Getting Started With Citrix XenApp And XenDesktop Security


Getting Started with Citrix XenApp and XenDesktop Security

Security guidance for Citrix Deployments

This document is based on Citrix XenApp and XenDesktop 7.6 Long Term Service Release. However, the guidance and the principles are relevant to most releases. Where release-specific details are included, these are highlighted.

Table of Contents

Introduction . 3
Scope and use cases . 3
Audience . 3
Security challenges and trends . 4
Security considerations in XenApp and XenDesktop deployments . 5
Security capabilities and recommendations in XenApp and XenDesktop deployments . 7
  Identity and access . 7
  Network security . 10
  Application security . 11
  Data security . 12
  Monitoring and Response . 13
Representative deployment . 14
Security Standards . 16
  Common Criteria . 16
  FIPS 140-2 with XenApp and XenDesktop . 16
  TLS/SSL . 17
  IP Security . 18
  Smart cards . 18
Finding more information . 20
  Compliance and standards . 20
  Best Practices . 20
  Products . 21

Last updated: 18 March 2016
citrix.com

Introduction

Citrix products offer a wide range of features and capabilities to help secure applications and data within Citrix XenApp and XenDesktop deployments. These features and capabilities are particularly important when deploying Citrix XenApp and XenDesktop in government, finance and health sector environments, where security is an essential consideration and often a regulated requirement.

This document provides an overview and guidance regarding configuring Citrix environments to mitigate security threats and to comply with security standards.

Further documentation is available to support the guidance in this document, providing examples and use cases. See Finding more information. You can also consult your local Citrix representatives for advice regarding your deployments and updates.

Scope and use cases

Citrix offers solutions and associated licensing models for deployments managed and hosted by the customer (on the customer’s premises), or deployments managed in the cloud. This document provides security guidance for solutions deployed on customer premises, rather than cloud deployments.

The primary use case for this document is a deployment that allows local and remote users to access published resources (desktops and applications) managed and hosted on the customer’s premises.

This document is based on XenApp and XenDesktop 7.6 Long Term Service Release. However, the guidance and the principles are relevant to most releases. Where release-specific details are included, these are highlighted. For more information regarding the Long Term Service Release, …ml

Audience

This document is designed to meet the needs of security specialists, systems integrators and consultants responsible for designing, deploying and securing Citrix deployments.

Security challenges and trends

In recent years, there have been many high profile cases of security breaches and attacks. There is no sign of this relenting, endorsing the need to consider security at the design stage, to continuously monitor and respond to security threats, and to adapt and harden the environment accordingly.

It is of course essential to protect sensitive data and intellectual property. Security is becoming more complex with the increase in remote working and a highly mobile workforce, including adoption of bring your own device (BYOD) work styles. The result is more unmanaged and/or unknown devices accessing resources.

Security complexity increases with the emergence and use of more types of devices (including mobile devices, tablets and internet-enabled devices) and additional network types (such as 3G/4G, Wi-Fi and Bluetooth).

Monitoring, identifying and responding to security breaches is a significant challenge and essential to ensure business continuity and security of resources.

Additionally, many sectors insist on certain accreditation or security compliance. For example, to deploy Citrix products within US Federal environments, the deployment must be FIPS compliant.

Citrix products offer substantial security features and options to help safeguard sensitive data and intellectual property, ensure business continuity, and help organizations comply with security standards. This document provides guidance and recommendations to help you design and manage your Citrix deployment.

The Citrix Ready Marketplace includes an extensive list of verified products, trusted solutions, and enterprise-enabled apps. See www.citrix.com/ready

Security considerations in XenApp and XenDesktop deployments

There are various security considerations when designing and deploying Citrix XenApp and XenDesktop. This diagram shows key security areas and deployment options that help assure confidentiality, integrity and availability of resources.

To ensure security, integrity and business continuity, you need to determine your IT governance, risk management and compliance strategy. Your strategy should include security risk assessments, procedures, process, training and awareness.

The integrity and confidentiality of data is essential. Appropriate encryption, segmentation of users and access to resources, and managing the location of data, help provide compliance that is more consistent, enforceable and verified.

You can protect against data loss outside the corporate network by restricting data access and transfer to user devices. For example, employees travelling on business may lose their laptop (in a taxi, for example), or have a device seized by border control, and you can restrict and protect the data on these devices.

You can implement privacy controls and configuration, to benefit both the organization and users.

The key areas, shown in the diagram, help you optimize your deployment and mitigate security risks and achieve your security and compliance strategy:

Identity and Access

Well-designed identity management and access control determines who can access resources, how they authenticate and, once authenticated, the resources available and the level of access granted. Identity and access are an important consideration for all types of accounts including users, administrators and service accounts.

Benefits of a sound identity and access strategy include secure and controlled access to resources from personal devices (for example, employees working remotely and employees bringing their own devices to the office) and non-employees (for example, contractors, partners, suppliers and students). Authentication within large scale deployments is simplified, with a common URL provided to log on and access the required and relevant resources.

Network Security

Appropriate network security is required to ensure network traffic is secured and encrypted throughout the deployment, from user devices through to servers hosting resources and data. The type and level of network security required may also need to meet specific standards. For example, you may need to ensure end-to-end TLS encryption and specific network Access Control Lists (ACLs).

For examples of end-to-end TLS and FIPS compliant XenDesktop and XenApp deployments (including NetScaler), see Citrix XenApp and XenDesktop 7.6 FIPS 140-2 Sample Deployments.

Application Security

Application provisioning, hosting and monitoring must be designed to ensure applications are available to appropriate users only and hosted across servers, as needed, to minimize security risks. Contextual application security can be enabled using application policies to ensure that applications only have access to what is needed in a specific situation. You can host applications in appropriate silos and use third party tools to prevent cross application security breaches.

Data Security

Protecting data is paramount and a feature of Citrix XenApp and XenDesktop, where data is protected in the data center. Data security can be strengthened through the configuration of Citrix virtual channels, Windows policies and third party tools.

Data security policies ensure sensitive data is kept in the data center (and off user devices), restricting access to resources and sensitive data on a contextual per-application basis. For example, policies may only allow certain users and devices access to sensitive data and applications such as payroll data. You can enable and configure endpoint validation and control to ensure policy-verified access, residual data management, and restrict and define the level of access to user device drives and peripherals.

For examples of policy configuration to restrict access to user device drives and peripherals, see the relevant procedures in the Common Criteria Evaluated Configuration Guide for XenApp and XenDesktop 7.6, available from …ance/commoncriteria.html

Monitoring and Response

Monitoring is central to your security risk and ongoing assessment strategy. Monitoring allows you to determine application usage, compliance, optimization and security. Based on monitoring logs, events and alerts, you can proactively identify and respond to security risks.

Monitoring for security related issues enables you to check the status of your deployment and identify irregular events or issues. You can respond as needed to address issues, refine configuration, and support users.

Security capabilities and recommendations in XenApp and XenDesktop deployments

Citrix products offer many security features that can be configured to suit your environment, requirements, risk assessment and compliance. You need to review your security requirements and configure the products and features appropriately.

Security should be a key consideration during the planning phase. Configuring, testing and refining your deployment in a staging environment, ahead of rolling out a production deployment, is highly recommended.

To ensure ongoing mitigation against security threats, continuous monitoring, auditing and assessment of your deployment is also essential.

Citrix recommends the following security design and implementation options to help address security challenges and threats.

Identity and access

To determine identity and access needs, consider and confirm the requirements for each type of account, defining the identity, authentication and access rights and privileges. Each account type presents different challenges and requires specific identity and access configuration.

Account type | Identity | Access
User | Authentication, as defined by administrator. The authentication required is tailored to your environment (for example, two-factor authentication may be required). | Based on their privileges, users are able to access appropriate published resources.
Administrator | Authentication to provide access to management tools and consoles. | Administrators have direct access to management tools and consoles, usually from within the network, with access to security sensitive resources and data. Administrators require elevated privileges.
Service Account | Autonomous service account used by specific program/process. Program specific authentication. | Specific privileges to access programs, resources, and scripts.

Identity and authentication

You need to determine how users must authenticate to access resources and review the required authentication policies.

When considering identity and authentication in a secure environment, multi-factor authentication is recommended. For example, a combination of user name, password, plus additional methods such as hardware or software-based token access. Multi-factor authentication is likely to be mandatory for remote access. Depending on your security requirements and policies, multi-factor authentication could be extended to within the corporate environment and network.

Smart card authentication is mandatory within certain environments. For example, in the US Department of Defense, smart card access is used to authenticate all users, local and remote. Smart card access is supported and can be configured in a XenApp and XenDesktop deployment. For more detail, see Smart Card Support.

StoreFront and, optionally, NetScaler are deployed and configured to manage access to published resources and data. For remote access, NetScaler is recommended. For internal access, StoreFront is often appropriate. However, the exact configuration depends on your security risks and needs.

To avoid security breaches, ensure appropriate password policies are in place. For example, the password policy may require passwords to comprise at least eight characters and include at least one upper case letter and one number or symbol. The password expiration period must also be defined. Other rules, such as whether or not previous passwords can be reused, may be defined. It is important to have a password policy in place and to ensure it is applied to all accounts (users, administrators and service accounts).

Access and privileges

Least privilege

For all account types (users, administrators and service accounts), you should grant the minimum privileges needed to allow completion of tasks. This is often referred to as the principle of least privilege.

Some organizations achieve this through granting elevated privileges to confirm everything works, then reset to minimum privileges and gradually increase privileges until the account has adequate privileges to perform the required tasks.

User privileges - publishing

For publishing purposes, use Active Directory groups and policies. Configure the required privileges for the relevant AD group and add the appropriate users to the group. Avoid publishing to all users (Domain Users), individual user accounts, anonymous (non-authenticated) users or shared accounts.

Administrator privileges

Accounts for administrators and support staff require elevated privileges. As with other account types, use groups (AD groups, for example) to provide access. The group must:

- Include the relevant users (administrators or support personnel)
- Be configured to allow access to the required consoles only
- Be based on role (access and privileges needed to complete tasks)
- Be configured to allow the level of logging required by governance and regulatory compliance

Regularly review reports to determine whether users can be removed from the group. This is particularly important with administrator accounts; roles and responsibilities are likely to change regularly and therefore group membership and management rights may need to be modified accordingly.

Ensure you have at least two users allocated to each group so there is no risk of only one person being available to complete tasks (as that could result in a single point of failure).

Do not use default names and passwords for administrator accounts and, as with other accounts, ensure an appropriate password policy (and strong authentication) is in place.

Your deployment will include various administrator accounts, across various systems. For example, administrators for management of XenApp and XenDesktop, administrators to manage your data storage, administrators to manage your database infrastructure. Ensure you monitor and track all administrator accounts as they are all likely to have elevated privileges and data access.

Note that NetScaler, XenApp and XenDesktop (and other third party tools) include default delegated administrator roles. This may be a consideration when configuring AD groups for administrator purposes and roles. Consult the relevant product guides for more information on default roles.

Service account privileges

With elevated privileges and often poor password management (for example, password never expires), and in some cases access to multiple components, service accounts can be a target for security attacks. Avoid using a single service account for multiple components or programs (avoid aggregated ‘super accounts’).

As with all accounts, ensure proper password policies are in place. Where a service account is a local computer account (rather than a domain account), it is necessary to manually update the password regularly.

Access Rights

You can configure SmartAccess, a feature of XenApp and XenDesktop, to help secure your deployment. SmartAccess allows you to control access to published applications and desktops based on NetScaler Gateway session policies. You configure pre-authentication and post-authentication conditions that must be validated to access published resources. These conditions can cover sec
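The account rules in the Identity and access section (the example password policy of at least eight characters with an upper case letter and a number or symbol, publishing to AD groups rather than Domain Users, individual or anonymous accounts, at least two members in every administrator group, and no shared or never-expiring service account passwords) can be turned into a repeatable audit. The following Python script is an added example written for this page; it is not Citrix code. It runs over a constructed in-memory inventory, so the account, group, component and resource names are invented; in a real deployment the same checks would be fed from a directory or Studio export.

```python
"""Account-hygiene checks for a XenApp/XenDesktop deployment (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MIN_PASSWORD_LENGTH = 8  # minimum length from the example policy in the text


@dataclass
class Account:
    name: str
    kind: str                                         # "user", "administrator" or "service"
    groups: List[str] = field(default_factory=list)   # AD group memberships
    password_never_expires: bool = False
    used_by: List[str] = field(default_factory=list)  # service accounts: components that use them


def check_password(candidate: str) -> List[str]:
    """Return the policy rules a candidate password violates; an empty list means it complies."""
    failures = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        failures.append("fewer than %d characters" % MIN_PASSWORD_LENGTH)
    if not re.search(r"[A-Z]", candidate):
        failures.append("no upper case letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", candidate):
        failures.append("no number or symbol")
    return failures


def audit_accounts(accounts: List[Account], admin_groups: List[str]) -> List[str]:
    """Flag administrator groups with a single member and poorly managed service accounts."""
    findings = []
    for group in admin_groups:
        members = [a.name for a in accounts if group in a.groups]
        if len(members) < 2:
            findings.append(f"{group}: {len(members)} member(s); allocate at least two "
                            "to avoid a single point of failure")
    for acct in accounts:
        if acct.password_never_expires:
            findings.append(f"{acct.name}: password never expires; apply the password expiration policy")
        if acct.kind == "service" and len(acct.used_by) > 1:
            findings.append(f"{acct.name}: shared by {', '.join(acct.used_by)}; "
                            "use one service account per component")
    return findings


def check_publishing(assignments: Dict[str, List[str]], accounts: List[Account]) -> List[str]:
    """Flag published resources assigned to Domain Users, anonymous users or individual accounts."""
    individual = {a.name for a in accounts}
    findings = []
    for resource, principals in assignments.items():
        for principal in principals:
            if principal == "Domain Users":
                findings.append(f"{resource}: published to all domain users")
            elif principal.lower() == "anonymous":
                findings.append(f"{resource}: published to anonymous users")
            elif principal in individual:
                findings.append(f"{resource}: published to individual account {principal}; use an AD group")
    return findings


# Constructed inventory: every name below is invented for the example.
ACCOUNTS = [
    Account("alice", "administrator", ["XD-Admins"]),
    Account("bob", "administrator", ["XD-Admins"]),
    Account("carol", "administrator", ["SQL-Admins"]),
    Account("dave", "user", ["Finance-Users"]),
    Account("svc-broker", "service", password_never_expires=True, used_by=["Delivery Controller"]),
    Account("svc-shared", "service", used_by=["StoreFront", "Director"]),
]
ADMIN_GROUPS = ["XD-Admins", "SQL-Admins"]
PUBLISHED = {
    "Payroll": ["Finance-Users"],   # compliant: an AD group
    "Notepad": ["Domain Users"],
    "SAP": ["dave"],
    "Browser": ["Anonymous"],
}

if __name__ == "__main__":
    for line in audit_accounts(ACCOUNTS, ADMIN_GROUPS) + check_publishing(PUBLISHED, ACCOUNTS):
        print("FINDING:", line)
    for pw in ("password", "Passw0rd"):
        print(pw, "->", check_password(pw) or "compliant")
```

Run as a script it prints one finding per rule violated by the constructed inventory and shows the password check rejecting "password" while accepting "Passw0rd". The checks are deliberately separate functions so that each can be wired to its own data source (the password rule to a provisioning workflow, the group and service account checks to a periodic directory review, the publishing check to the delivery group configuration).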
