Secure your StoreFront deployment
This article highlights areas that may have an impact on system security when deploying and configuring StoreFront.
Communication between end users and StoreFront
Citrix recommends securing communications between users’ devices and StoreFront using HTTPS. This ensures that passwords and other data sent between the client and StoreFront are encrypted. Furthermore, plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.
Depending on your configuration, users may access StoreFront via a gateway or load balancer. You can terminate the HTTPS connection at the gateway or load balancer. However, in this case Citrix still recommends that you secure connections between the gateway or load balancer and StoreFront using HTTPS.
To enable HTTPS, disable HTTP and enable HSTS, see Securing StoreFront with HTTPS.
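The following is an added example, not code from the Citrix article or the StoreFront product. It enables HSTS on the IIS site that hosts StoreFront using the native site-level hsts element available in IIS 10.0 version 1709 and later, and redirects any plain-HTTP request to HTTPS. The site name 'Default Web Site' is an assumption; adjust it to the site you created for StoreFront.

```powershell
# Added example (not Citrix's code). Run elevated on the StoreFront server.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'   # assumed site name
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$HstsFilter = "system.applicationHost/sites/site[@name='$SiteName']/hsts"

# HSTS without an HTTPS binding would lock users out, so check that first.
$httpsBinding = Get-WebBinding -Name $SiteName | Where-Object { $_.protocol -eq 'https' }
if (-not $httpsBinding) {
    throw "Site '$SiteName' has no https binding. Bind a TLS server certificate before enabling HSTS."
}

# Instruct browsers to use HTTPS only for this host (one year, including subdomains).
Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name enabled             -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name 'max-age'           -Value 31536000
Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name includeSubDomains   -Value $true
# Answer HTTP requests with a redirect to HTTPS instead of serving content over HTTP.
Set-WebConfigurationProperty -PSPath $AppHost -Filter $HstsFilter -Name redirectHttpToHttps -Value $true

# Read the settings back so the result can be checked.
Get-WebConfiguration -PSPath $AppHost -Filter $HstsFilter |
    Select-Object enabled, 'max-age', includeSubDomains, redirectHttpToHttps
```

With redirectHttpToHttps the port 80 binding stays in place but only ever redirects. If your policy is to disable HTTP outright, remove the http binding from the site as well; the Strict-Transport-Security header is then only sent on HTTPS responses, which is where browsers honour it anyway.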
StoreFront communications with Citrix Virtual Apps and Desktops servers
Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Citrix Virtual Apps and Desktops delivery controllers. See Install TLS server certificates on Controllers. Alternatively you can configure Windows to secure communication between the servers using IPSec.
You can configure the delivery controller and StoreFront to ensure that only trusted StoreFront servers can communicate with the delivery controller, see Manage security keys.
StoreFront communications with Cloud Connectors
Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Cloud Connectors. See How to Enable SSL on Cloud Connectors to Secure XML Traffic. Alternatively you can configure Windows to secure communication between the servers using IPSec.
Remote access
Citrix does not recommend exposing your StoreFront server directly to the internet. Citrix recommends using a Citrix Gateway to provide authentication and access for remote users.
Microsoft Internet Information Services (IIS) hardening
You can configure StoreFront with a restricted IIS configuration. Note that this is not the default IIS configuration.
You can use request filtering to configure a list of allowed file extensions and disallow unlisted file name extensions. See IIS documentation.
StoreFront requires the following file name extensions:
- . (blank extension)
If download or upgrade of Citrix Workspace app is enabled for a store website, StoreFront also requires these file name extensions:
If Citrix Workspace app for HTML5 is enabled, StoreFront also requires these file name extensions:
You can use request filtering to configure a list of allowed verbs and disallow unlisted verbs. See IIS documentation.
If you ensure that the store name and website name only use ASCII characters, then StoreFront URLs do not contain non-ASCII characters. You can use request filtering to disallow non-ASCII characters. See IIS documentation.
You can remove OS shell MIME Types corresponding to the following file extensions:
See IIS documentation.
By default IIS reports that it is using ASP.NET by adding an X-Powered-By header with value ASP.NET. You can configure IIS to remove this header. See IIS Custom Headers documentation.
By default IIS reports the IIS version by adding a Server header. You can configure IIS to remove this header. See IIS request filtering documentation.
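The request-filtering and header settings described above can be applied from PowerShell. This is an added example written for this page, not Citrix's own code. It assumes the site name 'Default Web Site'. The page lists only the blank extension ('.') among the extensions StoreFront needs; the remaining extensions and the verb list are in the original article's tables, which are not reproduced here, so the extension list below is incomplete and the verb list (GET, POST, HEAD) is an assumption to confirm against the original article. removeServerHeader requires IIS 10.0 version 1709 or later.

```powershell
# Added example (not Citrix's code). Run elevated on the StoreFront server.
Import-Module WebAdministration

$SiteName          = 'Default Web Site'          # assumed site name
$SitePath          = "IIS:\Sites\$SiteName"
$AppHost           = 'MACHINE/WEBROOT/APPHOST'
$AllowedExtensions = @('.')                      # '.' = blank extension; add the others StoreFront needs
$AllowedVerbs      = @('GET', 'POST', 'HEAD')    # assumed; confirm against the original article

# Adds an allow entry to a request-filtering collection unless it is already present,
# so the script can be re-run safely.
function Add-AllowEntry {
    param([string]$Filter, [string]$KeyName, [string]$KeyValue)
    $existing = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name Collection |
                Select-Object -ExpandProperty $KeyName
    if ($KeyValue -notin @($existing)) {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' `
            -Value @{ $KeyName = $KeyValue; allowed = $true }
    }
}

# 1. File-extension allow list: everything not listed is rejected (HTTP 404.7).
$extFilter = 'system.webServer/security/requestFiltering/fileExtensions'
Set-WebConfigurationProperty -PSPath $SitePath -Filter $extFilter -Name allowUnlisted -Value $false
foreach ($ext in $AllowedExtensions) { Add-AllowEntry -Filter $extFilter -KeyName fileExtension -KeyValue $ext }

# 2. Verb allow list: everything not listed is rejected (HTTP 404.6).
$verbFilter = 'system.webServer/security/requestFiltering/verbs'
Set-WebConfigurationProperty -PSPath $SitePath -Filter $verbFilter -Name allowUnlisted -Value $false
foreach ($verb in $AllowedVerbs) { Add-AllowEntry -Filter $verbFilter -KeyName verb -KeyValue $verb }

# 3. Reject URLs containing non-ASCII characters (safe once store and site names are ASCII-only).
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/security/requestFiltering' `
    -Name allowHighBitCharacters -Value $false

# 4. Stop advertising ASP.NET and the IIS version (server-wide settings).
Remove-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{ name = 'X-Powered-By' }
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/security/requestFiltering' `
    -Name removeServerHeader -Value $true

# Read back the request-filtering state for the site.
Get-WebConfiguration -PSPath $SitePath -Filter 'system.webServer/security/requestFiltering' |
    Select-Object allowHighBitCharacters, removeServerHeader
```

Test a store website from a browser after applying the allow lists: a missing extension or verb shows up as an IIS 404.6/404.7 response rather than a StoreFront error, which is the quickest way to spot an entry you forgot to add.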
You can host the StoreFront web sites on a separate partition from the system files. Within IIS you must move the Default Web Site, or create a separate site, on the appropriate partition prior to creating your StoreFront deployment.
For the list of IIS features installed and used by StoreFront, see System Requirements. You can remove other IIS features.
Although StoreFront does not use ISAPI filters directly, the feature is required by ASP.NET so cannot be uninstalled.
StoreFront requires the following Handler Mappings. You can remove other handler mappings.
StoreFront does not require any ISAPI filters. You can remove all ISAPI filters. See IIS ISAPI Filters documentation.
By default IIS servers have the “.NET Authorization Rule” set to Allow All Users. By default, the web site used by StoreFront inherits this configuration.
If you remove or change the .NET Authorization rule at the server level then you must override the rules on the web site used by StoreFront to add an allow rule for “All Users” and remove any other rules.
StoreFront creates a number of application pools. Do not change the application pools used by each IIS application or the identity of each pool. If you are using multiple sites, it is not possible to configure each site to use separate application pools.
Under the Recycling settings, you can set the application pool idle time-out and Virtual Memory Limit. Note that when the “Citrix Receiver for Web” application pool recycles it causes users logged in through a web browser to be logged out, therefore it is set by default to recycle at 02:00 each day to minimize disruption. If you change any of the recycling settings this may result in users being logged off at other times of the day.
- Do not change the IIS Authentication settings. StoreFront manages authentication and configures directories of the StoreFront site with the appropriate authentication settings.
- For the StoreFront server under SSL Settings, do not select Client certificates: Require. StoreFront installation configures the appropriate pages of the StoreFront site with this setting.
- StoreFront requires .NET Trust Level to be set to Full Trust. Do not set the .NET trust level to any other value.
Configure user rights
Microsoft IIS is enabled as part of StoreFront installation. Microsoft IIS grants the logon right Log on as a batch job, and the privilege Impersonate a client after authentication to the built-in group IIS_IUSRS. This is normal Microsoft IIS installation behavior. Do not change these user rights. Refer to Microsoft documentation for details.
When you install StoreFront, its application pools are granted the logon right Log on as a service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token. This is normal installation behavior when application pools are created. The application pools are Citrix Configuration Api, Citrix Delivery Services Resources, Citrix Delivery Services Authentication, and Citrix Receiver for Web.
You do not need to change these user rights. These privileges are not used by StoreFront and are automatically disabled.
StoreFront installation creates the following Windows services:
- Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
- Citrix Cluster Join (NT SERVICE\CitrixClusterService)
- Citrix Peer Resolution (NT SERVICE\Citrix Peer Resolution Service)
- Citrix Credential Wallet (NT SERVICE\CitrixCredentialWallet)
- Citrix Subscriptions Store (NT SERVICE\CitrixSubscriptionsStore)
- Citrix Default Domain Services (NT SERVICE\CitrixDefaultDomainService)
If you configure StoreFront Kerberos constrained delegation for XenApp 6.5, this creates the Citrix StoreFront Protocol Transition service (NT SERVICE\SYSTEM). This service requires a privilege not normally granted to Windows services.
Configure service settings
The StoreFront Windows services listed above in the “Configure user rights” section are configured to log on as the NETWORK SERVICE identity; do not change this configuration. The Citrix StoreFront Protocol Transition service logs on as SYSTEM; do not change this configuration.
Configure group memberships
When you configure a StoreFront server group, the following services are added to the Administrators security group:
- Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
- Citrix Cluster Join (NT SERVICE\CitrixClusterService). This service is only seen on servers which are part of a group, and only runs while the join is in progress.
These group memberships are required for StoreFront to operate correctly, to:
- Create, export, import and delete certificates, and set access permissions on them
- Read and write the Windows registry
- Add and remove Microsoft .NET Framework assemblies in the Global Assembly Cache (GAC)
- Access the folder Program Files\Citrix\<StoreFrontLocation>
- Add, modify, and remove IIS app pool identities and IIS web applications
- Add, modify, and remove local security groups and firewall rules
- Add and remove Windows services and PowerShell snap-ins
- Register Microsoft Windows Communication Framework (WCF) endpoints
In updates to StoreFront, this list of operations might change without notice.
StoreFront installation also creates the following local security groups:
StoreFront maintains the membership of these security groups. They are used for access control within StoreFront, and are not applied to Windows resources such as files and folders. Do not modify these group memberships.
Certificates in StoreFront
Server certificates are used for machine identification and Transport Layer Security (TLS) transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files.
Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.
StoreFront holds a number of certificates in a custom Windows certificate store (Citrix Delivery Services). The Citrix Configuration Replication service, Citrix Credential Wallet service, and Citrix Subscriptions Store service use these certificates. Each StoreFront server in a cluster has a copy of these certificates. These services do not rely on TLS for secure communications, and these certificates are not used as TLS server certificates. These certificates are created when a StoreFront store is created or StoreFront is installed. Do not modify the contents of this Windows certificate store.
StoreFront includes a number of PowerShell scripts (.ps1) in the folder <InstallDirectory>\Scripts. The default StoreFront installation does not use these scripts. They simplify the configuration steps for specific and infrequent tasks. These scripts are signed, allowing StoreFront to support PowerShell execution policy. We recommend the AllSigned policy. (The Restricted policy is not supported, as this prevents PowerShell scripts from executing.) StoreFront does not alter the PowerShell execution policy.
Although StoreFront does not install a code signing certificate in the Trusted Publishers store, Windows can automatically add the code signing certificate there. This happens when the PowerShell script is executed with the Always run option. (If you select the Never run option, the certificate is added to the Untrusted Certificates store, and StoreFront PowerShell scripts will not execute.) Once the code signing certificate has been added to the Trusted Publishers store, its expiration is no longer checked by Windows. You can remove this certificate from the Trusted Publishers store after the StoreFront tasks have been completed.
Disabling legacy TLS versions
Citrix recommends that you disable TLS 1.0 and 1.1 for both client and server communication on the Windows server. You can do this via Group Policy or alternatively via Windows registry settings. See Microsoft documentation.
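The registry route mentioned above, as an added example that is not part of the Citrix article: the SCHANNEL keys below disable TLS 1.0 and TLS 1.1 for both the client and server side of the Windows TLS stack, and a second function reads the state back for auditing. The key paths and value names are the standard SCHANNEL settings; a reboot is required before they take effect.

```powershell
# Added example (not Citrix's code). Run elevated; changes apply after a reboot.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Disables one TLS version for both Client and Server roles:
#   Enabled = 0            -> the protocol is off
#   DisabledByDefault = 1  -> it is also not offered when no explicit protocol list is given
function Disable-LegacyTlsProtocol {
    param([Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol)
    $protocolKey = Join-Path $SchannelProtocols $Protocol
    if (-not (Test-Path $protocolKey)) { New-Item -Path $protocolKey | Out-Null }
    foreach ($role in 'Client', 'Server') {
        $roleKey = Join-Path $protocolKey $role
        if (-not (Test-Path $roleKey)) { New-Item -Path $roleKey | Out-Null }
        New-ItemProperty -Path $roleKey -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $roleKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Reports the configured state of each protocol/role; '(default)' means the OS default applies
# because no explicit value is present.
function Get-TlsProtocolState {
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $roleKey = Join-Path (Join-Path $SchannelProtocols $protocol) $role
            $values  = if (Test-Path $roleKey) { Get-ItemProperty -Path $roleKey } else { $null }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = if ($null -ne $values -and $null -ne $values.Enabled) { $values.Enabled } else { '(default)' }
                DisabledByDefault = if ($null -ne $values -and $null -ne $values.DisabledByDefault) { $values.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

Disable-LegacyTlsProtocol -Protocol 'TLS 1.0'
Disable-LegacyTlsProtocol -Protocol 'TLS 1.1'
Get-TlsProtocolState | Format-Table -AutoSize
```

Before rebooting, confirm that every peer StoreFront talks to (delivery controllers, Cloud Connectors, the gateway) and every Citrix Workspace app version in use supports TLS 1.2, since the Client-side keys also govern the outbound connections StoreFront itself makes.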
StoreFront security separation
If you deploy any web applications in the same web domain (domain name and port) as StoreFront, then any security risks in those web applications could potentially reduce the security of your StoreFront deployment. Where a greater degree of security separation is required, Citrix recommends that you deploy StoreFront in a separate web domain.
ICA file signing
StoreFront provides the option to digitally sign ICA files using a specified certificate on the server so that versions of Citrix Workspace app that support this feature can verify that the file originates from a trusted source. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server, including SHA-1 and SHA-256. For more information, see Enable ICA file signing.
User change password
You can enable users logging on through a web browser with Active Directory domain credentials to change their passwords, either at any time or only when they have expired. However, this exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network. When you create the authentication service, the default configuration prevents users from changing their passwords, even if they have expired. For more information, see Enable users to change their passwords.
To strengthen security, do not write customizations that load content or scripts from servers not under your control. Copy the content or script into the website custom folder where you are making the customizations. If StoreFront is configured for HTTPS connections, ensure that any links to custom content or scripts also use HTTPS.
Security Headers
When viewing a store website through a web browser, StoreFront returns the following security-related headers that place restrictions on the web browser.
- This prevents other sites from embedding StoreFront websites within a frame, which avoids click-jacking attacks. StoreFront uses inline scripts and styles, so it is not possible to use a content-security-policy that blocks these. StoreFront websites only display content configured by administrators and do not display any user-entered content, therefore there is no need to block inline scripts.
- This avoids MIME type sniffing.
- This prevents other sites from embedding StoreFront websites within a frame, which avoids click-jacking attacks. It is obsoleted by
- Used by some browsers to mitigate against XSS (cross-site-scripting) attacks.
StoreFront uses several cookies. Some of the cookies used in the operation of the website are as follows:
- Tracks the user’s session including authentication status. Has
- To prevent session fixation attacks, StoreFront in addition tracks whether the user is authenticated using this cookie. It has
- Used to prevent cross-site request forgery via the standard Cookie-to-header token pattern. The server sets a token in the cookie. The client reads the token from the cookie and includes the token in the query string or a header in subsequent requests. This cookie is required to have
- Identifies the device. Has HttpOnly set. These cookies do not contain any information relating to authentication or other confidential information.
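The cookie attributes described above are easy to verify from a captured response. The following is an added example written for this page, not code from Citrix; it parses Set-Cookie header lines and reports the HttpOnly, Secure and SameSite attributes of each cookie, then flags those that page script could read or that could travel over plain HTTP. The cookie names and values in the sample are constructed and are not the names StoreFront uses.

```powershell
# Added example (not Citrix's code): report security attributes of Set-Cookie headers.
function Get-CookieAttributeReport {
    param([Parameter(Mandatory)][string[]]$SetCookieHeader)
    foreach ($header in $SetCookieHeader) {
        # "name=value; attr; attr=value" -> name plus the list of attributes.
        $parts = @($header -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = @($parts | Select-Object -Skip 1)

        $sameSite = '(not set)'
        foreach ($attr in $attrs) {
            if ($attr -match '^SameSite=(.+)$') { $sameSite = $Matches[1] }
        }

        # -contains is case-insensitive, matching how browsers treat attribute names.
        [pscustomobject]@{
            Cookie   = $name
            HttpOnly = ($attrs -contains 'HttpOnly')
            Secure   = ($attrs -contains 'Secure')
            SameSite = $sameSite
        }
    }
}

# Constructed sample Set-Cookie lines (not captured from a real StoreFront server).
$SampleHeaders = @(
    'ExampleSession=0123abcd; path=/; Secure; HttpOnly',
    'ExampleCsrfToken=4567ef01; path=/; Secure; SameSite=Strict',
    'ExampleDeviceId=89ab2345; path=/; expires=Fri, 01 Jan 2100 00:00:00 GMT; Secure; HttpOnly',
    'ExampleLegacy=cdef6789; path=/'
)

$report = Get-CookieAttributeReport -SetCookieHeader $SampleHeaders
$report | Format-Table -AutoSize

# Anything readable by script or sendable over HTTP deserves a second look. A CSRF token
# cookie is expected to be readable by the client (see the description above); the rest
# should normally carry both flags.
$report | Where-Object { -not $_.HttpOnly -or -not $_.Secure } | ForEach-Object {
    "Review: $($_.Cookie) (HttpOnly=$($_.HttpOnly), Secure=$($_.Secure), SameSite=$($_.SameSite))"
}
```

Feed the function the Set-Cookie lines from a captured logon response to check a real deployment. When a gateway sits in front of StoreFront, remember that the gateway may add or rewrite cookies, so compare a capture taken directly against the StoreFront server with one taken through the gateway before attributing a finding to StoreFront.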
Additional security information
This information may change at any time, without notice.
Your organization may want to perform security scans of StoreFront for regulatory reasons. The preceding configuration options can help to eliminate some findings in security scan reports.
If there is a gateway between the security scanner and StoreFront, particular findings may relate to the gateway rather than to StoreFront itself. Security scan reports usually do not distinguish these findings (for example, TLS configuration). Because of this, technical descriptions in security scan reports can be misleading.