Remote XenApp, ICA, and Thin Client STIG

  • Version/Release: V2R7
  • Published: 2012-01-10
  • Released: 2012-07-27

Configure all Program Neighborhood clients with specific FQDN of the XenApp servers in the Address List.
Medium - V-21745 - SV-24276r3_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-080
  • Vuln IDs: V-21745
  • Rule IDs: SV-24276r3_rule

Discussion: By default no servers or IP addresses are specified in the Address List box of the client. A primary requirement for the use of TLS/SSL from the Citrix Program Neighborhood client is that users must connect using the Fully Qualified Domain Name (FQDN) of the XenApp server. This FQDN must exactly match the name on the XenApp server’s TLS/SSL certificate. Restricting clients to using only the FQDN ensures that the server farm is not vulnerable to a man-in-the-middle attack, whereby a malicious attacker could attempt to route users to a duplicate XenApp server and steal their passwords.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-26006r2_chk

Access the Full Program Neighborhood client on the workstation and perform the following:
1. Select Start > Citrix > Citrix Access Clients > Program Neighborhood.
2. Right-click on the selected application(s).
3. Under the Address List, verify that the Fully Qualified Domain Names listed match the certificates of the XenApp servers within the enclave. If they are not listed, this is a finding.

Fix: F-22537r2_fix

Configure all Program Neighborhood clients with specific FQDN of the XenApp servers in the Address List.

Disable Client drive mappings on all Program Neighborhood clients.
High - V-21746 - SV-24279r2_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: SRC-CTX-090
  • Vuln IDs: V-21746
  • Rule IDs: SV-24279r2_rule

Discussion: Client drive mappings are built into the standard device redirection facilities of the Citrix XenApp Server. The client drives appear as client network objects in Windows. The client’s disk drives are displayed as shared folders with mapped drive letters. These drives can be used by Windows Explorer and other applications like any other network drive. Client drive mappings pose a security risk because they allow the client to read and write files from their local drives to the XenApp server. This allows users to transfer rogue files onto the server that could contain malware or malicious code. Transferring files from client devices to the XenApp server may use up disk space or infect the server with a virus that could affect the availability and integrity of the XenApp server.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-26007r2_chk

There are two ways to verify that client drive mappings are disabled. Each is listed below. Access the XenApp server and perform the following:

Method 1
1. Select Start > Administrative Tools > Terminal Services Configuration > ICA-tcp.
2. Select the Client Settings tab and verify that “Connect client drives at logon” is not checked. If it is, this is a finding.

Method 2
1. Access the Local Computer Policy and import the Citrix Presentation Server Client template (icaclient.adm).
2. Navigate to Computer Configuration > Administrative Templates > Citrix Components > Presentation Server Client > Remoting client devices.
3. Verify that “Client drive mapping” is set to Disabled. If not, this is a finding.

Fix: F-22539r2_fix

Disable Client drive mappings on all Program Neighborhood clients.

Disable Clipboard mapping on all Program Neighborhood clients.
High - V-21751 - SV-24286r1_rule
  • RMF Control:
  • Severity: High
  • CCI:
  • Version: SRC-CTX-100
  • Vuln IDs: V-21751
  • Rule IDs: SV-24286r1_rule

Discussion: The clipboard mapping allows the XenApp server to copy or paste from its clipboard to the client machine. The clipboard mapping allows any type of data to be written to the client drive. If the XenApp server has malicious code on the server, a client workstation could be infected with this malicious code. Text objects may be transferred, such as passwords, which could compromise the XenApp server. This may cause information leakage and potentially infect other operating systems if the text is a string that can be run as a command or URL. As a result of these potential scenarios, the clipboard mapping will be disabled to prevent file transfers that may be malicious to client machines via the clipboard.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-26009r1_chk

There are two ways to verify that the clipboard mapping is disabled. Each is listed below.

Method 1
Access the XenApp server and perform the following:
1. Select Start > Administrative Tools > Terminal Services Configuration > ICA-tcp.
2. Select the Client Settings tab and verify that “Clipboard mapping” is checked. If it is not checked, this is a finding.

Method 2
1. Access the Local Computer Policy and import the Citrix Presentation Server Client template (icaclient.adm).
2. Navigate to Computer Configuration > Administrative Templates > Citrix Components > Presentation Server Client > Clipboard.
3. Verify that “Clipboard” is set to Disabled. If not, this is a finding.

Fix: F-22543r1_fix

Disable Clipboard mapping on all Program Neighborhood clients.

Disable Bitmap Disk Caching.
Low - V-21753 - SV-24290r1_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: SRC-CTX-110
  • Vuln IDs: V-21753
  • Rule IDs: SV-24290r1_rule

Discussion: Bitmap disk cache stores graphic representations consisting of rows and columns of dots in computer memory. The value of each dot is stored in one or more bits of data. Bitmap disk caching is used as a performance measure for clients connecting over slow links. Clients connecting over high speed links do not need this and it should be disabled to improve performance and security. The bitmap cache is protected by an access control list, but the cache is stored to disk. To protect the bitmap cache data on the disk from unauthorized users, bitmap disk caching will be disabled.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-20699r1_chk

To verify that bitmap disk caching is disabled, perform the following:
1. Using a text editor, open the Appsrv.ini file located in the C:\Documents and Settings\Application Data\ICA Client directory.
2. Under the [WFClient] section, verify the value is set to ‘PersistentCacheEnabled=Off’. If it is not set to Off, this is a finding.

Fix: F-18618r1_fix

Disable Bitmap Disk Caching.

Configure SSL/TLS+HTTPS for the ICA client.
Medium - V-21757 - SV-24296r2_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-120
  • Vuln IDs: V-21757
  • Rule IDs: SV-24296r2_rule

Discussion: Unencrypted XenApp client to server sessions do not protect the information transmitted from being read or viewed by anyone. Unencrypted sessions are vulnerable to a number of attacks, including man-in-the-middle attacks, TCP hijacking, and replay. SSL/TLS+HTTPS on the ICA client will ensure that all traffic is encrypted between the server and client. The server must be configured to accept SSL/TLS communication.
Responsibility: Information Assurance Officer
IA Controls: ECCT-1, ECCT-2
Checks: C-26011r1_chk

To verify that the Program Neighborhood Client is configured to utilize SSL/TLS, perform the following steps:
1. Select Start > All Programs > Citrix > Citrix Access Clients > Program Neighborhood.
2. Right-click the application set and select Application Set Settings.
3. In the Settings dialog box, verify SSL/TLS+HTTPS is selected from the Network Protocol menu. If not, this is a finding.

OR

1. Exit the Program Neighborhood client if it is running. Make sure all client components, including the Connection Center, are closed.
2. Open the individual’s user-level Appsrv.ini file (default directory: %User Profile%\Application Data\ICAClient) in a text editor.
3. Locate the section named [WFClient].
4. Verify the values of these three parameters:
   SSLCIPHERS=GOV
   SECURECHANNELPROTOCOL=TLS
   SSLEnable=On
5. If any of these three values are incorrect or missing, this is a finding.

Fix: F-18621r1_fix

Configure SSL/TLS+HTTPS for the ICA client.

Upgrade Program Neighborhood clients to the required minimum version.
Medium - V-21758 - SV-24299r1_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-130
  • Vuln IDs: V-21758
  • Rule IDs: SV-24299r1_rule

Discussion: Minor Citrix client software versions could potentially be used to an attacker’s advantage. Citrix Security Bulletin CTX116227 states that “under some circumstances, the Citrix Presentation Server Client for Windows may leave residual information in the client process memory. This issue is present in all versions of the Citrix Presentation Server Client prior to version 10.200.” Therefore, the minimum software version for Citrix clients will be 10.200 or higher.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-26012r1_chk

1. Select Start > All Programs > Citrix > Citrix Access Clients > Program Neighborhood.
2. Navigate to Help > About Program Neighborhood.
3. If the Program Neighborhood version is not at 10.200 or higher, this is a finding.

Fix: F-18633r1_fix

Upgrade Program Neighborhood clients to the required minimum version.

Enable Smart Card for ICA Program Neighborhood clients.
Medium - V-21761 - SV-24311r1_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-140
  • Vuln IDs: V-21761
  • Rule IDs: SV-24311r1_rule

Discussion: Two-factor authentication identifies users using two distinctive factors--something they have and something they know or something they are. Requiring two different forms of electronic identification reduces the risk of fraud. A physical device or token can be something a user has. Token options include smart-tokens, smart cards, and password generation tokens. Smart cards may be enabled within the Citrix XenApp Server environment. Smart cards are small plastic cards with embedded computer chips. Within the DoD environment, this would be the Common Access Card (CAC). Smart cards authenticate users to networks and computers, secure channel communications over a network, and use digital signatures for signing content. With smart cards, a user’s private key is securely stored within the smart card and never leaves the card. Using the onboard processor, all cryptographic functions, including digital signatures and decryption of session keys, occur inside the card. Smart cards will be used for authentication when users access applications and content published on servers. In addition, Citrix supports two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor), known only to the user, is employed to prove that the cardholder is the rightful owner of the smart card.
Responsibility: Information Assurance Officer
IA Controls: IAIA-1, IAIA-2
Checks: C-26013r1_chk

On the ICA workstation, perform the following:
1. Select Start > All Programs > Citrix > Citrix Access Clients > Program Neighborhood.
2. Select the Logon Information tab and verify that Smart Card is selected. If not, this is a finding.

Fix: F-22553r1_fix

Enable Smart Card for ICA Program Neighborhood clients.

Disable smart-card pass thru authentication.
Medium - V-21762 - SV-24315r1_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-150
  • Vuln IDs: V-21762
  • Rule IDs: SV-24315r1_rule

Discussion: When a user selects an application on a Web Interface server, a file is sent to the browser. This file can contain a setting that instructs the client to send the user’s workstation credentials to the server. By default, the client does not honor this setting; however, there is a risk that if the passthru feature is enabled on the Presentation Server Client for Win32, an attacker could send the user a file causing the user’s credentials to be sent to an unauthorized or counterfeit server.
Responsibility: Information Assurance Officer
IA Controls: IAIA-1, IAIA-2
Checks: C-26014r1_chk

On the ICA workstation, perform the following:
1. Select Start > All Programs > Citrix > Citrix Access Clients > Program Neighborhood.
2. Select the Logon Information tab and verify that Pass thru authentication is not checked under Smart Card. If it is, this is a finding.

OR

1. Access the Appsrv.ini file located in users’ profiles to check whether pass-thru is configured. For instance, if a user’s profile is stored locally, this file is located in C:\Documents and Settings\user\Application Data\ICAClient.
2. In the [WFClient] section, verify the following entries do not exist:
   EnableSSOnThruICAFile=On
   SSOnUserSetting=On
   If these two entries exist, this is a finding.
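Three of the checks in this STIG (V-21753 bitmap disk caching, V-21757 SSL/TLS parameters, and V-21762 smart-card pass-through) come down to inspecting keys in the [WFClient] section of a user's Appsrv.ini. The script below is an added example, not part of the STIG or of Citrix's tooling: it parses an Appsrv.ini and reports a finding for each of those three rules using the expected values stated in the checks. The sample file contents and the path argument are constructed for illustration; the parser is written by hand rather than with configparser because it only needs to tolerate the whitespace around "=" that the check text shows (SSLCIPHERS= GOV) and compare keys and values case-insensitively.

```python
"""Audit a Citrix Program Neighborhood Appsrv.ini against three STIG checks:
V-21753 (PersistentCacheEnabled=Off), V-21757 (SSLCIPHERS=GOV,
SECURECHANNELPROTOCOL=TLS, SSLEnable=On) and V-21762 (no
EnableSSOnThruICAFile=On / SSOnUserSetting=On).

Added example; the sample ini text below is constructed, not a real file.
"""
from __future__ import annotations

import sys
from typing import Dict, List, Tuple

# Constructed sample Appsrv.ini: caching left on and pass-through enabled,
# so two of the three rules produce findings.
SAMPLE_APPSRV_INI = """\
[WFClient]
Version=2
PersistentCacheEnabled=On
SSLCIPHERS= GOV
SECURECHANNELPROTOCOL= TLS
SSLEnable=On
EnableSSOnThruICAFile=On

[ApplicationServers]
DoD Apps=
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ini text into {SECTION: {KEY: value}} with section and key names
    uppercased and values stripped, so 'SSLCIPHERS= GOV' equals 'sslciphers=GOV'."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().upper()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key outside any section, or not a key=value line
        key, _, value = line.partition("=")
        sections[current][key.strip().upper()] = value.strip()
    return sections


def audit_wfclient(ini: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (vuln_id, message) findings for the [WFClient] section."""
    wf = ini.get("WFCLIENT", {})
    findings: List[Tuple[str, str]] = []

    def val(key: str) -> str:
        return wf.get(key.upper(), "").upper()

    # V-21753: bitmap disk caching must be Off (a missing key is also a finding).
    if val("PersistentCacheEnabled") != "OFF":
        findings.append(("V-21753",
                         f"PersistentCacheEnabled is {wf.get('PERSISTENTCACHEENABLED', '<missing>')!r}, expected Off"))

    # V-21757: all three SSL/TLS parameters must be present with the expected value.
    required = {"SSLCIPHERS": "GOV", "SECURECHANNELPROTOCOL": "TLS", "SSLENABLE": "ON"}
    for key, expected in required.items():
        if val(key) != expected:
            findings.append(("V-21757", f"{key} is {wf.get(key, '<missing>')!r}, expected {expected}"))

    # V-21762: either pass-through entry set to On is a finding.
    for key in ("EnableSSOnThruICAFile", "SSOnUserSetting"):
        if val(key) == "ON":
            findings.append(("V-21762", f"{key}=On present; smart-card pass-through must be disabled"))
    return findings


def main(argv: List[str]) -> int:
    # Usage: python audit_appsrv.py [path\to\Appsrv.ini]; with no path the sample is audited.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_APPSRV_INI
    findings = audit_wfclient(parse_ini(text))
    for vuln_id, msg in findings:
        print(f"FINDING {vuln_id}: {msg}")
    print("no findings" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports findings for V-21753 and V-21762 and exits non-zero; pointed at a real user-level Appsrv.ini it reports only what the three checks above would flag, so a fully compliant file produces no findings.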

Fix: F-18638r2_fix

Disable smart-card pass thru authentication.

Enable Smart Card for ICA Program Neighborhood Agents.
Medium - V-21763 - SV-24316r1_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-160
  • Vuln IDs: V-21763
  • Rule IDs: SV-24316r1_rule

Discussion: Two-factor authentication identifies users using two distinctive factors--something they have and something they know or something they are. Requiring two different forms of electronic identification reduces the risk of fraud. Something a user has can be a physical device sometimes referred to as a token. Token options include smart-tokens, smart cards, and password generation tokens. Smart cards may be enabled within the Citrix XenApp Server environment. Smart cards are small plastic cards with embedded computer chips. Within the DoD environment, this would be the Common Access Card (CAC). Smart cards authenticate users to networks and computers, secure channel communications over a network, and use digital signatures for signing content. With smart cards, a user’s private key is securely stored within the smart card and never leaves the card. Using the onboard processor, all cryptographic functions, including digital signatures and decryption of session keys, occur inside the card. Smart cards will be used for authentication when users access applications and content published on servers. In addition, Citrix supports two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor), known only to the user, is employed to prove that the cardholder is the rightful owner of the smart card.
Responsibility: Information Assurance Officer
IA Controls: IAIA-1, IAIA-2
Checks: C-26015r1_chk

Enabling smart card support for Program Neighborhood Agent is done through the Web Interface. On the XenApp Server, perform the following:
1. Select Start > All Programs > Citrix > Management Consoles > Access Management Console.
2. Navigate to Citrix Resources > Configuration Tools > Web Interface > (PNAgent Website Name).
3. Right-click on the config.xml and select Change Authentication Methods.
4. Verify that “Smart Card” is checked. If it is not, this is a finding.

Fix: F-18688r1_fix

Enable Smart Card for ICA Program Neighborhood Agents.

Use TLS for all communications between the Program Neighborhood Agent and the Web server.
Medium - V-21764 - SV-24317r1_rule
  • RMF Control:
  • Severity: Medium
  • CCI:
  • Version: SRC-CTX-170
  • Vuln IDs: V-21764
  • Rule IDs: SV-24317r1_rule

Discussion: Unencrypted XenApp client to server sessions do not protect the information transmitted from being read or viewed by anyone. Unencrypted sessions are vulnerable to a number of attacks, including man-in-the-middle attacks, TCP hijacking, and replay. Smart card logon and TLS-secured communications between the client and the server running the Web Interface are not enabled by default. TLS may be enabled by forcing URLs to apply the HTTPS protocol automatically. The XenApp server must have TLS configured as well for it to work.
Responsibility: Information Assurance Officer
IA Controls: ECCT-1, ECCT-2
Checks: C-26016r1_chk

To verify that the TLS protocol is configured, perform the following on the XenApp server:
1. Select Start > All Programs > Citrix > Management Consoles > Access Management Console.
2. Navigate to Citrix Resources > Configuration Tools > Web Interface > (PNAgent Website Name).
3. Right-click on the config.xml and select Manage Server Settings.
4. Verify that “Use SSL/TLS for communications between clients and the Web server” is checked. If it is, this is a finding.

Fix: F-22554r1_fix

Use TLS for all communications between the Program Neighborhood Agent and the Web server.

Disable the option to change server URLs.
Low - V-21765 - SV-24318r1_rule
  • RMF Control:
  • Severity: Low
  • CCI:
  • Version: SRC-CTX-180
  • Vuln IDs: V-21765
  • Rule IDs: SV-24318r1_rule

Discussion: Users may inadvertently change the URL to the XenApp server and not be able to access published applications. To prevent users from changing the server URL, disable the option or hide the server tab entirely.
Responsibility: Information Assurance Officer
IA Controls: ECSC-1
Checks: C-26017r1_chk

On the XenApp Server, perform the following:
1. Select Start > All Programs > Citrix > Management Consoles > Access Management Console.
2. Navigate to Citrix Resources > Configuration Tools > Web Interface > (PNAgent Website Name).
3. Right-click on the config.xml and select Manage Server Settings.
4. Verify that “Allow users to customize the server URL” is unchecked. If it is, this is a finding.

Fix: F-18690r1_fix

Disable the option to change server URLs.