Product Documentation

Security recommendations

Apr 27, 2015

Session Recording is designed to be deployed within a secure network and accessed by administrators, and as such, is secure. Out-of-the-box deployment is designed to be simple and security features such as digital signing and encryption can be configured optionally.

Communication between Session Recording components is achieved through Internet Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each Session Recording component. MSMQ provides a reliable data transport mechanism for sending recorded session data from the Session Recording Agent to the Session Recording Server.

Consider these security recommendations when planning your deployment:

  • Ensure servers running Session Recording components are physically secure. If possible, lock these computers in a secure room to which only authorized personnel can gain direct access.
  • Isolate servers running Session Recording components on a separate subnet or domain.
  • Protect the recorded session data from users accessing other servers by installing a firewall between the Session Recording Server and other servers.
  • Keep the Session Recording Admin Server and SQL database up to date with the latest security updates from Microsoft.
  • Restrict nonadministrators from logging on to the administration machine.
  • Strictly limit who is authorized to make recording policy changes and view recorded sessions.
  • Install digital certificates, use the Session Recording file signing feature, and set up TLS communications in IIS.
  • Set up MSMQ to use HTTPS as its transport by setting the MSMQ protocol listed in the Session Recording Agent Properties dialog box to HTTPS. For more information, see Troubleshoot MSMQ.
  • Use TLS 1.2 and disable SSLv2, SSLv3, and RC4 cipher on the Session Recording Server and Session Recording Database. For more information, see the Microsoft articles http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 and http://support.microsoft.com/kb/245030/en-us.
  • Use playback protection. Playback protection is a Session Recording feature that encrypts recorded files before they are downloaded to the Session Recording Player. By default, this option is enabled and is in the Session Recording Server Properties.
  • Do not deploy Session Recording on a public cloud such as Amazon Web Services (AWS).
  • Follow NSIT guidance for cryptographic key lengths and cryptographic algorithms.

For information about configuring Session Recording features, see http://support.citrix.com/article/CTX200868.

Install certificates

On the computer on which the Session Recording Server is installed, the IIS Web server sends its server certificate to the client when establishing a TLS connection from the Session Recording Agent, Session Recording Player, or Session Recording Policy Console. When receiving a server certificate, the Session Recording Agent, Session Recording Player, or Policy Console determines which Certificate Authority (CA) issued the certificate and if the CA is trusted by the client. If the CA is not trusted, the certificate is declined and an error is logged in the Application Event log for the Session Recording Agent or an error message appears to the user in the Session Recording Player or Policy Console.

A server certificate is installed by gathering information about the server and requesting a CA to issue a certificate for that server. You must specify the correct information when requesting a server certificate and ensure the server name is specified correctly. If the fully qualified domain name (FQDN) is used for connecting clients (Session Recording Agent, Session Recording Player, and Policy Console) the certificate information specified to the CA must use the FQDN of the server rather than the NetBIOS name. If you specify NetBIOS names, do not specify the FQDN when requesting a server certificate. Install the server certificate into the local server’s certificate store. Install the issuing CA certificate on each connecting client.

Your organization may have a private CA that issues server certificates that you can use with Session Recording. If you are using a private CA, ensure each client device has the issuing CA certificate installed. Refer to Microsoft documentation about using certificates and certificate authorities. Alternatively, some companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.

All certificates have an expiration date defined by the CA. To find the expiration date, check the properties of the certificate. Ensure certificates are renewed before the expiration date to prevent any errors occurring in Session Recording.

The Session Recording installation is configured to use HTTPS by default and requires that you configure the default Web site with a server certificate issued from a CA. If you need instructions for installing server certificates in IIS, consult your IIS documentation.