SYN 220: XenApp and XenDesktop Security Best Practices


1 © 2016 Citrix

2 © 2016 Citrix

3 © 2016 Citrix

We want to share with you why focusing on security is a great opportunity for your business, help our customers gain competitive differentiation through security, and provide technical best practices you can incorporate into security-based assessments and designs.

This is a technical session with a lot of detailed information, such as registry entries and PowerShell commands, which is provided for you in the notes.

4 © 2016 Citrix

2015 was the world's wake-up call. Arguably the alarm has been going off since at least 2005, but there has been more visibility in the last three years, due to the Snowden effect and an uptick in attacks.

In the last decade there have been many high-visibility breaches, such as:

TJ Maxx | Adobe | Home Depot | Sony | Heartland | Apple | Anthem | Target | OPM | Ashley Madison

• Billions of dollars are spent on security solutions, yet information remains vulnerable

• The volume of data breaches, data loss and theft, and cybercrime has increased, and the expectation is that they will only increase over time

• New threats and attack vectors are emerging every day, whether social engineering, ransomware or denial of service

• No industry sector or vertical is safe: retail, finance, healthcare, education, government, all are targets

5 © 2016 Citrix

We live in a world where attacks can come from anywhere.

The threat actors themselves are more sophisticated and more organized. They collaborate, they are unregulated, and they are profit driven.

Among them are disgruntled insiders, hacktivists, sponsored attackers, professional and amateur hackers, espionage, and sophisticated criminal enterprises.

There is also regulatory pressure.

And there is disruptive technology such as mobile, cloud, and IoT that continuously tests our capability to defend.

These disruptive technologies and trends make our security perimeters more porous.

Data is at rest, in motion, and in use across a complex matrix of endpoints, networks, apps, and storage, and employees are mobile.

You need to prepare for conversations in your accounts that address security across this matrix.

6 © 2016 Citrix

This is our opportunity

Two-thirds of organizations say they are increasing their security spend. And in case you are wondering who to talk to: security decision makers have a rising influence on mobility. 80% of security leaders have influence over the mobility budget, including 19% (about 1 in 5) with bottom-line authority and about another third with significant influence.

7 © 2016 Citrix

When we look at security, Citrix maps to five fundamental pillars that enhance IT and security operations to reduce risk.

These pillars are identity and access, network, app, and data security, with monitoring and response.

They are built on a foundation of confidentiality, integrity, and availability.

Each pillar has three key components that map directly to our security portfolio.

I’m going to hand it over to Martin to dive deeper into recommendations on securing identity and privilege.

8 © 2016 Citrix

In security, always expect the worst, and always expect that your defenses will be penetrated. Always ask "And then what?".

It is not a question of "if" your security will be penetrated; the question is "when".

9 © 2016 Citrix

January 2006 – Applying the Principle of Least Privilege to User Accounts on Windows XP

• https://technet.microsoft.com/en-us/library/bb456992.aspx

Question is not “if”, but “when” a security attack will happen

• Role of PoLP is to minimize the impact if account is compromised

10 © 2016 Citrix

When talking about least privilege, most people think about delegated administration, but PoLP should apply to everything – not just administrators, but all user accounts.

11 © 2016 Citrix

12 © 2016 Citrix

While almost everyone understands the reasoning behind PoLP, very few people realize that it should be applied to all types of user accounts. The following example is something we see constantly in the field.

Most customers use groups for publishing (which is good).

13 © 2016 Citrix

But what happens when they need to assign permissions to all users of their Citrix environment? For example, adding users to the local Remote Desktop Users group on the VDAs, or granting the NTFS permissions required for user profiles or folder redirection?

14 © 2016 Citrix

Most of the time they simply use Domain Users or Authenticated Users. Every account in the domain, including test and service accounts, can then log on to the session hosts. This is one of the cases where people do not follow PoLP and do not even know it.

15 © 2016 Citrix

Avoid requiring membership in multiple groups to gain access to the environment. If access requires membership in several groups, not only are you more prone to error when provisioning access, but you are also likely to leave unnecessary privileges behind when you decommission it.

16 © 2016 Citrix

• User should be member of only one group to have access to both published resources as well as required Citrix infrastructure

• Use proper group nesting instead of adding user to two groups

• Proper nesting design helps with de-provisioning of privileges
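The audit and the nesting described on these slides, as an added example (this is not code from the SYN 220 deck or from Citrix). It assumes the Citrix PowerShell SDK on a Controller, the ActiveDirectory module for the nesting part, and WinRM to the VDAs; the group names, host names and the AssociatedUserNames property name are placeholders or recalled from the Broker SDK, so check them against your site.

```powershell
# Added example, not from the SYN 220 deck. Finds "everyone" groups used for
# publishing or for Remote Desktop Users on VDAs, builds the recommended group
# nesting, and swaps a broad group for the umbrella group on a VDA.
# Placeholders: CONTOSO, CTX-* group names, xa-vda-* host names.

$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'Domain Computers')

function Test-BroadPrincipal {
    # True for DOMAIN\Domain Users, NT AUTHORITY\Authenticated Users, etc.
    param([Parameter(Mandatory)][string]$Name)
    $BroadGroups -contains ($Name -split '\\')[-1]
}

function Get-BroadlyPublishedApps {
    # Published applications visible to a broad group. AssociatedUserNames is
    # the Broker SDK property (as I recall it) holding an app's user/group list.
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
    Get-BrokerApplication | ForEach-Object {
        $broad = @($_.AssociatedUserNames | Where-Object { Test-BroadPrincipal $_ })
        if ($broad.Count) {
            [pscustomobject]@{ Application = $_.Name; BroadGroups = ($broad -join ', ') }
        }
    }
}

function Get-RdpGroupMembers {
    # Members of the local Remote Desktop Users group on each VDA, with a Broad flag.
    # 'net localgroup' prints a 6-line header and a trailer line; parse those away.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($vda in $ComputerName) {
        $raw = Invoke-Command -ComputerName $vda -ScriptBlock { net localgroup 'Remote Desktop Users' }
        $raw | Select-Object -Skip 6 |
            Where-Object { $_ -and $_ -notmatch '^The command completed' } |
            ForEach-Object {
                [pscustomobject]@{ VDA = $vda; Member = $_; Broad = (Test-BroadPrincipal $_) }
            }
    }
}

function New-CtxAccessNesting {
    # One umbrella group carries the infrastructure rights (RDP logon, profile and
    # folder-redirection NTFS ACLs). Each app group is nested inside it and is the
    # only group used for publishing. Adding a user to the app group grants
    # everything; removing them from it revokes everything.
    param([string]$Umbrella = 'CTX-Users-All',
          [string[]]$AppGroups = @('CTX-App-Finance', 'CTX-App-HR'))
    Import-Module ActiveDirectory -ErrorAction Stop
    if (-not (Get-ADGroup -Filter "Name -eq '$Umbrella'")) {
        New-ADGroup -Name $Umbrella -GroupScope Global -GroupCategory Security
    }
    foreach ($g in $AppGroups) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
        }
        Add-ADGroupMember -Identity $Umbrella -Members $g
    }
    # Effective membership: every app-group member must be reachable from the umbrella.
    Get-ADGroupMember -Identity $Umbrella -Recursive | Select-Object -ExpandProperty SamAccountName
}

function Repair-RdpGroup {
    # Replace a broad principal with the umbrella group on one VDA.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$Remove,
          [string]$Add = 'CONTOSO\CTX-Users-All')
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Remove, $Add -ScriptBlock {
        param($r, $a)
        net localgroup 'Remote Desktop Users' "$r" /delete | Out-Null
        net localgroup 'Remote Desktop Users' "$a" /add | Out-Null
    }
}

Get-BroadlyPublishedApps | Format-Table -AutoSize
Get-RdpGroupMembers -ComputerName 'xa-vda-01', 'xa-vda-02' | Where-Object Broad | Format-Table -AutoSize
```

Run the two audit calls first; only once the umbrella group carries the NTFS permissions for profiles and redirected folders should you call Repair-RdpGroup, or users will log on and land in temporary profiles.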


20 © 2016 Citrix

This is more of what people

21 © 2016 Citrix

These are the default roles (with the exception of Custom).

22 © 2016 Citrix

This is an ongoing process, not something done only during the initial build: regularly review privileges and remove them when they are no longer necessary.

23 © 2016 Citrix

The principle of least privilege is one way to minimize the impact after a security breach. Another way is proper network segmentation, and Kurt is going to talk about that approach.

Super accounts: instead of creating separate accounts for different roles, a single powerful account is often used for everything, so compromising it compromises every role at once.

24 © 2016 Citrix

• If possible, use machine identities (computer accounts) for authentication rather than user accounts with stored passwords

• Examples: the hypervisor connection and PVS

The principle of least privilege is one way to minimize the impact after a security breach. Another way is proper network segmentation, and Andy is going to talk about that approach.

25 © 2016 Citrix

Recommended implementation steps

• The same principle applies to firewalls, for example: start with an open network, confirm that everything works, then enable the firewall and tighten the rules.

26 © 2016 Citrix

27 © 2016 Citrix

Script

The first thing I want to talk about is secure network zones.

The concept is that sensitive data is wrapped in multiple layers of protection called zones. Each zone has stricter security requirements than the one outside it.

Each zone can contain one or more dedicated networks, and firewalls are used to restrict communication between zones and between networks within a zone.

Confidential data that is transferred between or within zones should always be protected using encryption.

Reference

https://www.atsec.com/downloads/pdf/ISSE_2009-Secure_network_zones-Peter_Wimmer.pdf

28 © 2016 Citrix

Script

The outermost zone is called External and includes devices and networks that are not controlled by the organization. For example, Internet users and partner companies. Rather predictably, the external zone is the least trusted zone in the model.

29 © 2016 Citrix

Script

The second zone is called Presentation and includes the internal client LANs and the networks containing the SBC (XenApp) and VDI machines. This zone is the first one managed by the organization and the most likely to be attacked.

30 © 2016 Citrix

Script

The third zone is called Application and contains the app servers and logic used to process data.

The Application zone also includes the management network, because it needs to communicate with the zones shown in yellow and red on the slide.

31 © 2016 Citrix

Script

The innermost zone is called the Data zone and includes important infrastructure like database servers. This is the most protected zone in the organization.

32 © 2016 Citrix

Script

There is one important rule that you should remember about secure network zones: network traffic can only move between adjacent zones; it cannot jump zones. We do this to prevent sensitive data from being accessed directly from insecure networks.

Based on my experience, most customers do a really good job with the External and Presentation zones but do not do very much with the Application and Data zones. There is a big opportunity here to help customers improve their security.

33 © 2016 Citrix

Script

Let's see how this concept works out for a XenApp / XenDesktop deployment. Each box in this diagram represents a separate network within the relevant zone.

The firewall between the presentation and application zones is configured to ensure that only finance desktops can access the finance app server and only Human Resources desktops can access the HR app server.

The firewall between the application and data zones is configured to ensure that the database servers can only be accessed by the relevant app servers.

34 © 2016 Citrix

Script

This slide shows you how the secure network zone concept maps to the XA and XD control infrastructure.

In this example we have three networks in the Presentation zone, one in Application and one in Data. Remember, it is not possible for the Presentation networks to access the Data network directly.

This diagram also shows important communication flows between each of the infrastructure servers. We’re going to look at each of these flows and talk about why they should be encrypted and how to do it.

Reference

http://support.citrix.com/article/CTX137556s/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf

http://www.basvankaam.com/2014/11/24/the-ultimate-xendesktop-7-x-internals-cheat-sheet/

35 © 2016 Citrix

Script

Why

StoreFront encryption is a priority because, without TLS, user credentials travel over the wire protected only by obfuscation, not encryption. Encryption requires an algorithm and a key; obfuscation requires only the algorithm, so anyone who knows (or reverse engineers) the algorithm can recover the credentials.

How

So how do we encrypt StoreFront traffic?

Install a certificate from your internal CA or from a public CA on the StoreFront servers, and then add the certificate to the HTTPS binding for the site. It is really important that you then disable the HTTP binding; otherwise chances are users (and attackers) will simply bypass the encryption.

36 © 2016 Citrix

Script

Why

I recommend that you implement encryption for the Controller next, because obfuscated credentials are also passed between StoreFront and the Delivery Controllers, and between NetScaler and the Delivery Controllers.

How

All you have to do is install a certificate on the Controller; a certificate from your internal CA is fine because it is only accessed by managed machines.

Once the certificate is installed, run the command shown on the slide.

You can find the certificate thumbprint on the Details tab of the certificate.

To find the GUID of the Citrix Broker Service, use the PowerShell command Get-BrokerController.

Reference

http://support.citrix.com/article/CTX200415

How to create a web server SSL certificate manually -http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx

How to configure a port with an SSL certificate - https://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx

Certreq.exe syntax - https://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx

37 © 2016 Citrix

Script

Once the certificate is installed and the Broker Service has been configured, update StoreFront and NetScaler to use HTTPS for the XML brokers and the Secure Ticket Authority.

Finally, configure the XML service on the Controllers to ignore HTTP requests by setting XmlServicesEnableNonSSL to 0. Do this last: if you flip the switch before StoreFront and NetScaler point at HTTPS, every launch fails.
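The Controller steps from the last two slides, as an added example (not code from the deck or from Citrix). It binds the certificate with netsh, which is a real HTTP.sys command, and then sets XmlServicesEnableNonSSL to 0 as the slide says. Assumptions: the registry key path HKLM\SOFTWARE\Citrix\DesktopServer, the service name CitrixBrokerService, and that the Broker Service GUID has been obtained as described above.

```powershell
# Added example, not from the SYN 220 deck: bind the Controller's certificate to
# the Broker Service's HTTPS port, confirm the binding, then refuse unencrypted
# XML requests. Run elevated on each Controller. Assumptions: the registry key
# path and the service name; the GUID comes from the lookup described above.
param(
    [Parameter(Mandatory)][string]$Thumbprint,        # Details tab of the certificate
    [Parameter(Mandatory)][string]$BrokerServiceGuid   # Citrix Broker Service GUID
)

# Thumbprints copied from certmgr carry spaces and sometimes an invisible BOM.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) { throw "Not a SHA-1 thumbprint: '$Thumbprint'" }

# HTTP.sys accepts a binding to a cert with no private key and then fails every
# handshake, so check the store before binding.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint is not in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# Bind to 0.0.0.0:443 for the Broker Service. This is an HTTP.sys binding,
# not an IIS binding; the Controller does not need IIS for this.
$appId = '{' + $BrokerServiceGuid.Trim('{}') + '}'
& netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint appid=$appId
if ($LASTEXITCODE -ne 0) {
    throw 'netsh http add sslcert failed (is 0.0.0.0:443 already bound? see "netsh http show sslcert")'
}
# Show what HTTP.sys actually recorded: the hash and appid must match the inputs.
& netsh http show sslcert ipport=0.0.0.0:443

# Only after a successful binding, and after StoreFront/NetScaler are on HTTPS,
# close the plaintext door. Value name as given on the slide.
$key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
New-ItemProperty -Path $key -Name 'XmlServicesEnableNonSSL' -PropertyType DWord -Value 0 -Force | Out-Null
Restart-Service -Name 'CitrixBrokerService'

# A plain HTTP request to the XML service must now fail.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
try {
    Invoke-WebRequest -Uri "http://$fqdn/scripts/wpnbr.dll" -Method Post -Body '<NFuseProtocol/>' -UseBasicParsing | Out-Null
    Write-Warning 'Plain HTTP XML request still succeeded; non-SSL is not disabled'
} catch {
    "Plain HTTP XML request rejected on $fqdn, as intended"
}
```

If netsh reports that the port is already bound, remove the stale entry with `netsh http delete sslcert ipport=0.0.0.0:443` and rerun; do not skip to the registry change, or the Controller will be refusing HTTP while not yet serving HTTPS.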

38 © 2016 Citrix

Script

Why

You should encrypt HDX traffic to prevent an attacker who can see the network from watching everything a user does in the session.

With the release of XenApp and XenDesktop 7.6 it is possible to implement FIPS-approved TLS encryption from Receiver to the VDA.

How

To enable TLS encryption you need to add certificates to the VDAs, and then configure the VDAs and the Controllers to use encryption.

We will look at each of these steps in more detail because there are some important things to consider.

Reference

http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html

https://www.citrix.com/blogs/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/

https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/

https://www.citrix.com/blogs/2015/07/13/xenapp-xendesktop-what-crypto-is-my-session-using/

39 © 2016 Citrix

Script

The first step is to deploy certificates to the VDAs.

This is straightforward for dedicated desktops but much harder for pooled desktops, which are reset following a reboot. One solution is to add a wildcard certificate such as *.citrix.com to the master image. The problem is that every VDA then shares the same private key: if any one VDA is compromised, the attacker can impersonate or decrypt traffic to all the others.

A much better option is to use Microsoft Certificate Services to automatically provision a per-machine certificate through group policy auto-enrollment, with a startup script that enables TLS once the certificate is present.

This approach only works for Desktop VDAs. For Server VDAs, the ICA listener starts too early in the boot process, before certificates can be automatically provisioned. This does not stop you implementing encryption for non-provisioned server VDAs, though.

40 © 2016 Citrix

Script

Once you have the certificate installed on the VDA, you need to run a PowerShell script that enables TLS on the VDA. The script accepts a few different parameters.

The SSLMinVersion parameter can be TLS_1.0, TLS_1.1 or TLS_1.2. The script uses TLS_1.0 by default, so set it explicitly if you want a higher floor.

The SSLCipherSuite parameter allows you to select your preferred cipher suites: Government, Commercial or All.

The certificate thumbprint parameter allows you to specify which certificate to use. Most of the time you will not need this parameter, as you will have just one certificate on the VDA.

41 © 2016 Citrix

Script

The last step is to enable encryption on the controller.

There are two PowerShell commands that you need to run on each controller. The first one enables TLS for all delivery groups. You can also enable TLS for individual delivery groups if you wish.

The second PowerShell command changes the address of the VDA in the ICA file from IP address to FQDN so that it matches the name in the certificate.
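The VDA and Controller steps from these three slides, as an added example (not code from the deck or from Citrix), with the checks the slides do not show. Assumptions: the path to Citrix's Enable-VdaSSL.ps1 (it ships on the installation media under Support\Tools\SslSupport), the parameter values TLS_1.2 and GOV as I recall them from the script's help (run Get-Help on it first), and the placeholder Controller name. The Test-TlsEndpoint function at the end also serves the Controller binding from the earlier slide: point it at a Controller on port 443 to confirm that binding.

```powershell
# Added example, not from the SYN 220 deck. Enables TLS on a VDA with the
# Citrix-supplied script, switches the site to TLS and FQDN addressing from a
# Controller, and handshakes with the result the way a client would.
# Assumptions: script path, TLS_1.2 / GOV parameter values, ddc-01 host name.

# ---- On each VDA (elevated), after the certificate has been enrolled ----
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.Subject -like "CN=$fqdn*"
})
# The thumbprint parameter is optional when there is one cert; pass it anyway so
# a leftover wildcard or an expired cert cannot be picked up by accident.
if ($certs.Count -ne 1) { throw "Expected exactly one usable certificate for $fqdn, found $($certs.Count)" }

$EnableVdaSsl = 'D:\Support\Tools\SslSupport\Enable-VdaSSL.ps1'   # installation media
& $EnableVdaSsl -Enable -CertificateThumbPrint $certs[0].Thumbprint `
    -SSLMinVersion 'TLS_1.2' -SSLCipherSuite 'GOV'   # do not accept the TLS_1.0 default

# ---- On one Controller ----
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
# Require TLS on every delivery group's access rules; narrow -DesktopGroupName to scope it.
Get-BrokerAccessPolicyRule -DesktopGroupName '*' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
# Put the VDA's FQDN, not its IP, in the ICA file so it matches the certificate name.
Set-BrokerSite -DnsResolutionEnabled $true

# ---- From any machine that can reach the VDAs and Controllers ----
function Test-TlsEndpoint {
    # Completes a TLS 1.2 handshake, validating chain and name as Receiver would,
    # and reports what was negotiated. Throws on an untrusted or mismatched cert.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Bits     = $ssl.CipherStrength
            Issuer   = $ssl.RemoteCertificate.Issuer
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}
Test-TlsEndpoint -HostName $fqdn                   # the VDA's ICA-over-TLS listener
Test-TlsEndpoint -HostName 'ddc-01.contoso.local'  # the Controller's XML/STA binding
```

A handshake that succeeds with an Issuer you do not recognise is the wildcard-in-the-master-image problem from two slides back showing up again; a handshake that fails on the VDA but not on the Controller usually means the VDA's certificate subject does not match the FQDN that DnsResolutionEnabled now puts in the ICA file.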

42 © 2016 Citrix

Script

Why

The Controller communicates with the hypervisor to create and manage VMs. This includes the initial authentication, during which the username and password of the service account are sent over the wire.

How

To secure the hosting traffic, use TLS for the XenServer and vSphere connections. Make sure that your customers use certificates from a trusted CA rather than the default self-signed vendor certificates; a self-signed certificate cannot be validated against anything, so an attacker in the path could present his own and capture the service account credentials.

If you have Hyper-V, the Controller automatically uses WCF to secure the traffic.

43 © 2016 Citrix

Script

The last network flow we’re going to take a look at is between the Controller and SQL which can include confidential data.

To enable encryption, add a certificate to your SQL Server; a certificate from your internal CA is fine.

Configure the server to accept only encrypted connections: open SQL Server Configuration Manager, select the certificate you want to use in the network configuration properties, and set the Force Encryption flag to Yes. Restart the SQL Server service for the change to take effect.

Reference

https://msdn.microsoft.com/en-us/library/ms191192(v=sql.110).aspx
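A check for the SQL step, as an added example (not code from the deck or from Citrix): run from a Controller, it uses the site's real connection string and asks SQL Server how it sees the session. Get-BrokerDBConnection and sys.dm_exec_connections are real; the only assumption is that the account running the script can open the site database.

```powershell
# Added example, not from the SYN 220 deck: confirm from a Controller that the
# site database forces encryption and that its certificate is trusted here.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-SiteDbEncryptOption {
    # Opens a connection with the given client-side settings and asks SQL Server
    # how it sees this very session. encrypt_option comes back as 'TRUE'/'FALSE'.
    param([bool]$ClientEncrypt, [bool]$TrustServerCertificate)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder((Get-BrokerDBConnection))
    $b.Encrypt = $ClientEncrypt
    $b.TrustServerCertificate = $TrustServerCertificate
    $cn = New-Object System.Data.SqlClient.SqlConnection($b.ConnectionString)
    try {
        $cn.Open()
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme, net_transport ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $rd = $cmd.ExecuteReader()
        [void]$rd.Read()
        [pscustomobject]@{
            Server        = $b.DataSource
            ClientEncrypt = $ClientEncrypt
            Encrypted     = $rd['encrypt_option']
            Auth          = $rd['auth_scheme']
            Transport     = $rd['net_transport']
        }
    } finally { $cn.Dispose() }
}

function Test-SiteDbEncryption {
    # Two checks. (1) A client that does NOT ask for encryption must still get
    # it: that proves Force Encryption = Yes on the server, which is what
    # protects the Controllers' own connections. (2) A client that validates
    # the certificate must be able to connect: that proves the cert chains to a
    # CA this Controller trusts, so nobody on the path can swap in their own.
    $forced = Get-SiteDbEncryptOption -ClientEncrypt $false -TrustServerCertificate $true
    try {
        [void](Get-SiteDbEncryptOption -ClientEncrypt $true -TrustServerCertificate $false)
        $trusted = $true
    } catch {
        Write-Warning "Certificate validation failed: $($_.Exception.Message)"
        $trusted = $false
    }
    [pscustomobject]@{
        Server             = $forced.Server
        ForceEncryptionOn  = ($forced.Encrypted -eq 'TRUE')
        CertificateTrusted = $trusted
        AuthScheme         = $forced.Auth
    }
}

Test-SiteDbEncryption
```

ForceEncryptionOn = False means the Configuration Manager change did not take (usually the service was not restarted); CertificateTrusted = False with ForceEncryptionOn = True means traffic is encrypted but to a server nobody has verified, which is the self-signed-certificate trap from the hypervisor slide in a different place.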

44 © 2016 Citrix

Script

As you can see, all communications are now green and we have TLS between and within 3 zones and 5 networks. Once you’ve confirmed that everything works with encryption enabled, you’re ready to start locking down the traffic between zones and networks using the firewalls.

45 © 2016 Citrix

Script

Most customers keep the default port numbers these days, since good network scanners make a changed port easy to find, but there is a really interesting use case that I want to talk about. By default, many of the FMA services use the same port for different functions. For example, the Broker Service uses port 80 for VDA registrations, XML requests and the SDK. This prevents us from implementing granular firewall rules for each of these functions.

The good news is that you can configure an FMA service to use different port numbers for different functions. From a command prompt, query the service executable to see which options you have.

46 © 2016 Citrix

Script

In this example, I’ve run a command that configures the broker service to use different ports for the VDAs, StoreFront and the SDK.

This allows me to configure the firewalls so that NetScaler is the only machine outside of the server network able to query the XML broker.

Similarly, I can limit VDA port access on the controller to the VDA network and the SDK port to the management network.
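The port split and the firewall scoping from these two slides, as an added example (not the deck's command, and not Citrix code). Assumptions: the BrokerService.exe path, the switch names -VDAPORT, -SDKPORT and -WIPORT as I recall them from "BrokerService.exe /?" (the block prints that help first; adjust to what your version reports), and the placeholder subnets and addresses.

```powershell
# Added example, not from the SYN 220 deck: give each Broker Service function
# its own port, then allow each port only from the network that needs it.
# Assumptions: executable path, switch names (check /? output), subnets.
$Broker = "$env:ProgramFiles\Citrix\Broker\Service\BrokerService.exe"
& $Broker /?                                   # list the switches your version supports

$VdaPort = 8080      # VDA registration
$SdkPort = 8081      # PowerShell SDK / Studio / Director
$XmlPort = 80        # StoreFront and NetScaler XML/STA (443 once the TLS binding is in place)

& $Broker -VDAPORT $VdaPort -SDKPORT $SdkPort -WIPORT $XmlPort
Restart-Service -Name 'CitrixBrokerService'

# One Allow rule per function, scoped by source address. Windows Firewall's
# default inbound action is Block, and an explicit Block rule would override
# these Allows, so do NOT add a "deny everything else" rule on the same ports.
$rules = @(
    @{ Name = 'CTX Broker VDA registration'; Port = $VdaPort; From = @('10.20.0.0/16') }             # VDA network
    @{ Name = 'CTX Broker XML/STA';          Port = $XmlPort; From = @('10.30.1.10', '10.30.1.11') } # NetScaler, StoreFront
    @{ Name = 'CTX Broker SDK';              Port = $SdkPort; From = @('10.40.0.0/24') }             # management network
)
foreach ($r in $rules) {
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $r.From -Action Allow -Profile Domain | Out-Null
}

function Get-BrokerPortExposure {
    # Which remote addresses may reach each broker port, straight from the rules.
    Get-NetFirewallRule -DisplayName 'CTX Broker*' | ForEach-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Port    = $p.LocalPort
            From    = ($a.RemoteAddress -join ', ')
            Enabled = $_.Enabled
        }
    }
}
Get-BrokerPortExposure | Format-Table -AutoSize
```

The other side has to follow: VDAs must register on the new VDA port, StoreFront and NetScaler must be updated to the XML port, and Studio and Director to the SDK port, before the old port-80 allow rule is removed. If TLS is in use, each new port also needs its own `netsh http add sslcert` binding.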

47 © 2016 Citrix

One of the most important principles of security is called defense in depth (also known as the castle approach). The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex, multi-layered defense system than to penetrate a single barrier.

What we are going to do here is look at what an attacker would do, based on a scenario where he has access to one published application.

48 © 2016 Citrix

The attacker has obtained access to the test\temp account with the password "YourCompany123". He found the account by looking for names matching *temp*, *test*, *tst* or anything containing an "_".

App A (Notepad) is published to Domain Users. It is just a simple test application, so why would you bother with a dedicated group for publishing, right?

With the combination of an open test account and an app published to Domain Users, he can establish a session on one of the XenApp servers.
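The defender's version of the attacker's first step, as an added example (not code from the deck): it runs the same name patterns against Active Directory and reports how stale each enabled match is. Assumes the ActiveDirectory module; the stale-days threshold is a placeholder.

```powershell
# Added example, not from the SYN 220 deck: find enabled accounts whose names
# match the patterns an attacker would try, with the signs of an abandoned
# test account (old password, no recent logon, password never expires).
Import-Module ActiveDirectory -ErrorAction Stop

function Find-SuspectTestAccounts {
    param([int]$StaleDays = 90)   # placeholder threshold
    $patterns = @('*temp*', '*test*', '*tst*', '*_*')
    $nameFilter = ($patterns | ForEach-Object { "SamAccountName -like '$_'" }) -join ' -or '
    Get-ADUser -Filter "Enabled -eq 'True' -and ($nameFilter)" `
               -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires, MemberOf |
        ForEach-Object {
            $pwAge = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Account              = $_.SamAccountName
                PasswordAgeDays      = $pwAge
                LastLogonDate        = $_.LastLogonDate
                PasswordNeverExpires = $_.PasswordNeverExpires
                # MemberOf omits the primary group, so Domain Users never shows here;
                # that is exactly why publishing to Domain Users reaches these accounts.
                Groups               = ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
                Stale                = (-not $_.LastLogonDate) -or
                                       ($_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays))
            }
        }
}

# Review, then disable (not delete) the stale ones so the audit trail survives.
Find-SuspectTestAccounts | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Every row this returns is an account that, with the app on the slide published to Domain Users, can already open a session on the XenApp servers; that is the combination the next slides exploit.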

49 © 2016 Citrix

As the next step, he will try to break out of the application and start a command prompt (or Task Manager, etc.) to access the rest of the operating system.

Now, if you believe that standard GPO policies will help you…

50 © 2016 Citrix

Publishing filtering should not be considered a security feature.

51 © 2016 Citrix

…think again. Especially when many applications are published, it is very tough to secure such an environment. Assume that the attacker will always find a way.

The example above bypassed some of the common security policies:

• Restrict access to the C: drive: the attacker reached it through a localhost path instead, because the policy only hides the drive letter in the shell

• Prevent access to the command prompt: PowerShell ISE was not disabled

• Block the file dialog: the Print to PDF dialog provides a file browser instead

So, assuming that you cannot prevent this from happening, what can you do?

52 © 2016 Citrix

Goal: explain that just hiding something does not mean it is secured.

Would you publish an application that is available to all users (Domain Users), is extremely hard to secure (Office) and contains its own scripting engine (Office VBA) on the same server as your payroll application, which is available only to a very limited number of users?


54 © 2016 Citrix

Goal: describe that groups should always be used and assignments to specific users avoided. Also, if possible, avoid anonymous users or shared accounts. This is often a balance between the economic aspect and the security aspect, but from a security perspective it should always be possible to link a user account to a specific person.


56 © 2016 Citrix

57 © 2016 Citrix

58 © 2016 Citrix

DNS tunneling

59 © 2016 Citrix

http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx

AlwaysInstallElevated is equivalent to granting administrative rights: with the policy set in both the machine and user hives, any MSI a user runs is installed as SYSTEM.

We have already taken enough of your time that you could spend securing your environment or selling security-related services to your customers, so it is time to wrap up our presentation.

60 © 2016 Citrix

So to wrap up, we want to leave you with a few actionable takeaways and tools that will help you set up your own security focused services.

61 © 2016 Citrix

https://www.citrix.com/about/legal/security-compliance/common-criteria.html

62 © 2016 Citrix

There are also a number of Microsoft tools to help you analyze customer environments and create a baseline configuration as well as confirm compliance to industry best practices

63 © 2016 Citrix

64 © 2016 Citrix

You might be wondering how much we know about your experience with our products, and what we’re doing to improve product quality and make your experience better.

Our product supportability efforts are the result of paying attention to the issues and concerns you raise when engaging with our Support teams as well as the feedback you provide to our Sales and Consulting groups.

The details you see here speak to some of the work we’ve done already, and where we’re currently focused.

For more details on supportability efforts, visit: www.citrix.com/supportability

65 © 2016 Citrix

66 © 2016 Citrix