How secure is Citrix Presentation Server after you do a default installation?

If you do a basic installation of Citrix Presentation Server without any special knowledge, you leave your system vulnerable to security breaches.

An interesting article by Robert Jaques at vnunet called "Poor Citrix set-ups leave firm vulnerable" claims that if you do a basic installation of Citrix Presentation Server without any special knowledge, you leave your system vulnerable to security breaches such as one user being able to access another user's data and private files. This article was written based on a report from a company called Global Secure Systems. I haven't been able to see the actual report--I think it's something you have to pay for--but the report's author claims that "Even in the most locked-down environment, five high-risk vulnerabilities were discovered."

What do you think? How secure is the base install of Citrix Presentation Server? (Or plain Terminal Server or Provision Networks / Quest Software's Virtual Access Suite.) Are there any "little things" you can do to make a system more secure?

Speaking personally, one of the best ideas I've heard was to remove users' "execute" permissions from everywhere except for the important system locations like the Windows and Program Files directories. If you remote the execute permissions from Temp, Temporary Internet Files, the Outlook attachment folder, and the users' home drives, that single act should prevent a lot of bad stuff from happening.

What else should we think about?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I for one am a little skeptical about the claim made in the article.   When the article title specifically mentions "Citrix" and then the second paragraph is "Global
Secure Systems
(GSS) acknowledged that the issues it claims to have
discovered are not the fault of Citrix itself." is somewhat misleading.

Toward the end of the article, "Robin Hollington, director of consulting at GSS, said: 'Imagine how your
board would feel if they discovered that a junior clerk had subverted controls
to gain access to board members' restricted network drives.'  Is this one of the vulernabilities? or is the director making something up?  I highly doubt this was one of the vulenerabilities but a scare tatic designed to drum up business.

Perhaps there are 5 BIG vulnerabilities, buthe article only make a claim and provides nothing to back it up.  No proof, no examples, nothing.  If these vulernability are that bad,  I think its important for the rest of the world to know what they are and how they can deal with it.  Holding this type of information randsom makes the company out to look like a legal scam artist.

Anyways, we all know there are some holes and backdoors in the OS, but those are relatively minor.  A lot of time, those hole are exposed in order to make a poorly designed application work. 


When was the last time you installed a "platform" (OS or otherwise) that was secure out of the box? Personally, I'm going with never. This article is nothing more than FUD from a "security" company, that's hoping to net a few dollar from this report. I hope someone actually buys a copy and posts the results, so that we can all see what a hoax this most assuredly is...
One notable difference between Citrix and Ericom PowerTerm WebConnect that can have security implications is that we do not have anything like the .ica files. Instead connection settings are always passed directly from the server to the client using an encrypted communication channel. This information is never saved to the local drive. This means that a user cannot modify the settings specified by the administrator.

Is it safe to drive a car without any driving licence...
What append it you let the administrator set up a "allow all" rule in a firewal...
What if...

We are supposed to be trained and skills profesionals. Experienced people cost money! That's why I saw (especially since "W2K bug" and "Euro passage in 2001") a lot of basic pseudo system administrators covering task that should normally belong to senior administrator and Project managers just because they were less expensive to recruit...

Let's talk about rules...

1- no direct connexion to PS servers - WI+SG... probably AG+ workstation scan in a near futur
2- no published desktop, only published app (if home made, no web help or about feature)
3- Token authentication for all remote users
4- no direct connexion  from PS servers to network  (firewall for each applicaiton port)
5- Internet Explorer blocked (iexplorer.exe) on all servers except intranet dedicated ones and internet specials dedicated ones (reimage every night, investigating Ardence system)
6- currently testing AppSense and PowerFuse to lock down windows environment

probably much more on GPO but out of my knowledge...


...revolve around the use of published content for the most part.  They are addressed by Citrix in CTX114938 and CTX115245.  I haven't seen the report, but my guess would be that GSS used known problems in applications that were published, exploiting them by passing specially crafted command lines to the apps via a tweaked ICA file. This could allow the injection of arbitrary code and making the system vulnerable to further remote exploitation.  It makes sense and the recommendations in the Citrix CTX articles are pretty common-sense and not much of a burden to implement if you don't use content redirection.  If you do, it just means that you need to be careful about the applications you use it with and keep up on any security bulletins that may involve those particular apps.

This is not a Citrix bug, but it does exploit a feature and it is something that admins do need to be aware of.  

blah, long day already.  That should read "...revolve around the use of content redirection"

It's not immediately clear what this sentence means -- it's an awkward sentence, does this mean remove execute permissions etc.??

Thank you!!

Sounds like a bit of FUD too me. I think the best thing you can do is to whitelist allowed applications with a tool such as AppSense Application Manager.
Whoops! That's a typo. I mean "remove" the users' execute permissions. I'm fixing that now.

And this is a security risk how?  You cannot connect to another Published Application if you do not have access to it.

Modify the .ica file all you want,  it's no different that using Program Neighborhood.  If it was such a big deal, Citrix would have done something with it by now.

This is another attempt by Dan to spread FUD about Citrix and Pimp his own product.


