About this Document
Ensuring the integrity and security of our customers’ data and corporate information pervades all aspects of design, testing and deployment at Citrix. Citrix MetaFrame Password Manager 2.0 is a direct result of our ongoing effort to secure access in an increasingly challenging IT environment.
A key part of this effort is our dedicated security team that trains our engineers, performs internal audits of the code base, and commissions independent third-party evaluations. To put MetaFrame Password Manager 2.0 through its paces, we hired Foundstone Strategic Security, experts in strategic security, to expose the system to a variety of threat scenarios.
This document provides a detailed look at MetaFrame Password Manager 2.0 and the results of the third-party evaluation. The first section explains the security features and benefits offered by MetaFrame Password Manager 2.0. The second section presents the findings from Foundstone.
INCLUDES:
(1) White Paper: Improving Security with Citrix MetaFrame Password Manager
(2) Third-Party Security Assessment: Foundstone Security Assessment of Citrix MetaFrame Password Manager 2.0
Citrix® MetaFrame® Password Manager
CITRIX METAFRAME PASSWORD MANAGER, VERSION 2.0
Introduction
Citrix MetaFrame Password Manager is an enterprise single sign-on solution that simplifies user access to applications while enhancing security. This white paper describes complementary ways in which MetaFrame Password Manager enhances security.
1 Introduction
2 • Target Audience
2 • Finding More Information
2 The Password Dilemma
3 • The Usual Trade-off
3 • MetaFrame Password Manager
3 Improving Security with Enterprise Single Sign-On
3 • Components
4 • Nonintrusive Insertion
5 • Security Benefits
7 • Security Challenges
7 Security Mechanisms
7 • Access to Credentials
8 • Credentials Storage
11 • Password Change
11 • Credentials Synchronization
12 • Event Logs
12 Conclusion
TARGET AUDIENCE
This white paper is designed to meet the needs of IT security architects, engineers and other specialists, as well as technical evaluators for IT products. This white paper is intended for readers with varying levels of exposure to single sign-on (SSO) solutions in general, and to Citrix® MetaFrame® Password Manager in particular.
Readers new to SSO will benefit from reading the entire document. Readers who know SSO, but who are not familiar with MetaFrame Password Manager, can start reading the section entitled, “Improving Security with Enterprise Single Sign-On” on page 3. Readers who have intimate knowledge of MetaFrame Password Manager and who are interested in the inner security mechanisms, can go directly to “Security Mechanisms” on page 7.
FINDING MORE INFORMATION
For assistance in deploying a secure MetaFrame Password Manager solution, the following documentation is available:
The Citrix MetaFrame Password Manager 2.0 Administrator’s Guide (CTX102684) explains how to install and configure MetaFrame Password Manager on Windows®, including password policy definition, password management automation and reauthentication settings.
The online Knowledge Base (see http://support.citrix.com/kb) contains the following articles:
• Agent Security for MetaFrame Password Manager (CTX103189)
• GINA Chaining with the MetaFrame Password Manager Agent (CTX103185)
• Dealing with Forgotten Passwords and Forgotten Answers to the Secret Question (CTX103172)
• Choosing between Active Directory and File Share Synchronization for MetaFrame Password Manager (CTX103171)
• MetaFrame Password Manager in a Distributed File System Environment (CTX103186)
• File Synchronization Security for MetaFrame Password Manager (CTX103184)
• MetaFrame Password Manager Deployment Models and Scenarios (CTX103177)
• Recommendations for Using MetaFrame Password Manager with MetaFrame Secure Access Manager (CTX103188)
The Password Dilemma
Providing access to password-protected IT resources presents enterprises with a traditional dilemma: to decide between ease-of-use and security enforcement. Compromising either way to match the expectations of users or administrators entails important security implications. What is needed is to combine strong password enforcement with minimal user involvement.
THE USUAL TRADE-OFF
Enterprises typically rely on the user to manage numerous passwords, even though security is especially susceptible to poor password protection. In particular, a user’s natural inclination for simplicity (using a single password whenever possible), poor memory (using a spouse’s name), and carelessness (writing or recording passwords anywhere) can virtually eliminate the value of any security technology placed into the system, no matter the password policies in place.
METAFRAME PASSWORD MANAGER
This is a single sign-on solution that reconciles security and usability interests to allow for an effective security strategy. Users authenticate only once with a single primary password (for domain authentication), possibly augmented with multifactor authentication devices, while MetaFrame Password Manager takes over the ongoing management of a user’s secondary credentials to access enterprise, Web and host-based applications, or any other password-protected IT resource.
MetaFrame Password Manager increases security by centralizing the definition and activation of password policies, enforcing strong passwords, applying uniform safeguards around credentials, and by imposing domain reauthentication parameters, such as to prevent walk-away breaches. Perhaps more importantly, MetaFrame Password Manager can tailor users’ exposure to passwords, ultimately cutting down all user involvement in application logons and password change events. Whereas shielding the user from all aspects of password management has clear usability merits, this also benefits security significantly. When users are no longer exposed to their own passwords, they can no longer select, store, share or otherwise mishandle their credentials. Secure ease-of-use can be achieved when MetaFrame Password Manager takes over the responsible management of a user’s credentials.
Improving Security with Enterprise Single Sign-On
COMPONENTS
MetaFrame Password Manager consists of three primary software components: the agent, a central credential store and the administrator console. This document provides only a brief overview of the functionalities of each component as they pertain to security. Further details on each component can be found in the Citrix MetaFrame Password Manager Evaluator’s Guide available from www.MyCitrix.com.
The Agent
The MetaFrame Password Manager agent acts on behalf of the end user, detecting and reacting automatically to password-related events. The user enters application credentials once at configuration time and then allows the agent to take over to perform all logon and password changes initiated by the applications. When a user attempts to access an application that requires authentication, the agent intercepts the application’s request for authentication, retrieves the correct logon credentials from its encrypted local store, and supplies them to the application.
The Administrator Console
The console provides administrators with control over all aspects of password management, but without providing any visibility into the actual user passwords. In particular, the console can activate individual applications for single sign-on, define strong password policies, automate agent interactions, and publish agent settings on the central store. More specifically, the administrator can configure any number of password policies with granular controls to ensure the strongest password formation is enforced for every single application.
The Central Credential Store
All users’ encrypted credentials are saved in a central store, deployed either as shared network folders, or on Microsoft® Active Directory®. The credential store also contains the first-time-use settings, application configurations, and administrative override settings as defined by the administrator. This is the central repository for all data necessary to configure generic software agents into user-specific password managers. At session start-up, an agent accesses a user’s settings and encrypted credentials from the central store and saves them locally. Then, the agent may update a number of credentials during the session. Upon termination, the agent performs a final synchronization with the central store assuring that the credentials are consistent between the local and central stores (optionally, depending on administrator configuration, the agent may also synchronize them during the course of the session). All updates are consolidated on the central store to let users reuse and maintain their credentials across sessions from any workstation within the domain.
NONINTRUSIVE INSERTION
The MetaFrame Password Manager agent ties into the authentication mechanisms in place. Upstream, it hooks to the winlogon authentication process (primary authentication), and downstream, it interacts with the existing logon prompt of each individual application (secondary authentication). It does not disrupt the existing chain of command other than generating, storing and submitting the credentials on behalf of the user. MetaFrame Password Manager has no need for additional hardware or software changes, new adaptors or scripts, thus avoiding potential extraneous vulnerabilities.
Primary Authentication
MetaFrame Password Manager does not affect primary authentication. That stage is still handled using either common domain authentication (such as NTLM) or alternative authentication mechanisms based on passwords, smart cards, tokens or biometrics. On many Microsoft operating systems, replacing the logon interface in this way is specified and supported by Microsoft, and is achieved by replacing the Microsoft msgina.dll with the primary GINA.dll (Graphical Identification and Authentication dynamic-link library) of another authentication vendor. MetaFrame Password Manager chains its own ssogina.dll underneath the installed primary GINA.dll. This pass-through GINA performs some preprocessing in preparation for upcoming secondary authentications; MetaFrame Password Manager does not implement its own replacement user interface or authentication mechanism.
Upon successful authentication with the domain controller, the primary GINA.dll passes the primary password to the ssogina.dll. From that point on, the agent uses the primary password to unlock the user’s credentials from the store and takes over full control of secondary authentications. Once MetaFrame Password Manager submits the credentials, the application handles the authentication in the same way as when a user manually enters them.
Secondary Authentication
The agent runs locally to the logon prompt, be it the application’s native interface, a Web form or a terminal emulator. MetaFrame Password Manager detects password events by uniquely identifying the login interface through Windows control IDs, window title, form name, or unique strings, regardless of the underlying application architecture. The agent simply provides logon credentials to the local prompt and relies on the individual applications to transmit credentials to their own data stores. From the perspective of an SSL-authenticated client-to-server connection, MetaFrame Password Manager integrates seamlessly with the established tunnel. Therefore, the current communication flow between the front end of an application and the back end is not affected by the use of MetaFrame Password Manager.
SECURITY BENEFITS
The protective measures implemented in MetaFrame Password Manager address security threats tied to every constituent, namely end users, the agent, the credential store, synchronization links and administrators. The risk that an unintended individual abuses the rights of a legitimate user is minimized through the following mitigations:
Consolidated Credential Store
All credentials are stored encrypted by the agent in one consistent location. By having all passwords stored securely in a uniform manner, the user no longer needs to disperse logon information in an ad hoc mix of handwritten notes and electronic files, which, despite the best efforts, remain all too exposed to the inquisitive onlooker.
Strong Passwords
Strong credentials are an effective means to thwart the threat from casual adversaries or structured dictionary attacks. The console allows for the definition of strong password policies and their activation for selected applications, whereas the agent enforces the policies whenever new passwords get created. A password policy can be specified for a single application, if required. Administrators can specify how passwords must be created using the following criteria:
• The minimum and maximum number of characters used in a password
• Whether or not alphabetical characters can be used in a password and if they can be uppercase, lowercase, or a combination of both
• Whether or not numeric characters can be used in a password
• The minimum and maximum number of numeric characters in a password
• Number of times a character can be repeated in a password
• The use of special characters
This approach has significant advantages over Password Synchronization solutions that align domain logon and all applications on the lowest common password denominator (for example, a six-character limit for certain mainframe applications). Pure password synchronization solutions might force a very weak password for all logon authentications, and organizations may end up relaxing security severely for the sake of ease-of-use.
Hidden Credentials
Administrators also have the ability to hide the underlying application credentials from end users by automating the silent creation and submission of passwords by the agent. Hidden credentials help increase overall security since employees are unaware of the application’s actual passwords and can only access these applications through company-approved mechanisms. This also prevents the hazards that may result from the casual lending of access rights to supposedly “trusted” co-workers, as well as eliminates the chances of an adversary snooping over one’s shoulder. In addition, it certainly limits the possibilities for password theft through social engineering techniques or outright coercion. Finally, hidden credentials help relax the urgency for deactivating user accounts when it comes time to deprovision an employee.
Automated Reauthentication
The agent can be configured to invoke domain reauthentication selectively for certain critical applications, or systematically upon the next application logon or password change event after a configurable time interval has expired. Given that enterprise-wide activation of password-protected screen savers has proven an elusive goal, IT administrators are now offered the possibility to configure all agents to enforce a protective measure against walk-away breaches.
Passwords Not Exposed
Since the credentials are exchanged locally between the agent and the application, MetaFrame Password Manager does not introduce any new opportunity for “sniffing” the passwords over the network. In fact, the only time that credentials are ever transmitted on the network by MetaFrame Password Manager is for synchronization purposes between the agent and the central credential store, in which case the credentials are always passed in their encrypted form. Additionally, individual passwords are only deciphered for the brief interval during which the agent submits the credentials to the application, after which the password is discarded from memory. Not storing passwords in clear text effectively limits their exposure to an off-line observer. Furthermore, the agent can be configured to flush the local credential store at the end of every session, thereby minimizing the risks of an off-line attack on the local encrypted store.
Resilient Architecture
MetaFrame Password Manager’s only network component is the credential store, which itself plays no active part in performing the authentication. Moreover, the central store supports standard replication mechanisms to ensure availability of the data. Therefore, the MetaFrame Password Manager architecture can be configured to avoid central point-of-failure, thus mitigating exposure to denial-of-service (DoS) attacks or other types of unplanned outages.
Supplemental Identity Verification
Application passwords are known only to the agent. An IT administrator is exposed to neither the clear text passwords nor their encryption keys. Nevertheless, MetaFrame Password Manager uses an “identity verification question” mechanism to help prevent administrators from abusing their permissions to exploit a user’s credentials.
SECURITY CHALLENGES
Given the seamless insertion between the primary and secondary authentication stages, MetaFrame Password Manager is essentially concerned with enforcing an automated management of strong passwords. Consequently, the security challenges sit at the core of password handling.
First, as a generator of passwords, MetaFrame Password Manager must ensure proper password randomization in the creation process, while observing the formation rules set by the administrator.
Second, as the unique holder of a user’s passwords, it must provide sufficient safeguards to ensure all credentials are kept thoroughly secure, before, during, after and across agent sessions.
Third, it must ensure that passwords can be recovered in the event of a primary password change, a forgotten primary password, or an accidental corruption on the client. The next section describes the mechanisms implemented to ensure that MetaFrame Password Manager delivers single sign-on in a secure and reliable manner.
Security Mechanisms
ACCESS TO CREDENTIALS
When MetaFrame Password Manager is initially configured, the first domain authentication results in cryptographic keys getting created and encrypted for the user. MetaFrame Password Manager’s ssogina.dll generates a set of random cryptographic keys unique to the user and encrypts them using the domain password.
On subsequent primary authentication, ssogina.dll invokes a similar mechanism to compute the values needed by the agent to recover the cryptographic keys. In any case, the agent deciphers individual credentials during logon events only. It then submits the credentials to the application, thus greatly limiting the window of opportunity for an adversary.
The figure below illustrates the credentials “unlocking” mechanism.
[Figure: credential unlocking flow between the user, the primary GINA, the domain controller, ssogina.dll, the local credential store and the application. Callouts 1 to 7 correspond to the numbered steps that follow.]
1. The user enters the domain logon credentials.
2. The primary GINA submits credentials for domain authentication.
3. The domain controller confirms successful domain authentication to primary GINA.
4. The primary GINA passes the user ID, domain and the primary password to ssogina.dll.
5. ssogina.dll preprocesses session values to be used by the agent.
6. At the password event, the agent retrieves the encrypted secondary credentials from the local store.
7. The agent decrypts secondary credentials using encryption keys and submits them locally to the application.
Since the primary password is used to protect the credentials’ encryption keys, it is imperative for an organization to adopt strong primary passwords. One way to achieve strong passwords is to enforce Microsoft’s recommended password policy guidelines (see: http://www.microsoft.com/ntserver/techresources/security/password.asp). Alternatively, authentication can be augmented with physical factors—something you need to have in your possession—to complement or replace the secret password. Moreover, the adoption of multifactor authentication devices such as tokens, smart cards or biometrics could prove a more viable alternative than simply increasing the complexity of the primary password at the user’s expense.
Support for Multifactor Authentication
The current version of MetaFrame Password Manager already integrates with a wide variety of multifactor authentication devices. In anticipation for the broad adoption of multifactor authentication devices as an industry best practice, Citrix has established a dedicated initiative in the Citrix Alliance Partners program to support integration efforts from a growing array of multifactor authentication device vendors.
Note
Inserting ssogina.dll underneath the primary authentication stage facilitates the support for multifactor authentication devices. Most strong authenticators chain their own replacement or supplementary GINA upstream. For GINA-chaining purposes, third-party authenticators should be installed before installing MetaFrame Password Manager.
CREDENTIALS STORAGE
Repository
User data consist of configuration settings (application profiles, client settings, and so on), and application credentials (usernames, passwords, and third and fourth fields if required by an application). A credential store contains all the settings configured by administrators (enterprise-level configuration data and individual user/client settings), along with an encrypted version of each individual user’s credentials. These confidential credentials never appear in clear text in the store. A replica of a user’s credentials is stored in two locations:
• A local credential store
• A central credential store
Access to a user’s credentials is controlled through file permissions (security and sharing permissions) on both credentials stores. The local store consists of a single binary, memory-mapped file (MMF) and contains all configuration data and confidential credentials for that user.
The central credential store has multiple folders and files, and it can use either Microsoft Active Directory or a File Share folder. In a File Share implementation, permissions are set so that only the valid user and administrator can access the credentials. In an Active Directory deployment, each user has his or her own user directory in the tree; the permissions on this directory are configured to allow access by the users themselves and the administrators only (Citrix provides the Active Directory schema extensions required). In either case, even if access controls were bypassed, there is no visibility to the confidential data since the keys are known only to the local agent with the valid user’s primary password. Indeed, no user has access to another user’s confidential data.
Resilience of the store is achieved through replication. The Active Directory configuration automatically leverages the built-in replication feature of Active Directory to create multiple datastores. With File Share, replication can be configured using the distributed file system (DFS) features of Windows 2000 or 2003.
Encryption
The Microsoft Crypto API is used for all cryptographic functions performed by MetaFrame Password Manager. The Crypto API cryptographic service providers contain all necessary functions for encryption, hashing and random number generation. Only approved U.S. Federal Information Processing Standards (FIPS) algorithms are used: hashing uses the SHA-1 algorithm, and encryption uses TripleDES. The use of the Microsoft Crypto API library also gives the flexibility to support alternative encryption algorithms in the future.
Cryptographic Keys
Unique random cryptographic keys are generated for each user. These keys are used to encrypt an individual user’s confidential credentials. Conversely, these same keys are also used to decrypt individual credentials when an application logon event is detected. In all instances, encryption/decryption of the credentials is only performed by the agent. To protect these cryptographic keys, MetaFrame Password Manager encrypts them using a protection key. The protection key is derived from the primary password, typically the user-supplied password as returned by msgina.dll, or some hidden password in the case of most strong authenticators. MetaFrame Password Manager hashes that value and a random salt, then derives an encryption key (namely, the protection key) from the salted hash. The credential encryption flow is illustrated in the figure on the following page.
Note
A hash is a function that maps any data element to a binary string of a certain bit length. This mapping has two essential properties:
• It is unique for a given data element; the odds that two distinct elements are mapped to the same hash value are minimal, if not negligible. So a hash is a unique marking for the original data, without holding any of its information.
• More importantly, the hash is a one-way function. The algorithms for hashing data elements are public knowledge, but there is no way to reconstruct the original data just by knowing its hash value.
In essence, a hash is a unique identifier for a data element, but it doesn’t reveal anything about the actual data. This property is particularly well-suited for communicating knowledge of a password and avoiding password sniffing at the same time.
However, knowing the hash function and the “seed” value, an attacker could compute all hash values for a predetermined set of data elements. It would then become possible to verify a list of potential source data from a match on their hash value. This is typically what a “dictionary attack” consists of: a precalculation of most likely hash values. A salt tackles this problem. When a secret salt is added to the original data element, the hash mapping changes randomly and no longer matches that of a dictionary attacker.
The derived encryption key is used to protect the cryptographic keys. The flow from the primary password to the submitted credentials is as follows:
1. The user enters his domain password.
2. The password is transformed into a protection key via Crypto API.
3. The protection key is used to recover the cryptographic key via Crypto API.
4. The user’s confidential credentials are decrypted via Crypto API.
5. The application user ID and password are submitted to the application.
Identity Verification Phrase
A verification phrase is used as a backup mechanism to recover the user’s credentials in the event the primary password is lost, changed or reset. During the initial setup of MetaFrame Password Manager, the user selects a predefined question from a list (for example, “city/state/year of father’s birth,” or “year/street/price of the first house”), the answer to which, also referred to as the “verification phrase,” completes the authentication.
Administrators must avoid defining verification questions that return simplistic answers and result in an “easy guess,” such as, “What is your favorite color?” Questions that combine several data elements, as in the examples above, are highly recommended.
The verification phrase also provides an incremental measure against the compromise of a domain password.
With the identity verification question, even when a domain password gets reset, it is not possible to use the confidential credentials without knowing the user’s verification phrase.
The IT administrator can define the list of identity verification questions presented to the users, and the verification phrase has a minimum length requirement. Once the user picks a question and enters the verification phrase, the phrase is hashed with a salt, along with other variables, and then stored locally. Again, the verification phrase is never stored in clear text.
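The key hierarchy described under “Cryptographic Keys” (salted SHA-1 of the primary password, giving a protection key that unlocks the user’s random credential key, which in turn protects each TripleDES-encrypted record) and the role of the verification phrase after a domain password reset, as an added Go example. This is not Citrix code and does not reproduce the product’s file format: the SHA-1 key stretching, the use of TripleDES in CTR mode, the digest embedded in the wrapped key, and the second wrapping of the credential key under the verification phrase are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

const keyLen = 24 // TripleDES key length in bytes

// wrappedKey is one copy of the user's random credential key, TripleDES-encrypted under a key
// derived from a secret (the primary password or the verification phrase) and a random salt.
type wrappedKey struct {
	salt []byte // kept in clear beside the ciphertext; defeats precomputed (dictionary) hashes
	blob []byte // IV || 3DES-CTR(credKey || SHA-1(credKey)) under the derived key
}

// UserStore models one user's key material (illustrative; wrapping under both the primary password and the verification phrase is an assumed design).
type UserStore struct{ primary, recovery wrappedKey }

func randBytes(n int) []byte { // a CSPRNG failure is fatal, so panicking is acceptable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveKey hashes secret||salt||counter with SHA-1 until keyLen bytes are available; the page
// says only "salted hash, then derive a key", so this particular stretching is an assumption.
func deriveKey(secret string, salt []byte) []byte {
	var key []byte
	for i := byte(0); len(key) < keyLen; i++ {
		sum := sha1.Sum(append(append([]byte(secret), salt...), i))
		key = append(key, sum[:]...)
	}
	return key[:keyLen]
}

// ctr applies TripleDES in CTR mode (the same call encrypts and decrypts, no padding needed);
// seal prefixes a fresh random IV to each record and open strips it again.
func ctr(key, iv, data []byte) []byte {
	block, _ := des.NewTripleDESCipher(key) // every key here is exactly keyLen bytes
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

func seal(key, plain []byte) []byte {
	iv := randBytes(des.BlockSize)
	return append(iv, ctr(key, iv, plain)...)
}

func open(key, record []byte) ([]byte, error) {
	if len(record) < des.BlockSize {
		return nil, errors.New("record too short to hold an IV")
	}
	return ctr(key, record[:des.BlockSize], record[des.BlockSize:]), nil
}

// wrap encrypts credKey plus its digest under a key derived from secret and a fresh salt.
func wrap(secret string, credKey []byte) wrappedKey {
	salt, sum := randBytes(16), sha1.Sum(credKey)
	return wrappedKey{salt, seal(deriveKey(secret, salt), append(append([]byte{}, credKey...), sum[:]...))}
}

// unwrap recovers credKey; the embedded digest turns a wrong secret into a clean error, not garbage.
func (w wrappedKey) unwrap(secret string) ([]byte, error) {
	plain, err := open(deriveKey(secret, w.salt), w.blob)
	if err == nil && len(plain) == keyLen+sha1.Size {
		if sum := sha1.Sum(plain[:keyLen]); bytes.Equal(sum[:], plain[keyLen:]) {
			return plain[:keyLen], nil
		}
	}
	return nil, errors.New("secret does not unlock the credential key")
}

// NewUserStore generates the random credential key at first logon and wraps it twice.
func NewUserStore(primary, phrase string) *UserStore {
	credKey := randBytes(keyLen)
	return &UserStore{wrap(primary, credKey), wrap(phrase, credKey)}
}

// Unlock is the logon-event step: recover the credential key, then seal or open records with it.
func (s *UserStore) Unlock(primary string) ([]byte, error) { return s.primary.unwrap(primary) }

// Rewrap moves the credential key under a new primary password: a normal change unlocks it with the
// old password, an administrative reset leaves only the verification phrase. Records are untouched.
func (s *UserStore) Rewrap(secret, newPrimary string) error {
	credKey, err := s.primary.unwrap(secret)
	if err != nil {
		credKey, err = s.recovery.unwrap(secret)
	}
	if err == nil {
		s.primary = wrap(newPrimary, credKey)
	}
	return err
}
```

Because only the wrapped copy of the credential key changes, a primary password change or a phrase-based recovery never requires re-encrypting the stored application credentials, and a reset of the domain password by itself yields nothing without the phrase.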
PASSWORD CHANGE
When an application requests a password change, MetaFrame Password Manager intercepts the request and can generate a random password without the user being aware of it. MetaFrame Password Manager ensures that all randomly generated passwords meet the intended level of security by enforcing the password formation policies.
Randomization is performed through a function that calls a random generator function from one of Crypto API’s service providers.
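The password formation criteria listed under “Strong Passwords” and the random password generation described here, as an added Go example that is not Citrix code: Policy and its field names are an assumed encoding of those criteria, the special-character set is an assumption (the page does not list one), and crypto/rand stands in for the Crypto API random generator. Generate keeps drawing from the permitted alphabet until Validate accepts the draw, so a generated password is uniform over the conforming set rather than skewed by a fix-up step.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// Policy mirrors the formation criteria listed above (illustrative struct, not the console's own schema).
type Policy struct {
	MinLen, MaxLen                     int
	AllowAlpha, AllowUpper, AllowLower bool // letters permitted at all; which cases are permitted
	AllowDigit, AllowSpecial           bool
	MinDigits, MaxDigits               int
	MaxRepeat                          int // how many times any single character may occur
}

const (
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lower   = "abcdefghijklmnopqrstuvwxyz"
	digits  = "0123456789"
	special = "!#$%&*+-=?@^_~" // assumed special-character set; the page does not list one
)

// alphabet is the set of characters the policy permits a generated password to contain.
func (p Policy) alphabet() string {
	var sb strings.Builder
	if p.AllowAlpha && p.AllowUpper {
		sb.WriteString(upper)
	}
	if p.AllowAlpha && p.AllowLower {
		sb.WriteString(lower)
	}
	if p.AllowDigit {
		sb.WriteString(digits)
	}
	if p.AllowSpecial {
		sb.WriteString(special)
	}
	return sb.String()
}

// Validate reports the first criterion a candidate password violates, or nil if it satisfies all.
func (p Policy) Validate(pw string) error {
	if n := len([]rune(pw)); n < p.MinLen || n > p.MaxLen {
		return fmt.Errorf("length %d outside %d..%d", n, p.MinLen, p.MaxLen)
	}
	counts, nDigits := map[rune]int{}, 0
	for _, r := range pw {
		counts[r]++
		switch {
		case unicode.IsUpper(r) && p.AllowAlpha && p.AllowUpper:
		case unicode.IsLower(r) && p.AllowAlpha && p.AllowLower:
		case unicode.IsDigit(r) && p.AllowDigit:
			nDigits++
		case strings.ContainsRune(special, r) && p.AllowSpecial:
		default:
			return fmt.Errorf("character %q is not permitted", r)
		}
	}
	if nDigits < p.MinDigits || nDigits > p.MaxDigits {
		return fmt.Errorf("%d numeric characters, want %d..%d", nDigits, p.MinDigits, p.MaxDigits)
	}
	for r, c := range counts {
		if c > p.MaxRepeat {
			return fmt.Errorf("character %q occurs %d times, max %d", r, c, p.MaxRepeat)
		}
	}
	return nil
}

// Generate draws characters uniformly from the permitted alphabet with the system CSPRNG and keeps the
// first draw Validate accepts (rejection sampling), so the result is uniform over conforming passwords.
func (p Policy) Generate() (string, error) {
	alpha := p.alphabet()
	if alpha == "" || p.MinLen < 1 || p.MinLen > p.MaxLen {
		return "", fmt.Errorf("policy admits no passwords")
	}
	for attempt := 0; attempt < 10000; attempt++ {
		buf := make([]byte, p.MinLen+randInt(p.MaxLen-p.MinLen+1))
		for i := range buf {
			buf[i] = alpha[randInt(len(alpha))]
		}
		if p.Validate(string(buf)) == nil {
			return string(buf), nil
		}
	}
	return "", fmt.Errorf("policy too restrictive: no conforming password in 10000 draws")
}

// randInt returns a uniform integer in [0, n) from crypto/rand, never math/rand; a CSPRNG failure is fatal.
func randInt(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err)
	}
	return int(v.Int64())
}
```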
CREDENTIALS SYNCHRONIZATION
Synchronization is required in order to keep all agents up-to-date with the latest changes of credentials. As an example, a user might invoke an application published on a MetaFrame Presentation Server farm. This session might execute on a different server than the one used in the previous session. Since the agent runs locally to the application, previous password updates made on a different server must somehow be known to the ongoing session, regardless of the node on which it is currently running. Furthermore, the central credential store also proves an effective backup and restore solution in the event the client gets corrupted.
Updates
Credential synchronization is performed at the record level. The agent compares the encrypted credential records from the local store and the central store and merges them by date and time, overwriting the older records with the newer. If over the course of the session a password change is required, this will also be reflected in the user’s local credential store. During the next synchronization, the central credential store would receive all updated credential records. Again, all credentials are passed in their encrypted form.
Should the administrator configure the agent to delete the local credential store on shutdown, a synchronization is forced at start-up. An administrator can also control how often synchronization occurs through settings available in the console.
Synchronizing end-user credentials to a central credential store enables mobility, eases deployment and simplifies administration.
Recovery
The central credential store also provides for credential recovery. Should a user’s local store get corrupted or deleted, the credentials can still be restored through the central store. In this event, the next time the agent is executed, a synchronization occurs and a new copy of the user’s local credential file will be created.
In the case where the agent’s binary executable gets corrupted, the agent would have to be reinstalled, but the installation process will reuse the existing local credentials store and user information. The agent detects the current settings and resumes execution.
EVENT LOGS
The agent logs all single sign-on events to the Windows Event Log, building toward the consolidation of all audit and reporting views provided by the central Microsoft platform. Administrators can also configure the level of event-logging capability within MetaFrame Password Manager. The agent reports all events related to:
• Credential use
• Credential changes
• MetaFrame Password Manager events
• MetaFrame Password Manager feature use
MetaFrame Password Manager helps organizations comply with mandated information security regulations, such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act (SOA).
Conclusion
Citrix MetaFrame Password Manager is a single sign-on solution that improves enterprise security, in particular for those organizations that still rely on individuals to manage their own passwords. MetaFrame Password Manager stores, submits, updates and recovers application passwords in a secure manner through the following mechanisms:
• Definition of password formation policies and systematic enforcement of strong passwords
• Automation of all aspects of application password management, which can ultimately be tailored to shield end users from any password-related responsibility
• No credentials in clear text on the store or over the network; only FIPS-approved cryptographic algorithms used
• Synchronization and recovery performed through central credential store
• Seamless interoperability with most multifactor authentication devices
MetaFrame Password Manager delivers user convenience in a secure manner. It provides IT administrators with practical means of enforcing uniform security policies across the organization and limiting user access to company-approved mechanisms. Citrix MetaFrame Password Manager is a single sign-on solution that effectively reconciles the security and usability interests of large and small enterprises alike.
About Citrix: Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader in access infrastructure solutions and the most trusted name in enterprise access. Citrix software enables people in businesses, government agencies, and educational institutions to securely, easily and instantly access the on-demand enterprise, from anywhere, anytime, using any device, over any connection. Nearly 50 million people in more than 120,000 organizations rely on the Citrix MetaFrame Access Suite to do their jobs. Citrix customers include 100% of the Fortune 100 companies, 99% of the Fortune 500 and 92% of the Fortune Global 500. Based in Fort Lauderdale, Florida, Citrix has offices in 26 countries, and more than 7,000 channel and alliance partners in more than 100 countries. For more information, visit www.citrix.com.
WORLDWIDE HEADQUARTERS
Citrix Systems, Inc., 851 West Cypress Creek Road, Fort Lauderdale, FL 33309, USA. Tel: +1 (800) 393 1888, Tel: +1 (954) 267 3000
EUROPEAN HEADQUARTERS
Citrix Systems International GmbH, Rheinweg 9, 8200 Schaffhausen, Switzerland. Tel: +41 (52) 635 7700
ASIA PACIFIC HEADQUARTERS
Citrix Systems Hong Kong Ltd., Suite 3201, 32nd Floor, One International Finance Centre, 1 Harbour View Street, Central, Hong Kong. Tel: +852 2100 5000
CITRIX ONLINE DIVISION
5385 Hollister Avenue, Santa Barbara, CA 93111. Tel: +1 (805) 690 6400
www.citrix.com
©2004 Citrix Systems, Inc. All rights reserved. Citrix® and MetaFrame® are registered trademarks of Citrix Systems, Inc. in the United States and other countries. Microsoft®, Windows®, Windows NT®, and Active Directory® are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks and registered trademarks are the property of their respective owners.
Notice
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
An Analysis by Foundstone®, Inc.
April, 2004
Table of Contents
• Introduction and Background
• Summary
• Scope and Approach
• Findings and Recommended Product Enhancements
• About Foundstone, Citrix and This Report
Introduction and Background
The Citrix MetaFrame Password Manager 2.0 product, introduced in September 2003, provides enterprise-level single sign-on functionality, enabling users to authenticate just once with a single set of credentials to gain access to a variety of applications, systems and web sites that require secondary logons. Because the system centralizes the management and retention of user and password information, it would be considered a high value target by anyone seeking to compromise a computer environment.
Due to the impact that would be associated with the compromise of this product, Citrix commissioned an external security review of Citrix MetaFrame Password Manager 2.0 by Foundstone. The objective of this review was to determine the product’s exposure to a variety of threat conditions that were considered to be the most likely avenues of attack against the Citrix MetaFrame Password Manager 2.0 product.
This paper describes the results of the security assessment of the Citrix MetaFrame Password Manager 2.0 product which was conducted by Foundstone during March of 2004. The remainder of this document describes:
• Foundstone’s conclusions about the security of the Citrix MetaFrame Password Manager 2.0 product.
• The testing approach taken by Foundstone during the course of the evaluation.
• Findings and recommendations associated with the security assessment.
Summary
Foundstone concluded that the Citrix MetaFrame Password Manager 2.0 product was well designed from a security perspective. Strong encryption, buffer overflow prevention, appropriate use of operating system and registry permissions and the presence of anti-tampering techniques such as checksums to prevent unauthorized changes in data were all evidence of a solid security framework built into the product. Although several risk factors were noted during the assessment, Citrix was able to respond to each issue either by providing recommended configuration settings to reduce the likelihood that the product would be deployed with the less secure option or, in one instance, by developing a fix to address the concern.
As described later in this document, there are other environmental factors that the product cannot be protected against, such as risks associated with the design of the applications that Citrix MetaFrame Password Manager 2.0 interacts with and risks that are associated with the Windows operating system. While all of those risks are real, they do not speak to the security engineered into the Citrix MetaFrame Password Manager 2.0 product. Within this context, Citrix has utilized good security practices and has developed a solid platform.
Foundstone believes that the Citrix MetaFrame Password Manager 2.0 product demonstrates a solid approach to security and conforms with best practices Foundstone has seen in the software industry.
The major testing areas, findings and recommendations are reflected in the table below:
Test objectives, results and risk ratings:
1. Does the product prevent end users from gaining access to other user settings and credentials?
   Result: Yes. Credential information could not be viewed or modified with either the file server based or the Active Directory based central credential store. With a file server based central credential store, other non-sensitive data, such as application settings and configuration options, could be viewed but not modified.
   Risk: Low
2. Does the product prevent administrators from gaining access to other user settings or credentials?
   Result: Yes. Administrators cannot view or alter credential information but can view and alter non-sensitive data such as application URLs and configuration names.
   Risk: Low
3. Are end users and administrators protected against attempts to gain access to their settings and credentials via brute force attacks?
   Result: Yes. Verified in testing. Data is encrypted using TripleDES encryption.
   Risk: None identified
4. Are end user credentials properly protected with encryption when stored centrally or locally?
   Result: Yes. Strong TripleDES salted encryption is used. Each user’s data is encrypted using per-user keys.
   Risk: None identified
5. Are end user credentials properly protected with encryption while being transmitted?
   Result: Yes. Only non-sensitive settings can be sniffed during synchronization. All credential information is encrypted.
   Risk: Low
The definitions of the risk ratings listed in the table above are:
• High Risk: The vulnerability would allow an attacker to gain access to sensitive information such as authentication credentials and the likelihood that the exploit could be exercised is relatively high because the knowledge required is not considered rare or there are few safeguards that would prevent such an attack.
• Medium Risk: The vulnerability would allow an attacker to gain access to sensitive information such as authentication credentials but there are mitigating conditions such as policies, procedures or physical factors that would reduce the likelihood the exploit would be successfully exercised.
• Low Risk: The vulnerability would allow an attacker to gain access to non-sensitive information such as application settings, application history or configuration options.
Scope and Approach
This section describes the testing approach taken by Foundstone. In addition, the scope of the testing is discussed here in order to clearly describe several activities that were outside the primary objectives of this review.
The assessment was performed as a “blackbox” review in which Foundstone was provided with the same information that any purchaser of the software would have. Specifically, Foundstone had access to the installation disks and associated documentation but no information about the source code or architecture of the product was provided by Citrix.
The review was composed of the following major steps:
1. Established a test environment that allowed three product configurations (desktop, server and mixed modes), two operating systems scenarios (Windows 2000 and Windows XP) and two synchronization deployments (Active Directory & File Share) to be evaluated.
2. Reviewed product documentation and other publicly available product information to finalize an attack tree and testing objectives.
3. Monitored the installations of the product to attempt to gain intelligence about the product and its architecture.
4. Conducted tests of the product’s security in desktop, mixed and server modes in the two AD and File Share deployments for two different operating environments: Windows 2000 and Windows XP.
5. Summarized the findings from the testing; noting both positive aspects as well as areas for improvement.
Several different attack scenarios were assessed during the testing. Foundstone assembled a detailed attack tree that contained all scenarios Foundstone could identify that would allow it to assess how well passwords were protected from inappropriate exposure. The following situations were reflected in the attack tree:
• Verify that one user cannot view other users’ information.
• Assess whether malicious administrators can access or change another user’s or administrator’s information.
• Determine if the application is susceptible to a brute force attack against the credential store.
• Verify that sensitive data is encrypted when at rest within the application.
• Verify that data is encrypted when being transmitted between the central credential store and the Citrix MetaFrame Password Manager agent.
For the purposes of this assessment, sensitive data was considered to be authentication credentials while non-sensitive data was considered to be application settings, application history and user configuration options. All references in the Findings and Recommendations section use these definitions.
A number of different tools were used to perform the testing. Those tools were:
• Filemon – Used to monitor file and DLL access and modification
• Regmon – Used to monitor registry access and modification
• APImon – Used to monitor API calls
• Ethereal – Used to capture network traffic
• SoftIce – Software debugger used to reverse engineer the Citrix product
• IDAPro – Software disassembler used for binary analysis and reverse engineering
• Dumpbin – Binary analysis tool
This exercise focused primarily on evaluating the Citrix MetaFrame Password Manager 2.0 product, not vulnerabilities within the operating environment in which it resides. Accordingly, Foundstone did not focus extensively on the environmental risk associated with:
• Vulnerabilities in other applications that may be installed on the same platform as the Citrix MetaFrame Password Manager 2.0 product.
• Vulnerabilities within the operating system that may allow an administrator to compromise the system level passwords.
Consequently, activities that could be performed by rogue system administrators such as installing Trojans, executing key stroke loggers to capture user credentials or cracking the NTLM hash were considered to be outside the scope of this assessment. While all of those activities were possible, none speak to the security engineered into the Citrix MetaFrame Password Manager 2.0 product – which was the focus of this effort. These vulnerabilities are inherent within the Windows operating system environment and exist irrespective of the presence or absence of the Citrix MetaFrame Password Manager 2.0 product.
Overall, the focus during this security assessment was on issues associated with the design and implementation of the Citrix MetaFrame Password Manager 2.0 product that would expose users or organizations to unnecessary risk.
As in any security assessment, the scope of Foundstone’s testing activities was not confined to the identification of vulnerabilities. Foundstone also identified positive findings that reflect strong security practices and those instances have been summarized in the Findings and Recommended Product Enhancements section of this document.
Findings and Recommended Product Enhancements
This section describes the major findings and associated recommendations made to Citrix that were identified during the security assessment. The positive findings are listed at the beginning of this section while additional findings are organized by the major testing areas described in the Scope and Approach section of this document.
There were a number of positive findings during the security assessment that clearly indicate security was a major consideration during the design and development of Citrix MetaFrame Password Manager 2.0. The major positive observations included:
• Strong encryption using the Triple-DES algorithm is used to protect sensitive information in the central credential store. This puts limits on the ability of users and administrators to gain access to sensitive information.
• Debugging tools cannot be used effectively to obtain additional information about the way the application processes data.
• Operating system and registry permissions restrict a user from writing to another user’s settings.
• Citrix MetaFrame Password Manager 2.0 has protected against an administrator changing a user’s password to gain access to the credential store by requiring the user to answer a secret question when a password is changed.
• Citrix MetaFrame Password Manager 2.0 guarded against brute force attacks on the credential store by allowing only three attempts to guess authentication credentials before logging the user out and requiring the user to log back into Windows. This safeguard, in conjunction with the strong encryption algorithm used, made a brute force attack impractical to execute.
• Anti-data tampering techniques and checksums have been utilized to prevent alterations to user registry information, the central password store data and password synchronization data.
• Secure coding practices or some form of consistent development guidelines appear to have been in effect given that no buffer overflow conditions were identified in the application.
While many positive aspects were noted during this review, there were also some areas where improvements could be made.
In the sections below, Foundstone has summarized the findings and recommendations associated with each of the major attack vectors described earlier in this document.
Finding 1.1 Impact: Low
Mitigation: Configure Windows file share access controls to limit user access
No security issues were identified that would allow one user to obtain information about another user’s authentication credentials. While some limited information could be obtained about other users, this information is not deemed sensitive and was viewed as a low risk item.
Specifically, the only information that one user could obtain about another user was their Password Manager settings, the names of the applications they had accessed and the URLs of the applications.
The Password Manager settings information was available in the file share and active directory central credential stores. However, the application and URL information was available only in the file share central credential store.
Recommended Enhancement: Foundstone’s recommendation was to change the Windows file share access controls for the central password store to prevent one user from being able to view another user’s information. Ideally, this would be done in the installation process so that no decisions would be required by the installer.
2. Protection Against Malicious Administrator Activity
Finding 2.1 Impact: Medium
Mitigation: Apply Citrix hot fix MPME100W001
One of the most significant findings of the review was that authentication credentials were occasionally found to be encoded but not encrypted in both the desktop and mixed modes.
Credentials encoded with the base64 algorithm could be decoded and, consequently, it would have been possible for an administrator to gain access to user credentials in those situations.
It is important to note that this risk only exists in the event an administrator inadvertently fails to configure the agent to point to a central credential store. Such deployment would confine the user to a standalone operation with no synchronization capability for secondary credentials and administrative settings, a configuration that is unlikely to be encountered in a typical Password Manager deployment. This was a medium risk finding due to the fact that a malicious administrator would have the ability to obtain user authentication credentials in these cases.
In response to the finding described above, Citrix engineered a fix (MPME100W001) that encrypted user authentication credentials so that the unencrypted credentials were no longer available.
Foundstone tested the effects of the fix and verified that Foundstone could no longer identify unencrypted user credentials.
Finding 2.2 Impact: Low
Mitigation: None
A second finding was that it was possible in mixed mode to alter the user’s application settings, including URLs, and have that information be posted when the user synchronized with the server.
This issue would allow an administrator to alter history associated with user activity. This was considered to be a low risk vulnerability because there is little value in being able to alter history information associated with a user’s activity.
Recommended Enhancement: Foundstone recommended that Citrix consider performing integrity checking on the central store URL and application settings to prevent an administrator from altering user history. However, based on the little risk associated with this finding, it is not clear that there is sufficient benefit to warrant making the change.
3. Protection Against Credential Store Brute Force Attacks
Finding 3.1 Impact: Low
Mitigation: Encourage strong password formation policies on primary passwords
The only finding in this area was that it is possible to determine if a user account has a blank network password as well as what the approximate length of a non-blank network password is. This was considered to be a low risk finding since it provides insight into the best accounts to focus a brute force attack upon but the encryption algorithm still makes it difficult to take advantage of this information. Furthermore, Citrix’s documentation recommends that strong network passwords be required to reduce the likelihood that this will be an effective avenue of attack.
Recommended Enhancement: The current practices used to prevent a brute force attack against the credential store appeared to be appropriate and are consistent with industry best practices. The only recommendation was to consider implementing an approach to make it more difficult to detect a blank password or determine its approximate length. A possible approach to accomplish this is via integrity controls such as a keyed hash algorithm.
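The keyed-hash approach suggested for Finding 3.1, combined with the three-attempt guard noted in the positive findings, as an added example (not Citrix code). It assumes a per-user key that is never written to the central store, and that HMAC-SHA256 stands in for whatever integrity algorithm the product would actually use:

```python
import hashlib
import hmac

# Added example, not Citrix code. A stored verifier for the primary (network)
# password whose size is the same whether the password is blank or long, so a
# reader of the store cannot tell blank from non-blank or estimate length, plus
# the three-attempt lockout the report describes.

MAX_ATTEMPTS = 3  # after three bad guesses the agent forces a fresh Windows logon


def make_verifier(key: bytes, password: str) -> bytes:
    """Keyed hash (HMAC-SHA256) of the primary password.

    The output is always 32 bytes, so "" and a 40-character password produce
    records of identical size. The key is assumed to be per-user material that
    is not kept in the central store. A production design would additionally
    run the password through a slow key-derivation function first.
    """
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()


def distinguishable_by_size(key: bytes, passwords) -> bool:
    """True if the stored verifiers for these passwords differ in size,
    i.e. if the store would leak blank-ness or approximate length."""
    return len({len(make_verifier(key, p)) for p in passwords}) > 1


class PrimaryCredentialGuard:
    """Checks the primary password and locks out after MAX_ATTEMPTS failures."""

    def __init__(self, key: bytes, password: str):
        self._key = key
        self._verifier = make_verifier(key, password)
        self._failures = 0
        self.locked_out = False

    def check(self, attempt: str) -> bool:
        if self.locked_out:
            return False  # nothing is accepted until the user logs on again
        candidate = make_verifier(self._key, attempt)
        if hmac.compare_digest(self._verifier, candidate):  # constant-time compare
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self.locked_out = True
        return False

    def relogon(self) -> None:
        """Simulates the user logging back into Windows: the counter is cleared."""
        self._failures = 0
        self.locked_out = False


if __name__ == "__main__":
    key = b"constructed-per-user-key"  # constructed sample, not a real key
    print("size leaks:", distinguishable_by_size(key, ["", "x", "correct horse battery"]))
    guard = PrimaryCredentialGuard(key, "S3cret!")
    print([guard.check(g) for g in ("a", "b", "c", "S3cret!")], guard.locked_out)
```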
Finding 4.1 Impact: None
Mitigation: None required
Foundstone attempted to break the encryption that is used consistently across the desktop, server and mixed modes. A number of application credentials as well as registry settings were targeted and the encryption was found to be strong. No data elements were decrypted and the information was not compromised. Through its testing, Foundstone determined that Citrix employed a Triple-DES algorithm with a salt to achieve its encryption. This level of encryption is very robust and was not broken. The level of encryption in use, TripleDES, is considered to be appropriate and consistent with industry best practices.
5. Encryption of Data in Transit
Finding 5.1 Impact: Medium
Mitigation: Set strict URL matching for application definitions
By default, Citrix MetaFrame Password Manager 2.0 does not distinguish between HTTP and HTTPS URLs. This can result in the unintentional passing of unencrypted authentication credentials across a network when a user accesses the HTTP version of the login page, and credentials were previously saved for the HTTPS version. This was considered a medium risk finding because it only exists if there are both HTTP and HTTPS versions of a login page and the user fails to use the secure site.
Recommended Enhancement: Citrix MetaFrame Password Manager 2.0 has a configuration setting to require strict URL matching that distinguishes between HTTP and HTTPS URLs. Foundstone’s recommendation was to enable strict URL matching as a default setting to reduce the likelihood that credentials are unintentionally sent unencrypted.
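The matching behaviour behind Finding 5.1, modelled as an added example (not Citrix code): a loose matcher that ignores the URL scheme beside the strict matcher Foundstone recommended as the default. The product's actual matching rules are not on the page; the two rules below and the audit helper are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not Citrix code. Loose matching compares host and path only,
# so credentials saved for an https:// login page are also offered to its
# http:// twin; strict matching also requires scheme and port to agree.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalise(url: str):
    """Split a URL into (scheme, host, port, path) with case and default ports folded."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def definition_matches(saved_url: str, requested_url: str, strict: bool) -> bool:
    """Would the agent treat requested_url as the page saved_url was stored for?"""
    s_scheme, s_host, s_port, s_path = _normalise(saved_url)
    r_scheme, r_host, r_port, r_path = _normalise(requested_url)
    if s_host != r_host or s_path != r_path:
        return False
    if not strict:
        return True  # loose: scheme and port are ignored (the report's default)
    return s_scheme == r_scheme and s_port == r_port


def credentials_would_go_in_clear(saved_url: str, requested_url: str, strict: bool) -> bool:
    """True when the agent would auto-submit stored credentials to an http:// page."""
    return (definition_matches(saved_url, requested_url, strict)
            and _normalise(requested_url)[0] == "http")


def audit_definitions(definitions, strict: bool):
    """For every saved https definition, check whether its plain-http twin would
    receive the credentials under the given matching mode. Returns the exposed ones."""
    exposed = []
    for saved in definitions:
        scheme, host, port, path = _normalise(saved)
        if scheme != "https":
            continue  # nothing to downgrade
        twin = f"http://{host}{path}"
        if credentials_would_go_in_clear(saved, twin, strict):
            exposed.append(saved)
    return exposed


if __name__ == "__main__":
    # Constructed sample definitions, not from any real deployment.
    sample = ["https://intranet.example.com/login",
              "https://hr.example.com/portal/login",
              "http://legacy.example.com/login"]
    print("exposed with loose matching:", audit_definitions(sample, strict=False))
    print("exposed with strict matching:", audit_definitions(sample, strict=True))
```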
Finding 5.2 Impact: Low
Mitigation: None
The second finding was that the data synchronization link is not encrypted, although authentication credentials are already encrypted and are not at risk of being disclosed during transmission. This was considered a low risk finding because only URL and application information was exposed to tampering.
Recommended Enhancement: As mentioned in an earlier recommendation, Foundstone recommended that Citrix consider implementing integrity checking for the central store URL and application information to prevent an administrator from altering user history. However, based on the limited risk associated with this finding, it is not clear that there is sufficient benefit to warrant making the change.
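The integrity check suggested for Findings 2.2 and 5.2, as an added example (not Citrix code): the agent seals the non-sensitive settings with a keyed hash before synchronization and rejects a record that was altered in the central store or on the wire. It assumes the tag key is derived from the user's per-user key material, which the central store and administrators never hold, and uses HMAC-SHA256 as a stand-in algorithm.

```python
import hashlib
import hmac
import json

# Added example, not Citrix code. Tamper-evident synchronization record for
# application settings (names, URLs, history). Credentials themselves stay
# encrypted as the report describes; this only protects the settings data that
# Findings 2.2 and 5.2 found could be altered.


def _canonical(settings: dict) -> bytes:
    # Deterministic serialisation so identical settings always hash identically.
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, settings: dict) -> dict:
    """Record the agent would upload: the settings plus an HMAC tag over them."""
    tag = hmac.new(key, _canonical(settings), hashlib.sha256).hexdigest()
    return {"settings": settings, "tag": tag}


def verify(key: bytes, record: dict) -> bool:
    """True only if the settings are exactly what the owning user sealed."""
    expected = hmac.new(key, _canonical(record.get("settings", {})), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("tag", "")))


def apply_sync(key: bytes, local: dict, incoming: dict) -> dict:
    """Merge step on the agent: take the downloaded settings only if the record
    verifies; otherwise keep the local copy untouched."""
    return dict(incoming["settings"]) if verify(key, incoming) else local


# Constructed sample: one user's application definition as it would be synchronized.
SAMPLE_SETTINGS = {
    "app": "Intranet Portal",
    "url": "https://intranet.example.com/login",
    "last_used": "2004-03-10",
}

if __name__ == "__main__":
    user_key = b"constructed-per-user-key"  # constructed sample, not a real key
    record = seal(user_key, SAMPLE_SETTINGS)
    print("clean record verifies:", verify(user_key, record))
    # Someone with write access to the store changes the URL but cannot re-tag it.
    tampered = {"settings": dict(record["settings"], url="https://intranet.example.com/altered"),
                "tag": record["tag"]}
    print("tampered record verifies:", verify(user_key, tampered))
```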
About Foundstone
Foundstone Inc., experts in strategic security, offers a unique combination of software, services, and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company has one of the most dominant security talent pools ever assembled, and has authored ten books, including the best seller Hacking Exposed.
Foundstone is headquartered in Orange County, CA, and has offices in New York and Washington, D.C. For more information about Foundstone and Foundstone Enterprise Risk Solutions, visit www.foundstone.com, or call 877.91.FOUND within the U.S, and 949.297.5600 outside the U.S.
About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader in access infrastructure solutions and the most trusted name in enterprise access. Citrix software enables people in businesses, government agencies, and educational institutions to securely, easily and instantly access the on-demand enterprise, from anywhere, anytime, using any device, over any connection. Nearly 50 million people in more than 120,000 organizations rely on the Citrix MetaFrame Access Suite to do their jobs. Citrix customers include 100% of the Fortune 100 companies, 99% of the Fortune 500, and 92% of the Fortune Global 500. Based in Fort Lauderdale, Florida, Citrix has offices in 22 countries, and more than 7,000 channel and alliance partners in more than 100 countries.
For more information visit http://www.citrix.com.
About This Report
Application security is a relative concept in that no application can be completely secure and no amount of testing can disclose all possible vulnerabilities. Accordingly, neither Foundstone, nor this report guarantees the security of the Citrix MetaFrame Password Manager 2.0 product. Foundstone hereby disclaims responsibility for, and shall not be liable for claims, losses or damages resulting from use of the Citrix MetaFrame Password Manager 2.0, vulnerabilities therein or system penetrations related thereto.