Brian Madden Logo
Your independent source for application and desktop virtualization.
Blogs » Original Blogs on BrianMadden.com » Brian Madden » How secure is Citrix Presentation Server after you do a default installation?
Marketplace

advertisement
Brian Madden's Blog

Syndication

Recent Posts

Tags

View more

Archives

How secure is Citrix Presentation Server after you do a default installation?

Written on Jan 10 2008
Filed under: ,
10,971 views, 25 comments

by Brian Madden

An interesting article by Robert Jaques at vnunet called "Poor Citrix set-ups leave firm vulnerable" claims that if you do a basic installation of Citrix Presentation Server without any special knowledge, you leave your system vulnerable to security breaches such as one user being able to access another user's data and private files. This article was written based on a report from a company called Global Secure Systems. I haven't been able to see the actual report--I think it's something you have to pay for--but the report's author claims that "Even in the most locked-down environment, five high-risk vulnerabilities were discovered."

What do you think? How secure is the base install of Citrix Presentation Server? (Or plain Terminal Server or Provision Networks / Quest Software's Virtual Access Suite.) Are there any "little things" you can do to make a system more secure?

Speaking personally, one of the best ideas I've heard was to remove users' "execute" permissions from everywhere except for the important system locations like the Windows and Program Files directories. If you remote the execute permissions from Temp, Temporary Internet Files, the Outlook attachment folder, and the users' home drives, that single act should prevent a lot of bad stuff from happening.

What else should we think about?

Comments

Joe Shonk wrote I'm call their bluff...
on 01-10-2008 10:40 AM

I for one am a little skeptical about the claim made in the article.   When the article title specifically mentions "Citrix" and then the second paragraph is "Global Secure Systems (GSS) acknowledged that the issues it claims to have discovered are not the fault of Citrix itself." is somewhat misleading.

Toward the end of the article, "Robin Hollington, director of consulting at GSS, said: 'Imagine how your board would feel if they discovered that a junior clerk had subverted controls to gain access to board members' restricted network drives.'  Is this one of the vulernabilities? or is the director making something up?  I highly doubt this was one of the vulenerabilities but a scare tatic designed to drum up business.

Perhaps there are 5 BIG vulnerabilities, buthe article only make a claim and provides nothing to back it up.  No proof, no examples, nothing.  If these vulernability are that bad,  I think its important for the rest of the world to know what they are and how they can deal with it.  Holding this type of information randsom makes the company out to look like a legal scam artist.

Anyways, we all know there are some holes and backdoors in the OS, but those are relatively minor.  A lot of time, those hole are exposed in order to make a poorly designed application work. 

Joe 

Guest wrote Pointless article
on 01-10-2008 10:44 AM
When was the last time you installed a "platform" (OS or otherwise) that was secure out of the box? Personally, I'm going with never. This article is nothing more than FUD from a "security" company, that's hoping to net a few dollar from this report. I hope someone actually buys a copy and posts the results, so that we can all see what a hoax this most assuredly is...
Dan Shappir wrote Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-10-2008 10:47 AM
One notable difference between Citrix and Ericom PowerTerm WebConnect that can have security implications is that we do not have anything like the .ica files. Instead connection settings are always passed directly from the server to the client using an encrypted communication channel. This information is never saved to the local drive. This means that a user cannot modify the settings specified by the administrator.
Kata Tank wrote is it safe to ...
on 01-10-2008 10:50 AM

Is it safe to drive a car without any driving licence...
What append it you let the administrator set up a "allow all" rule in a firewal...
What if...

We are supposed to be trained and skills profesionals. Experienced people cost money! That's why I saw (especially since "W2K bug" and "Euro passage in 2001") a lot of basic pseudo system administrators covering task that should normally belong to senior administrator and Project managers just because they were less expensive to recruit...

Let's talk about rules...

