Open Citrix Studio, select "Policy Panel", and check the Computer Policies. The Maximum number of sessions (MaximumNumberOfSessions) policy must be "ENABLED" and explicitly applied to the Linux Desktop/Application Delivery Groups. If the Maximum Number of Sessions policy is "DISABLED" or the limit is not set to "3", this is a finding.
Open Citrix Studio, select "Policy Panel", and check the Computer Policies. Set the Maximum number of sessions (MaximumNumberOfSessions) policy to "ENABLED" with the limit set to "3".
All timer values are stored in the Citrix registry on the Linux VDA and are read with /opt/Citrix/VDA/bin/ctxreg. Retrieve the current value using the following command:
/opt/Citrix/VDA/bin/ctxreg dump | grep MaxIdleTime
If MaxIdleTime is not set to "15 minutes" or less, this is a finding.
Set the value for the Idle Timer on each WinStation (cgp, tcp and ssl):
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\cgp" -v "MaxIdleTime" -d "0x0000000F"
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -v "MaxIdleTime" -d "0x0000000F"
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "MaxIdleTime" -d "0x0000000F"
where "0x0000000F" is hexadecimal for 15 (minutes).
On the Delivery Controller, ensure that SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and that the Delivery Controller uses the FQDN of the Linux VDA to contact the target Linux VDA (DnsResolutionEnabled:True). Execute the following commands in a PowerShell window on the Delivery Controller:
# Asnp citrix.*
# Get-BrokerAccessPolicyRule -DesktopGroupName '<GROUPNAME>' | format-list HdxSslEnabled
where <GROUPNAME> is the target Delivery Group name.
On the Linux VDA, check that the SSL listener is up and running by executing the following command:
# netstat -lptn | grep ctxhdx
and confirm that the ctxhdx process is listening on an SSL port (443 by default).
If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding.
If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding.
If, on the Linux VDA, the ctxhdx process is not listening on an SSL port (443 by default, or another approved port), this is a finding.
To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC) and on each Linux VDA server, and root certificates must be installed on each Linux VDA server and client per DoD guidelines. On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about the options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command.
To enable TLS 1.2 on the Linux VDA OS:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004
To enable GOV ciphersuites only:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001
Then restart the service:
# sudo /sbin/service ctxhdx restart
Run the following command on a client to disable the CEIP:
/opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP" -v "CEIPSwitch" -d "1"
If CEIPSwitch is not set to "1", this is a finding.
Run the following command on a client to disable Google Analytics:
/opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP" -v "GASwitch" -d "1"
If GASwitch is not set to "1", this is a finding.
Set the value of CEIPSwitch to "1" (Disabled). Set the value of GASwitch to "1" (Disabled).
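An added audit script (example code, not Citrix's or the STIG's own) that checks the MaxIdleTime, SSLMinVersion, SSLCipherSuite, CEIPSwitch and GASwitch values from the checks above against the output of ctxreg dump. The replayable create -k ... -v ... -d ... line shape it parses is an assumption about the dump format, the sample dump is constructed, and reading MaxIdleTime 0 as "timer off" is an assumption.

```python
"""Audit Citrix Linux VDA ctxreg values against the STIG settings above (added example,
not Citrix code). It assumes `ctxreg dump` prints replayable lines shaped like SAMPLE_DUMP."""
import re
LINE_RE = re.compile(r'-k\s+"([^"]+)"(?:\s+-t\s+"[^"]*")?\s+-v\s+"([^"]+)"\s+-d\s+"([^"]+)"')
WINSTATIONS = r"HKLM\System\CurrentControlSet\Control\Citrix\WinStations"
CEIP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP"
# (key, value name, compliance predicate, expected value). MaxIdleTime 0 = timer off (assumption).
CHECKS = [(WINSTATIONS + "\\" + ws, "MaxIdleTime", lambda v: 0 < v <= 15, "1..15 minutes")
          for ws in ("cgp", "tcp", "ssl")] + [
    (WINSTATIONS + "\\ssl", "SSLMinVersion", lambda v: v >= 4, "4 (TLS 1.2) or higher"),
    (WINSTATIONS + "\\ssl", "SSLCipherSuite", lambda v: v == 1, "1 (GOV ciphersuites only)"),
    (CEIP, "CEIPSwitch", lambda v: v == 1, "1 (CEIP disabled)"),
    (CEIP, "GASwitch", lambda v: v == 1, "1 (Google Analytics disabled)"),
]
def _norm(key):
    """Case-insensitive key comparison that also accepts the HKLM shorthand."""
    return re.sub(r"^hkey_local_machine", "hklm", key.lower())
def parse_dump(text):
    """Map (key, value name) -> int for every numeric value in a ctxreg dump."""
    values = {}
    for line in text.splitlines():
        if m := LINE_RE.search(line):
            key, name, data = m.groups()
            try:
                values[(_norm(key), name.lower())] = int(data, 0)  # "0x0f" or "15"
            except ValueError:
                pass  # REG_SZ data (e.g. DDC lists) is not audited here
    return values
def audit(values):
    """Return one string per finding; an empty list means every check passes."""
    findings = []
    for key, name, ok, expected in CHECKS:
        v = values.get((_norm(key), name.lower()))
        if v is None:
            findings.append(f"{key}\\{name} not set (expected {expected})")
        elif not ok(v):
            findings.append(f"{key}\\{name} = {v} (expected {expected})")
    return findings

# Constructed sample: cgp idle timer 30 min, ssl idle timer and cipher suite unset, GA on.
SAMPLE_DUMP = r"""
create -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -t "REG_DWORD" -v "MaxIdleTime" -d "0x0000000f" --force
create -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\cgp" -t "REG_DWORD" -v "MaxIdleTime" -d "0x0000001e" --force
create -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -t "REG_DWORD" -v "SSLMinVersion" -d "0x00000004" --force
create -k "HKLM\SOFTWARE\Citrix\CEIP" -t "REG_DWORD" -v "CEIPSwitch" -d "0x00000001" --force
create -k "HKLM\SOFTWARE\Citrix\CEIP" -t "REG_DWORD" -v "GASwitch" -d "0x00000000" --force
"""

if __name__ == "__main__":  # on a VDA, feed audit() the real `ctxreg dump` output instead
    print("\n".join(audit(parse_dump(SAMPLE_DUMP))) or "compliant")
```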
On Delivery Controllers, verify that only approved ports are used.
1. Open a command prompt.
2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service.
3. Enter "BrokerService.exe /Show" to display the currently used ports.
If an unapproved port is used, this is a finding.
To change the VDA registration port from the default "80", create the Citrix Machine Policy and update the DDCs, as explained below:
1. Create a new Citrix Machine policy or edit an existing one.
2. Navigate to the Settings tab and select "Control Registration Port".
3. Update the Value to reflect the new port.
4. Select "OK".
5. Restart all desktops and wait until all the desktops report as Unregistered.
6. Update the DDCs' VDA registration port.
7. Restart all desktops and verify that all VDAs register successfully.
Verify that the correct server certificate, issued by an authorized certificate authority, is installed on the Linux VDA. Navigate to the folder /root/myCert/myCA/certs/ and examine the certificates. If the certificates are not issued by the DoD or an approved CA, this is a finding.
A server certificate must be installed on each Linux VDA server, and root certificates must be installed on each Linux VDA server and client. Obtain server certificates in PEM format and root certificates in CRT format from a trusted CA. A server certificate contains the following sections:
- Certificate
- Unencrypted private key
- Intermediate certificates (optional)
After obtaining the required certificates, install them as follows:
Upload the server and CA certificates to the Linux VDA server; they will be used in "Step 2: Enable SSL encryption on Linux VDA". For example, put server.pem (the server certificate) and myca.crt (the CA certificate) in the folder /root/myCert/myCA/certs/.
Download the CA certificate (myca.crt in this example) to the client host and import it into the system Certificate Store under the "Trusted Root Certification Authorities" folder. Refer to "Importing Trusted CA Certificates into the Windows Certificate Store" for instructions.
Note: Ensure the client host is able to resolve the FQDN of the Linux VDA; otherwise, the connection cannot be established.