StoreFront

Secure your StoreFront deployment

This article highlights areas that may have an impact on system security when deploying and configuring StoreFront.

Communication between end users and StoreFront

Citrix recommends securing communications between users’ devices and StoreFront using HTTPS. This ensures that passwords and other data sent between the client and StoreFront are encrypted. Furthermore, plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.

Depending on your configuration, users may access StoreFront via a gateway or load balancer. You can terminate the HTTPS connection at the gateway or load balancer. However in this case Citrix still recommends that you secure connections between the gateway or load-balancer and StoreFront using HTTPS.

To enable HTTPS, disable HTTP and enable HSTS, see Securing StoreFront with HTTPS.

StoreFront communications with Citrix Virtual Apps and Desktops servers

Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Citrix Virtual Apps and Desktops delivery controllers. See Install TLS server certificates on Controllers. Alternatively you can configure Windows to secure communication between the servers using IPSec.

You can configure the delivery controller and StoreFront to ensure that only trusted StoreFront servers can communicate with the delivery controller, see Manage security keys.

StoreFront communications with Cloud Connectors

Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Cloud Connectors. See How to Enable SSL on Cloud Connectors to Secure XML Traffic. Alternatively you can configure Windows to secure communication between the servers using IPSec.

Remote access

Citrix does not recommend exposing your StoreFront server directly to the internet. Citrix recommends using a Citrix Gateway to provide authentication and access for remote users.

Microsoft Internet Information Services (IIS) hardening

You can configure StoreFront with a restricted IIS configuration. Note that this is not the default IIS configuration.

Filename extensions

You can use request filtering to configure a lists of allowed file extensions and disallow unlisted file name extensions. See IIS documentation.

StoreFront requires the following file name extensions:

  • . (blank extension)
  • .appcache
  • .aspx
  • .cr
  • .css
  • .dtd
  • .gif
  • .htm
  • .html
  • .ica
  • .ico
  • .jpg
  • .js
  • .png
  • .svg
  • .txt
  • .xml

If download or upgrade of Citrix Workspace app is enabled for a store website, StoreFront also requires these file name extensions:

  • .dmg
  • .exe

If Citrix Workspace app for HTML5 is enabled, StoreFront also requires these file name extensions:

  • .eot
  • .ttf
  • .woff
  • .wasm

Verbs

You can use request filtering to configure a list of allowed verbs and disallow unlisted verbs. See IIS documentation.

  • GET
  • POST
  • HEAD

Non-Ascii characters in URLs

If you ensure that the store name and website name only use ascii characters then StoreFront URLs do not contain ascii characters. You can use request filtering to disallow non-ascii characters. See IIS documentation.

MIME Types

You can remove OS shell MIME Types corresponding to the following file extensions:

  • .exe
  • .dll
  • .com
  • .bat
  • .csh

See IIS documentation.

Remove X-Powered-By Header

By default IIS reports that it is using ASP.NET by adding a X-Powered-By header with value ASP.NET. You can configure IIS to remove this header. See IIS Custom Headers documentation.

Remove Server header with IIS version

By default IIS reports the IIS version by adding a Server header. You can configure IIS to remove this header. See IIS request filtering documentation.

Move the StoreFront website to a separate partition

You can host the StoreFront web sites on a separate partition from the system files. Within IIS you must move the Default Web Site, or create a separate site, on the appropriate partition prior to creating your StoreFront deployment.

IIS features

For the list of IIS features installed and used by StoreFront, see System Requirements. You can remove other IIS features.

Although StoreFront does not use ISAPI filters directly, the feature is required by ASP.NET so cannot be uninstalled.

Handler Mappings

StoreFront requires the following Handler Mappings. You can remove other handler mappings.

  • ExtensionlessUrlHandler-Integrated-4.0
  • PageHandlerFactory-Integrated-4.0
  • StaticFile

See IIS Handlers Documentation.

ISAPI filters

StoreFront does not require any ISAP filters. You can remove all ISAPI filters. See IIS ISAPI Filters documentation.

.NET Authorization Rules

By default IIS servers have the “.NET Authorization Rule” set to Allow All Users. By default, the web site used by StoreFront inherits this configuration.

If you remove or change the .NET Authorization rule at the server level then you must override the rules on the web site used by StoreFront to add an allow rule for “All Users” and remove any other rules.

Application Pools

StoreFront creates a number of application pools. Do not change the application pools used by each IIS application or the identity of each pool. If you are using multiple sites, it is not possible to configure each site to use separate application pools.

