PaulDotCom mailing list archives
Ideals on Securing a Citrix /Terminal Service Environment
From: raffi at flossyourmind.com (Raffi Jamgotchian)
Date: Tue, 13 Jan 2009 09:58:16 -0500
If you can help it, don't publish desktops. Either way, the same ideas that apply to locking down desktops apply here. GPOs will get you part of the way but not all the way. Don't allow external web browsing at all if you can.

The problem with Citrix/Terminal Services is typically they will be on the same segment as secured servers and not on the same VLANs as desktops. If you are layering things in (i.e. something between your desktops and servers) your Citrix servers provide an end-around. This is problematic with NAC systems, for example. I would consider moving the Citrix servers into their own segment and securing it from the rest of your infrastructure. The last thing you need is a machine getting owned on the inside of your server farm because someone decided to go to MySpace from their Citrix session.

On Jan 13, 2009, at 9:14 AM, infolookup at gmail.com wrote:
We are publishing both desktops and applications; encryption is 128 bit.

------Original Message------
From: Raffi Jamgotchian
To: infolookup at gmail.com
To: PaulDotCom Security Weekly Mailing List
Sent: Jan 13, 2009 8:43 AM
Subject: Re: [Pauldotcom] Ideals on Securing a Citrix /Terminal Service Environment

Are you publishing full desktops or applications? Right off the bat, disable RDP and enable ICA only, and ensure that you are encrypting at the very least the logins, but if you can "afford" it, the whole stream.

On Jan 13, 2009, at 7:40 AM, infolookup at gmail.com wrote:

Hello All!

If some of you are on security-basics you might think I am cross-posting, but I only got one reply there so I am posting here!

<Question>
We are in the process of auditing and locking down our security settings on our Citrix Presentation Server farms and I would like to get some feedback on what others are doing to secure their Citrix or terminal server environment. So far we have used GPO to allow certain types of executables, disabled right clicking or creation of shortcuts, disabled IE the search function on IE, and we are using an Internet proxy so sites like ikat and the like are blocked. I know this is the very basics but I am just looking to get an idea of others' setups.
</question>

Thanks in advance.

Sent from my Verizon Wireless BlackBerry