Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-02-01
  • Released: 2021-01-28
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The application must limit the number of concurrent sessions to three.
AC-10 - Medium - CCI-000054 - V-234255 - SV-234255r628796_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
LVDA-VD-000005
Vuln IDs
  • V-234255
Rule IDs
  • SV-234255r628796_rule
Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-37440r612319_chk

Open Citrix Studio, select "Policy Panel", check for Computer Policies. Maximum number of sessions (MaximumNumberOfSessions) policy is "ENABLED" and explicitly applied to Linux Desktop/Application Delivery Groups. If Maximum Number of Sessions policy is "DISABLED" or limit not set to "3", this is a finding.

Fix: F-37405r612320_fix

Open Citrix Studio, select "Policy Panel", check for Computer Policies. Maximum number of sessions (MaximumNumberOfSessions) policy set to "ENABLED" and limit set to "3".

b
The application must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-234256 - SV-234256r628796_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
LVDA-VD-000015
Vuln IDs
  • V-234256
Rule IDs
  • SV-234256r628796_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead.
Checks: C-37441r612322_chk

All timer values are defined in the registration table. Retrieve current value using the following command: /opt/Citrix/VDA/bin/ctxreg, /opt/Citrix/VDA/bin/ctxreg dump |grep MaxIdleTime If MaxIdleTime is not set to "15 minutes" or less, this is a finding.

Fix: F-37406r612323_fix

Set value for Idle Timer /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\cgp" -v "MaxIdleTime" -d "0x0000000F" /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -v "MaxIdleTime" -d "0x0000000F" /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "MaxIdleTime" -d "0x0000000F" where "0x0000000F" is hexadecimal for 15

c
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
AC-17 - High - CCI-000068 - V-234257 - SV-234257r628796_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
LVDA-VD-000030
Vuln IDs
  • V-234257
Rule IDs
  • SV-234257r628796_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442
Checks: C-37442r612325_chk

On the Delivery Controller, ensure the SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and the Delivery Controller uses FQDN of Linux VDA to contact target Linux VDA (DnsResolutionEnabled:True). Execute the following commands in a PowerShell window on the Delivery Controller: # Asnp citrix.* # Get-BrokerAccessPolicyRule –DesktopGroupName ‘<GROUPNAME>’ | format-list HdxSslEnabled Where <GROUPNAME> is the target Delivery Group name. On Linux VDA, check the following: Check if SSL listener is up and running; run following command: # netstat -lptn|grep ctxhdx to see that the ctxhdx process is listening on an SSL port (443, by default). If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding. If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding. If, on the Linux VDS, the ctxhdx process is not listening on an SSL port (443 by default, or other approved port), this is a finding.

Fix: F-37407r612326_fix

To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC), each Linux VDA server and root certificates must be installed on each Linux VDA server and client per DoD guidelines. On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command. To enable TLS 1.2 on Linux VDA OS - # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004 To enable GOV ciphersuites only: # /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001 thes restart service # sudo /sbin/service ctxhdx restart [root@ LVDA]# sudo /sbin/service ctxhdx restart

b
The application must be configured to disable non-essential capabilities.
CM-7 - Medium - CCI-000381 - V-234258 - SV-234258r628796_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
LVDA-VD-000270
Vuln IDs
  • V-234258
Rule IDs
  • SV-234258r628796_rule
It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission but cannot be disabled.
Checks: C-37443r612328_chk

Run the following command on a client to disable the CEIP: /opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\ SOFTWARE\Citrix\CEIP" -v "CEIPSwitch" -d "1" If CEIPSwitch is not set to "1", this is a finding. Run the following command on a client to disable Google Analytics: /opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\ SOFTWARE\Citrix\CEIP" -v "GASwitch" -d "1" If GASwitch is not set to "1", this is a finding.

Fix: F-37408r612329_fix

Set the value of CEIPSwitch to "1" (Disabled). Set the value of GASwitch to "1" (Disabled).

b
Citrix Linux Virtual Delivery Agent (LVDA) must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-234259 - SV-234259r628796_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
LVDA-VD-000275
Vuln IDs
  • V-234259
Rule IDs
  • SV-234259r628796_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services; however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-37444r612331_chk

On Delivery Controllers, verify that only approved ports are used. 1. Open a command prompt. 2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service 3. Enter "BrokerService.exe /Show" to display the currently used ports. If an unapproved port is used, this is a finding.

Fix: F-37409r612332_fix

To change the VDA registration port from the default "80", create the Citrix Machine Policy and update the DDCs, as explained below: 1. Create a new Citrix Machine policy or edit an existing one. 2. Navigate to the Settings tab and select "Control Registration Port". 3. Update the Value to reflect the new port. 4. Select "OK". 5. Restart all desktops and wait until all the desktops report as Unregistered. 6. Update the DDCs VDA registration Port. 7. Restart all desktops and verify that all VDAs register successfully.

c
Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
SC-23 - High - CCI-002470 - V-234260 - SV-234260r628796_rule
RMF Control
SC-23
Severity
High
CCI
CCI-002470
Version
LVDA-VD-000970
Vuln IDs
  • V-234260
Rule IDs
  • SV-234260r628796_rule
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. This requirement focuses on communications protection for the application session rather than for the network packet. This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).
Checks: C-37445r612334_chk

Verify the correct server certificate issued by authorized certificate authority is installed on Linux VDA. Navigate to folder /root/myCert/myCA/certs/ and examine certificates. If the certificates are not issued by the DoD or approved CA, this is a finding.

Fix: F-37410r612335_fix

A server certificate must be installed on each Linux VDA server and root certificates must be installed on each Linux VDA server and client. Obtain server certificates in PEM format and root certificates in CRT format from a trusted CA. A server certificate contains the following sections: - Certificate - Unencrypted private key - Intermediate certificates (optional) After obtaining required certificates, customers need to install them as follows: Upload server and CA certificates into Linux VDA server, which will be used in “Step 2: Enable SSL encryption on Linux VDA”. For example, put server.pem (name of server certificate) and myca.crt (name of CA certificate) to folder /root/myCert/myCA/certs/. Download the CA certificate (myca.crt as an example) to client host and import it into system Certificate Store on the “Trusted Root Certification Authorities” folder. Refer to "Importing Trusted CA Certificates into the Windows Certificate Store" for the instructions. Note: Ensure the client host is able to resolve the FQDN of Linux VDA; otherwise, the connection cannot be established.