Citrix XenDesktop 7.x License Server Security Technical Implementation Guide

V1R1 2018-08-28       U_Citrix_XenDesktop_7-x_License_Server_STIG_V1R1_Manual-xccdf.xml
V1R2 2019-03-20       U_Citrix_XenDesktop_7-x_License_Server_STIG_V1R2_Manual-xccdf.xml
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Comparison
All 7
No Change 6
Updated 1
Added 0
Removed 0
V-81413 No Change
Findings ID: CXEN-LS-000030 Rule ID: SV-96127r1_rule Severity: high CCI: CCI-000068

Discussion

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.

Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.

Checks

Open the License Management Console, click "Administration", and select the "Server Configuration" tab.

Click the "Secure Web Server Configuration" bar and verify "Enable HTTPS (Default 443)" is selected.

If "Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix

1. Copy a valid server certificate file and server certificate key file to the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory.
2. Click "Administration" and select the "Server Configuration" tab.
3. Click the "Secure Web Server Configuration" bar.
4. Select "Enable HTTPS (Default 443)".
5. Enter a port for the HTTPS communication.
6. Enter the location of the server certificate file and the server certificate key file.
7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.
NOTE: You may be prompted to log in after "Administration".
Port should be 8082 (or desired port from PPSM group).
V-81415 Updated
Findings ID: CXEN-LS-000135 Rule ID: SV-96129r21_rule Severity: medium CCI: CCI-000171

Discussion

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one.

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.

Checks

Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account.

1. Log on to the License Server with an administrator account.

2. Open the command line.

3. Go to C:\Program Files\Citrix\Licensing\LS or C:\Program Files (x86)\Citrix\Licensing\LS and type:
udadmin -list

If the desired License Server administrator account is not returned, this is a finding.

Fix

Identify all License Server administrators as the appropriate Active Directory domain/user or domain/group account.

To change the default License Server Administrator Account, complete the following steps:

1. Log on to the License Server with an administrator account.

2. Open the command line.

3. Stop the Citrix Licensing Service:
net stop "citrix licensing"

4. Go to C:\Program Files\Citrix\Licensing\LS or C:\Program Files (x86)\Citrix\Licensing\LS and type:
Lmadmin.exe -defaultAdminUser domain\user
Or
Lmadmin.exe -defaultAdminGroup domain\adminGroup
5. Start the Citrix Licensing Service:
net start "citrix licensing"

6. Log on to the License Management Console using the specified account.
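The V-81415 check and fix above can be scripted. The following is an added example, not part of the STIG or of Citrix's own tooling: it runs `udadmin -list` from whichever LS directory the check names and looks for the expected administrator account; with `-Remediate` it also applies the fix step for step. The account name is an assumption, and because the page does not show udadmin's output layout, the check is a substring match on the expected account rather than a parse of the list.

```powershell
# Added example (not part of the STIG or of Citrix tooling): scripts the V-81415
# check as the STIG states it, and optionally the Fix. The account name is an
# assumption; udadmin's output layout is not given on the page, so the check is
# a substring match on the expected account.
param(
    [string]$ExpectedAdmin = 'EXAMPLE\LicenseServerAdmins',   # assumed domain\group
    [switch]$Remediate
)

function Get-LicensingLsDir {
    # Both install locations named in the check; the first containing udadmin.exe wins.
    foreach ($dir in 'C:\Program Files\Citrix\Licensing\LS',
                     'C:\Program Files (x86)\Citrix\Licensing\LS') {
        if (Test-Path (Join-Path $dir 'udadmin.exe')) { return $dir }
    }
    throw 'Citrix Licensing LS directory not found'
}

function Test-LicenseServerAdmin {
    param([string]$Account, [string]$LsDir)
    $output  = & (Join-Path $LsDir 'udadmin.exe') -list 2>&1 | Out-String
    $present = $output -match [regex]::Escape($Account)     # -match is case-insensitive
    [pscustomobject]@{
        Account = $Account
        Present = $present
        Finding = -not $present   # "If the desired ... account is not returned, this is a finding."
    }
}

function Set-LicenseServerAdmin {
    # The Fix, step for step: stop the service, set the default admin, start it.
    # The -defaultAdminGroup form is used because a domain group is expected here.
    param([string]$Group, [string]$LsDir)
    net stop "citrix licensing"
    & (Join-Path $LsDir 'lmadmin.exe') -defaultAdminGroup $Group
    net start "citrix licensing"
}

$lsDir  = Get-LicensingLsDir
$result = Test-LicenseServerAdmin -Account $ExpectedAdmin -LsDir $lsDir
$result
if ($result.Finding -and $Remediate) {
    Set-LicenseServerAdmin -Group $ExpectedAdmin -LsDir $lsDir
    Test-LicenseServerAdmin -Account $ExpectedAdmin -LsDir $lsDir   # re-check after the fix
}
```

Step 6 of the fix (logging on to the License Management Console with the new account) is interactive and is not scripted here.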
V-81417 No Change
Findings ID: CXEN-LS-000480 Rule ID: SV-96131r1_rule Severity: medium CCI: CCI-001184

Discussion

Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Application communication sessions are protected using transport encryption protocols, such as SSL or TLS. SSL/TLS provide web applications with a way to authenticate user sessions and encrypt application traffic. Session authentication can be single (one-way) or mutual (two-way) in nature. Single authentication authenticates the server for the client, whereas mutual authentication provides a means for both the client and the server to authenticate each other.

This requirement applies to applications that use communications sessions. This includes but is not limited to web-based applications and Service-Oriented Architectures (SOA).

This requirement addresses communications protection at the application session, versus the network packet, and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of SSL/TLS mutual authentication (two-way/bidirectional).

Checks

Look in the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory for the server certificate file and the server certificate key file.

Open the License Management Console, click "Administration", and select the "Server Configuration" tab.

Click the "Secure Web Server Configuration" bar and verify "Enable HTTPS (Default 443)" is selected.

If "Enable HTTPS (Default 443)" is not selected, this is a finding.

NOTE: You may be prompted to log in after "Administration".

Fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory.
2. Click "Administration" and select the "Server Configuration" tab.
3. Click the "Secure Web Server Configuration" bar.
4. Select "Enable HTTPS (Default 443)".
5. Enter a port for the HTTPS communication.
6. Enter the location of the server certificate file and the server certificate key file.
7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.
V-81419 No Change
Findings ID: CXEN-LS-000880 Rule ID: SV-96133r1_rule Severity: medium CCI: CCI-002007

Discussion

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Checks

1. Click "Administration" and select the "Server Configuration" tab.
2. Click the "Web Server Configuration" bar and "Session Timeout".
3. Verify Session Timeout is set to "10".

If Session Timeout is not set to "10", this is a finding.

Fix

1. Click "Administration" and select the "Server Configuration" tab.
2. Click the "Web Server Configuration" bar.
3. For Session Timeout, enter the value of "10" (minutes).
V-81421 No Change
Findings ID: CXEN-LS-001000 Rule ID: SV-96135r1_rule Severity: medium CCI: CCI-002418

Discussion

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and read or altered.

This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec.

Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Checks

Open the License Management Console, click "Administration", and select the "Server Configuration" tab.

Click the "Secure Web Server Configuration" bar and verify "Enable HTTPS (Default 443)" is selected.

If "Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory.
2. Click "Administration" and select the "Server Configuration" tab.
3. Click the "Secure Web Server Configuration" bar.
4. Select "Enable HTTPS (Default 443)".
5. Enter a port for the HTTPS communication.
6. Enter the location of the server certificate file and the server certificate key file.
7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.
V-81423 No Change
Findings ID: CXEN-LS-001005 Rule ID: SV-96137r1_rule Severity: high CCI: CCI-002421

Discussion

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes.

This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, applications need to leverage transmission protection mechanisms, such as TLS, SSL VPNs, or IPsec.

Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.

Checks

Open the License Management Console, click "Administration", and select the "Server Configuration" tab.

Click the "Secure Web Server Configuration" bar and verify "Enable HTTPS (Default 443)" is selected.

If "Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory.
2. Click "Administration" and select the "Server Configuration" tab.
3. Click the "Secure Web Server Configuration" bar.
4. Select "Enable HTTPS (Default 443)".
5. Enter a port for the HTTPS communication.
6. Enter the location of the server certificate file and the server certificate key file.
7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.
V-81425 No Change
Findings ID: CXEN-LS-001015 Rule ID: SV-96139r1_rule Severity: medium CCI: CCI-002422

Discussion

Information can be unintentionally or maliciously disclosed or modified during reception including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.

This requirement applies only to applications that are distributed or can allow access to data non-locally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When receiving data, applications need to leverage protection mechanisms, such as TLS, SSL VPNs, or IPsec.

Checks

Open the License Management Console, click "Administration", and select the "Server Configuration" tab.

Click the "Secure Web Server Configuration" bar and verify "Enable HTTPS (Default 443)" is selected.

If "Enable HTTPS (Default 443)" is not selected, this is a finding.

Fix

1. Copy a valid server certificate file and server certificate key file into the \\Citrix\Licensing\LS\conf\ folder of the License Server installation directory.
2. Click "Administration" and select the "Server Configuration" tab.
3. Click the "Secure Web Server Configuration" bar.
4. Select "Enable HTTPS (Default 443)".
5. Enter a port for the HTTPS communication.
6. Enter the location of the server certificate file and the server certificate key file.
7. Stop and restart the Citrix Licensing service from the services control panel of the machine running the license server.
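V-81413, V-81417, V-81421, V-81423 and V-81425 all resolve to the same console check: HTTPS enabled with a valid server certificate. The following is an added example, not part of the STIG or of Citrix's tooling, that verifies the same requirement from the network side: it connects to the License Management Console port, records whether a TLS handshake completes and which certificate is presented, and reports a finding when there is no TLS or the certificate has expired. The host name is an assumption; 8082 is the port the V-81413 note calls for, with 443 as the console's labelled default.

```powershell
# Added example (not part of the STIG or of Citrix tooling): checks the HTTPS
# requirement from the network side. Host name is an assumption; 8082 is the
# port the V-81413 note calls for, with 443 as the console's labelled default.
param(
    [string]$LicenseServer = 'licsrv.example.mil',
    [int]$HttpsPort = 8082
)

function Test-LicenseConsoleHttps {
    param([string]$Server, [int]$Port)
    $r = [ordered]@{ Server = $Server; Port = $Port; TlsHandshake = $false
                     Protocol = $null; Subject = $null; NotAfter = $null
                     Finding = $true; Detail = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        $r.Detail = "nothing listening on TCP $Port; HTTPS is not enabled there"
        return [pscustomobject]$r
    }
    # Accept whatever certificate is offered so it can be recorded; validity is
    # judged below rather than delegated to the callback.
    $recordOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $recordOnly)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.TlsHandshake = $true
        $r.Protocol = "$($ssl.SslProtocol)"
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        # The Fix calls for a *valid* server certificate, so an expired one is
        # still reported as a finding even though HTTPS is switched on.
        $r.Finding = $cert.NotAfter -lt (Get-Date)
        if ($r.Finding) { $r.Detail = "certificate expired $($cert.NotAfter)" }
    } catch {
        $r.Detail = "TCP $Port is open but no TLS handshake completed (plain HTTP?)"
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
    [pscustomobject]$r
}

Test-LicenseConsoleHttps -Server $LicenseServer -Port $HttpsPort | Format-List
```

The negotiated protocol is reported for the assessor's record; the STIG text itself makes no statement about protocol versions, so it is not used to raise a finding here.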