Product Documentation

Improving Security (Recommendations)

Sep 15, 2015

This section suggests ways to improve security when using the Secure Gateway.

Note: The Secure Gateway is an application–specific proxy designed to achieve a corresponding level of security. It is not a firewall and should not be used as such. Citrix recommends that you use a firewall to protect servers running the Secure Gateway, Citrix XenApp, and other corporate resources from unauthorized access from the Internet and internal users.

Preventing Indexing by Search Engines

Search engines use a program that automatically retrieves Web pages and indexes the pages. This includes pages hosted on the Secure Gateway that might potentially be sensitive.

Use a global file (robots.txt) to prevent indexing by most search engines. Install it at the root of the Web server, such as sg.customer.com/robots.txt. The content of robots.txt is:

User-agent: *

Disallow: /

Changing or Restricting Ciphersuites

The process of establishing a secure connection involves negotiating the ciphersuite that is used during communications. A ciphersuite defines the type of encryption that is used—it defines the cipher algorithm and its parameters, such as the size of the keys.

Negotiation of the ciphersuite involves the user device informing the Secure Gateway which ciphersuites it is capable of handling, and the Secure Gateway informing the client which ciphersuite to use for client-server communications.

The Secure Gateway supports two main categories of ciphersuite: COM (commercial) and GOV (government). The ALL option includes both the commercial and government suites.

The COM ciphersuites are:

  • SSL_RSA_WITH_RC4_128_MD5 or {0x00,0x04}
  • SSL_RSA_WITH_RC4_128_SHA or {0x00,0x05}

The GOV ciphersuite is:

SSL_RSA_WITH_3DES_EDE_CBC_SHA or {0x00,0x0A}

Some organizations, including U.S. government organizations, require the use of government-approved cryptography to protect sensitive but unclassified data.

To change or restrict the ciphersuites

  1. Log on as an administrator to the server running the Secure Gateway.
  2. Launch the Secure Gateway Configuration wizard.
  3. Select Advanced Configuration and click Next until you see the Configure secure protocol settings screen. The default setting for ciphersuites is ALL.
  4. To restrict the ciphersuite, change the value to GOV or COM, as required. Click Next.
  5. Follow prompts until configuration is complete. Click to exit the configuration wizard.

You must restart the Secure Gateway to let configuration changes take effect.

Restricting Ciphersuite Use to Secure Communication

The ciphersuites used to secure communications between the Secure Gateway and the Secure Gateway Proxy are determined by the configuration settings on the server running the Secure Gateway Proxy. The default setting on the Secure Gateway for outgoing connections to the Secure Gateway Proxy is set to use all ciphersuites.

Security policies of some organizations may require tighter control of the ciphersuites offered by the Secure Gateway for outgoing connections to the Secure Gateway Proxy. This is achieved by modifying the SChannel registry settings.

For instructions about modifying the SChannel registry settings to restrict ciphersuites, refer to the Microsoft Knowledge Base Article Q245030, “How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll.”

Modifying Protocols to Restrict Secure Gateway Connections

The Secure Gateway handles both SSL Version 3 and TLS Version 1 protocols. In this context:

  • The Secure Gateway uses TLS Version 1 as the default
  • Internet Explorer uses SSL Versions 2 and 3 as the default

You can restrict the Secure Gateway to accept only SSL Version 3 or TLS Version 1 connections. If you decide to change the default protocol setting on the Secure Gateway, modify protocol settings on the client Web browser as well as the Gateway Client to match the protocol setting on the server running the Secure Gateway.

Citrix recommends against changing the default setting for the secure protocol used by the Secure Gateway.

Removing Unnecessary User Accounts

Citrix recommends removing all unnecessary user accounts on servers running the Secure Gateway.

Avoid creating multiple user accounts on servers running the Secure Gateway and limit the file access privileges granted to each account. Review active user accounts regularly and when personnel leave.

Removing Sample Sites Installed with IIS

An important security step is to disable or remove all sample Web applications installed by the Internet Information Services (IIS). Never install sample sites on production servers because of the many well-identified security risks they present. Some sample Web applications are installed so that you can access them only from http://localhost or the IP address 127.0.0.1. Nevertheless, you should remove the sample sites. The IISSamples, IISHelp, and Data Access virtual directories and their associated folders are good examples of sample sites that should not reside on production servers.

Securing Components that Run on IIS

To ensure that security of the Secure Gateway components is not compromised, you can do the following:

  • Set appropriate ACLs on IIS to prevent unauthorized access to executable and script files. For instructions about locking down IIS, refer to current Microsoft product documentation and online resources available from the Microsoft Web site.
  • Secure all the Secure Gateway components using SSL or TLS to ensure that data communications between all the Secure Gateway components is encrypted.

To maximize the security of the servers running the Secure Gateway components hosted by IIS, follow Microsoft security guidelines for locking down Internet Information Services on Windows Servers.

Stopping and Disabling Unused Services

Windows services introduce vulnerabilities to the computer. If a Windows service is not required by your organization, Citrix recommends that the service be disabled. For a complete list of services and their functions, see the Threats and Countermeasures Guide on the Microsoft Web site. Note that disabling a Windows service could stop the computer from functioning correctly.

Installing Service Packs and Hotfixes

Ensure that you install all operating system-specific service packs and hotfixes, including those applicable to applications and services that you are running on the system.

Ensure you do not install hotfixes for services that are not installed. Ensure you regularly review Security Bulletins from Microsoft.

Following Microsoft Security Guidelines

Citrix recommends that you review Microsoft guidelines for securing Windows servers.

In general, refer to the Microsoft Web site for current guidance to help you understand and implement the processes and decisions that must be made to get, and stay, secure.