Mitigating Security Risks with Citrix Server Hardening and Encryption
Management
N. Brian Stearman, Systems Engineer, Citrix Systems
Barry Flanagan, Senior Systems Engineer, Citrix Systems
Non Disclosure Agreement
• This presentation is Citrix Confidential
Objectives…
• Secure remote access
• Citrix security architecture
• Brief look at encryption/certificates
• Security Basics
Why are we here?
“I need to mobilize my workforce, making access to the information and tools needed for their jobs as easy as ordering a book from Amazon.com, with the security of a traditional VPN.”
Solution…
Citrix Security Architecture
[Diagram: Secure Gateway Architecture (External Users). Components shown: DNS Server, ICA Client, Web Browser, Secure Gateway Server, Web Interface Server, Web Site, RSA ACE/Agent 5.0, STA. Ports shown: 443, 80.]
[Diagram: Secure Gateway Architecture (Internal Users). Components shown: DNS Server, ICA Client, Web Browser, Secure Gateway Server, Web Interface Web Server, Web Site, RSA ACE/Agent 5.0, STA, MetaFrame Server, XML Service. Ports shown: 443, 80, 1494.]
Technical Requirements
Secure Gateway
• Windows 2000 or Solaris (SPARC) server – SSL/TLS gateway between ICA clients and Metaframe farm.
• Microsoft Windows 2000 Server with SP 2 or later.
• Recommended minimum requirements for
Technical Requirements
Web Server
• Metaframe Web Interface 1.61 or later
• IIS5, Apache or Tomcat
Secure Ticket Authority
• Windows 2000 + IIS5, Recommended minimum requirements for Windows 2000 Server
Technical Requirements
• ICA client version 6.3 or later (to take advantage of TLS security)
Encryption
Defined:
“…The transformation or scrambling of data into an unreadable format using a mathematical algorithm.”
Benefits:
• Protects against eavesdropping or password sniffing
SSL vs. TLS
SSL v3 Key Material Generation
master_secret =
    MD5(pre_master_secret + SHA('A' + pre_master_secret +
        ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('BB' + pre_master_secret +
        ClientHello.random + ServerHello.random)) +
    MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
        ClientHello.random + ServerHello.random));
key_block =
    MD5(master_secret + SHA('A' + master_secret +
        ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('BB' + master_secret +
        ServerHello.random + ClientHello.random)) +
    MD5(master_secret + SHA('CCC' + master_secret +
        ServerHello.random +
SSL vs. TLS
TLS v1 Key Material Generation
PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
                           P_SHA-1(S2, label + seed);
master_secret = PRF(pre_master_secret, "master secret",
                    ClientHello.random + ServerHello.random)
key_block = PRF(SecurityParameters.master_secret, "key expansion",
                SecurityParameters.server_random +
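Added example (not from the original slides): the SSL v3 and TLS v1 derivations above in Python, showing the structural difference. SSL v3 nests raw MD5 and SHA-1 calls with 'A', 'BB', 'CCC' labels, while TLS v1 XORs two HMAC-based expansions. The sample inputs are constructed, the function names are illustrative, and the key_block seed order (server random, then client random) follows the SSL 3.0 and TLS 1.0 specifications.

```python
import hashlib
import hmac


def ssl3_expand(secret: bytes, seed: bytes, length: int) -> bytes:
    """SSL v3: MD5(secret + SHA('A'|'BB'|'CCC'... + secret + seed)), concatenated."""
    out, i = b"", 0
    while len(out) < length:
        label = bytes([ord("A") + i]) * (i + 1)   # b"A", b"BB", b"CCC", ...
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]


def p_hash(name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_hash: HMAC(secret, A(i) + seed), A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]


def tls1_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    half = (len(secret) + 1) // 2             # S1/S2 share the middle byte if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


# Constructed sample inputs, not taken from a real handshake.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32


def derive_both(key_block_len: int = 104):
    """Return (ssl3_master, ssl3_key_block, tls_master, tls_key_block)."""
    cr_sr = CLIENT_RANDOM + SERVER_RANDOM     # order used for master_secret
    sr_cr = SERVER_RANDOM + CLIENT_RANDOM     # order used for key_block
    ssl3_master = ssl3_expand(PRE_MASTER, cr_sr, 48)
    tls_master = tls1_prf(PRE_MASTER, b"master secret", cr_sr, 48)
    return (ssl3_master, ssl3_expand(ssl3_master, sr_cr, key_block_len),
            tls_master, tls1_prf(tls_master, b"key expansion", sr_cr, key_block_len))


if __name__ == "__main__":
    for name, value in zip(("ssl3 master", "ssl3 keys", "tls master", "tls keys"), derive_both()):
        print(f"{name:12} {value.hex()}")
```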
Intro to SSL/Certificates
Why SSL
• The threats:
– Server masquerading
– Network sniffers
• Secure Sockets Layer (SSL) provides:
– Authentication
• Digital certificates prove identity on the Internet
• This prevents “man-in-the-middle” or DNS attacks
– Encryption
• Using 128-bit key lengths
• This prevents network sniffers from viewing your
SSL Certificates
A certificate consists of
– A public key
– Information about the certificate
• The subject name (as an X.500 distinguished name)
• The issuer name (as an X.500 distinguished name)
• Period of validity (not-before and not-after dates)
• Serial number (assigned by the issuer)
• Description of the public key and signature algorithms used (public key is nearly always RSA)
SSL Certificates
• A new concept for many of our customers
• Need to be very careful – can be difficult
• Obtain certificates from:
– Private Certificate Authority (CA)
– Public CA
– Evaluation cert from Public CA (Baltimore, Verisign)
• Possible need to install root CA on Client. Windows 6.20 ICA client supports all
Could I see some ID please?
• SSL Certificates are like Driver’s Licenses
 | Driver’s License | SSL Certificate
Issued to | Individual citizens | Individual users or servers
Issued by | Department of Motor Vehicles (DMV) | Certifying Authority (CA)
Verification mechanism | DMV hologram, well-known license format | CA digital signature, public key, thumbprint
Application requirements | Birth certificate, Social security number, etc. | Business license, Dun & Bradstreet number, etc.
Public usage | Prove identity; operate a vehicle on public roads | Prove identity; operate a secure web server on public networks
I trust it because | I trust the DMV to
Server Certificates
• Server certificates are unique to a particular server name
• The “subject” of the certificate is the FQDN of the server
• Server certificates also include fields dictating what the certificate can be used for
• View the Certification
Root Certificates
• Root certificates (aka CA certificates) are self-signed entities that are used to verify server certificates
• If you trust a CA, install their root certificate.
• Windows ships with
Client needs the root, server needs a cert
Default root certificates
• Root certificates need to be installed into the Windows operating system
Common Threats
What attacks are we securing against?
• Brute force password crack
• IP spoofing
Security…in a nutshell
Security basics:
• Design well – including physical security
• Audit – Third-party, or self-assessment tools
• Lock down local file system – Windows or Unix
• Maintain required hot fixes and security patches
File System
Securing Windows
Securing the Windows 2000 File system:
• DumpSec
• Hyena
• Windows 2000 Resource kit tools
All means of checking or dumping file system, share, printer and other system resource
Securing Windows
File Permissions
Securing Windows
Share list
Securing Windows
• Keep up with manufacturer security patches and fixes
– http://www.Microsoft.com/security/
• Use some form of host-based security scanner to check for vulnerabilities
– Symantec Net Recon
– ISS System Scanner
Metaframe Policy – Create OU
Click Start, then Programs, then Administrative Tools, then Active Directory Users and Computers, then Action and New
Metaframe Policy – Move servers
Local Security Policy - Server
Open the Local Computer Policy and drill down to: Computer Configuration, Administrative Templates, System, Group Policy folder and double-click to select User Group Policy loopback
Assign GPO Permissions
Design
Firewall
• Traffic cop to control protocol access to protected networks
Demilitarized Zone – What is it?
• A perimeter network – also known as a DMZ – is an additional network added between a protected and external network to provide another layer of security.
• Location of public resources like FTP, Telnet and Web servers
Physical Security
Secure Ticket Authority:
• Security server
• Contains important connection information
• Isapi.dll service CAN run on Citrix/file server
Auditing
Auditing local events
• MMC Security and Analysis Snap-in
• Event log size increased to 500MB
• Regular backups on event log
• Audit specific objects:
– Account management
– Logon events
Authentication
• Secure Gateway is a remote access solution
• Use some form of secure authentication as with VPN
• Use industry standard, two-factor authentication
– Certificates
– Token-based such as RSA SecurID
– Secure Computing
Two-factor Authentication
Alternate Authentication
Local User Authentication
• Use Windows NT LAN Manager (NTLM) for authentication only if local policy or a GPO specifies NTLMv2 authentication only.
• MMC Security and Analysis + Security Templates
• Modify Securews template to specify
Authentication
Locking down IIS
• Microsoft IIS lockdown tool
• Secure the server
• Alternative to manual changes
Locking down IIS
To lock down Metaframe Web Interface on Microsoft IIS:
Click next to leave
Uncheck
Local Policy
Password Policy
– History requirement
– Password age
– Character length
– Force requirements to be met
User Accounts
– Disable unnecessary user accounts
Unused Services
• Default Windows 2000 servers have about 31 unneeded services
– Computer Browser, DHCP, DFS, Fax Service, Internet Connection Sharing, Messenger…
• Disable in the Services MMC Snap-in on Windows 2000
• Applies equally to Solaris
– Armoring Solaris II, July 2002, Lance Spitzner
Additional Resources…
• “Applied Cryptography” by Bruce Schneier
• “Hacking Exposed”, Second Edition
• “Solaris Security”, Sun Microsystems
• www.tweakcitrix.com
• www.nsa.gov
• www.itwhitepapers.com
• www.citrix.com
• www.securityfocus.com
Citrix Authorized Training
• With Citrix training:
– Learn tips and techniques for managing and administering Citrix software
– Obtain valuable lab time for hands-on practice
– Prepare for Citrix certification exams
– Learn quickly and efficiently in the classroom
• New courses and certification include:
– CTX-720x Citrix Web Interface Elite Administration
– CTX-6100 Citrix Core Technologies and Architecture
– Citrix Certified Integration Architect (CCIA) program to be launched in Q4 2003
• Available worldwide from 350 Citrix Authorized Learning Centers (CALCs)
• To find a CALC near you, go to Training Locations from www.citrix.com/training
Access Central Citrix Technology Lab
Sago Ballroom