1- no direct connexion to PS servers - WI+SG... probably AG+ workstation scan in a near futur
2- no published desktop, only published app (if home made, no web help or about feature)
3- Token authentication for all remote users
4- no direct connexion  from PS servers to network  (firewall for each applicaiton port)
5- Internet Explorer blocked (iexplorer.exe) on all servers except intranet dedicated ones and internet specials dedicated ones (reimage every night, investigating Ardence system)
6- currently testing AppSense and PowerFuse to lock down windows environment

probably much more on GPO but out of my knowledge...

Guest wrote The problems involved in this report...
on 01-10-2008 11:05 AM

...revolve around the use of published content for the most part.  They are addressed by Citrix in CTX114938 and CTX115245.  I haven't seen the report, but my guess would be that GSS used known problems in applications that were published, exploiting them by passing specially crafted command lines to the apps via a tweaked ICA file. This could allow the injection of arbitrary code and making the system vulnerable to further remote exploitation.  It makes sense and the recommendations in the Citrix CTX articles are pretty common-sense and not much of a burden to implement if you don't use content redirection.  If you do, it just means that you need to be careful about the applications you use it with and keep up on any security bulletins that may involve those particular apps.

This is not a Citrix bug, but it does exploit a feature and it is something that admins do need to be aware of.  

Guest wrote Re: The problems involved in this report...
on 01-10-2008 11:06 AM
blah, long day already.  That should read "...revolve around the use of content redirection"
Guest wrote Could someone please explain the remark about 'remote the users execute permissions'??
on 01-10-2008 11:35 AM

It's not immediately clear what this sentence means -- it's an awkward sentence, does this mean remove execute permissions etc.??

Thank you!!

Aaron Parker wrote More FUD?
on 01-10-2008 11:37 AM
Sounds like a bit of FUD too me. I think the best thing you can do is to whitelist allowed applications with a tool such as AppSense Application Manager.
Brian Madden wrote Re: Could someone please explain the remark about 'remote the users execute permissions'??
on 01-10-2008 12:18 PM
Whoops! That's a typo. I mean "remove" the users' execute permissions. I'm fixing that now.
Guest wrote Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-10-2008 1:18 PM

And this is a security risk how?  You cannot connect to another Published Application if you do not have access to it.

Modify the .ica file all you want,  it's no different that using Program Neighborhood.  If it was such a big deal, Citrix would have done something with it by now.

This is another attempt by Dan to spread FUD about Citrix and Pimp his own product.

Dan Shappir wrote Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-10-2008 1:55 PM

Please read what I actually wrote rather than reply to your own conceptions of my statements. I wrote "that can have security implications", not "that is a security hole". Sure, through proper configuration and attention to detail a Citrix expert can configure a server so that a hacked .ica file cannot be used to compromise it. But if details are overlooked or mistakes are made then this can become a vulnerability. As a poster below wrote:

I haven't seen the report, but my guess would be that GSS used known problems in applications that were published, exploiting them by passing specially crafted command lines to the apps via a tweaked ICA file. This could allow the injection of arbitrary code and making the system vulnerable to further remote exploitation

CPS is a good product and we strive to emulate (and extend) much of the functionality that it provides. This does not mean that we don't improve on it's design where we can. Not allowing end-users to save and edit configuration files is such an improvement IMO.

Tom Lyczko wrote Execute permissions QQ
on 01-10-2008 2:43 PM

Remove execute permissions on users' home folders??
What if home folder is on another server as a share that is redirected to My Documents??

Wouldn't people be unable to edit files etc.??
A few words about this part of the comment would help too.

I'd really like to prevent people from installing apps and plugins and whatnot and this remove execute permissions idea seems like it might help, since Group Policy can't cover every single executable out there...

Thank you, Tom 

 

Guest wrote Re: is it safe to ...
on 01-11-2008 12:17 AM

>> if home made, no web help or about feature

 

just curious what is the danger in having an "About" screen for a homemade app? 

