Security considerations and best practices
Note:
Your organization may need to meet specific security standards to satisfy regulatory requirements. This document does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult Citrix Trust Center.
Security best practices
Keep all machines in your environment up to date with security patches. One advantage is that you can use thin clients as terminals, which simplifies this task.
Protect all machines in your environment with antivirus software.
Consider using platform-specific anti-malware software.
When installing software, install to provided default paths.
- lf you install software to a file location other than the provided default path, consider adding additional security measures, such as restricted permissions, to your file location.
All network communications should be appropriately secured and encrypted to match your security policy. You can secure all communication using HTTPS. Alternatively, you can secure communication between Microsoft Windows computers using IPSec; refer to your operating system documentation for details about how to do this. In addition, communication between user devices and desktops is secured through Citrix SecureICA, which is configured by default to 128-bit encryption. You can configure SecureICA when you are creating or updating a Delivery Group.
Note:
Citrix SecureICA forms part of the ICA/HDX protocol but it is not a standards-compliant network security protocol like Transport Layer Security (TLS). You can also secure network communications between user devices and desktops using TLS. To configure TLS, see Transport Layer Security (TLS).
Apply Windows best practice for account management. Do not create an account on a template or image before it is duplicated by Machine Creation Services or Provisioning Services. Do not schedule tasks using stored privileged domain accounts. Do not manually create shared Active Directory machine accounts. These practices will help prevent a machine attack from obtaining local persistent account passwords and then using them to log on to MCS/PVS shared images belonging to others.
Firewalls
Protect all machines in your environment with perimeter firewalls, including at enclave boundaries as appropriate.
All machines in your environment should be protected by a personal firewall. When you install core components and VDAs, you can choose to have the ports required for component and feature communication opened automatically if the Windows Firewall Service is detected (even if the firewall is not enabled). You can also choose to manually configure those firewall ports. If you use a different firewall, you must manually configure it.
If you are migrating a conventional environment to this release, you may need to reposition an existing perimeter firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database server in the data center. When this release is used, that perimeter firewall must be placed so that the virtual desktop and user device are on one side, and the database servers and Delivery Controllers in the data center are on the other side. Therefore, consider creating an enclave within your data center to contain the database servers and Controllers. Also consider having protection between the user device and the virtual desktop.
Note:
TCP ports 1494 and 2598 are used for ICA and CGP and are therefore likely to be open at firewalls so that users outside the data center can access them. Citrix recommends that you do not use these ports for anything else, to avoid the possibility of inadvertently leaving administrative interfaces open to attack. Ports 1494 and 2598 are officially registered with the Internet Assigned Number Authority (http://www.iana.org/).
Application security
To prevent non-admin users from performing malicious actions, we recommend that you configure Windows AppLocker rules for installers, applications, executables and scripts on the VDA host and on the local Windows client.
Manage user privileges
Grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of this release is that it is possible to grant a user administrative rights to a desktop without also granting physical control over the computer on which the desktop is stored.
Note the following when planning for desktop privileges:
- By default, when non-privileged users connect to a desktop, they see the time zone of the system running the desktop instead of the time zone of their own user device. For information on how to allow users to see their local time when using desktops, see the Manage Delivery Groups article.
- A user who is an administrator on a desktop has full control over that desktop. If a desktop is a pooled desktop rather than a dedicated desktop, the user must be trusted in respect of all other users of that desktop, including future users. All users of the desktop need to be aware of the potential permanent risk to their data security posed by this situation. This consideration does not apply to dedicated desktops, which have only a single user; that user should not be an administrator on any other desktop.
- A user who is an administrator on a desktop can generally install software on that desktop, including potentially malicious software. The user can also potentially monitor or control traffic on any network connected to the desktop.
Manage logon rights
Logon rights are required for both user accounts and computer accounts. As with Microsoft Windows privileges, logon rights continue to be applied to desktops in the usual way: configure logon rights through User Rights Assignment and group memberships through Group Policy.
The Windows logon rights are: log on locally, log on through Remote Desktop Services, log on over the network (access this computer from the network), log on as a batch job, and log on as a service.
For computer accounts, grant computers only the logon rights they require. The logon right “Access this computer from the network” is required:
- At VDAs, for the computer accounts of Delivery Controllers
- At Delivery Controllers, for the computer accounts of VDAs. See Active Directory OU-based Controller discovery.
