Secure your StoreFront deployment

This article highlights areas that may have an impact on system security when deploying and configuring StoreFront.

Configure Microsoft Internet Information Services (IIS)

You can configure StoreFront with a restricted IIS configuration. Note that this is not the default IIS configuration.

Filename extensions

You can disallow unlisted file name extensions.

StoreFront requires the following file name extensions in Request Filtering:

• . (blank extension)
• .appcache
• .aspx
• .cr
• .css
• .dtd
• .gif
• .htm
• .html
• .ica
• .ico
• .jpg
• .js
• .png
• .svg
• .txt
• .xml

If download or upgrade of Citrix Workspace app is enabled for Citrix Receiver for Web, StoreFront also requires these file name extensions:

• .dmg
• .exe

If Citrix Workspace app for HTML5 is enabled, StoreFront also requires these file name extensions:

• .eot
• .ttf
• .woff

MIME Types

You can remove MIME Types corresponding to the following file types:

• .exe
• .dll
• .com
• .bat
• .csh

Request Filtering

StoreFront requires the following HTTP verbs in Request Filtering. You can disallow unlisted verbs.

• GET
• POST
• HEAD

Other Microsoft IIS settings

StoreFront does not require:

• ISAPI filters
• ISAPI extensions
• CGI programs
• FastCGI programs

Important:

• Do not configure IIS Authorization Rules. StoreFront supports authentication directly, and does not use or support IIS authentication.
• Do not select Client certificates: Require, in the SSL Settings for the StoreFront site. StoreFront installation configures the appropriate pages of the StoreFront site with this setting.
• StoreFront requires cookies. The Use Cookies setting must be selected. Do not select the cookieless/Use URI setting.
• StoreFront requires Full Trust. Do not set the global .NET trust level to High or lower.
• StoreFront does not support a separate application pool for each site. Do not modify these site settings. However, you can set the application pool idle time-out, and the amount of virtual memory an application pool uses.

Configure user rights

Note:

Microsoft IIS is enabled as part of StoreFront installation. Microsoft IIS grants the logon right Log on as a batch job, and the privilege Impersonate a client after authentication to the built-in group IIS_IUSRS. This is normal Microsoft IIS installation behavior. Do not change these user rights. Refer to Microsoft documentation for details.

When you install StoreFront, its application pools are granted the logon right Log on as a service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token. This is normal installation behavior when application pools are created. The application pools are Citrix Configuration Api, Citrix Delivery Services Resources, Citrix Delivery Services Authentication, and Citrix Receiver for Web.

You do not need to change these user rights. These privileges are not used by StoreFront and are automatically disabled.

StoreFront installation creates the following Windows services:

• Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
• Citrix Cluster Join (NT SERVICE\CitrixClusterService)
• Citrix Peer Resolution (NT SERVICE\Citrix Peer Resolution Service)
• Citrix Credential Wallet (NT SERVICE\CitrixCredentialWallet)
• Citrix Subscriptions Store (NT SERVICE\CitrixSubscriptionsStore)
• Citrix Default Domain Services (NT SERVICE\CitrixDefaultDomainService)

If you configure StoreFront Kerberos constrained delegation for XenApp 6.5, this creates the Citrix StoreFront Protocol Transition service (NT SERVICE\SYSTEM). This service requires a privilege not normally granted to Windows services.

Configure service settings

The StoreFront Windows services listed above in the “Configure user rights” section are configured to log on as the NETWORK SERVICE identity; do not change this configuration. The Citrix StoreFront Protocol Transition service logs on as SYSTEM; do not change this configuration.

Configure group memberships

When you configure a StoreFront server group, the following services are added to the Administrators security group:

• Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
• Citrix Cluster Join (NT SERVICE\CitrixClusterService) . This service is only seen on servers which are part of a group, and only runs while the join is in progress.

These group memberships are required for StoreFront to operate correctly, to:

• Create, export, import and delete certificates, and set access permissions on them
• Read and write the Windows registry
• Add and remove Microsoft .NET Framework assemblies in the Global Assembly Cache (GAC)
• Access the folder Program Files\Citrix\<StoreFrontLocation>
• Add, modify, and remove IIS app pool identities and IIS web applications
• Add, modify, and remove local security groups and firewall rules
• Add and remove Windows services and PowerShell snap-ins
• Register Microsoft Windows Communication Framework (WCF) endpoints

In updates to StoreFront, this list of operations might change without notice.

