A major part of any computing environment is security. As you have probably noticed, we have not dwelled much on security in the preceeding chapters. That's due to the fact that when you focus on the security of your MetaFrame XP environment, you need to do it from end-to-end. You can't just "do a little security here, and a little there." For example, it would have done no good to talk about security of NFuse in the NFuse chapter because even if you did everything NFuse-related to tighten security you might have overlooked a major security hole somewhere else.
To prevent this, we will analyze the security elements of a complete MetaFrame XP system in this chapter. We will systematically analyze every MetaFrame XP component, taking note of what the potential security risks are and what to do to minimize each of them.
Let's begin by reviewing all of the components that make up a MetaFrame XP system. This will help us design the components of our security plan. We can represent the individual components as layers in the complete MetaFrame XP system, as shown in Figure 15.1. (These layers are kind of like the OSI model applied to MetaFrame.)
Figure 15.1: MetaFrame XP layers
Using the MetaFrame XP components outlined in the Figure 15.1 as our guide, we can methodically step through each one, analyzing the security as we go along. We'll start from the server layer and move our way down to the user layer, touching on the security aspects of each component.
After we study the security requirements and techniques related to each of these technical components, we'll look at what it takes to build a secure administrative environment.
One thing that you must remember as you read this chapter is that it focuses primarily on the security of the MetaFrame XP components. This chapter is not meant to be an end-to-end security manual. Your MetaFrame XP environment is only as secure as its weakest link, and often human elements are involved that no technical manual can prepare you for.
Security Configuration Layers
Before diving into the technical details of the security options, we need to take another look at the different layers in which many of the security-related settings can be made. For example, the encryption level of an ICA session can be configured as a property of the server connection, the ICA client, a Citrix user policy (with Feature Release 2), or the published application. Beyond that, applications launched via an ICA file can also have the level of encryption configured within the ICA file itself.
When a single parameter is configured in multiple locations with conflicting settings, the most restrictive configuration will always take precedence. Referring to Figure 15.2, if the client device and the published application were configured for a minimum of 40-bit encryption, but the server connection was set to a minimum of 128-bit, no session connecting via that connection would be able to connect at anything less than 128-bit. Even though the client and application are set lower, they must still traverse the connection configured for the 128-bit minimum.In this example, we can say that the "client layer" was set to 40-bit encryption, and the "connection layer" and "published application layer" were encryption was set to 128-bit.
Figure 15.2: Example security parameter configured at multiple layers
Figure 15.3 shows all of the possible layers where one security parameter can be configured. Of course, not every security parameter can be configured at every layer. It's important to look at the MetaFrame XP settings and determine the proper layer that the security parameter should be applied. Do all users require 128-bit encryption or only users connecting to certain applications? Maybe only users coming from specific IP addresses need encryption?
- Farm: Every MetaFrame XP server in the entire server farm.
- Server: All users connecting to one server.
- Application: All users connecting to one particular published application, even across multiple servers.
- Connection: All users attaching via one defined server connection. Multiple connections can exist on one server.
- Client: All users connecting from one ICA client device, regardless of the user rights or the server or farm hosting the ICA session.
- Citrix User Policy: All users to which the policy is applied.
- Users: User profile settings. These settings follow the user, regardless of the farm, server, or connection used.
- ICA File: Settings affect anyone using the ICA file, regardless of settings in other locations.
Figure 15.3: Various configuration scope layers
Throughout this chapter we'll look at dozens more security settings configurable at all layers. Beyond that, the appendix of this book contains a "MetaFrame XP Component Configuration" chart detailing every setting within the MetaFrame XP environment and listing the layer where it can be configured.