Security recommendations

Sep 23, 2016

Session Recording is designed to be deployed within a secure network and accessed by administrators, and as such, is secure. Out-of-the-box deployment is designed to be simple, and security features such as digital signing and encryption can be configured optionally.

Communication between Session Recording components is achieved through Internet Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each Session Recording component. MSMQ provides a reliable data transport mechanism for sending recorded session data from the Session Recording Agent to the Session Recording Server.

Consider these security recommendations when planning your deployment:

  • Ensure that you properly isolate the different administrator roles in the corporate network, in the Session Recording system, or on individual machines. Otherwise, security threats that impact system functionality or abuse the system might occur. Citrix recommends that you assign different administrator roles to different persons or accounts, and that you do not allow general session users to have administrator privileges on the VDA system.
    • XenApp and XenDesktop administrators should not grant the VDA local admin role to any users of published apps or desktops. If the local admin role is a requirement, protect the Session Recording Agent components with Windows mechanisms or 3rd-party solutions.
    • Separately assign the Session Recording database administrator and Session Recording policy administrator.
    • Citrix recommends that you do not assign VDA administrator privileges to general session users, especially when using Remote PC Access.
    • The Session Recording Server local administration account must be strictly protected.
    • Control access to machines installed with Session Recording Player. If a user is not authorized as the Player role, do not grant that user local administrator role for any player machine. Disable anonymous access.
    • Citrix recommends using a physical machine as a storage server for Session Recording.
  • Session Recording records session graphics activities without regard to the sensitivity of the data. Under certain circumstances, sensitive data (including but not limited to user credentials, privacy information, and third-party screens) might be recorded unintentionally. Take the following measures to prevent risks:

    • Disable core memory dump for VDA machines unless for specific troubleshooting cases.

To disable core memory dump:

1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab, and then under Startup and Recovery, click Settings.
3. Under Write Debugging Information, select (none).

See the Microsoft article https://support.microsoft.com/en-us/kb/307973.
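
The same setting can be applied without the dialog, which helps when many VDA machines need it. The following PowerShell is an added example, not part of the Citrix documentation; it assumes an elevated session and uses the `CrashControl` registry key behind the Startup and Recovery dialog.

```powershell
# Added example: report and disable memory dumps on a VDA. Run elevated.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
# CrashDumpEnabled values written by the Startup and Recovery dialog
$DumpTypes = @{ 0 = '(none)'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

function Get-DumpSetting {
    $props = Get-ItemProperty -Path $CrashControl
    $value = $props.CrashDumpEnabled
    $type  = if ($null -eq $value) { 'not set' }
             elseif ($DumpTypes.ContainsKey([int]$value)) { $DumpTypes[[int]$value] }
             else { "unknown ($value)" }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        CrashDumpValue = $value
        DumpType       = $type
        # A dump written before the change stays on disk until it is removed
        ExistingDump   = [bool]($props.DumpFile -and (Test-Path -LiteralPath $props.DumpFile))
    }
}

function Disable-MemoryDump {
    $before = Get-DumpSetting
    if ($before.CrashDumpValue -ne 0) {
        # 0 corresponds to "(none)" under Write Debugging Information
        Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 0 -Type DWord
        Write-Warning 'Dump setting changed; restart the machine for it to take effect.'
    }
    Get-DumpSetting
}

Disable-MemoryDump | Format-List
```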

    • Session owners should notify attendees that online meetings and remote assistance software might get recorded if a desktop session is being recorded.

    • Ensure that logon credentials or security information do not appear in any local or Web application published or used inside the corporation; otherwise, they are recorded by Session Recording.

    • Users should close any application that might expose sensitive information before switching to a remote ICA session.

    • We recommend only automatic authentication methods (for example, single sign-on, smartcard) for accessing published desktops or Software as a Service (SaaS) applications.

  • Session Recording relies on certain hardware and hardware infrastructure (for example, corporate network devices, operating system) to function properly and to meet security needs. Take measures at the infrastructure levels to prevent damage or abuse to those infrastructures and make the Session Recording function secure and reliable.
    • Properly protect and keep network infrastructure supporting Session Recording available.
    • Citrix recommends using a 3rd-party security solution or Windows mechanism to protect Session Recording components. Session Recording components include:
      • On Session Recording Server
        • Processes: SsRecStoragemanager.exe and SsRecAnalyticsService.exe
        • Services: CitrixSsRecStorageManager and CitrixSsRecAnalyticsService
        • All files in Session Recording Server installation folder
        • Registry keys at HKLM\Software\Citrix\SmartAuditor\Server
      • On Session Recording Agent
        • Process: SsRecAgent.exe
        • Service: CitrixSmAudAgent
        • All files in Session Recording Agent installation folder
        • Registry keys at HKLM\Software\Citrix\SmartAuditor\Agent
  • Set the access control list (ACL) for Message Queuing (MSMQ) at Session Recording Server to restrict VDA or VDI machines that can send MSMQ data to the Session Recording Server and prevent unauthorized machines from sending data to the Session Recording Server. 

1)  Install the server feature Directory Service Integration on each Session Recording Server and VDA or VDI machine where Session Recording is enabled, and then restart the Message Queuing service.

2)  From the Windows Start menu on each Session Recording Server, open Administrative Tools > Computer Management.

3)  Open Services and Applications > Message Queuing > Private Queues.

4)  Click on the private queue citrixsmauddata to open the Properties page and select the Security tab.

5)   Add the computers or security groups of the VDA machines that will send MSMQ data to this server and grant them Send Message permission.
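
The server-side steps above can also be scripted with the Windows MSMQ PowerShell module. This is an added example, not part of the Citrix documentation; it assumes an elevated session on a Windows Server machine, and `EXAMPLE\SessionRecording-VDAs` is a placeholder for your own group of VDA computer accounts.

```powershell
# Added example: run elevated on each Session Recording Server.
Import-Module MSMQ

# Placeholder: the AD security group that contains your VDA computer accounts
$VdaSenders = 'EXAMPLE\SessionRecording-VDAs'
$QueueName  = 'citrixsmauddata'

# Step 1: Directory Service Integration, then restart Message Queuing
if (-not (Get-WindowsFeature -Name MSMQ-Directory).Installed) {
    Install-WindowsFeature -Name MSMQ-Directory | Out-Null
    Restart-Service -Name MSMQ -Force
}

# Steps 2-4: locate the private queue used for recorded session data
$queue = Get-MsmqQueue -Name $QueueName -QueueType Private
if (-not $queue) { throw "Private queue '$QueueName' not found on $env:COMPUTERNAME" }

# Keep a record of the ACL as it was before the change
Write-Host '--- ACL before ---'
$queue | Get-MsmqQueueACL | Format-Table -AutoSize

# Step 5: "Send Message" in the Security tab is the WriteMessage right
$queue | Set-MsmqQueueACL -UserName $VdaSenders -Allow WriteMessage | Out-Null

# Adding an Allow entry does not remove existing entries: review this
# listing for any other principal that still holds the send right.
Write-Host '--- ACL after ---'
$queue | Get-MsmqQueueACL | Format-Table -AutoSize
```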

  • Properly protect the event log for the Session Recording Server and Session Recording Agents. Citrix recommends leveraging a Windows or 3rd-party remote logging solution to protect the event log or redirect the event log to the remote server.
  • Ensure servers running Session Recording components are physically secure. If possible, lock these computers in a secure room to which only authorized personnel can gain direct access.
  • Isolate servers running Session Recording components on a separate subnet or domain.
  • Protect the recorded session data from users accessing other servers by installing a firewall between the Session Recording Server and other servers.
  • Keep the Session Recording Admin Server and SQL database up to date with the latest security updates from Microsoft.
  • Restrict nonadministrators from logging on to the administration machine.
  • Strictly limit who is authorized to make recording policy changes and view recorded sessions.
  • Install digital certificates, use the Session Recording file signing feature, and set up TLS communications in IIS.
  • Set up MSMQ to use HTTPS as its transport by setting the MSMQ protocol listed in the Session Recording Agent Properties dialog box to HTTPS. For more information, see Troubleshoot MSMQ.
  • Use TLS 1.0 and disable SSLv2, SSLv3, and RC4 cipher on the Session Recording Server and Session Recording Database. For more information, see the Microsoft articles http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 and http://support.microsoft.com/kb/245030/en-us.
  • Use playback protection. Playback protection is a Session Recording feature that encrypts recorded files before they are downloaded to the Session Recording Player. By default, this option is enabled and is in the Session Recording Server Properties.
  • Do not deploy Session Recording on a public cloud such as Amazon Web Services (AWS).
  • Follow NIST guidance for cryptographic key lengths and cryptographic algorithms.

For information about configuring Session Recording features, see http://support.citrix.com/article/CTX200868.
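
The recommendation above to disable SSLv2, SSLv3, and RC4 maps to Schannel registry settings described in the two Microsoft articles. The following PowerShell is an added example, not part of the Citrix documentation; it assumes an elevated session and uses the .NET registry API because the RC4 key names contain a `/`, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example: disable SSL 2.0, SSL 3.0 and RC4 in Schannel. Run elevated.
$Schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Protocols = 'SSL 2.0', 'SSL 3.0'
$Ciphers   = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

# Walk (and, when writable, create) key segments one at a time so that a
# name such as "RC4 128/128" is never split at the slash.
function Open-SchannelKey {
    param([string[]]$Segments, [bool]$Writable)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Schannel, $Writable)
    foreach ($name in $Segments) {
        if (-not $key) { break }
        $next = if ($Writable) { $key.CreateSubKey($name) } else { $key.OpenSubKey($name) }
        $key.Close()
        $key = $next
    }
    $key
}

function Disable-SchannelItem {
    param([string[]]$Segments)
    $key = Open-SchannelKey -Segments $Segments -Writable $true
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelItem {
    param([string[]]$Segments)
    $key = Open-SchannelKey -Segments $Segments -Writable $false
    $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
    if ($key) { $key.Close() }
    # A missing key or value means the operating system default applies
    [pscustomobject]@{ Item = $Segments -join '\'; Enabled = $enabled }
}

$items  = @($Protocols | ForEach-Object { , @('Protocols', $_, 'Server') })
$items += @($Ciphers   | ForEach-Object { , @('Ciphers', $_) })

foreach ($item in $items) { Disable-SchannelItem -Segments $item }
foreach ($item in $items) { Get-SchannelItem -Segments $item }
```

Schannel reads these values at startup, so restart the server after applying them and confirm that the Session Recording components still connect.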