Inherent Security in Citrix Workspace
By CMD Technology Group
7 min read
There has been a lot talk about the recent security breach at Citrix. Sadly there’s also been a lot of speculation and misinformation surrounding the ongoing investigation. Citrix is doing a commendable job maintaining transparency as the facts are established. If you’re curious about the details, we recommend going straight to the source and checking out their blog for the most accurate information.
The good news is, Citrix products themselves remain uncompromised. Having users access data through products like Citrix Virtual Apps and Desktops (XenApp and XenDesktop) still offers excellent security solutions.
Great Security from the Start
Out of the box, Citrix Virtual Apps and Desktops make daily tasks more secure for users. How? For one, when a user accesses a Citrix desktop or published application, they are presented with an image of what is occurring on a remote system in a data center. That means all data and files are stored there, not on the user’s device; unless you allow it. This reduces the opportunity for someone to breach the system.
Through the Citrix Workspace App (Citrix Receiver), you can interact with a remote system and do your work with the same freedom as if the data were accessed locally.
Manageable Encryption
Another way Citrix is more secure out of the box is the incorporation of ICA (Independent Computing Architecture) encryption protocol for communications, and the level of encryption can be controlled. For instance, an administrator can choose 64-bit, 128-bit, or 256-bit encryption. In addition to encryption, ICA does not transmit data the way you would typically think. When a user accesses an image hosted in a data center the ICA transmits changes to the backend. So, ICA is transmitting mouse movements, key clicks, and visual changes to the image. But, if someone tries an attack like a Man in the Middle attack, they are going to get encrypted traffic. If they are able to decrypt the traffic, they are going to get dispersed information. They will have a few packets transmitting a change in the screen, in another about a few keys being pressed, or mouse movement in still another packet. The entire stream from start to finish would have to be captured and reassembled in order to get anything coherent.
Added protection comes from the full range of custom policies, permissions, and hardware configurations that ensure top security is combined with productive workflows.
Security Customization & Fine-Tuned Control
Policies
Policies can be created to lock down a workstation allowing only the use of a keyboard, mouse, and video during a session. For users that require access to certain peripherals or network shares, policies can be configured for a group or individual basis. One way you can do this, start by setting a base policy that affects all users. Then, you can create exceptions to that base policy. You have the freedom to be as broad or granular as you need in establishing policies.
For instance, a team that works within an application on a factory floor may only need to obtain or enter information. That would merely require a keyboard, mouse, and video. Policies can be created restricting all factory workers to those peripherals. However, the foreman, who is also a factory worker, may need to print or save files to a network share. He can have the same base policy as all the factory workers, but a higher priority policy can be applied to allow access to printers and a network share. Overriding or preempting particular settings in the base policy offers excellent flexibility for user types and maintaining high-level system security.
Permissions
Server, desktop, file, directory, and share permissions can add further security in a Citrix environment. If a user does not have access to a file, directory, or network share, then that data remains secure, plain and simple. Limiting access to the local server or desktop drives and restricting installation permissions offers excellent protection for the local system and network. Windows operating systems and many other technologies come with permission controls built in. Citrix Virtual Apps and Desktops must reside in an Active Directory domain and therefore can take advantage of AD permission controls.
With proper configuration, policies and permissions can keep all the work users do within the datacenter. Depending on the product edition you license, other tools can be utilized for security. For instance, session recordings will show you everything a user does during their sessions.
Ultimately, permissions will determine what applications and data users have access to. If you have questions about these and other tools, let us know at info@cmdtechnologygroup.com.
Hardware
Using endpoints that have no internal storage like thin or zero clients and prohibiting connections of portable media further increase security. By using a client that has no media attached, there is nowhere to store downloaded data. Without writable storage, users cannot download and install unsanctioned applications. Admins no longer have to worry about a user downloading or installing items with viruses or malware to their workstations.
As discussed with policies, access to peripherals in a Citrix session can be tightly controlled or denied. Today, almost all peripherals such as printers, scanners, flash media, and portable drives are connected through USB ports. On a broad level, you can control whether a Citrix session maps client USB ports into a session. On a granular level, you can control who is allowed to map the USB ports and what type of peripherals are recognized in the session.
Encrypted Connections
Internal communications between the components that make up a Citrix environment can be encrypted. Certificates can be installed for each component and configured to utilize SSL encryption for all communications. We recommend setting Storefront for SSL communications only. This will ensure all user communication to the Citrix environment will be encrypted, and usernames and passwords will not be transported in clear text.
Citrix ADC (NetScaler)
Citrix ADC is a hardened appliance that proxies communications between the client and the Citrix environment. For additional security, you can require all acres, both internal and external go through the Citrix ADC. Then, you can have one open user-facing SSL encrypted port for Citrix ADC communications. Once a session is established, the SSL encrypted communications utilize the ICA protocol. Which means that the encrypted ICA traffic is encrypted again through SSL for added protection.
You can utilize VPN technology to get to StoreFront. However, the VPN is connecting you directly to the internal network and Storefront is going to treat the connection as internal, therefore more work is involved to maintain security. If you are required to use a VPN, Citrix ADC can still be put in front of all StoreFront communications.
I Use More Than Just Citrix Products. What Then?
Most of you will have to think about how a Citrix session can be secured further with the help of other products. In future articles, we can cover those details, but in the meantime, we recommend you review your current use of antivirus, malware, patching, and other security software. If you’re not using any of these, stop reading this right now and get busy protecting your system!
Password History and Retention Policies
A new school of thought among some security authorities believe it is better for users to maintain a more complex password over an extended period, instead of requiring frequent password changes. Why? Because when a password is not changed frequently, a user can remember a longer, more complex password which harder to crack with something like Password-Spraying. But if you have them change their password too often, human nature kicks in and users begin to use less-complex passwords for the sake of retention making passwords easier to crack.
Points to Remember:
Technology Can Only Advance Security to a Point
For a system to indeed be secure, the human element cannot be overlooked; it is often the most vulnerable component. Citrix products have no way of stopping a user from remembering sensitive information, thankfully that dystopian hellscape hasn’t arrived…yet. No technology can prevent someone from taking notes from what’s on their screen; Burt from security probably can. You can disable the ability to take screenshots, but you can’t stop someone from taking pictures of the screen with their cell phone. Will someone please get Burt, quick? Password policies and management can be implemented, but often users will take the path of least resistance to create a password and remember it. Password Post-it Note on the monitor, anyone?
These are essential scenarios to consider depending on the sensitivity of your data and the compliance regulations of your industry. If you give a user permission to work with data, then you have to train them to exercise healthy security habits.
When we hear of high-profile security breaches, we are all reminded that threats to our own network can happen unexpectedly. Citrix products can help you maintain high levels of security that’s easy to use. They are designed to store your data securely, allowing dynamic access through protected channels, and only those you grant permission to access.
If you have any questions about security settings or other options for your Citrix products, let us know. Send us an email at info@cmdtechnologygroup.com or give us a call (1-800-806-4173).
If you have a question about any of our solutions or any feedback you’d like to share, contact us. We would love to hear from you!
Get in touch
You can email us at afernandez@cmdtg.com
Give us a call at 1-800-806-4173
Or contact us using the form below