Citrix Policy Lockdown: Part 1

Citrix Policies are not the coolest thing to mess with, but they are very important and are very often overlooked from a security perspective. I hope this quick blog will help you to look at your policies differently and help you secure your deployment. When I’m doing Citrix Security Assessments, weak policies are usually the second biggest finding (after patching), because they are usually just the defaults, and/or their filters and their order make them weaker than most clients expect them to be.


In this article, I will go over the basics of the Citrix security policies, the scary ones you should worry about, how to check if you’re at risk and how to fix them up. Many of these settings are enabled by default because most customers need them but, if you look at them just one more time, in most cases you should be able to disable many of them.

Citrix Policy Big 4

  1. Copy\Paste
    1. Bi-directional
    2. Copy\Paste Write Allowed Formats - All
  2. Drive Mappings
    1. On by Default
      1. Major
        1. Client Fixed Drives
        2. Client Network Drives
        3. Client Removable Drives
      2. Minor
        1. Client Floppy Drives
        2. Client Optical Drives
  3. USB Mounts
    1. Disabled by Default
    2. Restrict the Devices
  4. Others
    1. Printer Mapping
    2. LPT Mapping
    3. COM Mapping
    4. Microphone Mapping
    5. Audio Mapping

 

Citrix Policy Security Severity Chart

Risk         Setting                           Default Setting
-----------  --------------------------------  ---------------
High         Copy\Paste                        Allowed
High         Copy\Paste Write Allowed Formats  Blank
High         Client Fixed Drives               Allowed
High         Client Network Drives             Allowed
High         Client Removable Drives           Allowed
High\Medium  Client USB Mapping                Prohibited
High\Medium  Printer Mapping                   Allowed
Medium\Low   Client Floppy Drives              Allowed
Medium\Low   Client Optical Drives             Allowed
Medium\Low   LPT Mapping                       Prohibited
Medium\Low   COM Mapping                       Prohibited
Medium\Low   Microphone Mapping                Allowed
Low          Audio Redirection                 Allowed

The severity of some of these items will vary based on the setting, as well as on whether these items are in use, or could be used in a way that harms your company.

Depending on whether you used a template from Citrix for user experience, or you just have an environment that has been migrated\upgraded over and over, you most likely could have a problem and not even know it. From what I have seen at hundreds of deployments, the Citrix deployment hosts the most critical items within most businesses internally and/or externally.

We will dive into each of these briefly here and then go into extreme detail later, in the Citrix Hardening guide.

  1. Copy\Paste
    1. In some cases it is actually needed, but in most it can be disabled, or tuned for directionality, along with restricting which formats beyond plain text may be pasted.
    2. Client clipboard write allowed formats
      1. Blank by default, which means screenshots can be exfiltrated easily if you give someone a desktop session, or access to an application where execution is not prevented, since many Windows subsystems can take advantage of this.
      2. It is highly recommended to only allow CF_TEXT. If the Microsoft Office suite must be used beyond just text, then add CFX_OfficeDrawingShape as the other format.
      3. Many of the other formats are ways that payloads can be sent to the server\desktop, or data can be sent out, beyond just text. Who would have guessed there were 23 things to Copy\Paste?
        1. CF_TEXT
        2. CF_BITMAP
        3. CF_METAFILEPICT
        4. CF_SYLK
        5. CF_DIF
        6. CF_TIFF
        7. CF_OEMTEXT
        8. CF_DIB
        9. CF_PALETTE
        10. CF_PENDATA
        11. CF_RIFF
        12. CF_WAVE
        13. CF_UNICODETEXT
        14. CF_ENHMETAFILE
        15. CF_HDROP
        16. CF_LOCALE
        17. CF_DIBV5
        18. CF_OWNERDISPLAY
        19. CF_DSPTEXT
        20. CF_DSPBITMAP
        21. CF_DSPMETAFILEPICT
        22. CF_DSPENHMETAFILE
        23. CF_HTML
        24. CFX_RICHTEXT
        25. CFX_OfficeDrawingShape
        26. CFX_BIFF8
  2. Drive Mappings
    1. This is the absolute best way for employees and/or attackers to get things in and out of your environment. In most cases it isn’t needed, but it is never disabled. I have seen clients who actually need it map just their local drive, with all the other mappings disabled. Who has a floppy or optical drive anymore? Can we at least turn those two off?
    2. Think about what data the user has access to on their local computer. In many service provider models to third-party entities, you may not be able to control those endpoints at all.
    3. Most users will have some mapped drives on the local computer that are mapped by default, and who knows whether your security team wanted a Citrix session to bridge the gap from a network share to their endpoint?
      1. How many SMB shares have Everyone for share permissions along with the actual file permissions?
      2. You could use https://www.mcafee.com/us/downloads/free-tools/sharescan.aspx to help find them on your network. There are more advanced ways, but this is one of the easier tools to run. Make sure you let your security team know before you start blasting scans off, so you don’t have to update your resume, depending on your INFOSEC policies.
    4. What kind of data do you have, and what compliance body does it fall under (HIPAA, PCI and many others)?
      1. This can make having drive mappings enabled much more severe.
  3. USB Mounts
    1. The good thing is that, by default, this setting is Prohibited.
    2. Most organizations have DLP (Data Loss Prevention\Protection) policies, and a USB drive is in most cases prime candidate number 2, after email, for data exfiltration.
    3. There are many ways that mapping USB devices can also introduce instability, along with other possible attacks, so if they must be enabled, filtering to specific devices is your safest bet.
      1. If you are just doing voice dictation with a Philips device, bar code scanners, credit card readers or any other must-use case, allow that specific device only.
  4. Other Items
    1. Printer Mapping
      1. This is enabled by default and in many cases it is needed for Application X to work and for the user to do their job. If you have an application that doesn’t need to print, then disable it, or at least limit it to just the applications that need it and exclude it from everything else.
    2. LPT Mapping
      1. Mapping these old-school physical printer ports is enabled by default, but I haven’t seen them actually used in a couple hundred deployments, since most printers now are network or USB only. I have had great success disabling this in a lot of deployments, and as always, if you don’t need it, disable it.
    3. COM Mapping
      1. This is disabled by default, so usually I don’t find it enabled, but I do see it every now and then for some medical devices and in manufacturing. If it needs to be enabled, just filter it to the servers\desktops that need it.
    4. Microphone Mapping
      1. This is great for video conferencing and dictation, but in many cases it may not be needed and should be disabled. Being able to record your voice in applications may not seem very security related, but it is a way that data can come in. I have been working on some testing and will have more information later in the VDI Lockdown guides.
    5. Audio Mapping
      1. This also may not seem like a very security-related item, but in many industries an audio stream can be very sensitive data. I have seen the medical, legal, banking and science\research industries use dictation, and they have some serious patient and intellectual property information in there. If someone can listen to the audio, and/or if you have mapped drives enabled, they can pull the data out. This is a stretch in many cases, but we don’t like loose ends.
      2. If you don’t need sound, I would recommend turning it off. But if you’re doing a desktop experience it will be needed, so I would just recommend thinking about what confidential audio you may have that you don’t want to get out.
      3. Sometimes audio has to be mapped to hear error messages for basic application functionality.
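The quickest way to find out whether any of the Big 4 above are still sitting at a permissive value is to read every user policy straight from a Delivery Controller and line the settings up against the severity chart, with each policy's priority and filters next to them so you can see who the policy actually reaches. The script below is an added example written for this post, not code from the original article or from Citrix. It assumes the Citrix Group Policy PowerShell module that Studio installs (Citrix.GroupPolicy.Commands) and assumes the SDK setting names shown (ClientClipboardRedirection, ClientClipboardWriteAllowedFormats, ClientFixedDrives and so on) match your farm; confirm them with Get-CtxGroupPolicyConfiguration before trusting the report.

```powershell
# Added example (not code from the original post): audit every user policy on a
# Delivery Controller for the "Big 4" settings and report the ones still at a
# permissive value, with the policy's priority and filters so you can see who it
# reaches. Assumes the Citrix Group Policy PowerShell module that Studio
# installs. The SDK setting names below are assumptions; confirm them in your
# own farm before trusting the report.

param([string]$Controller = $env:COMPUTERNAME)

Import-Module Citrix.GroupPolicy.Commands -ErrorAction Stop
if (-not (Get-PSDrive -Name FarmGpo -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name FarmGpo -PSProvider CitrixGroupPolicy -Root \ `
                -Controller $Controller | Out-Null
}

# Setting name -> risk from the chart and the only values accepted as "locked down".
# For the clipboard format list, only the two text-ish formats are accepted.
$bigFour = [ordered]@{
    ClientClipboardRedirection         = @{ Risk = 'High';        Want = @('Prohibited') }
    ClientClipboardWriteAllowedFormats = @{ Risk = 'High';        Want = @('CF_TEXT', 'CFX_OfficeDrawingShape') }
    ClientFixedDrives                  = @{ Risk = 'High';        Want = @('Prohibited') }
    ClientNetworkDrives                = @{ Risk = 'High';        Want = @('Prohibited') }
    ClientRemovableDrives              = @{ Risk = 'High';        Want = @('Prohibited') }
    ClientUsbDeviceRedirection         = @{ Risk = 'High\Medium'; Want = @('Prohibited') }
    ClientPrinterRedirection           = @{ Risk = 'High\Medium'; Want = @('Prohibited') }
    ClientFloppyDrives                 = @{ Risk = 'Medium\Low';  Want = @('Prohibited') }
    ClientOpticalDrives                = @{ Risk = 'Medium\Low';  Want = @('Prohibited') }
    ClientLptPortRedirection           = @{ Risk = 'Medium\Low';  Want = @('Prohibited') }
    ClientComPortRedirection           = @{ Risk = 'Medium\Low';  Want = @('Prohibited') }
    MicrophoneRedirection              = @{ Risk = 'Medium\Low';  Want = @('Prohibited') }
    ClientAudioRedirection             = @{ Risk = 'Low';         Want = @('Prohibited') }
}

$report = foreach ($policy in (Get-CtxGroupPolicy -Type User -DriveName FarmGpo | Sort-Object Priority)) {
    # Filters decide who the policy reaches; no filters means everyone.
    $filters = @(Get-CtxGroupPolicyFilter -PolicyName $policy.PolicyName -Type User -DriveName FarmGpo)
    $scope = if ($filters.Count -eq 0) { 'everyone (no filters)' }
             else { ($filters | ForEach-Object { "$($_.FilterType) $($_.Mode) $($_.FilterValue)" }) -join '; ' }

    # One object with a property per setting, each carrying .State and .Value (assumed shape).
    $settings = Get-CtxGroupPolicyConfiguration -PolicyName $policy.PolicyName -Type User -DriveName FarmGpo

    foreach ($name in $bigFour.Keys) {
        $entry = $settings.$name
        if ($null -eq $entry) { continue }            # setting not present in this SDK version
        $tokens = @("$($entry.Value)" -split '[,;\s]+' | Where-Object { $_ })
        $bad    = @($tokens | Where-Object { $_ -notin $bigFour[$name].Want })

        $finding = if ($entry.State -eq 'NotConfigured') { 'not set here; Citrix default applies (see chart)' }
                   elseif ($tokens.Count -eq 0 -and $name -eq 'ClientClipboardWriteAllowedFormats') { 'blank: every clipboard format allowed' }
                   elseif ($tokens.Count -eq 0)          { 'empty value; check it in Studio' }
                   elseif ($bad.Count -eq 0)             { 'OK' }
                   else                                  { "permissive: $($bad -join ',')" }

        [pscustomobject]@{
            Priority = $policy.Priority
            Policy   = $policy.PolicyName
            Enabled  = $policy.Enabled
            Scope    = $scope
            Setting  = $name
            Risk     = $bigFour[$name].Risk
            State    = $entry.State
            Finding  = $finding
        }
    }
}

# Show only what needs attention, highest-priority policies first (priority 1 wins).
$report | Where-Object { $_.Finding -ne 'OK' } | Sort-Object Priority, Setting |
    Format-Table Priority, Policy, Enabled, Scope, Setting, Risk, State, Finding -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path (Join-Path $PWD 'citrix-big4-audit.csv')
```

Read the output top to bottom in priority order: a permissive setting in a priority 1 policy with a broad filter is what beats your lockdown, and a "not set here" line in every policy means the Citrix default from the chart is what users actually get. The CSV is there so you can hand the findings to the application owners who have to justify each exception.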

 

What to do?

Secure it by Default!

In many cases, when I’m doing security assessments, I don’t just enable the “Security and Control” policy template and call it done, because it could cause mayhem if people do have legitimate uses for some of the things these security controls block. Depending on your setup and how far along your deployment is, you may be able to apply this template as a baseline to help secure things when you start off. Start your Citrix deployment with this policy (if you can) and open things up per application\user group only as needed.

Citrix Security and Control Policy Template
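The "secure by default, open up per group" approach above comes down to two policies: an unfiltered baseline that prohibits the Big 4 for everyone, and a higher-priority, filtered exception that re-opens exactly one thing for exactly one group. The script below is an added example written for this post, not the Citrix template and not code from the original article. It assumes the Citrix Group Policy PowerShell module from Studio, assumes the SDK setting names shown (including RestrictClientClipboardWrite, which gates the allowed-formats list on 7.x), and uses a made-up delivery group name, "Finance Desktops", as the exception scope.

```powershell
# Added example (not the post's own code or Citrix's template): create an
# unfiltered "Lockdown Baseline" user policy that prohibits the Big 4, then a
# higher-priority exception policy that re-opens text-only copy/paste for one
# delivery group. Setting names and the DesktopGroup filter value are assumptions;
# "Finance Desktops" is a constructed example group name.

param([string]$Controller     = $env:COMPUTERNAME,
      [string]$ExceptionGroup = 'Finance Desktops')   # assumed delivery group name

Import-Module Citrix.GroupPolicy.Commands -ErrorAction Stop
if (-not (Get-PSDrive -Name FarmGpo -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name FarmGpo -PSProvider CitrixGroupPolicy -Root \ `
                -Controller $Controller | Out-Null
}

# Create a user policy if it does not exist yet, then push a set of values into it.
function Set-LockdownPolicy {
    param([string]$PolicyName, [string]$Description, [hashtable]$Values)
    if (-not (Get-CtxGroupPolicy -PolicyName $PolicyName -Type User -DriveName FarmGpo -ErrorAction SilentlyContinue)) {
        New-CtxGroupPolicy -PolicyName $PolicyName -Type User -Description $Description -DriveName FarmGpo | Out-Null
    }
    foreach ($name in $Values.Keys) {
        Set-CtxGroupPolicyConfiguration -PolicyName $PolicyName -Type User -DriveName FarmGpo `
            -ConfigurationName $name -State Enabled -Value $Values[$name]
    }
}

# 1. Baseline: no filters, so it reaches everyone; every Big 4 item prohibited.
$baseline = 'Lockdown Baseline'
Set-LockdownPolicy -PolicyName $baseline `
    -Description 'Big 4 prohibited for everyone; open up with higher-priority filtered policies only' `
    -Values @{
        ClientClipboardRedirection = 'Prohibited'
        ClientFixedDrives          = 'Prohibited'
        ClientNetworkDrives        = 'Prohibited'
        ClientRemovableDrives      = 'Prohibited'
        ClientFloppyDrives         = 'Prohibited'
        ClientOpticalDrives        = 'Prohibited'
        ClientUsbDeviceRedirection = 'Prohibited'
        ClientLptPortRedirection   = 'Prohibited'
        ClientComPortRedirection   = 'Prohibited'
        MicrophoneRedirection      = 'Prohibited'
        ClientPrinterRedirection   = 'Prohibited'
    }

# 2. Exception: copy/paste back on for one delivery group, but text formats only.
$exception = "Copy-Paste Text Only - $ExceptionGroup"
Set-LockdownPolicy -PolicyName $exception `
    -Description "Text-only clipboard for $ExceptionGroup; everything else inherits the baseline" `
    -Values @{
        ClientClipboardRedirection         = 'Allowed'
        RestrictClientClipboardWrite       = $true                                  # assumed name
        ClientClipboardWriteAllowedFormats = @('CF_TEXT', 'CFX_OfficeDrawingShape')  # assumed value shape
    }
if (-not (Get-CtxGroupPolicyFilter -PolicyName $exception -Type User -DriveName FarmGpo -ErrorAction SilentlyContinue)) {
    # Assumed: DesktopGroup filters take the delivery group name as FilterValue.
    Add-CtxGroupPolicyFilter -PolicyName $exception -Type User -DriveName FarmGpo `
        -FilterName $ExceptionGroup -FilterType DesktopGroup -FilterValue $ExceptionGroup `
        -Mode Allow -Enabled $true
}

# 3. Order matters: priority 1 wins, so the exception must sit above the baseline.
Set-CtxGroupPolicy -PolicyName $exception -Type User -DriveName FarmGpo -Priority 1
Set-CtxGroupPolicy -PolicyName $baseline  -Type User -DriveName FarmGpo -Priority 2

# Print the resulting order so the change can be eyeballed before users notice it.
Get-CtxGroupPolicy -Type User -DriveName FarmGpo | Sort-Object Priority |
    Format-Table Priority, PolicyName, Enabled, Description -AutoSize
```

Two things to check after running it: that no pre-existing policy with a permissive setting and a broad filter now sits at a priority number lower than the baseline (renumbering pushes the rest down, so confirm the order in Studio), and that the exception's filter really is the one delivery group and not a user group that also lands on unrelated desktops. Adding further exceptions is the same pattern: one small filtered policy per application or group, always above the baseline and never unfiltered.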

Next Blog

I’m working on a couple of other things that I will publish on my blog VDISecurity.org and within CUGC too.

  1. Citrix Policy Lockdown Examples and Guide
  2. Citrix Patching
  3. Citrix WEM and AppLocker Lockdown
  4. Citrix Antivirus
  5. VDI Lockdown Guide (Everything rolled into an updatable one stop shop)

 

Appendix

Thanks for all the work that Carl Webster does on keeping up with his documentation scripts and policy lists and much more!

 

Policy Listings

http://carlwebster.com/downloads/download-info/citrix-default-user-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-default-computer-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-policy-settings/

Documentation Scripts

http://carlwebster.com/downloads/download-info/xenappxendesktop-7-8/

Always a great overall reference, with some good policy information in it.

https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/7-15-ltsr/downloads/Citrix%20VDI%20Handbook%207.15%20LTSR.pdf