StoreFront installation also creates the following local security groups:

• CitrixClusterMembers
• CitrixCWServiceReadUsers
• CitrixCWServiceWriteUsers
• CitrixDelegatedAuthenticatorUsers
• CitrixDelegatedDirectoryClaimFactoryUsers
• CitrixPNRSUsers
• CitrixStoreFrontPTServiceUsers
• CitrixSubscriptionServerUsers
• CitrixSubscriptionsStoreServiceUsers
• CitrixSubscriptionsSyncUsers

StoreFront maintains the membership of these security groups. They are used for access control within StoreFront, and are not applied to Windows resources such as files and folders. Do not modify these group memberships.

Certificates in StoreFront

Server certificates

Server certificates are used for machine identification and Transport Layer Security (TLS) transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files.

To enable email-based account discovery for users installing Citrix Workspace app on a device for the first time, you must install a valid server certificate on the StoreFront server. The full chain to the root certificate must also be valid. For the best user experience, install a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, where domain is the Microsoft Active Directory domain containing your users’ email accounts. Although you can use a wildcard certificate for the domain containing your users’ email accounts, you must first ensure that the deployment of such certificates is permitted by your corporate security policy. Other certificates for the domain containing your users’ email accounts can also be used, but users will see a certificate warning dialog box when Citrix Workspace app first connects to the StoreFront server. Email-based account discovery cannot be used with any other certificate identities. For more information, see Configure email-based account discovery.

If your users configure their accounts by entering store URLs directly into Citrix Workspace app and do not use email-based account discovery, the certificate on the StoreFront server need only be valid for that server and have a valid chain to the root certificate.

Token management certificates

Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.

Citrix Delivery Services certificates

StoreFront holds a number of certificates in a custom Windows certificate store (Citrix Delivery Services). The Citrix Configuration Replication service, Citrix Credential Wallet service, and Citrix Subscriptions Store service use these certificates. Each StoreFront server in a cluster has a copy of these certificates. These services do not rely on TLS for secure communications, and these certificates are not used as TLS server certificates. These certificates are created when a StoreFront store is created or StoreFront is installed. Do not modify the contents of this Windows certificate store.

Code signing certificates

StoreFront includes a number of PowerShell scripts (.ps1) in the folder in <InstallDirectory>\Scripts. The default StoreFront installation does not use these scripts. They simplify the configuration steps for specific and infrequent tasks. These scripts are signed, allowing StoreFront to support PowerShell execution policy. We recommend the AllSigned policy. (The Restricted policy is not supported, as this prevents PowerShell scripts from executing.) StoreFront does not alter the PowerShell execution policy.

Although StoreFront does not install a code signing certificate in the Trusted Publishers store, Windows can automatically add the code signing certificate there. This happens when the PowerShell script is executed with the Always run option. (If you select the Never run option, the certificate is added to the Untrusted Certificates store, and StoreFront PowerShell scripts will not execute.) Once the code signing certificate has been added to the Trusted Publishers store, its expiration is no longer checked by Windows. You can remove this certificate from the Trusted Publishers store after the StoreFront tasks have been completed.

StoreFront communications with Citrix Virtual Apps servers

In a production environment, Citrix recommends using the Internet Protocol security (IPsec) or HTTPS protocols to secure data passing between StoreFront and your servers. IPsec is a set of standard extensions to the Internet Protocol that provides authenticated and encrypted communications with data integrity and replay protection. Because IPsec is a network-layer protocol set, higher level protocols can use it without modification. HTTPS uses the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to provide strong data encryption.

The SSL Relay can be used to secure data traffic between StoreFront and Citrix Virtual Apps servers. The SSL Relay is a default component of Citrix Virtual Apps that performs host authentication and data encryption.

Citrix recommends that you disable TLS 1.0 and 1.1 support in the Web Server hosting StoreFront. You should enforce this via group policy objects, which create the necessary registry settings on the StoreFront server to disable older protocols like TLS 1.0 and TLS 1.1. See also the Microsoft TLS/SSL Settings reference topic.

Secure User Access to StoreFront using HTTPS

Citrix recommends securing communications between StoreFront and users’ devices using HTTPS. This is because plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. To use HTTPS, StoreFront requires that the Microsoft Internet Information Services (IIS) instance hosting the authentication service and associated stores is configured for HTTPS. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications. Citrix strongly recommends that you do not enable unsecured user connections to StoreFront in a production environment.

If StoreFront is not configured for HTTPS it displays the following warning:

Configure IIS for HTTPS

To configure Microsoft Internet Information Services (IIS) for HTTPS on the StoreFront server:

1. Use the Internet Information Services (IIS) Manager console to import an SSL server certificate.
2. Add an IIS binding over HTTPS (443) to the default web site.

