Citrix Virtual Apps and Desktop 7.x License Server Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-02-01
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
Citrix License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-234222 - SV-234222r628795_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
CVAD-LS-000030
Vuln IDs
  • V-234222
Rule IDs
  • SV-234222r628795_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
Checks: C-37407r611917_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-37372r611918_fix

1. Copy a valid server certificate file and server certificate key file to the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click “Administration” and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server. NOTE: The user may be prompted to log in after "Administration". Port must be 8082 (or desired port from PPSM group).

b
Citrix License Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-234223 - SV-234223r628795_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
CVAD-LS-000135
Vuln IDs
  • V-234223
Rule IDs
  • SV-234223r628795_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
Checks: C-37408r611920_chk

Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account. 1. Log on to the License Server with an administrator account. 2. To open the License Administration Console on the computer on which it is installed: Start menu, choose All Programs >> Citrix >> License Administration Console. 3. To open the console on a remote server or cluster, navigate the browser to one of the following URL options: a. Caution-https://License server name:Web service port b. Caution-https://Client access point name:Web service port c. Caution-https://IP:Web service port 4. In the top right corner of the console, select Administration. 5. Select >> Settings >> Accounts. 6. Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account. If the desired License Server administrator account is not returned, this is a finding.

Fix: F-37373r611921_fix

A default administrator account is created during the installation of the License Administration Console. Use the administrator account to first log on to the console and then configure more users. For Active Directory installations, domain\InstallUser** and BUILTIN\Administrators are added. 1. In the top right corner of the console, select Administration. 2. Select >> Settings >> Accounts. 3. Under User Administration, select Add to add appropriate domain users and groups. 4. Check the box to the left of the default accounts created during installation and any other necessary accounts, select Remove. 5. Click Vendor Daemon Configuration and select Administer in the Citrix vendor daemon line. Select Stop, wait 10 seconds. Select Start. 6. Log on to the License Management Console using the specified account.

b
Citrix License Server must protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-234224 - SV-234224r628795_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
CVAD-LS-000480
Vuln IDs
  • V-234224
Rule IDs
  • SV-234224r628795_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols, such as SSL or TLS. SSL/TLS provide web applications with a way to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions. This includes but is not limited to web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of SSL/TLS mutual authentication (two-way/bidirectional).
Checks: C-37409r611923_chk

Look in \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory for cert file/cert key file. Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding. NOTE: The user may be prompted to log in after "Administration".

Fix: F-37374r611924_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

b
Citrix License Server must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-234225 - SV-234225r628795_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
CVAD-LS-000880
Vuln IDs
  • V-234225
Rule IDs
  • SV-234225r628795_rule
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Checks: C-37410r611926_chk

1. Click "Administration" and select the "Server Configuration" tab. 2. Click the "Web Server Configuration" bar and "Session Timeout". 3. Verify Session Timeout is set to “10”. If Session Timeout is not set to “10”, this is a finding.

Fix: F-37375r611927_fix

1. Click "Administration" and select the "Server Configuration" tab. 2. Click the Web Server Configuration bar. 3. For Session Timeout, enter the value of “10” (minutes).

b
Citrix License Server must protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-234226 - SV-234226r628795_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
CVAD-LS-001000
Vuln IDs
  • V-234226
Rule IDs
  • SV-234226r628795_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
Checks: C-37411r611929_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-37376r611930_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

c
Citrix License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).
SC-8 - High - CCI-002421 - V-234227 - SV-234227r628795_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002421
Version
CVAD-LS-001005
Vuln IDs
  • V-234227
Rule IDs
  • SV-234227r628795_rule
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.
Checks: C-37412r611932_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-37377r611933_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

b
Citrix License Server must maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-234228 - SV-234228r628795_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002422
Version
CVAD-LS-001015
Vuln IDs
  • V-234228
Rule IDs
  • SV-234228r628795_rule
Information can be unintentionally or maliciously disclosed or modified during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When receiving data, applications need to leverage protection mechanisms, such as TLS, SSL VPNs, or IPsec.
Checks: C-37413r611935_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-37378r611936_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.