A Citrix Configuration Review will give you confidence that your Citrix environment is securely configured in line with industry best practice to protect your network while enabling your team to work remotely.
Citrix environments can be complex – easier to get working than they are to get working securely. Initial testing for new Citrix environments by your team probably focused on ensuring everyone was able to do their job remotely. A Citrix Configuration Review from SecureTeam will provide a thorough and detailed analysis of the many components that make up a Citrix environment and identify any areas where security and resilience can be improved. Our experts combine the best practice recommendations from Citrix with their own practical experience from performing penetration and breakout tests in many Citrix environments, and with any security frameworks that apply to your organisation (such as PCI DSS or ISO 27001).
Methodology
We will review all the different components and systems which make up your Citrix environment and inspect them to ensure that they are configured in line with current security best practice.
We include the following Citrix components which may be present in your environment:
Identity & Access Management
We will check your Citrix environment to ensure that user IDs and accounts are created and managed in line with best practice. This includes ensuring that everyone uses a personally allocated login (not a shared account), that default and anonymous accounts are locked or removed, and that permissions are granted on a least-privilege basis. We will confirm that service accounts do not allow interactive logins and that the role-based access controls provided by Citrix ADM are used. We will validate the use of two-factor authentication in line with your Information Security Policy.
Application Delivery Management
We will confirm that the Citrix ADM is correctly capturing security metrics such as application flows, security events and user session information, and that the ADM itself is securely configured.
Application Layering
Citrix App Layering separates the management of your Operating System and apps from the infrastructure. Each app and OS patch only needs to be installed once into the associated templates and redeployed to your images. This means those images need to be patched and configured securely so they can safely be used across the different server instances. If Citrix XenApp segmentation is used for servers of different risk profiles, different images may be needed, appropriate for each risk profile. We will check the processes for the maintenance and deployment of the OS and app image security patches.
Content Collaboration
Citrix Content Collaboration is a file sharing system which can use its own credential and permissions system, separate from Active Directory. We will check user authentication is securely configured, two-factor authentication is working as it should and administrative permissions are only deployed as needed.
Endpoint Management
Citrix Endpoint Management enables the deployment and support of devices and mobile applications. If you allow staff to Bring Your Own Device then Endpoint Management provides the mechanism to keep your organisation’s data and applications secure on those devices – provided it is correctly configured and deployed.
Cloud Connector
Citrix Cloud Connector is a core Citrix service that supports Virtual Apps and Desktops and Endpoint Management, and is the interface to your Active Directory. We will check that the Cloud Connector is installed and configured as per Citrix’s security best practice guidelines.
Web Application Firewall
The Citrix Web Application Firewall can protect your web applications and servers from malicious traffic from the Internet. We will check it is deployed and configured correctly to protect your network and web applications.
Secure Browser
We will confirm the configuration of Citrix Secure Browser services, including integration with your Active Directory, and check that options such as clipboard access, printer access and client drive mapping are only active for authorised users.
Managed Desktop Environment
We will review the Citrix virtual desktop policy settings to ensure they are aligned with the required security posture for each segment of the Citrix environment. This includes checking clipboard redirection, launching of non-published programs, encryption levels and use of USB devices. This ensures that users have the features and tools they need to perform their role and no more, and that malicious users are not able to leverage these tools to attack your environment.
Password Policy
We will check that the password policies enforced by Active Directory, Citrix control servers and managed desktop environments comply with your Information Security Policy and with our best practice recommendations.
Administrative Users
We will check that administrative user accounts are not used for routine activities and that the principle of least privilege is applied when allocating user permissions. Users should not have administrator rights within virtual desktop sessions, as this enables them to make changes which persist into subsequent user sessions – including installing software.
Logging & Auditing
All server and session logs should be gathered into a central Security Information & Event Management (SIEM) system for monitoring and correlation – this may include Citrix ADM in your environment.
Data Encryption
All sensitive data flows should be encrypted with TLS. This includes all traffic to Citrix Web Consoles, XML communications between Citrix controllers and cloud connectors, and all user communication to Citrix servers. HTTP (non-secure) access to management interfaces should be disabled.
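A quick way to evidence the requirement above during a review is to probe each management interface for a plaintext HTTP listener and record the TLS protocol version its HTTPS listener negotiates. The following script is an added example written for this page, not code from Citrix or from the review methodology; the hostnames in INVENTORY are constructed placeholders, and the rating rules in assess() (HTTP must be off, TLS 1.2 or newer required) are our own reading of the paragraph.

```python
"""Probe management interfaces for plaintext HTTP and weak TLS versions.

Added example, not code from the page or from Citrix. INVENTORY holds
constructed placeholder hostnames; replace them with your own consoles,
Delivery Controllers / Cloud Connectors and the ADC management address.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

INVENTORY = [  # constructed placeholders
    "director.example.internal",
    "studio.example.internal",
    "adc-mgmt.example.internal",
]

MIN_TLS = "TLSv1.2"  # anything older is reported as a finding
# Order used to compare negotiated versions; matches ssl.SSLSocket.version()
_TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class HostResult:
    host: str
    http_open: bool              # port 80 returned an HTTP response
    tls_version: Optional[str]   # version negotiated on 443, or None
    findings: List[str] = field(default_factory=list)


def plain_http_answers(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """True if the host serves an HTTP response on the plaintext port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(16).startswith(b"HTTP/")
    except OSError:
        return False


def negotiated_tls_version(host: str, port: int = 443,
                           timeout: float = 5.0) -> Optional[str]:
    """Handshake with the HTTPS listener and return the negotiated version.

    Certificate trust is deliberately not checked here (self-signed console
    certificates are common); the goal is the protocol version only. Note
    that the result is bounded by what the local OpenSSL build is willing
    to offer: a server that only speaks TLS 1.0 may simply show as None.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def assess(host: str, http_open: bool, tls_version: Optional[str]) -> HostResult:
    """Rating logic kept separate from the network probes so it is testable."""
    result = HostResult(host, http_open, tls_version)
    if http_open:
        result.findings.append("plaintext HTTP enabled on management interface")
    if tls_version is None:
        result.findings.append("no TLS listener reachable")
    elif tls_version not in _TLS_ORDER:
        result.findings.append(f"unrecognised protocol reported: {tls_version}")
    elif _TLS_ORDER.index(tls_version) < _TLS_ORDER.index(MIN_TLS):
        result.findings.append(f"weak protocol negotiated: {tls_version}")
    return result


def audit(hosts: List[str] = INVENTORY) -> List[HostResult]:
    """Probe every host in the inventory and return one rated result each."""
    return [assess(h, plain_http_answers(h), negotiated_tls_version(h)) for h in hosts]


if __name__ == "__main__":
    for res in audit():
        status = "OK" if not res.findings else "; ".join(res.findings)
        print(f"{res.host}: http={res.http_open} tls={res.tls_version} -> {status}")
```

A host that passes shows no findings; a host still answering on port 80 is flagged even if its HTTPS listener is otherwise sound, because the requirement is that plaintext management access be disabled, not merely redirected.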
Network Security & Segmentation
Network segmentation is an effective tool that can enhance network security and limit the ability of malware or malicious users to traverse the network. However, poorly configured firewall rules, or vulnerabilities in devices which span multiple networks, can provide a way for an attacker to pivot between networks that were designed to be isolated. We will confirm that the Citrix environment provides access to the required network resources and no more.
Additionally, the Citrix environment itself can be segmented into multiple XenApp silos to separate users and systems with different risk and trust levels. We will review the Citrix configuration and advise if further segmentation is merited.
If you employ a Citrix ADC, its management interface (the NSIP) should not be exposed to the Internet and should be further protected by a firewall on a dedicated management VLAN.
Management Services
We will confirm that all Citrix components have been patched with the latest security updates and that the core management services are securely configured and hardened. Any components and services which are not used should be disabled in order to reduce the attack surface of your Citrix environment.
Prerequisites
- Remote access to your Citrix Access Gateway (CAG) (or equivalent)
- Administrator credentials
Deliverables
Engaging with SecureTeam for your Citrix Configuration Review will provide you with the following:
In-flight Support
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of what your Citrix environment is used for, and how users connect to it – either from within your network or over the Internet. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your applications or infrastructure and any evidence in our results that indicates a security breach may have already taken place.
Reporting
Once the project has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities are explained to a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information and mitigation advice can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly-generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted & expiring URL link – allowing you to download the test report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves in partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.
We are committed to ensuring that you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff. It provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and by the technical staff who will be tasked with applying the recommended course of action.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.