- At StoreFront servers, for the computer accounts of other servers in the same StoreFront server group
For user accounts, grant users only the logon rights they require.
According to Microsoft, by default the group Remote Desktop Users is granted the logon right “Allow log on through Remote Desktop Services” (except on domain controllers).
Your organization’s security policy may state explicitly that this group should be removed from that logon right. Consider the following approach:
- The Virtual Delivery Agent (VDA) for Multi-session OS uses Microsoft Remote Desktop Services. You can configure the Remote Desktop Users group as a restricted group, and control membership of the group via Active Directory group policies. Refer to Microsoft documentation for more information.
- For other components of Citrix Virtual Apps and Desktops, including the VDA for Single-session OS, the group Remote Desktop Users is not required. So, for those components, the group Remote Desktop Users does not require the logon right “Allow log on through Remote Desktop Services”; you can remove it. Additionally:
- If you administer those computers via Remote Desktop Services, ensure that all such administrators are already members of the Administrators group.
- If you do not administer those computers via Remote Desktop Services, consider disabling Remote Desktop Services itself on those computers.
Although it is possible to add users and groups to the login right “Deny logon through Remote Desktop Services”, the use of deny logon rights is not generally recommended. Refer to Microsoft documentation for more information.
Configure user rights
Delivery Controller installation creates the following Windows services:
- Citrix AD Identity Service (NT SERVICE\CitrixADIdentityService): Manages Microsoft Active Directory computer accounts for VMs.
- Citrix Analytics (NT SERVICE\CitrixAnalytics): Collects site configuration usage information for use by Citrix, if this collection been approved by the site administrator. It then submits this information to Citrix, to help improve the product.
- Citrix App Library (NT SERVICE\CitrixAppLibrary): Supports management and provisioning of AppDisks, AppDNA integration, and management of App-V.
- Citrix Broker Service (NT SERVICE\CitrixBrokerService): Selects the virtual desktops or applications that are available to users.
- Citrix Configuration Logging Service (NT SERVICE\CitrixConfigurationLogging): Records all configuration changes and other state changes made by administrators to the site.
- Citrix Configuration Service (NT SERVICE\CitrixConfigurationService): Site-wide repository for shared configuration.
- Citrix Delegated Administration Service (NT SERVICE\CitrixDelegatedAdmin): Manages the permissions granted to administrators.
- Citrix Environment Test Service (NT SERVICE\CitrixEnvTest): Manages self-tests of the other Delivery Controller services.
- Citrix Host Service (NT SERVICE\CitrixHostService): Stores information about the hypervisor infrastructures used in a Citrix Virtual Apps or Citrix Virtual Desktops deployment, and also offers functionality used by the console to enumerate resources in a hypervisor pool.
- Citrix Machine Creation Services (NT SERVICE\CitrixMachineCreationService): Orchestrates the creation of desktop VMs.
- Citrix Monitor Service (NT SERVICE\CitrixMonitor): Collects metrics for Citrix Virtual Apps or Citrix Virtual Desktops, stores historical information, and provides a query interface for troubleshooting and reporting tools.
- Citrix Storefront Service (NT SERVICE\ CitrixStorefront): Supports management of StoreFront. (It is not part of the StoreFront component itself.)
- Citrix Storefront Privileged Administration Service (NT SERVICE\CitrixPrivilegedService): Supports privileged management operations of StoreFront. (It is not part of the StoreFront component itself.)
- Citrix Config Synchronizer Service (NT SERVICE\CitrixConfigSyncService): Propagates configuration data from the main site database to the Local Host Cache.
- Citrix High Availability Service (NT SERVICE\CitrixHighAvailabilityService): Selects the virtual desktops or applications that are available to users, when the main site database is unavailable.
Delivery Controller installation also creates the following Windows services. These are also created when installed with other Citrix components:
- Citrix Diagnostic Facility COM Server (NT SERVICE\CdfSvc): Supports the collection of diagnostic information for use by Citrix Support.
- Citrix Telemetry Service (NT SERVICE\CitrixTelemetryService): Collects diagnostic information for analysis by Citrix, such that the analysis results and recommendations can be viewed by administrators to help diagnose issues with the site.
