particular
directories. The Windows 2000 system directories should also be secured so that the Everyone
group does not have access to the server’s system files. Another important configuration change
that should be made is preventing the user’s ability to traverse directories.
Solution
The file system is secured by modifying the ACLs on the relevant areas of the NTFS file system.
Components
STA, NFuse and Secure Gateway (system directories only)
Importance
Mandatory
Sample Code
Description
During the installation of IIS 5.0 a number of sample applications are installed. These are a security
hole because malicious users will know the default installation directories of the samples. A
malicious user could use these samples to violate the IIS server.
Solution
The following directories and virtual directories should be removed if they are present.
IIS Samples \IISSamples c:\inetpub\iissamples
Components
STA and NFuse
Importance
Mandatory
User Accounts
Description
User accounts can be a major weakness in a Windows 2000 environment; an important
consideration is the prevention of malicious access to the environment using brute-force password-
related attacks. These can be made much more difficult by implementing a security policy. The
following settings must be implemented:
• IUSR_MYPC
• Guest
Solution
1. Within the MMC, load the Security Templates and Security Configuration and Analysis
snap-ins
2. Copy the template securews and call it secure_ccs
3. Select Account Policy\Password Policy and configure as shown in the figure below:
Components
NFUSE, Secure Gateway and STA
Importance
Mandatory
3. Create a new account called CCS_ANON with a strong password. A strong password is at
least 10 characters long and has a combination of alphanumeric characters. The
passwords should not contain natural language words.
Components
NFuse and STA
Importance
Mandatory
• Application Management
• Clipbook
• Computer Browser
• DHCP
• DFS
• DNS Server
• Fax Service
• Index Service
• Intersite Messaging
• Messenger
• Network DDE
• Print Spooler
• QoS RSVP
• RunAs Service
• SMTP
• Smart Card
• Telephony
• Telnet
• Terminal Services
• Windows Installer
• WINS
Solution
1. Start Computer Management and select Services
2. Highlight the service and select properties
3. Disable each of the services listed above as depicted in the figure below:
Components
NFuse, Secure Gateway and STA
Importance
Mandatory
3. Within the IIS options deselect everything except Common Files, Internet Information
Services Snap-In and World Wide Web Server
Components
NFuse, Secure Gateway and STA
Importance
Mandatory
Once the utility has been run, the Hot Fixes can to be downloaded from www.microsoft.com and
installed on the server.
Components
NFuse, Secure Gateway and STA
Importance
Mandatory
.ida .idc
.idg .stm
.cdf
Solution
1. Within Computer Management, select IIS
2. Right-click Default Web Site
3. Select the Home Directory tab
4. Under Application Settings, select Configuration
5. Remove the Unused File Associations Listed above as depicted in the figure below:
Components
NFuse and STA
Importance
More Secure
Auditing
Description
Auditing is an essential security consideration. Without auditing it may be hard to detect that a user
has infiltrated the system or has attempted to do so. The size of the event log also needs to be
increased to 500MB and needs to be backed up weekly. It is essential that the following objects be
audited:
• Account management
• Logon events
• Policy change
Solution
1. Within the MMC, load the Security Templates and Security Configuration and Analysis
snap-ins.
2. Copy the template securews and call it secure_ccs
3. Select Local Policies\Audit Policy and configure as in the figure below:
Components
NFuse, Secure Gateway and STA
Importance
Mandatory
Components
NFuse, Secure Gateway and STA
Importance
More Secure
On the Secure Gateway, the ports that need to be enabled are the following:
• XML Port 80
The STA needs the following ports available:
• XML Port 80
Solution
On each of the servers:
1. Right-click My Network Places
2. Select TCP/IP and click Properties
3. Click Advanced
4. Select TCP/IP filtering and select Properties
5. On the TCP Ports, select Permit Only
6. Add the ports listed above for the server you are configuring
Components
NFuse, Secure Gateway and STA
Importance
More Secure
Solution
1. Start REGEDT32.EXE
2. Set the registry values detailed above
Components
NFuse, Secure Gateway
Importance
More Secure
Components
NFuse, Secure Gateway
Importance
More Secure
http://www.microsoft.com/technet/security/tools/tools.asp.
http://www.microsoft.com/technet/security/iis5chk.asp