For detailed instructions, see CTX200292.

Configure IIS for HSTS

The user’s client device is vulnerable even after you enable HTTPS on the server side. For example, a man-in-the-middle attacker could spoof the StoreFront server and trick the user into connecting to the spoof server over plain HTTP. They could then get access to sensitive information such as the user’s credentials. The solution is to ensure that the user’s browser doesn’t attempt to access the RfWeb server over HTTP. You can achieve this with the HTTP Strict Transport Security (HSTS).

When HSTS is enabled, the server indicates to web browsers that requests to the web site should only ever be made over HTTPS. If a user attempts to access the URL using HTTP, the browser will automatically switch to using HTTPS instead. This ensures client-side validation of a secure connection as well as the server-side validation in IIS.

The web browser maintains this validation for a configured period.

1. From the Start menu, open Citrix StoreFront.
2. For each store, go to Manage Receiver for Web Sites.
3. For each web site, go to Configure and select the Advanced Settings tab.
4. Tick Enable strict transport security.

5. Optionally change the Strict transport security policy duration setting from its default of 90 days.

   

Note:

Enabling HSTS affects all web sites on the same domain. For example, if the Receiver for Web site is accessible at https://www.company.com/Citrix/StoreWeb, then the HSTS policy will apply to all web sites under https://www.company.com, which may not be desired.

Change StoreFront server base URL from HTTP to HTTPS

If you install and configure Citrix StoreFront without first installing and configuring an SSL certificate, StoreFront uses HTTP for communications.

If you install and configure an SSL certificate at some time later, use the following procedure to ensure StoreFront and its services use HTTPS connections.

1. In the Citrix StoreFront management console, in the left pane select Server Group.
2. In the Actions pane, select Change Base URL.

3. Update the base URL to start https: and click OK.

   

StoreFront security separation

If you deploy any web applications in the same web domain (domain name and port) as StoreFront, then any security risks in those web applications could potentially reduce the security of your StoreFront deployment. Where a greater degree of security separation is required, Citrix recommends that you deploy StoreFront in a separate web domain.

Delivering SaaS and web apps through Storefront

You can securely deliver your web and SaaS applications to users through your StoreFront store. With Citrix Cloud and the Access Control Sync for StoreFront utility, employ enhanced security and web-filtering policies for these apps to protect your users and network from malware and data leaks. Users access their StoreFront store as usual to launch the web and SaaS apps that you have configured in Citrix Cloud. For more information see Access control for SaaS and Web apps in StoreFront.

ICA file signing

StoreFront provides the option to digitally sign ICA files using a specified certificate on the server so that versions of Citrix Workspace app that support this feature can verify that the file originates from a trusted source. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server, including SHA-1 and SHA-256. For more information, see Enable ICA file signing.

User change password

You can enable Receiver for Web site users logging on with Active Directory domain credentials to change their passwords, either at any time or only when they have expired. However, this exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network. When you create the authentication service, the default configuration prevents Receiver for Web site users from changing their passwords, even if they have expired. For more information, see Optimize the user experience.

Customizations

To strengthen security, do not write customizations that load content or scripts from servers not under your control. Copy the content or script into the Citrix Receiver for Web site custom folder where you are making the customizations. If StoreFront is configured for HTTPS connections, ensure that any links to custom content or scripts also use HTTPS.

Additional security information

Note:

This information may change at any time, without notice.

Your organization may want to perform security scans of StoreFront for regulatory reasons. The preceding configuration options can help to eliminate some findings in security scan reports.

If there is a gateway between the security scanner and StoreFront, particular findings may relate to the gateway rather than to StoreFront itself. Security scan reports usually do not distinguish these findings (for example, TLS configuration). Because of this, technical descriptions in security scan reports can be misleading.

When interpreting security scan reports, note the following:

• HTML pages in StoreFront may not include clickjacking protection (by Content Security Policy or X-Frame-Options response headers). However, these HTML pages consist only of static content, and therefore clickjacking attacks are not relevant.

• The version of Microsoft IIS and the use of ASP.NET are visible in HTTP headers. However, this information is already apparent from the presence of StoreFront itself, because it relies on these technologies.

• When launching applications and desktops, StoreFront uses a token to protect against cross-site request forgery (CSRF). This token is sent as a cookie in a response without being marked as Secure or HttpOnly. When later sent in a request, the token is included in the query string of a URL. However, StoreFront does not rely on this mechanism to authenticate HTTP requests.