
Some nice work by SynJunkie. A blog in 4 parts, so far…

Check it out <here>

Whether you’re a GPO user or have taken on board AppSense or some other such tool, I suggest this will give you areas to concentrate your security on. I will be checking my current AppSense configurations to see if we are suitably covered!

PL

In my opinion, there are a few too many easy ways to get onto your Citrix servers by default.

I like to make sure there are no anonymous ways to log on to each server.
Firstly I disable the Anonymous local accounts:
net user anon000 /active:no > nul
net user anon001 /active:no > nul
net user anon002 /active:no > nul
net user anon003 /active:no > nul
net user anon004 /active:no > nul
net user anon005 /active:no > nul
net user anon006 /active:no > nul
net user anon007 /active:no > nul
net user anon008 /active:no > nul
net user anon009 /active:no > nul
net user anon010 /active:no > nul
net user anon011 /active:no > nul
net user anon012 /active:no > nul
net user anon013 /active:no > nul
net user anon014 /active:no > nul

Then, for good measure, I remove these from the Remote Desktop Users local group:

net localgroup "Remote Desktop Users" Anon000 /delete > nul
net localgroup "Remote Desktop Users" Anon001 /delete > nul
net localgroup "Remote Desktop Users" Anon002 /delete > nul
net localgroup "Remote Desktop Users" Anon003 /delete > nul
net localgroup "Remote Desktop Users" Anon004 /delete > nul
net localgroup "Remote Desktop Users" Anon005 /delete > nul
net localgroup "Remote Desktop Users" Anon006 /delete > nul
net localgroup "Remote Desktop Users" Anon007 /delete > nul
net localgroup "Remote Desktop Users" Anon008 /delete > nul
net localgroup "Remote Desktop Users" Anon009 /delete > nul
net localgroup "Remote Desktop Users" Anon010 /delete > nul
net localgroup "Remote Desktop Users" Anon011 /delete > nul
net localgroup "Remote Desktop Users" Anon012 /delete > nul
net localgroup "Remote Desktop Users" Anon013 /delete > nul
net localgroup "Remote Desktop Users" Anon014 /delete > nul
  

And after that, I delete the Anonymous local group:

net localgroup "Anonymous" /delete > nul

The reason behind all this is to use “Remote Desktop Users” (RDU) as the gateway to your server. If you are happy to have domain users gain access to the server, then there is no reason not to simply add that group to the RDU group. At my company, we are a little more restrictive and mindful of our security needs, so we do it a little differently.
A global group is required for each application, and the users who need access to that application are added to that global group.
These global groups are then added to the RDU local group on the server(s) that host that specific application.
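
A read-only check to run after the commands above, as an added example that is not part of the original post. It uses the ADSI WinNT provider (an assumption, chosen so it also works on older PowerShell versions) to confirm that anon000 to anon014 are disabled, absent from Remote Desktop Users, and that the Anonymous group is gone, then lists what remains in the gateway group. Variable names are illustrative.

```powershell
# Added audit example, not from the original post.
# Assumes it runs locally on the XenApp server in an elevated session.
$machine   = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$anonNames = 0..14 | ForEach-Object { 'anon{0:D3}' -f $_ }   # anon000..anon014, as in the post
$DISABLED  = 0x2                                              # ADS_UF_ACCOUNTDISABLE bit of UserFlags
$findings  = @()

# One pass over local users and groups on this machine.
foreach ($child in $machine.psbase.Children) {
    $name = $child.psbase.Name
    switch ($child.psbase.SchemaClassName) {
        'User' {
            if ($anonNames -contains $name) {
                $flags = [int]$child.psbase.Properties['UserFlags'].Value
                if (($flags -band $DISABLED) -eq 0) { $findings += "Account still enabled: $name" }
            }
        }
        'Group' {
            if ($name -eq 'Anonymous') { $findings += 'Local group "Anonymous" still exists' }
        }
    }
}

# Members of the gateway group; none of the anonNNN accounts should remain.
$rdu     = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($rdu.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($m in $members) {
    if ($anonNames -contains $m) { $findings += "Still in Remote Desktop Users: $m" }
}

# Report: the remaining members should only be the per-application global groups.
Write-Output "Remote Desktop Users members: $($members -join ', ')"
if ($findings.Count -eq 0) {
    Write-Output 'OK: anon accounts disabled, not in Remote Desktop Users, Anonymous group removed.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```
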
Some time ago we asked the question: who uses the RDP protocol to log on to the servers when we add XenApp/PS/MF etc.? The answer was only the server operations staff/administrators.
So in addition to everything we do here, we have removed the Remote Desktop Users group from the RDP-TCP protocol permissions (Administrative Tools/Terminal Services Configuration). To do this I use a handy command-line tool called TSCONSEC, which is freely available from http://www.thincomputing.net

tsconsec.exe /t:R /a:"Remote Desktop Users" /p: /q

This effectively removes RDU from the RDP-TCP protocol, allowing only the local Administrator group to log on via RDP.
As Alexander Orlov would say…”Simples”.
Now it’s time to reboot again. I will add Roll Up 3 after this and, although it’s not always necessary to do this after the core XenApp installation, there are many references to it being recommended. I’m in the reboot here camp so, go on, push the button…

PL
