Wow, it is National Cyber Security Awareness Month! What Cyber Security things have you done? I know for most Citrix admins it is very tough to come up for air when you're fighting application fires and the non-stop upgrades of Windows and Citrix. I thought I would write up a quick-ish blog on some of the Cyber Security highlights of the year, and then some of the things you might be able to do to help secure your deployment (after testing, as always and forever).
2018 Cyber Security Highlights
- Ransomware is still alive and kicking. If you have not seen Martin Zugec's presentation on breaking the Ransomware Kill Chain, you're missing out. The main thing I can tell you is that there is a whole lot of money to be made doing phishing campaigns, ransomware campaigns, whaling/CEO wire fraud and social engineering, and none of it shows any sign of slowing down.
- Phishing is the number one way people get their grappling hook into your deployment. As Citrix admins we cannot fix this problem in most cases, because it is a training problem more than a technology problem. Users need to Think Twice and Click Once on strange emails, links and especially attachments. I was recently at a Hacker Conference and there are some super smooth ways to use Word and Excel to execute malicious things that, in some cases, cannot be stopped. Remember, in most cases it is way easier to phish a company than to break in from the outside using vulnerabilities, because with one click on an email they are in the squishy center of your network, past the hard shell of your firewalls. There are some things we can do as Citrix admins if you are publishing a mail client or an internet browser (see the Mail Client Security and Internet Browser Security sections below).
- Unpatched systems are still one of the most common ways infections get in, and one of the main ways they spread. Since patching our servers or desktops can cause problems with applications, it rarely gets done in most cases. I have seen PVS images that haven't been updated in 3 to 24 months in some assessments. There are some things below that can help you out on this subject.
- Your old passwords are out there, and they are being used for blackmail and for gaining access, because people just increment Winter17 to Winter18 and the attacker is in like Flynn. If you have a chance, please check out https://haveibeenpwned.com and https://dehashed.com, put a couple of your email addresses in, and you may see your passwords from Christmas Past. With over 6.7 billion leaked credentials over the past 10 years, an old password of yours is out there. This is more personal security advice than enterprise advice for your Citrix deployment, but the more you know.
- Rules to make your passwords better and protect your identity:
- No password should ever be reused anywhere.
- Use a password manager. LastPass and KeePass are two of the big players, depending on whether you trust the cloud and how nerdy you are.
- Use the maximum length every site allows. You don't want to be among the first users cracked when there is a breach; you want to be the last, so you have time to change the password. If every site has its own unique, long password and one site gets breached, you go there and change that one password, instead of logging into 10 or 100 other sites to change it everywhere, only to find out you were not fast enough and they are already in this account and that account and your identity has just been stolen.
- There are lots of other techniques that can be used to protect your identity that I may blog about one day.
- I suggest that any online account with access to money is tied to an email address that no one knows about except you. If your everyday email address is out there on the internet, you do not want someone using it to reset passwords, or trying your old passwords, on sites you actually use. This could be a burner Gmail address or something a lot better like ProtonMail.
2018 Top Security Findings and Things to Do About Them
Below are some of the heavy-hitting items and a couple of tips for each. I have spoken about many of these at a bunch of conferences on VDI security. These are quick tips and overviews of some of these techniques, but they can get you started. Please also remember there is no stopping everything: in the security world it is all about reducing risk where you can. If there are a couple of settings or products you can easily deploy that make a difference, try to deploy them. Security is not easy and it never stops, because new techniques keep coming out.
Windows Group Policies
- This is number one for a reason: it is your best line of defense once someone is inside a session hosted by your system.
- Before you lock yourself out of PowerShell, RegEdit and the other tools you need to do your job on the servers, edit the security filtering of this "VDI Lockdown" policy so that your Citrix Admins and other admin groups have a Deny on the "Apply Group Policy" permission. The policy then applies to users but never to you.
- Application whitelisting: you should be doing it. You know what needs to run on your deployment because you just published it. It can be a tedious process depending on the number of EXEs and programs. You have AppLocker, which is built into Windows at no extra cost, and depending on your Citrix licensing edition maybe WEM (Workspace Environment Management) too, which can do a great job here. The great thing is that you don't have to jump in head first: set AppLocker to audit-only on one of your desktop or app servers, read the AppLocker event log to see what it would have blocked (event ID 8003 in the "EXE and DLL" log means "ran, but would have been blocked"), and adjust the policy before enforcing it. You will need explicit blocking rules if you really want to stop people from using PowerShell, because allowing everything under the Windows folder allows powershell.exe too. I will have a better write-up on this with lots of details soon, because I have learned a lot about how to bypass AppLocker and how to counter some of those attacks that I want to pass along to you all. Test, test some more, and implement this. I shouldn't be able to execute anything on your server just because you published me your EMR, financial application or just a desktop.
- My favorite top 10 GPOs to apply to VDI/RDS deployments. Please test a couple of times, but many of these settings can be deployed without users noticing and they will make your deployment more secure. User experience and security is a very tough dance, but try your best. Remember, the goal is to make it more secure and reduce risk.
- Remove Run menu from Start Menu
- Super powerful, and does way more than you think: it also disables Win+R, the "New Task (Run)" option in Task Manager, and typing UNC paths into the Internet Explorer address bar.
- Prevent access to the command prompt
- Because it is the first thing anyone who lands in a session reaches for. Test it with your login scripts or launcher BAT files if they are still used: the policy has a separate option to also disable command prompt script processing, and that option will break them.
- Prevent access to drives from My Computer
- Do they really need to roam around your drives and maybe find files they shouldn't?
- Remove "Map Network Drive" and "Disconnect Network Drive"
- Are all your SMB shares secured? In most cases they are wide open (remember share permissions and NTFS permissions, on top of disabling old SMB versions). I normally see admins mapping drives for the users anyway, so users don't need to be able to do it on their own, outside your control.
- Prohibit access to Control Panel and PC settings
- In most deployments there is no need for the user to be messing around in there. I have seen outages because a user googled a problem and went to "repair" or "fix" something, simply because they had access to.
- No Computers Near Me in Network Locations, and No Entire Network in Network Locations
- This goes back to allowing Map Network Drive: in some cases a user can see your whole deployment from a Windows Explorer window, click around and find treasures.
- Prohibit adding items (Desktop)
- Being able to create a shortcut can allow a user or attacker to do all kinds of fun things.
- Prevent access to registry editing tools
- Restrict these programs from being launched from Help
- This is my personal favorite, because it is how I break out of most applications I do testing on, and there is this simple fix. Help windows can launch programs, so list "iexplore.exe,cmd.exe,regedit.exe,mmc.exe,powershell.exe" and whatever other browser or EXE something in your application tries to launch.
- Add the Microsoft Office Group Policy templates (ADMX) and look around; there are tons of great settings in there to block things.
- Do you really need macros enabled?
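Once the lockdown GPO is in place, the quickest way to prove it landed (and that the admin Deny ACE kept it off your own account) is to read the policy values back from inside a published session. The following PowerShell is an added example written for this post, not code from the original article, Citrix or Microsoft. The registry locations are the documented targets of the policies named above, except the two marked [assumed], which you should confirm against your ADMX before relying on them.

```powershell
# Added example, not from the original post. Run it inside a published session,
# once as a normal test user (every row should read Applied=True) and once as a
# Citrix admin (every row should read Applied=False, proving the Deny on "Apply
# Group Policy" worked). The two rows marked [assumed] use registry locations
# from memory; confirm them against your ADMX before relying on them.
function Test-VdiLockdown {
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $sys = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $checks = @(
        @{ Setting = 'Remove Run menu from Start Menu';                  Path = "$pol\Explorer";      Name = 'NoRun' }
        @{ Setting = 'Prevent access to the command prompt';             Path = $sys;                 Name = 'DisableCMD' }
        @{ Setting = 'Prevent access to drives from My Computer';        Path = "$pol\Explorer";      Name = 'NoViewOnDrive' }   # bitmask: A=1, B=2, C=4 ... 0x3FFFFFF = all
        @{ Setting = 'Remove Map/Disconnect Network Drive';              Path = "$pol\Explorer";      Name = 'NoNetConnectDisconnect' }
        @{ Setting = 'Prohibit access to Control Panel and PC settings'; Path = "$pol\Explorer";      Name = 'NoControlPanel' }
        @{ Setting = 'No Computers Near Me in Network Locations';        Path = "$pol\Explorer";      Name = 'NoComputersNearMe' }
        @{ Setting = 'No Entire Network in Network Locations';           Path = "$pol\Network";       Name = 'NoEntireNetwork' }
        @{ Setting = 'Prevent access to registry editing tools';         Path = "$pol\System";        Name = 'DisableRegistryTools' }
        @{ Setting = 'Prohibit adding items (Desktop) [assumed]';        Path = "$pol\ActiveDesktop"; Name = 'NoAddingComponents' }
    )
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting = $c.Setting
            Applied = ($null -ne $value -and $value -ne 0)   # missing or 0 = policy did not apply
            Value   = $value
        }
    }

    # "Restrict these programs from being launched from Help" stores the list
    # as values under a subkey [assumed location]; report whatever is in it.
    $helpKey = "$sys\DisableInHelp"
    $blocked = @()
    if (Test-Path -Path $helpKey) {
        $blocked = (Get-ItemProperty -Path $helpKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |     # drop the provider's PSPath/PSParentPath noise
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        Setting = 'Restrict these programs from being launched from Help'
        Applied = (@($blocked).Count -gt 0)
        Value   = (@($blocked) -join ',')
    }
}

Test-VdiLockdown | Format-Table -AutoSize
```

If a row comes back Applied=False for a test user, check gpresult /r for the policy before chasing the setting itself: a missing policy usually means the GPO is linked to the wrong OU or loopback processing is not set for your session hosts, not that the value is wrong.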
Mail Client Security
- Since phishing is the most common way for someone to get into your deployment, if you are running mail clients for your users in virtual desktops or on RDS boxes, you can slow things down from there.
- Apply those Microsoft Office templates; there are tons of great settings in there.
- You must do some application whitelisting, so that an attachment cannot just run anything, and run AV. Newer versions of Office and Windows have some amazing security features built in.
- You may want to block attachment file types, but if you need the full Office experience that can be tough. If you can block macros, please do.
- Links clicked within an email can be your arch nemesis if you are not controlling internet access from the session, because then the user can just download the malware and is allowed to execute it.
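Both the whitelisting bullet under Windows Group Policies and the one just above come down to the same first step: turn AppLocker on in audit-only mode on one server and read back what it would have blocked. The PowerShell below is an added example written for this post, not code from the original article, Citrix or Microsoft. The scanned folders, the output path, the seven-day window and the local (non-GPO) apply are my assumptions; change them for your environment.

```powershell
# Added example, not code from the original post, Citrix or Microsoft.
# Goal: on ONE test App/Desktop server, seed AppLocker with allow rules for what
# is actually installed, switch it to AuditOnly so nothing is blocked yet, and
# then report what it *would* have blocked. Assumptions: the scanned folders,
# the output path, the 7-day window and the local (non-GPO) apply are all mine.
# Run from an elevated PowerShell session on the test server.

# AppLocker evaluates nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Build allow rules from the binaries on the box. Publisher rules survive
#    patching; hash rules break on every update, so Hash is only the fallback
#    for unsigned files. EXE only here: DLL rules need the "advanced" toggle and
#    far more testing, so leave them for a later pass. Scanning takes a while.
$scanDirs = @("$env:SystemRoot\System32", 'C:\Program Files', 'C:\Program Files (x86)')  # assumption
$fileInfo = foreach ($dir in $scanDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

$policyPath = 'C:\Temp\AppLocker-Audit.xml'   # assumption
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'VDI' -Optimize -Xml |
    Set-Content -Path $policyPath -Encoding UTF8

# 2. New-AppLockerPolicy leaves EnforcementMode="NotConfigured". Flip every rule
#    collection to AuditOnly: violations are logged, nothing is stopped.
[xml]$policy = Get-Content -Path $policyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 3. Apply locally. For the real thing, import the XML into the VDI Lockdown GPO
#    (Set-AppLockerPolicy -XmlPolicy ... -Ldap "LDAP://...") so the admin Deny
#    ACE on "Apply Group Policy" still keeps you out of it.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 4. Dry-run specific files against the policy. Because System32 was scanned,
#    powershell.exe and cmd.exe come back "Allowed": whitelisting what is
#    installed does not stop PowerShell, you need an explicit Deny rule for it.
$probe = @("$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\System32\cmd.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. After a few days of normal use, summarise what audit mode caught.
#    Event 8003 in the "EXE and DLL" log = "ran, but would have been blocked".
function Get-AppLockerWouldBlock {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The details live in the event's UserData, not in the message text.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time = $_.TimeCreated
                User = $data.TargetUser      # SID of the user who ran it
                File = $data.FilePath        # %OSDRIVE%-style AppLocker path
                Fqbn = $data.Fqbn            # publisher\product\file\version, empty if unsigned
            }
        } |
        Group-Object -Property File |
        Sort-Object -Property Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

Get-AppLockerWouldBlock -Days 7 | Format-Table -AutoSize
```

Read the summary before you enforce: anything that shows up with many users is probably a legitimate program you forgot to publish, while a file under a user profile or Downloads folder with one user is exactly the thing the whitelist is there to stop. Macros dropping EXEs from a mail client land in the same report, which is why this one block covers both sections.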
Internet Browser Security
- So many deployments do not control internet access from their virtual desktops or RDS servers, because they are on the internal network and that VLAN got forgotten since it is the weird PVS one from a couple of years ago.
- If you don't need internet or intranet access, you can block it all with a "blackhole" proxy configuration on the server that points the proxy at 127.0.0.1.
- If you need some internet or intranet access, use a proxy server with a whitelist of only your approved sites.
- If you need full internet access, please use something like Citrix Secure Browser and/or Secure Web Gateway, so that when someone needs to go to Facebook or Gmail they launch a secure browser hosted in another, locked-down datacenter, and if they click on an email and get a virus, your environment doesn't. It is a really awesome technology and you should check it out: https://www.citrix.com/virtualization/secure-browser.html and https://www.citrix.com/products/citrix-secure-web-gateway/
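Here is what the blackhole proxy from the second bullet looks like in practice, with the bypass list that keeps your intranet names working and a check that it actually bites. This PowerShell is an added example written for this post, not the original author's configuration or anything from Citrix. The host names, the bypass list and the port are assumptions; in production deliver the same registry values through a Group Policy Preferences registry item rather than a script.

```powershell
# Added example, not from the original post. Sets the blackhole proxy the post
# describes on one test server and checks that it bites. Host names and the
# bypass list are assumptions; in production deliver the same values via a
# Group Policy Preferences registry item (or point at a whitelisting proxy
# instead of 127.0.0.1 when some sites must work).
function Set-BlackholeProxy {
    param(
        # tcp/1 on loopback has no listener, so every proxied request is refused at once.
        [string]   $ProxyServer = '127.0.0.1:1',
        # Intranet names that must still work go on the bypass list; <local> = names without dots.
        [string[]] $Bypass      = @('*.corp.example', '<local>')   # assumed internal zone
    )
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty -Path $inet -Name ProxyEnable   -Value 1                   -Type DWord
    Set-ItemProperty -Path $inet -Name ProxyServer   -Value $ProxyServer        -Type String
    Set-ItemProperty -Path $inet -Name ProxyOverride -Value ($Bypass -join ';') -Type String

    # Policy "Prevent changing proxy settings": greys out the proxy dialog so
    # the user cannot simply put it back.
    $ieCp = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    New-Item -Path $ieCp -Force | Out-Null
    Set-ItemProperty -Path $ieCp -Name Proxy -Value 1 -Type DWord
}

function Test-BlackholeProxy {
    param(
        [string] $ShouldFail = 'https://www.example.com/',
        [string] $ShouldWork = 'http://intranet.corp.example/'   # assumed bypass-listed host
    )
    # Run this in a NEW PowerShell session after Set-BlackholeProxy: the .NET
    # default proxy (and its bypass list) is read from WinINET at process start.
    foreach ($url in @($ShouldFail, $ShouldWork)) {
        try {
            $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
            [pscustomobject]@{ Url = $url; Reached = $true;  Detail = 'reached (bypass list or proxy allowed it)' }
        } catch {
            [pscustomobject]@{ Url = $url; Reached = $false; Detail = $_.Exception.Message }
        }
    }
}

Set-BlackholeProxy
# Then, in a fresh session:  Test-BlackholeProxy | Format-Table -AutoSize
```

Two caveats a practitioner will want. First, if your GPO sets "Make proxy settings per-machine", the same values live under HKLM instead of HKCU, and system services that use WinHTTP need `netsh winhttp set proxy` as well. Second, a proxy setting only governs software that honours it: malware opening its own sockets walks straight past it, so back the blackhole proxy with Windows Firewall outbound rules or an egress ACL on that forgotten VLAN.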
Patching
- It ain't easy being patchy. Try to get into a rhythm if you can, and then take it to the next level and automate the Windows side. Windows patches never seem to stop breaking things here and there, but you are safer with the patches than without, so you have to try.
- If you haven't heard of CTP Trond Eirik Haavarstein aka Eric (https://xenappblog.com) and his Automation Framework or his Virtual Expo, you are missing out. You can take his class and learn how to build an Image Factory, so new images are built automatically each month. I know some applications will not like that, but if you have 10+ images it is well worth the time to try; it might not automate the whole thing, but if it saves you some time it will be worth it.
- Our update world is going to be turned upside down in the next couple of years, with each Windows 10 build only serviced for 30 months. Depending on the number of images you maintain you may never stop upgrading, and you might have to start from scratch on each build, since some of the in-place upgrades don't go too smoothly. Automate if you can, because in just a couple of months you may have to in order to keep up.
- Optimize it too!
Antivirus
- Do your exclusions, but run something. Some AVs have very mature application and DLL blocking techniques integrated.
- There will be some performance impact, but in my eyes it is the price of doing business. Some AVs are worse than others, but that is a bigger topic for another day/blog.
Citrix ADC GeoBlock
- I got lucky to be able to do a Citrix ADC security-focused presentation a couple of weeks ago at the Great Lakes Citrix User Group XL event, and it helped me show all the awesome things a Citrix ADC can do for security.
- The Three Amigos of Citrix ADC Security I focused on:
- If you can set up GeoIP blocking, you can eliminate a couple of billion IPs from ever reaching your site. I will have a matching blog to this presentation before Thanksgiving, so you will learn more then. This may not work for everyone, but it is a good start for most organizations whose users are local to a specific country.
- https://support.citrix.com/article/CTX130701 (actually a great start)
- The CLI version, cleaned up and in the order you actually run it (quotes around the expression, and your own vserver name in place of the placeholder):

```
add locationFile /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv
show locationParameter
set locationParameter -matchWildcardtoany YES
add responder policy Pol_Drop_Non_US 'CLIENT.IP.SRC.MATCHES_LOCATION("*.US.*.*.*.*").NOT' DROP
bind lb vserver <lb_vserver_name> -policyName Pol_Drop_Non_US -priority 100 -gotoPriorityExpression END -type REQUEST
```

- add locationFile loads the inbuilt static GeoIP database, and show locationParameter confirms it loaded and that there is actually data in it. The inbuilt file is a snapshot, so refresh it when you upgrade the appliance.
- set locationParameter -matchWildcardtoany YES makes the wildcards work: without it, a "*" in your expression only matches a "*" in the database, not a real value, so the policy never matches the way you expect.
- The responder policy compares the six-part location qualifier (continent.country.region.city.isp.organization) against US and drops everything that does not match. DROP silently discards the connection, so the client just sees a timeout; use RESET while testing if you want a visible failure. Also note that an address with no entry in the database (RFC 1918 addresses on an internal VIP, for example) does not match US either and will be dropped, so test from a known internal address and a known foreign address before binding this to anything in production.
- Bind it to your LB vservers, your AAA vservers and the other public VIPs (responder policies for the win!).
I promise I will get back on the VDI Lockdown blogging bandwagon. I have been running around a lot and working on a book. I hope everyone is having a great week, and I hope some of these security tips helped you out on the Citrix and/or personal sides of your life.
One more time: make sure you test these changes before deploying them.