Remote XenApp, ICA, and Thin Client STIG

Details

Version / Release: V2R7

Published: 2012-01-10

Updated At: 2018-09-23 12:37:01

Findings
Columns: Rule | Version | Severity | Title | Description (descriptions are truncated as on the source page)

Rule: SV-24276r3_rule | Version: SRC-CTX-080 | Severity: MEDIUM
Title: Configure all Program Neighborhood clients with specific FQDN of the XenApp servers in the Address List.
Description: By default no servers or IP addresses are specified in the Address List box of the client. A primary requirement for the use of TLS/SSL from the Citrix Program Neighborhood client is that users must connect using the Fully Qualified Domain Name (FQDN) of

Rule: SV-24279r2_rule | Version: SRC-CTX-090 | Severity: HIGH
Title: Disable Client drive mappings on all Program Neighborhood clients.
Description: Client drive mappings are built into the standard device redirection facilities of the Citrix XenApp Server. The client drives appear as client network objects in Windows. The client’s disk drives are displayed as shared folders with mapped drive letter

Rule: SV-24286r1_rule | Version: SRC-CTX-100 | Severity: HIGH
Title: Disable Clipboard mapping on all Program Neighborhood clients.
Description: The clipboard mapping allows the XenApp server to copy or paste from its clipboard to the client machine. The clipboard mapping allows any type of data to be written to the client drive. If the XenApp server has malicious code on the server, a client work

Rule: SV-24290r1_rule | Version: SRC-CTX-110 | Severity: LOW
Title: Disable Bitmap Disk Caching.
Description: Bitmap disk cache stores graphic representations consisting of rows and columns of dots in computer memory. The value of each dot is stored in one or more bits of data. Bitmap disk caching is used as a performance measure for clients connecting over slow

Rule: SV-24296r2_rule | Version: SRC-CTX-120 | Severity: MEDIUM
Title: Configure SSL/TLS+HTTPS for the ICA client.
Description: Unencrypted XenApp client to server sessions do not protect the information transmitted from being read or viewed by anyone. Unencrypted sessions are vulnerable to a number of attacks to include man-in-the-middle attacks, TCP Hijacking, and replay. SSL/TL

Rule: SV-24299r1_rule | Version: SRC-CTX-130 | Severity: MEDIUM
Title: Upgrade Program Neighborhood clients to the required minimum version.
Description: Minor Citrix client software versions could potentially be used to an attacker’s advantage. Citrix Security Bulletin CTX116227 states that “under some circumstances, the Citrix Presentation Server Client for Windows may leave residual information in t

Rule: SV-24311r1_rule | Version: SRC-CTX-140 | Severity: MEDIUM
Title: Enable Smart Card for ICA Program Neighborhood clients.
Description: Two-factor authentication identifies users using two distinctive factors: something they have and something they know or something they are. Requiring two different forms of electronic identification reduces the risk of fraud. A physical device or token c

Rule: SV-24315r1_rule | Version: SRC-CTX-150 | Severity: MEDIUM
Title: Disable smart-card pass thru authentication.
Description: When a user selects an application on a Web Interface server, a file is sent to the browser. This file can contain a setting that instructs the client to send the user’s workstation credentials to the server. By default, the client does not honor this s

Rule: SV-24316r1_rule | Version: SRC-CTX-160 | Severity: MEDIUM
Title: Enable Smart Card for ICA Program Neighborhood Agents.
Description: Two-factor authentication identifies users using two distinctive factors: something they have and something they know or something they are. Requiring two different forms of electronic identification reduces the risk of fraud. Something a user has can be

Rule: SV-24317r1_rule | Version: SRC-CTX-170 | Severity: MEDIUM
Title: Use TLS for all communications between the Program Neighborhood Agent and the Web server.
Description: Unencrypted XenApp client to server sessions do not protect the information transmitted from being read or viewed by anyone. Unencrypted sessions are vulnerable to a number of attacks to include man-in-the-middle attacks, TCP Hijacking, and replay. Smart

Rule: SV-24318r1_rule | Version: SRC-CTX-180 | Severity: LOW
Title: Disable the option to change server URLs.
Description: Users may inadvertently change the URL to the XenApp server and not be able to access published applications. To prevent users from changing the server URL, disable the option or hide the server tab entirely.
Responsibility: Information Assurance Officer | IA Controls: ECSC-1