Please read what I actually wrote rather than reply to your own conceptions of my statements. I wrote "that can have security implications", not "that is a security hole". Sure, through proper configuration and attention to detail a Citrix expert can configure a server so that a hacked .ica file cannot be used to compromise it. But if details are overlooked or mistakes are made then this can become a vulnerability. As a poster below wrote:

I haven't seen the report, but my guess would be that GSS used known problems in applications that were published, exploiting them by passing specially crafted command lines to the apps via a tweaked ICA file. This could allow the injection of arbitrary code and making the system vulnerable to further remote exploitation

CPS is a good product and we strive to emulate (and extend) much of the functionality that it provides. This does not mean that we don't improve on it's design where we can. Not allowing end-users to save and edit configuration files is such an improvement IMO.


>> if home made, no web help or about feature


just curious what is the danger in having an "About" screen for a homemade app? 

a "about screen" can include information like hyperlink that launch IE on the server even if you never published it... from it user can polute the server with browsing... not a security problem (but could become one) but more a production stability problem.
Given that Brians site is "Your independent application delivery resource", I don't know about other people, but I for one would appreciate you keeping your marketing colleteral to your own website, as it seems that jumping on every bandwagon passing, and offering your sales pitch to a technical audience is very tiresome. Don't you have your own forum you can put your propaganda on, or does no one read it?
I don't think that the ICA file thing is a real issue in Citrix implementations anymore. Web Interface now writes directly to the ICA client object instead of creating ICA files, and since 2001 it's written tickets into those files instead of actual user credentials. (I'm not talking about the Secure Ticket Authority. I'm talking about NFuse ticketing that's been a feature since way back in Version 1.5.)

I know there have been some articles in the mainstream press about ICA file security implications, but I think those have all been FUD.

Finally, I think I agree with the guest Dan. Again, you know I like Ericom's products and I like your blog, but I think you just gotta chill out a bit. It seems that every time anyone posts anything on this site mentioning an issue about Citrix, you're right there posting "Well with Ericom this is not an issue." I know you can claim that it is technically accurate, but when you post as a response to "I don't like this about Citrix" and not to "what else is out there that doesn't have this," then you are doing some hard core marketing that rubs people the wrong way.

Do what you want of course! But if I were in your position, I wouldn't want to be cramming Ericom down everyone's throat when they didn't ask for it.
Apparently Dan is not doing Ericom any favors today by upsetting potential customers.


Regarding ICA files - I will deffer to you as you obviously know more about Citrix than I ever will.

Regarding my original post: when I read in your article "Citrix Presentation Server? (Or plain Terminal Server or Provision Networks / Quest Software's Virtual Access Suite.)" I had mistakingly assumed that you were interested in all SBC products and not just those particular three. In my original post I therefore pointed out one particular technical difference between CPS and Ericom PowerTerm WebConnect that according to other posters here may have security implications. I did not even say that Ericom PowerTerm WebConnect  as a whole was more or less secure than CPS.

Given that according to you my POV is not welcome here I will stop.


The ICA file issue is not related to some of the past ICA file security issues (lack of ticketing, weak credential protection, etc).  This type of exploit could be used if a common 3rd party program had a know buffer overflow that could be exploited from the command line (or via an associated document type).  An attacker could create an ica file (or a file with a commonly associated file type) with some best guesses at the application name, and send those out in mass via email.   If the application was common enough (an MS Office app, for example) then odds are that with enough targets it would be feasible that they could get a few hits.  If you read ctx114938 it addresses this scenario, so Citrix obviously does not consider it FUD. 

I do think that the headline here is misleading, since enabling client to server content redirection and adding the %* to the published app location are not default behaviors in PS4 or 4.5.  This whole thing is not really a Citrix problem, it's a problem with the applications running on the server and admins not considering all of the implications of how those applications could be exposed to exploitation. 

One thing I really like that Login Consultants does is to setup Software Restriction Policies so users can only execute files from directories where they do not have write permissions, which safeguards against executing malicious content downloaded from the Internet.  Perhaps this is what you were referring to Brian.
Tom, actually Group Policy can be configured to only allow execution of files from specific directories, so one can say to only allow files to execute from %ProgramFiles% and some other company specific places, but not from %HomeDir%. This has nothing to do with NTFS Permissions.

Brian,  Then why don't you stick to the subject matter of this site, which is Citrix.  That's what we all come here to learn about.  Stop cramming Provision down our throats, no one is interested.

We only allow allow exe's bat, vbs etc to be run from Windows, Program Files, and thats it. I found it absolutely amazing what users try to run, Doom95, Norton95 installs, DonkeyKong. Mostly our users try to run these programs from shares or home drives or MyDocuments and it is all blocked. We also have restrictive NTFS permissions set on the Windows and Program Files. If you dont use something like software restriction policies your crazyyy.

Hi Guys

 Upfront, Yes I do work for a Vendor (AppSense) but no, not here to push our bandwagon, just trying to put forward some info and a point of view.

 Is a paper I wrote for my Sans Gold Certification, I've had some good feedback on it so anyone looking for ideas on how to secure CPS/TS could have a read.

Just from my 4 years working with AppSense and talking to hundreds of clients specifically about security, I know that MOST (around 95+%) of the sites I go into have vulnerabilities to do with unauthorised executeables on their CPS/TS servers. These same organisations typically have the same issues on their desktops.

 My point is it's not a product issue linked to CPS/TS, it's a security issue usually linked to a lack of testing/monitoring.

 To put it simply, the security teams at these companies don't know what they don't know.

Catch ya





Heading from vnunet

Security firm claims many organisation fail to install Citrix correctly

What a suprise a security firm saying there are security issues.  They're not just after businees are they LOL

Bit of a pointless article