Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2021-02-01
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
c
Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
AC-17 - High - CCI-000068 - V-234253 - SV-234253r628798_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
CVAD-VD-000030
Vuln IDs
  • V-234253
Rule IDs
  • SV-234253r628798_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442
Checks: C-37438r612302_chk

A DoD approved VPN, or gateway/proxy, must be leveraged to access the Windows VDA from a remote network. This VPN, or gateway, must handle user authentication and tunneling of Citrix traffic. The VPN, or gateway, must meet the DoD encryption requirements, such as FIPS 140-2, for the environment. If no VPN, or gateway/proxy, is used for remote access to the VDA, this is a finding. If the VPN, or gateway/proxy, does not authenticate the remote user before providing access to the VDA, this is a finding. If the VPN, or gateway/proxy, fails to meet the DoD encryption requirements for the environment, this is a finding.

Fix: F-37403r612303_fix

Implement a DoD-approved VPN or gateway/proxy that will authenticate user access and tunnel/proxy traffic to the Windows VDA. Ensure the VPN or gateway/proxy is configured to authenticate the user before accessing the environment, and meets the DoD encryption requirements, such as FIPS 140-2, for the environment.

b
Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-234254 - SV-234254r628798_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
CVAD-VD-000275
Vuln IDs
  • V-234254
Rule IDs
  • SV-234254r628798_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web service); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
Checks: C-37439r612305_chk

Some organizations consider port 80 to be a non-secure port regardless of the protocol. Ensure VDA registration traffic to the Delivery Controller is occurring on an approved port. To verify the Delivery Controller is using an approved port, perform the following: 1. On each the Delivery Controller, open a command prompt. 2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service. 3. Run the command "BrokerService.exe /Show" to display the currently used "VDA Port". 4. Ensure the port in use on each Delivery Controller matches and is approved by the DoD organization. To verify the Windows VDA is using the approved port for registration, perform the following: 1. In Active Directory, open the Group Policy object used to apply VDA settings to the Windows VDA. 2. Navigate to Computer Configuration >> Policies >> Citrix Policies. 3. Edit the "Unfiltered Policy", or the custom policy used to apply Delivery Controller settings in the GPO. 4. Under the "Settings" tab, find the Virtual Delivery Agent Setting called "Controller registration port". 5. Ensure the port number matches the approved port set on the Delivery Controller. If an unapproved port is used, this is a finding.

Fix: F-37404r612306_fix

Some organizations consider port 80 to be a non-secure port regardless of the protocol. It is necessary to set the Delivery Controller and VDAs to use an approved port for registration traffic. To set the registration port on the broker to an approved port (e.g., 8080) perform the following: 1. On each the Delivery Controller, open a command prompt. 2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service. 3. Run the command "BrokerService.exe -VDAPort 8080" to set the registration port to 8080. Replace 8080 with an approved port in the organization. 4. Run the command "BrokerService.exe /Show" to verify the VDA Port is changed. To configure the Windows VDA to use the approved port set on the Delivery Controller, perform the following: 1. In Active Directory, open the Group Policy object used to apply VDA settings to the Windows VDA. If this GPO does not yet exist, create it. 2. Navigate to Computer Configuration >> Policies >> Citrix Policies. 3. Edit the "Unfiltered Policyā€¯ or create a custom Citrix policy to apply Delivery Controller settings in the GPO. 4. Under the "Settings" tab, find the Virtual Delivery Agent Setting called "Controller registration port". 5. Click "Add" to enable the setting and specify the approved port set on the Delivery Controller. 6. Ensure this GPO is linked to the OUs with the relevant Windows VDAs.