Kata Tank wrote Re: Re: is it safe to ...
on 01-11-2008 2:55 AM
a "about screen" can include information like hyperlink that launch IE on the server even if you never published it... from it user can polute the server with browsing... not a security problem (but could become one) but more a production stability problem.
Guest wrote Re: Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-11-2008 7:23 AM
Given that Brians site is "Your independent application delivery resource", I don't know about other people, but I for one would appreciate you keeping your marketing colleteral to your own website, as it seems that jumping on every bandwagon passing, and offering your sales pitch to a technical audience is very tiresome. Don't you have your own forum you can put your propaganda on, or does no one read it?
Brian Madden wrote Re: Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-11-2008 8:54 AM
I don't think that the ICA file thing is a real issue in Citrix implementations anymore. Web Interface now writes directly to the ICA client object instead of creating ICA files, and since 2001 it's written tickets into those files instead of actual user credentials. (I'm not talking about the Secure Ticket Authority. I'm talking about NFuse ticketing that's been a feature since way back in Version 1.5.)

I know there have been some articles in the mainstream press about ICA file security implications, but I think those have all been FUD.

Finally, I think I agree with the guest Dan. Again, you know I like Ericom's products and I like your blog, but I think you just gotta chill out a bit. It seems that every time anyone posts anything on this site mentioning an issue about Citrix, you're right there posting "Well with Ericom this is not an issue." I know you can claim that it is technically accurate, but when you post as a response to "I don't like this about Citrix" and not to "what else is out there that doesn't have this," then you are doing some hard core marketing that rubs people the wrong way.

Do what you want of course! But if I were in your position, I wouldn't want to be cramming Ericom down everyone's throat when they didn't ask for it.
Guest wrote Re: Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-11-2008 10:21 AM
Apparently Dan is not doing Ericom any favors today by upsetting potential customers.
Dan Shappir wrote Re: Re: Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-11-2008 11:13 AM

Brian,

Regarding ICA files - I will deffer to you as you obviously know more about Citrix than I ever will.

Regarding my original post: when I read in your article "Citrix Presentation Server? (Or plain Terminal Server or Provision Networks / Quest Software's Virtual Access Suite.)" I had mistakingly assumed that you were interested in all SBC products and not just those particular three. In my original post I therefore pointed out one particular technical difference between CPS and Ericom PowerTerm WebConnect that according to other posters here may have security implications. I did not even say that Ericom PowerTerm WebConnect  as a whole was more or less secure than CPS.

Given that according to you my POV is not welcome here I will stop.

Guest wrote Re: Re: Re: Re: Interesting difference between Citrix and Ericom PowerTerm WebConnect
on 01-11-2008 3:34 PM

The ICA file issue is not related to some of the past ICA file security issues (lack of ticketing, weak credential protection, etc).  This type of exploit could be used if a common 3rd party program had a know buffer overflow that could be exploited from the command line (or via an associated document type).  An attacker could create an ica file (or a file with a commonly associated file type) with some best guesses at the application name, and send those out in mass via email.   If the application was common enough (an MS Office app, for example) then odds are that with enough targets it would be feasible that they could get a few hits.  If you read ctx114938 it addresses this scenario, so Citrix obviously does not consider it FUD. 

I do think that the headline here is misleading, since enabling client to server content redirection and adding the %* to the published app location are not default behaviors in PS4 or 4.5.  This whole thing is not really a Citrix problem, it's a problem with the applications running on the server and admins not considering all of the implications of how those applications could be exposed to exploitation. 

Patrick Rouse wrote Re: Re: Could someone please explain the remark about 'remote the users execute permissions'??
on 01-11-2008 8:25 PM
One thing I really like that Login Consultants does is to setup Software Restriction Policies so users can only execute files from directories where they do not have write permissions, which safeguards against executing malicious content downloaded from the Internet.  Perhaps this is what you were referring to Brian.
Patrick Rouse wrote SRS (Software Restriction Policies)
on 01-11-2008