Summary:
Citrix is releasing this Security Bulletin in response to recently published information relating to security issues affecting some deployments of Citrix Presentation Server.
Information recently released on the Internet has highlighted security risks associated with some Citrix Presentation Server deployments. This document contains guidance that can be used to mitigate these risks.
Citrix is currently in the process of analyzing these issues and will release further guidance as appropriate; this document may be updated accordingly.
Security Best Practice
The following best practice guidance is grouped under three headings: Server-side, Client-side, and User guidance.
Server-side Best Practice
• Customers should ensure that Citrix Presentation Server machines are configured to allow only published applications to be launched.
• Customers not using the File Type Association feature (client to server redirection) should ensure that there are no file types associated with any published applications.
• Customers that are not using command line parameters for published applications should ensure that the wildcard (“%*”) is not present in the “Location” field of the published application path.
• Customers with deployments that require either File Type Association or published application parameters should consider making published application names unpredictable. This can help to prevent an attacker from guessing such a name.
• Any Citrix Presentation Server deployment that is accessible from an untrusted network should implement strong authentication.
• Customers should ensure that Citrix Presentation Server is not deployed directly onto an untrusted network.
• Customers should ensure that applications available to users connecting to the Citrix Presentation Server are correctly configured, in order to prevent access to inappropriate functionality.
Client-side Best Practice
• Customers that are not using Pass-through authentication (also referred to as Single Sign On or SSO), a feature of Citrix Presentation Server Client for Windows, should ensure that the feature is not installed on the client device.
• Customers that are using Pass-through authentication for Program Neighborhood only should ensure that the “EnableSSOnThruICAFile” setting is not enabled.
• Customers should ensure that clients are configured to allow only connections to trusted servers. This can be achieved through network configuration or the Trusted server configuration feature of the Citrix Presentation Server Client for Windows.
• Customers should ensure that web browsers are configured to disallow launching of an ICA Client from untrusted web sites, for example by disabling file download in the relevant Internet Explorer zones.
User Guidance
• Customers should inform users of the risks of opening ICA files of untrusted or unknown origin, for example via e-mail from untrusted sources.
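The server-side checks (published application "Location" field containing the "%*" wildcard, file types associated with a published application) and the client-side checks ("EnableSSOnThruICAFile", connections only to trusted servers, ICA files of unknown origin) above can be turned into a small review script. The following is an added example and is not Citrix's code or a Citrix tool. It assumes that ICA files and the client's appsrv.ini are INI-formatted text, that an ICA file lists its connections under an [ApplicationServers] section with one section per connection holding "Address" and "InitialProgram" keys, that a leading "#" in "InitialProgram" marks a published-application reference rather than a raw command, and that "EnableSSOnThruICAFile" lives under [WFClient] in appsrv.ini; none of those details are stated on this page. The published-application records are a constructed shape, not an export format of Presentation Server.

```python
import configparser

# Constructed allowlist of Presentation Server addresses the client is permitted to reach.
TRUSTED_SERVERS = {"ps45.corp.example", "10.0.5.20"}


def _parse_ini(text):
    # ICA files and appsrv.ini are assumed to be INI-style; keep key case so the
    # names match the bulletin, and tolerate duplicate keys in hand-edited files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def review_ica(text, trusted=TRUSTED_SERVERS):
    """Return findings for one ICA file; an empty list means nothing was flagged."""
    cp = _parse_ini(text)
    if not cp.has_section("ApplicationServers"):
        return ["no [ApplicationServers] section"]
    findings = []
    for entry in cp["ApplicationServers"]:
        if not cp.has_section(entry):
            findings.append(f"{entry}: listed but has no connection section")
            continue
        sec = cp[entry]
        addr = sec.get("Address", "")
        if addr not in trusted:
            findings.append(f"{entry}: Address {addr!r} is not a trusted server")
        prog = sec.get("InitialProgram", "")
        # Assumption: '#name' refers to a published application; anything else is a
        # raw program path, which the server-side guidance says should not be launchable.
        if prog and not prog.startswith("#"):
            findings.append(f"{entry}: InitialProgram {prog!r} is not a published-application reference")
    return findings


def review_client_ini(text):
    """Flag the Pass-through-over-ICA-file setting when it is switched on (client appsrv.ini)."""
    cp = _parse_ini(text)
    val = cp.get("WFClient", "EnableSSOnThruICAFile", fallback="Off")
    if val.strip().lower() in ("off", "false", "0", ""):
        return []
    return ["EnableSSOnThruICAFile is enabled"]


def audit_published_apps(apps, fta_in_use=False, params_in_use=False):
    """apps: iterable of dicts with 'name', 'location', 'file_types' (constructed shape).

    Flags the '%*' wildcard when command-line parameters are not used and file type
    associations when client-to-server redirection is not used, as the bulletin advises.
    """
    findings = []
    for app in apps:
        if not params_in_use and "%*" in app.get("location", ""):
            findings.append(f"{app['name']}: '%*' wildcard in Location but parameters are not used")
        if not fta_in_use and app.get("file_types"):
            findings.append(f"{app['name']}: file types {sorted(app['file_types'])} associated but FTA is not used")
    return findings


# Constructed sample inputs: one benign connection and one that points at an
# unlisted server and asks for a raw command.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=
Shell=

[Notepad]
Address=ps45.corp.example
InitialProgram=#Notepad

[Shell]
Address=untrusted.example
InitialProgram=cmd.exe
"""

SAMPLE_APPSRV = """\
[WFClient]
EnableSSOnThruICAFile=On
"""

SAMPLE_APPS = [
    {"name": "Notepad", "location": "C:\\Windows\\notepad.exe", "file_types": set()},
    {"name": "WordViewer", "location": "C:\\Office\\wordview.exe %*", "file_types": {".doc"}},
]

if __name__ == "__main__":
    for line in review_ica(SAMPLE_ICA) + review_client_ini(SAMPLE_APPSRV) + audit_published_apps(SAMPLE_APPS):
        print("FINDING:", line)
```

Run against real files, `review_ica` is the check to apply to any ICA file received by e-mail or downloaded from an unfamiliar site before it is opened, and `review_client_ini` is a quick way to confirm the client-side setting on a fleet of Windows clients; `audit_published_apps` expects you to feed it your own published-application inventory in the record shape shown.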
Resources for secure Internet deployment of Citrix Presentation Server:
Securing a Presentation Server Environment
http://www.citrix.com/English/SS/supportThird.asp?slID=162512&tlID=162513
Citrix Presentation Server 4.5 Administrator’s Guide
http://support.citrix.com/article/CTX112223
Clients for Windows Administrator's Guide
http://support.citrix.com/article/CTX112190
How to Configure the Trusted Server Configuration Rule
http://support.citrix.com/article/CTX112649
Citrix Access Suite Security for IT Administrators (ISBN-13: 978-0071485432)
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Base at http://support.citrix.com/article/CTX114938.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com containing the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.