Delivery Controller installation also creates the following Windows service. This is not currently used. If it has been enabled, disable it.
- Citrix Remote Broker Provider (NT SERVICE\XaXdCloudProxy)
Delivery Controller installation also creates these following Windows services. These are not currently used, but must be enabled. Do not disable them.
- Citrix Orchestration Service (NT SERVICE\CitrixOrchestration)
- Citrix Trust Service (NT SERVICE\CitrixTrust)
Except for the Citrix Storefront Privileged Administration Service, these services are granted the logon right Log on as a service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token. You do not need to change these user rights. These privileges are not used by the Delivery Controller and are automatically disabled.
Configure service settings
Except for the Citrix Storefront Privileged Administration service and the Citrix Telemetry Service, the Delivery Controller Windows services listed above in the Configure user rights section are configured to log on as the NETWORK SERVICE identity. Do not alter these service settings.
The Citrix Config Synchronizer Service needs the NETWORK SERVICE account to belong to the Local Administrator group on the Delivery Controller. This allows Local Host Cache to work correctly.
The Citrix Storefront Privileged Administration service is configured to log on Local System (NT AUTHORITY\SYSTEM). This is required for Delivery Controller StoreFront operations that are not normally available to services (including creating Microsoft IIS sites). Do not alter its service settings.
The Citrix Telemetry Service is configured to log on as its own service-specific identity.
You can disable the Citrix Telemetry Service. Apart from this service, and services that are already disabled, do not disable any other of these Delivery Controller Windows services.
8.3 file names
You can disable 8.3 file names on VDAs. See Microsoft fsutil documentation.
Deployment scenario security implications
Your user environment can contain either user devices that are unmanaged by your organization and completely under the control of the user, or user devices that are managed and administered by your organization. The security considerations for these two environments are generally different.
Managed user devices
Managed user devices are under administrative control; they are either under your own control, or the control of another organization that you trust. You may configure and supply user devices directly to users; alternatively, you may provide terminals on which a single desktop runs in full-screen-only mode. Follow the general security best practices described above for all managed user devices. This release has the advantage that minimal software is required on a user device.
A managed user device can be configured to be used in full-screen-only mode or in window mode:
- Full-screen-only mode: Users log on to it with the usual Log On To Windows screen. The same user credentials are then used to log on automatically to this release.
- Users see their desktop in a window: Users first log on to the user device, then log on to this release through a web site supplied with the release.
Unmanaged user devices
User devices that are not managed and administered by a trusted organization cannot be assumed to be under administrative control. For example, you might permit users to obtain and configure their own devices, but users might not follow the general security best practices described above. This release has the advantage that it is possible to deliver desktops securely to unmanaged user devices. These devices should still have basic antivirus protection that will defeat keylogger and similar input attacks.
Data storage considerations
When using this release, you can prevent users from storing data on user devices that are under their physical control. However, you must still consider the implications of users storing data on desktops. It is not good practice for users to store data on desktops; data should be held on file servers, database servers, or other repositories where it can be appropriately protected.
Your desktop environment may consist of various types of desktops, such as pooled and dedicated desktops. Users should never store data on desktops that are shared amongst users, such as pooled desktops. If users store data on dedicated desktops, that data should be removed if the desktop is later made available to other users.
Mixed-version environments
Mixed-version environments are inevitable during some upgrades. Follow best-practice and minimize the time that Citrix components of different versions co-exist. In mixed-version environments, security policy, for example, may not be uniformly enforced.
Note:
This is typical of other software products; the use of an earlier version of Active Directory only partially enforces Group Policy with later versions of Windows.
The following scenario describes a security issue that can occur in a specific mixed-version Citrix environment. When Citrix Receiver 1.7 is used to connect to a virtual desktop running the VDA in XenApp and XenDesktop 7.6 Feature Pack 2, the policy setting Allow file transfer between desktop and client is enabled in the Site but cannot be disabled by a Delivery Controller running XenApp and XenDesktop 7.1. It does not recognize the policy setting, which was released in the later version of the product. This policy setting allows users to upload and download files to their virtual desktop, which is the security issue. To work around this, upgrade the Delivery Controller (or a standalone instance of Studio) to version 7.6 Feature Pack 2 and then use Group Policy to disable the policy setting. Alternatively, use local policy on all affected virtual desktops.
