When setting up a XenDesktop 7.6 proof of concept (PoC) for any government agency, you must implement several security standards, including Federal Information Processing Standards 140-2 (FIPS 140-2), United States Government Configuration Baseline (USGCB), Security Technical Implementation Guide (STIG), and Common Criteria. Some standards, including FIPS 140, require special versions of Citrix appliances to be compliant.
Consider the following information for a public sector PoC:
- The Virtual Delivery Agent on XenApp 7.6 and XenDesktop 7.6 can natively speak TLS/AES and FIPS without the use of network-level security, such as IPsec, and without the use of separate application components such as SSL Relay. For more information, see http://blogs.citrix.com/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/.
- The FIPS-enabled NetScaler MPX-FIPS appliances are FIPS 140-2 Level 2 compliant and are hardware-ready for Level 3 compliance. The NetScaler appliances offer encrypted and FIPS-secured communication between the following:
  - Citrix Receiver endpoints and the NetScaler appliance
  - The NetScaler appliance and XenApp and/or XenDesktop VDA and StoreFront
  For more information about secure deployments of NetScaler, see http://support.citrix.com/article/CTX129514.
- You must enable the Remote Desktop Session Host Configuration policy "Always prompt for password upon connection" on any public sector PoC. This policy sets a password requirement for remote desktop connections so that users receive two password prompts — one when they log on to StoreFront and one when they open their desktops. For more information about this policy, see http://support.citrix.com/article/CTX138924.
- When changing any USGCB settings that may conflict with a Citrix feature, you must submit a Plan of Actions and Milestones (POA&M) waiver that states why the functionality of the feature outweighs the specific security setting that is in conflict. Examples include:
  - Using a FIPS-compliant algorithm for encryption can cause issues with Citrix Provisioning Services.
  - LAN Manager authentication level: Send NTLMv2 response only can cause issues with the domain and member servers.
  For more information about settings and conflicts, see http://blogs.citrix.com/2012/05/21/usgcb-modifications-with-xendesktop/.
- Government administration lockdown prevents the StoreFront 2.0 Cluster Service feature from adding servers to server groups. The feature is added during installation, but the domain policy removes local administrators. To resolve the issue, add the NT SERVICE\CitrixConfigurationReplication and NT SERVICE\CitrixClusterService accounts to the local Administrators group on both servers. For more information, see http://support.citrix.com/article/CTX138744.
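The group-membership fix above, as an added PowerShell example (not from the Citrix article): it adds the two virtual service accounts to the local Administrators group on each StoreFront server and reports the resulting membership. It assumes PowerShell remoting is enabled and that the server names are placeholders for your own StoreFront servers.

```powershell
# Added example, not Citrix's own code. Server names are placeholders.
$StoreFrontServers = @('SF01-PLACEHOLDER', 'SF02-PLACEHOLDER')
$ServiceAccounts   = @(
    'NT SERVICE\CitrixConfigurationReplication',
    'NT SERVICE\CitrixClusterService'
)

$results = Invoke-Command -ComputerName $StoreFrontServers `
    -ArgumentList (,$ServiceAccounts) -ScriptBlock {
    param([string[]]$Accounts)

    # net localgroup resolves NT SERVICE\ virtual accounts reliably and
    # prints current members one per line; trim to compare names exactly.
    $before = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
    foreach ($acct in $Accounts) {
        if ($before -notcontains $acct) {
            net localgroup Administrators "$acct" /add | Out-Null
        }
    }

    # Re-read membership so the caller sees the post-change state.
    $after = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
    foreach ($acct in $Accounts) {
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Account = $acct
            IsAdmin = ($after -contains $acct)
        }
    }
}

# Any row with IsAdmin = False needs follow-up before the cluster join.
$results | Format-Table Server, Account, IsAdmin -AutoSize
```

If the domain policy enforces Administrators membership through Restricted Groups, the accounts are removed again at the next policy refresh, so they must also be included in that policy rather than only added locally.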
- For STIG compliance for XenApp 7.6 and XenDesktop 7.6, look for the up-to-date guide when it becomes available.
- Set up the PoC as if it will go to production at any moment. As soon as a high-level official tests the PoC, it becomes a production environment.
- Even with a PoC, set up multiple components on multiple servers for redundancy.
- The Configuration Logging database should be a separate database so that Citrix administrators do not have access to it.
- Citrix releases security advisories for each product. You can register for Citrix security advisory notifications by signing in to Citrix.com/support and adding an alert to your profile at Support.citrix.com/profile/watches.
- Secure every connection. If you can secure the connection with TLS, do so.
- The SQL databases should be set up and managed by a different team than the one that sets up the PoC, and the SQL database should be created before the PoC installation starts.
- Follow lockdown guidance from XenApp and XenDesktop Common Criteria security targets, as well as deployment standards for your organization.