Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Citrix XenDesktop 7.x License Server Security Technical Implementation Guide

V1R2 · · · Released 26 Apr 2019 · 7 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 23 Aug 2018 ✎ 1

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Content changes 1

  • V-81415 Medium checkfix XenDesktop License Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
Sort by
c
XenDesktop License Server must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-81413 - SV-96127r1_rule
RMF Control
AC-17
Severity
H
CCI
CCI-000068
Version
CXEN-LS-000030
Vuln IDs
  • V-81413
Rule IDs
  • SV-96127r1_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
Checks: C-81153r1_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-88229r1_fix

1. Copy a valid server certificate file and server certificate key file to the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click “Administration” and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server. NOTE: You may be prompted to log in after "Administration". Port should be 8082 (or desired port from PPSM group).

b
XenDesktop License Server must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
AU-12 - Medium - CCI-000171 - V-81415 - SV-96129r2_rule
RMF Control
AU-12
Severity
M
CCI
CCI-000171
Version
CXEN-LS-000135
Vuln IDs
  • V-81415
Rule IDs
  • SV-96129r2_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.
Checks: C-81155r2_chk

Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account. 1. Log on to the License Server with an administrator account. 2. Open the command line. 3. Go to C:\Program Files\Citrix\Licensing\LS or C:\Program Files (x86)\Citrix\Licensing\LS and type: udadmin -list If the desired License Server administrator account is not returned, this is a finding.

Fix: F-88231r2_fix

Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account. To change the default License Server Administrator Account, complete the following steps: 1. Log on to the License Server with an administrator account. 2. Open the command line. 3. Stop the Citrix Licensing Service: net stop "citrix licensing" 4. Go to C:\Program Files\Citrix\Licensing\LS or C:\Program Files (x86)\Citrix\Licensing\LS and type: Lmadmin.exe –defaultAdminUser domain\user Or Lmadmin.exe –defaultAdminGroup domain\adminGroup 5. Start the Citrix Licensing Service: net start "citrix licensing" 6. Log on to the License Management Console using the specified account.

b
XenDesktop License Server must protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-81417 - SV-96131r1_rule
RMF Control
SC-23
Severity
M
CCI
CCI-001184
Version
CXEN-LS-000480
Vuln IDs
  • V-81417
Rule IDs
  • SV-96131r1_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Application communication sessions are protected using transport encryption protocols, such as SSL or TLS. SSL/TLS provide web applications with a way to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other. This requirement applies to applications that use communications sessions. This includes but is not limited to web-based applications and Service-Oriented Architectures (SOA). This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of SSL/TLS mutual authentication (two-way/bidirectional).
Checks: C-81157r1_chk

Look in \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory for cert file/cert key file. Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding. NOTE: You may be prompted to log in after "Administration".

Fix: F-88233r1_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

b
XenDesktop License Server must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-81419 - SV-96133r1_rule
RMF Control
IA-5
Severity
M
CCI
CCI-002007
Version
CXEN-LS-000880
Vuln IDs
  • V-81419
Rule IDs
  • SV-96133r1_rule
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Checks: C-81159r1_chk

1. Click "Administration" and select the "Server Configuration" tab. 2. Click the "Web Server Configuration" bar and "Session Timeout". 3. Verify Session Timeout is set to “10”. If Session Timeout is not set to “10”, this is a finding.

Fix: F-88235r1_fix

1. Click "Administration" and select the "Server Configuration" tab. 2. Click the Web Server Configuration bar. 3. For Session Timeout, enter the value of “10” (minutes).

b
XenDesktop License Server must protect the confidentiality and integrity of transmitted information.
SC-8 - Medium - CCI-002418 - V-81421 - SV-96135r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002418
Version
CXEN-LS-001000
Vuln IDs
  • V-81421
Rule IDs
  • SV-96135r1_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
Checks: C-81161r1_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-88237r1_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

c
XenDesktop License Server must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution Systems (PDS).
SC-8 - High - CCI-002421 - V-81423 - SV-96137r1_rule
RMF Control
SC-8
Severity
H
CCI
CCI-002421
Version
CXEN-LS-001005
Vuln IDs
  • V-81423
Rule IDs
  • SV-96137r1_rule
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.
Checks: C-81163r1_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-88239r1_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.

b
XenDesktop License Server must maintain the confidentiality and integrity of information during reception.
SC-8 - Medium - CCI-002422 - V-81425 - SV-96139r1_rule
RMF Control
SC-8
Severity
M
CCI
CCI-002422
Version
CXEN-LS-001015
Vuln IDs
  • V-81425
Rule IDs
  • SV-96139r1_rule
Information can be unintentionally or maliciously disclosed or modified during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When receiving data, applications need to leverage protection mechanisms, such as TLS, SSL VPNs, or IPsec.
Checks: C-81165r1_chk

Open the License Management Console, click "Administration", and select the "Server Configuration" tab. Click the "Secure Web Server Configuration" bar and verify "Select Enable HTTPS (Default 443)" is selected. If "Select Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix: F-88241r1_fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory. 2. Click "Administration" and select the "Server Configuration" tab. 3. Click the "Secure Web Server Configuration" bar. 4. Select "Enable HTTPS (Default 443)". 5. Enter a port for the HTTPS communication. 6. Enter the location of the server certificate file and the server certificate key file. 7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.