Under the Recycling settings, you can set the application pool idle time-out and Virtual Memory Limit. Note that when the “Citrix Receiver for Web” application pool recycles it causes users logged in through a web browser to be logged out, therefore it is set by default to recycle at 02:00 each day to minimize disruption. If you change any of the recycling settings this may result in users being logged off at other times of the day.

Required settings

  • Do not change the IIS Authentication settings. StoreFront manages authentication and configures directories of the StoreFront site with the appropriate authentication settings.
  • For the StoreFront server under SSL Settings, do not select Client certificates: Require. StoreFront installation configures the appropriate pages of the StoreFront site with this setting.
  • StoreFront requires cookies for session state and other functionality. On certain directories, under Session State, Cookie Settings, Mode must be set to Use Cookies.
  • StoreFront requires .NET Trust Level to be set to Full Trust. Do not set the .NET trust level to any other value.

Configure user rights

Note:

Microsoft IIS is enabled as part of StoreFront installation. Microsoft IIS grants the logon right Log on as a batch job, and the privilege Impersonate a client after authentication to the built-in group IIS_IUSRS. This is normal Microsoft IIS installation behavior. Do not change these user rights. Refer to Microsoft documentation for details.

When you install StoreFront, its application pools are granted the logon right Log on as a service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token. This is normal installation behavior when application pools are created. The application pools are Citrix Configuration Api, Citrix Delivery Services Resources, Citrix Delivery Services Authentication, and Citrix Receiver for Web.

You do not need to change these user rights. These privileges are not used by StoreFront and are automatically disabled.

StoreFront installation creates the following Windows services:

  • Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
  • Citrix Cluster Join (NT SERVICE\CitrixClusterService)
  • Citrix Peer Resolution (NT SERVICE\Citrix Peer Resolution Service)
  • Citrix Credential Wallet (NT SERVICE\CitrixCredentialWallet)
  • Citrix Subscriptions Store (NT SERVICE\CitrixSubscriptionsStore)
  • Citrix Default Domain Services (NT SERVICE\CitrixDefaultDomainService)

If you configure StoreFront Kerberos constrained delegation for XenApp 6.5, this creates the Citrix StoreFront Protocol Transition service (NT SERVICE\SYSTEM). This service requires a privilege not normally granted to Windows services.

Configure service settings

The StoreFront Windows services listed above in the “Configure user rights” section are configured to log on as the NETWORK SERVICE identity; do not change this configuration. The Citrix StoreFront Protocol Transition service logs on as SYSTEM; do not change this configuration.

Configure group memberships

When you configure a StoreFront server group, the following services are added to the Administrators security group:

  • Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
  • Citrix Cluster Join (NT SERVICE\CitrixClusterService) . This service is only seen on servers which are part of a group, and only runs while the join is in progress.

These group memberships are required for StoreFront to operate correctly, to:

  • Create, export, import and delete certificates, and set access permissions on them
  • Read and write the Windows registry
  • Add and remove Microsoft .NET Framework assemblies in the Global Assembly Cache (GAC)
  • Access the folder Program Files\Citrix\<StoreFrontLocation>
  • Add, modify, and remove IIS app pool identities and IIS web applications
  • Add, modify, and remove local security groups and firewall rules
  • Add and remove Windows services and PowerShell snap-ins
  • Register Microsoft Windows Communication Framework (WCF) endpoints

In updates to StoreFront, this list of operations might change without notice.

StoreFront installation also creates the following local security groups:

  • CitrixClusterMembers
  • CitrixCWServiceReadUsers
  • CitrixCWServiceWriteUsers
  • CitrixDelegatedAuthenticatorUsers
  • CitrixDelegatedDirectoryClaimFactoryUsers
  • CitrixPNRSReplicators
  • CitrixPNRSUsers
  • CitrixStoreFrontAdministrators
  • CitrixSubscriptionServerUsers
  • CitrixSubscriptionsStoreServiceUsers
  • CitrixSubscriptionsSyncUsers

StoreFront maintains the membership of these security groups. They are used for access control within StoreFront, and are not applied to Windows resources such as files and folders. Do not modify these group memberships.

Certificates in StoreFront

Server certificates

Server certificates are used for machine identification and Transport Layer Security (TLS) transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files.

For more information see Communication between end users and StoreFront and Ica file signing.

Token management certificates

Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.

Citrix Delivery Services certificates

StoreFront holds a number of certificates in a custom Windows certificate store (Citrix Delivery Services). The Citrix Configuration Replication service, Citrix Credential Wallet service, and Citrix Subscriptions Store service use these certificates. Each StoreFront server in a cluster has a copy of these certificates. These services do not rely on TLS for secure communications, and these certificates are not used as TLS server certificates. These certificates are created when a StoreFront store is created or StoreFront is installed. Do not modify the contents of this Windows certificate store.