Remote PC Access security considerations
Remote PC Access implements the following security features:
- Smart card use is supported.
- When a remote session connects, the office PC’s monitor appears as blank.
- Remote PC Access redirects all keyboard and mouse input to the remote session, except CTRL+ALT+DEL and USB-enabled smart cards and biometric devices.
- SmoothRoaming is supported for a single user only.
- When a user has a remote session connected to an office PC, only that user can resume local access of the office PC. To resume local access, the user presses Ctrl-Alt-Del on the local PC and then logs on with the same credentials used by the remote session. The user can also resume local access by inserting a smart card or leveraging biometrics, if your system has appropriate third-party Credential Provider integration. This default behavior can be overridden by enabling Fast User Switching via Group Policy Objects (GPOs) or by editing the registry.
Note:
Citrix recommends that you do not assign VDA administrator privileges to general session users.
Automatic assignments
By default, Remote PC Access supports automatic assignment of multiple users to a VDA. In XenDesktop 5.6 Feature Pack 1, administrators could override this behavior using the RemotePCAccess.ps1 PowerShell script. This release uses a registry entry to allow or prohibit multiple automatic remote PC assignments; this setting applies to the entire Site.
Caution:
Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
To restrict automatic assignments to a single user:
On each Controller in the Site, set the following registry entry:
HKEY\_LOCAL\_MACHINE\Software\Citrix|DesktopServer
Name: AllowMultipleRemotePCAssignments
Type: REG_DWORD
Data: 0 = Disable multiple user assignment, 1 = (Default) Enable multiple user assignment.
If there are any existing user assignments, remove them using SDK commands for the VDA to subsequently be eligible for a single automatic assignment.
- Remove all assigned users from the VDA:
$machine.AssociatedUserNames | %{ Remove-BrokerUser-Name $_ -Machine $machine
- Remove the VDA from the Delivery Group:
$machine | Remove-BrokerMachine -DesktopGroup $desktopGroup
Restart the physical office PC.
Security Keys
You can use Security Keys to ensure that only authorized StoreFront servers and Citrix Gateway appliances are able to connect to DaaS via the cloud connectors. This is especially important if you have enabled XML trust.
StoreFront
Client access is normally provided by deploying Citrix StoreFront. For more information on StoreFront security, see StoreFront documentation.
Connecting to Delivery Controllers using HTTPS
It is recommended that you encrypt connections from StoreFront to the delivery controller using HTTPS. This requires that you have enabled Enable HTTPS on Delivery Controllers. To configure StoreFront to connect using HTTPS, see Add resource feeds for Citrix Desktops as a Service and Add Citrix Gateway appliance. Alternatively you can configure Windows to secure communication between the servers using IPSec.
XML trust
By default, when StoreFront connects to the delivery controller for actions such as enumeration and launch, StoreFront must pass through the user’s Active Directory credentials so that DaaS can authenticate the user and check the user’s group membership. However when using other authentication methods such as domain pass-through, smart cards or SAML, StoreFront does not have the active directory password. In this case you must enable “XML Trust”. With XML trust enabled, CVAD allows StoreFront to perform actions on behalf of a user such as enumerating and launching applications without validating the user’s password. Before enabling XML trust, use Security Keys or another mechanism such as firewalls or IPsec to ensure that only trusted StoreFront servers are able to connect to the Cloud Connectors.
Use the Citrix Virtual Apps and Desktops PowerShell SDK to check, enable, or disable the XML trust setting.
- To check the XML trust setting’s current value, run
Get-BrokerSite
and inspect the value ofTrustRequestsSentToTheXMLServicePort
. - To enable or disable XML trust, run
Set-BrokerSite
with parameterTrustRequestsSentToTheXmlServicePort
.
NetScaler gateway
You can use an on-premise NetScaler gateway HDX proxy functionality to provide remote access to resources. The Gateway must be able to reach the delivery controller to redeem STA tickets. It is recommended you use HTTPS, see Enable HTTPS on Delivery Controllers and Configuring the Secure Ticket Authority on NetScaler Gateway.
If you have enabled Security keys then you must configure the gateway to include the keys.