PaulDotCom mailing list archives
Ideals on Securing a Citrix /Terminal Service Environment
From: rbutturini at epictn.com (Russell Butturini)
Date: Tue, 13 Jan 2009 12:31:02 -0600
I've found it's well worth the time to publish the applications with seamless windows (even if it's several different apps) to users instead of giving them desktop sessions on the server itself, or using the Citrix web gateway to give them access to the applications they need if you don't want to have to manage deployment to client machines. You wind up with slightly more management overhead in the long haul, but fewer security issues to address. Of course, whether or not the users actually NEED access to anything more than applications to do their job from the Citrix server is a whole different debate (right John Strand?) :-)

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Tim Mugherini
Sent: Tuesday, January 13, 2009 11:51 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Ideals on Securing a Citrix /Terminal Service Environment

I would agree with the no internet access comment if at all possible. If not, consider tweaking the IE settings to be more restrictive with ActiveX etc. to reduce the risk of damage. Products like AppSense (dev for Citrix) can assist in taking things a step further but are very expensive (or at least it was several years back when I used it).

On Tue, Jan 13, 2009 at 9:58 AM, Raffi Jamgotchian <raffi at flossyourmind.com> wrote:

If you can help it, don't publish desktops. Either way, the same ideas that apply to locking down desktops apply here. GPOs will get you part of the way but not all the way. Don't allow external web browsing at all if you can. The problem with Citrix/Terminal Services is typically they will be on the same segment as secured servers and not on the same VLANs as desktops. If you are layering things in (i.e. something between your desktops and servers) your Citrix servers provide an end-around. This is problematic with NAC systems for example.

I would consider moving the Citrix servers into their own segment and securing it from the rest of your infrastructure. The last thing you need is a machine getting owned on the inside of your server farm because someone decided to go to MySpace from their Citrix session.

On Jan 13, 2009, at 9:14 AM, infolookup at gmail.com wrote:

We are publishing both desktops and applications; encryption is 128 bit.

------Original Message------
From: Raffi Jamgotchian
To: infolookup at gmail.com
To: PaulDotCom Security Weekly Mailing List
Sent: Jan 13, 2009 8:43 AM
Subject: Re: [Pauldotcom] Ideals on Securing a Citrix /Terminal Service Environment

Are you publishing full desktops or applications? Right off the bat, disable RDP and enable ICA only, and ensure that you are encrypting at the very least the logins, but if you can "afford" it, the whole stream.

On Jan 13, 2009, at 7:40 AM, infolookup at gmail.com wrote:

Hello All! If some of you are on security-basics you might think I am cross posting, but I only got one reply there so I am posting here!

<Question> We are in the process of auditing and locking down our security settings on our Citrix Presentation Server farms and I would like to get some feedback on what others are doing to secure their Citrix or terminal server environment. So far we have used GPO to allow certain types of executables, disabled right clicking or creation of shortcuts, disabled the search function in IE, and we are using an Internet proxy so sites like ikat and the like are blocked. I know this is the very basics but I am just looking to get an idea of others' setups. </Question>

Thanks in advance.

Sent from my Verizon Wireless BlackBerry
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Sent from my Verizon Wireless BlackBerry
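Raffi's "disable RDP and enable ICA only, and encrypt the stream" advice is easy to state and easy to drift away from on a farm. The following read-only audit script is an added example, not from anyone in the thread; it assumes it runs with admin rights on the Citrix/Terminal Server host, that the default ports apply (TCP 3389 for RDP, TCP 1494 for ICA), and that RDP settings live under the standard `Terminal Server` registry key. It reports the RDP deny flag, which listeners are actually open, and the RDP minimum encryption level.

```powershell
# Added audit example (not the list's code). Read-only: it changes nothing on the host.
# Assumptions: admin rights on the server, default ports (RDP 3389, ICA 1494), and the
# standard Terminal Server registry paths. Citrix policy-level ICA encryption is not read here.
function Get-RemoteSessionAudit {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop connections are refused
    $deny   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit both ways), 4 = FIPS
    $minEnc = (Get-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel

    # Listening TCP ports parsed from netstat, so this also works on older servers
    # that lack Get-NetTCPConnection. Local address is the first "addr:port" token.
    $listening = netstat -an -p tcp | Select-String 'LISTENING' | ForEach-Object {
        $local = ($_.Line -split '\s+' | Where-Object { $_ -match ':\d+$' } | Select-Object -First 1)
        $local -replace '.*:', ''
    } | Sort-Object -Unique

    [pscustomobject]@{
        RdpDeniedInRegistry   = ($deny -eq 1)
        RdpListening          = ($listening -contains '3389')
        IcaListening          = ($listening -contains '1494')
        RdpMinEncryptionLevel = $minEnc
    }
}

# Turn the raw facts into findings a reviewer can act on.
function Get-RemoteSessionFindings {
    param([Parameter(Mandatory)] $Audit)
    $findings = @()
    if (-not $Audit.RdpDeniedInRegistry) { $findings += 'RDP connections still allowed (fDenyTSConnections is not 1)' }
    if ($Audit.RdpListening)             { $findings += 'TCP 3389 is listening: an RDP path to this server still exists' }
    if (-not $Audit.IcaListening)        { $findings += 'TCP 1494 not listening: ICA is off or on a non-default port' }
    if ($Audit.RdpListening -and ($Audit.RdpMinEncryptionLevel -lt 3)) {
        $findings += 'RDP is enabled with MinEncryptionLevel below High (3) or unset'
    }
    return $findings
}

$audit = Get-RemoteSessionAudit
$audit | Format-List
$findings = Get-RemoteSessionFindings -Audit $audit
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings: RDP off, ICA listening' }
```

Run it across the farm (for example via Invoke-Command) and diff the output against the intended baseline; a server where 3389 reappears is exactly the "end-around" Raffi describes.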