Code signing certificates

StoreFront includes a number of PowerShell scripts (.ps1) in the folder in <InstallDirectory>\Scripts. The default StoreFront installation does not use these scripts. They simplify the configuration steps for specific and infrequent tasks. These scripts are signed, allowing StoreFront to support PowerShell execution policy. We recommend the AllSigned policy. (The Restricted policy is not supported, as this prevents PowerShell scripts from executing.) StoreFront does not alter the PowerShell execution policy.

Although StoreFront does not install a code signing certificate in the Trusted Publishers store, Windows can automatically add the code signing certificate there. This happens when the PowerShell script is executed with the Always run option. (If you select the Never run option, the certificate is added to the Untrusted Certificates store, and StoreFront PowerShell scripts will not execute.) Once the code signing certificate has been added to the Trusted Publishers store, its expiration is no longer checked by Windows. You can remove this certificate from the Trusted Publishers store after the StoreFront tasks have been completed.

Disabling legacy TLS versions

Citrix recommends that you disable TLS 1.0 and 1.1 for both client and server communication on the Windows server. You can do this via Group Policy or alternatively via Windows registry settings. See Microsoft documentation.

StoreFront security separation

If you deploy any web applications in the same web domain (domain name and port) as StoreFront, then any security risks in those web applications could potentially reduce the security of your StoreFront deployment. Where a greater degree of security separation is required, Citrix recommends that you deploy StoreFront in a separate web domain.

ICA file signing

StoreFront provides the option to digitally sign ICA files using a specified certificate on the server so that versions of Citrix Workspace app that support this feature can verify that the file originates from a trusted source. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server, including SHA-1 and SHA-256. For more information, see Enable ICA file signing.

User change password

You can enable users logging on through a web browser with Active Directory domain credentials to change their passwords, either at any time or only when they have expired. However, this exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network. When you create the authentication service, the default configuration prevents users from changing their passwords, even if they have expired. For more information, see Enable users to change their passwords.

Customizations

To strengthen security, do not write customizations that load content or scripts from servers not under your control. Copy the content or script into the website custom folder where you are making the customizations. If StoreFront is configured for HTTPS connections, ensure that any links to custom content or scripts also use HTTPS.

Security Headers

When viewing a store website through a web browser, StoreFront returns the following security related headers that place restrictions on the web browser.

Header name Value Description
content-security-policy frame-ancestors 'none' This prevents other sites from embedding a StoreFront websites within a frame which avoids click-jacking attacks. StoreFront uses inline scripts and styles so it is not possible to use a content-security-policy that blocks these. StoreFront websites only display content configured by administrators and do not display any user-entered content, therefore there is no need to block inline scripts.
X-Content-Type-Options nosniff This avoid MIME type sniffing.
X-Frame-Options deny This prevents other sites from embedding StoreFront websites within a frame which avoids click-jacking attacks. It is obsoleted by content-security-policy to frame-ancestors 'none' but is understood by some older browsers that do not support content-security-policy
X-XSS-Protection 1; mode=block Used by some browsers to mitigate against XSS (cross-site-scripting) attacks

Cookies

StoreFront uses several cookies. Some of the cookies used in the operation of the website are as follows:

Cookie Description
ASP.NET_SessionId Tracks the user’s session including authentication status. Has HttpOnly set.
CtxsAuthId To prevent session fixation attacks, StoreFront in addition tracks whether the user is authenticated using this cookie. It has HttpOnly set.
CsrfToken Used to prevent cross-site request forgery via the standard Cookie-to-header token pattern. The server sets a token in the cookie. The client reads the token from the cookie and includes the token in the query string or a header in subsequent requests. This cookie is required to have HttpOnly not set so the client JavaScript can read it.
CtxsDeviceId Identifies the device. Has HttpOnly set.

StoreFront sets a number of other cookies to track user state, some of which need to be read by JavaScript so do not have HttpOnly set. These cookies do not contain any information relating to authentication or other confidential information.

Additional security information

Note:

This information may change at any time, without notice.

Your organization may want to perform security scans of StoreFront for regulatory reasons. The preceding configuration options can help to eliminate some findings in security scan reports.

If there is a gateway between the security scanner and StoreFront, particular findings may relate to the gateway rather than to StoreFront itself. Security scan reports usually do not distinguish these findings (for example, TLS configuration). Because of this, technical descriptions in security scan reports can be misleading.