Important: Hide your Web Interface / NFuse servers from search engines

Thomas Koetzing was recently talking about features he’d like to see in future versions of Citrix's Web Interface, and one thing he mentioned was that he’d like to see an option in the administration GUI to configure the robots.txt.

Thomas Koetzing was recently talking about features he’d like to see in future versions of Citrix's Web Interface, and one thing he mentioned was that he’d like to see an option in the administration GUI to configure the robots.txt. I think this is a fantastic idea and it would bring this important security issue to the forefront.

The problem is that most people who use Citrix's Web Interface or NFuse products forget that all websites are indexed by Google, MSN, and other search engines. This means that typing a few specific keywords into a web search box can instantly deliver the URLs to hundreds of Citrix Web Interface login pages. For example, doing a Google search on "MetaFrame Presentation Server Login" (with quotes) will deliver you directly to the Web Interface login pages for over 70 companies. "MetaFrame XP Login" will net you almost 300. Of course you can also perform custom searches with these words and selected Citrix-only web paths ("/metaframe/defauly/login.aspx," etc.) to find literally thousands of corporate Web Interface front doors. (This will work even if you've changed your default text.) Attackers could also even focus their attack on a specific company by including those names as keywords in their searches.

So what's the big deal? I’d be willing to bet that a fair number of these sites would be accessible via administrator/password, admin/12345, administrator/administrator, test/test, or similar user credentials.

It's also important to remember that your WI Admin and PNAgent Admin sites are also generally accessible via the Internet, so an attacker could build a fairly elaborate phishing scheme where they point your Web Interface server towards their farm to collect even more credentials.

This issue is something that most Citrix administrators probably don’t think about which is why I’d like to bring it into the spotlight here. Fortunately there’s a really easy way to fix this, and fixing this problem should take less than a minute for each Web Interface server you have.

To prevent this, you need to create a robots.txt file. As a matter of convention, any search engine spider that visits your site will first look for a file called robots.txt. This is a simple text file that you can use to give instructions to search engine indexers as to whether they are allowed to index your site and if so which pages they’re allowed to visit.

If your Web Interface or NFuse server is on its website, you can disallow all indexing by all search engines by creating a file called robots.txt with the following two lines:

User-agent: *
Disallow: /

You can also build more elaborate robots.txt files that block only certain pages or only certain search engines. Check out this robots.txt tutorial for more information.

Once this file is created put it in the root of your web server and you’re all set. Important: You’ll want to make sure that it’s in the root and that it’s accessible via or whatever. Do not place it in the /Citrix/MetaFrame folder or else it won’t work.

Of course excluding your site from search engines doesn't count as "real" security and is not a replacement for having good passwords and/or using two-factor authentication. However, it does ensure that an attacker or prankster will have an easier time finding someone else, and that should make your life easier.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

If your stupid enough to offer WI directly on the Internet without 2-factor authentication you deserved to be "hacked".
People with 2-factor authentication are the ones that feel so safe that they forget about the WIAdmin page and the local Admin account.

Using the WIAdmin pages to disable the 2-factor authentication is done within seconds... and one reason why WI 4.0 has no WIAdmin site anymore.
It get's even worse.
Most admins who do not use the CSG product, put the WI on the same server as citrix is. They just open port 1494 and 80, and are ready to go.

A true story on this:

When thomas first posted this trick, of course i had to try.
I found a few victims in google, telnetted them on 1494 and created custom ica files to get a validation screen.

I ended up on some mexican server having:
- Local admin without a password (thank you compaq smartstart cdrom)
- Only run published apps not activated. (there was my desktop)
- Shadowing possible without notification.
- Server 2 was 1 ip up, and same configured.

I felt sorry for the admin, and send a message to all logged on users to call the admin, and have him read a text file i left on the server (with some advise)
30 min past, and nothing happened.
I then decided to push the users, and added a "legalenoticetext" to the server, resulting in every app started, got my messagebox.
Then the *** hit the fan. Within minutes 3 admin sessions came in, and i discovered that shadowing worked without notification.

At that time i was getting my own personal video show of an admin, clicking AD, CCC, CMC and whatever he could get his hands on in sheer panic.
All of a sudden the mouseclicks stopped, so i asumed he gave up.

I took over his session, started notedpad, and explained to him what his basics were and how he could fix it. (of course i had to fix it myself, as he did not really understand)

I must say, best evening i ever had on the web using citrix.
So how do you enable two factor authentication on the wiadmin page and WI 2.x or 3.x???
That's the point, there is no 2-factor authentication for the wiadmin page!
If a hacker find a WI at Google he could use the local admin account (with a bad pwd) to disable the 2-factor authentication...

Here is the original post and advice I did about one year ago
All you need to do it edit IIS to not allow access to WIadmin page from That is the ip that CSG hits WIadmin from.

You can still work on your pages, but only with the real IP over HTTP which should not be accessable from the internet. (HTTPS to CSG only)


If your stupid enough to offer WI directly on the Internet without 2-factor authentication you deserved to be "hacked".

Well I think you've just called about 90% of the Fortune 500 companies stupid then. LOL

Oh that's cruel man. Poor admin probably filled his pants that day. I love it!

I can't understand why anyone would not use the FREE Secure Gateway.
Having WI open is just begging for trouble.
I've done many SG/WI installs, and in each case I put a PIX 501 in front of the Secure Gateway, and limited traffic to the gateway to 443. $500 well spent for the customer.
Another benefit - if you only open port 443 to the SG, the crawlers cannot reach your site to index it. At least, I'm assuming that's why none of my many customers show up on the list. All of the sites I tested had port 80 open.
HTTPS sites show up too. Try the first hit on google. You're making dangerous assumptions....
The issue here isn't what port number you're running it over. The issue is:

1) Allowing the robots to index the page.
2) Exposing WIAdmin.

I used to do that all the time when I would find people stuff open. I find they really don't like it and end up yelling at you. I don't even bother anymore.
You can easily enable client authentication for the WIAdmin page. This will require the client to authenitcate itself to the IIS server via a certificate. You can put your certificates on a smart card or eToken.