Do you Control Thy Applications?

Application Control or Restriction policies are a very powerful security control solution. It is a very powerful way of doing things, but it is also the least deployed feature from what I have seen in all the PC and VDI deployments I have worked with over the past 19 years too.

With the release of Windows XP release in 2001 is when Software Restriction Policies first arrived and then renamed to AppLocker when Windows 7 was released. Without an application execution restriction system then you are at risk for sure even with an Antivirus solution deployed too. When execution is unrestricted and phishing email is sent with a malicious executable your only hope is your AV solution to know it is bad and block it. Defense in depth is a basic security strategy to use solutions in a layered methodology to attempt to secure the gaps between the solutions and provide an overall more secure deployment. Using Application Control\Allowlisting is a key component of any Windows security strategy.

Now there are two main ways you can do application restriction and control with Microsoft right now.

  1. AppLocker
  2. Windows Defender Application Control (WDAC)

Why is this the least deployed Security Policy?

Here are some of my guesses why it isn’t used as much.

  1. Hardly ever talked about at Microsoft Events.
    1. It isn’t that bright and shiny of a feature to get a lot of attention.
    1. Microsoft has gone over many generations\eras of their enterprise product offerings and that hasn’t helped bolster this AppLocker ability. Most of the news at these events are about the next release and just a quick overview of some of the features that are deemed most relevant in a pile of features that have been continually added.
    1. Some of the big Microsoft Product Eras:
      1. Desktop Operating System
      1. Office Products
      1. Server Operating System
      1. Exchange
      1. SQL
      1. Xbox
      1. Mobile Phones
      1. Tablets
      1. CRM, Maps, .Net
      1. Office365
      1. Azure
      1. HoloLens AR and VR
      1. Teams
  2. Not a lot of Fan Fare on the Internet overall for it
    1. With not a lot of attention at the Microsoft Events this trickles down to the internet too, where there are not lot of step-by-step guides out there on how things could\should be deployed.
    1. There also isn’t lots of chatter in the forums or on other social media about it which just further keeps it out of the mainstream deployment tasks for many deployments.
  3. Not a lot of Training
    1. Trying to find some training on how to implement it beyond just the documentation on the Microsoft website can be tough. There are lots of ways AppLocker could be deployed along with WDAC and I don’t think there is an official wrong way, but there are also ways that can make things easier for you and your users in a phased approach.
  4. Constant Windows Upgrades steal the focus
    1. Keeping up with 2 Windows Builds each year can be a more than full time job depending on the number of endpoints and the amount of applications you have to support. With a now 18-month and 30-month release cycle we don’t get an operating system for 2-10 years like we had just 5 years ago. This new faster update tempo leaves less time for new things to be introduced.  Less time each year leaves less time to add a new control like AppLocker or WDAC or other Allowlisting solutions.
  5. Bad Deployment Experiences
    1. If anyone has tried to deploy AppLocker and didn’t get a chance to do it slowly and use the “Audit only” ability, then you probably only allowed the programs you thought your users were using and you may have missed the “others” they are actually running. Then many tried to roll it out too fast and then instead of adding the missing programs when they come up, they just turn the enforcement off to get things back and operational again.
  6. Who is going to manage it?
    1. Windows or Security admins are normally the top two roles that may be on the hook for maintaining solutions. From where I have seen AppLocker or WDAC implemented over 80% were managed by the Windows team. When you make it to a pure allowlist situation there will be a good chunk of maintenance required to keep updated programs running or allowing new programs to run. Depending on how you deploy each solution will determine if every update you must change or change settings.

Pros and Cons of using AppLocker

Pros

  • Free’ish
    • If you own a Windows, then you are entitled to use AppLocker. The only cost to you past that is your time configuring, testing and then deploying it. Depending on the number of applications and the methods used it can take a while or be very quick when there may only be 20-30 applications a user “needs” to run. I have seen it take a couple days to a couple months.
      • Windows Enterprise and Education Editions (Windows 7, 8 and 10) and all Server Operating Systems.
  • Secure all the Application Launches (Long Road)
    • Denylist – Great place to start off to understand the mechanics of the AppLocker and be able to stop access to many applications that cannot be blocked via Group Policies.
    • Allowlist – Only allowing defined applications to run is a great place to be at and can eliminate a lot of potential threats but it also means that it will be a long-term relationship too.
  • Can secure things to also catch gaps in many Antivirus solutions too
    • Antivirus solutions look for known bad things and then also look for abnormal programs that are not within the windows system along with looking at possible malicious methods with good OS programs used for bad things.

Cons

  • No easy button
    • This isn’t a solution you just go into the Group Policy Management Console and click some things and you will be done in a couple minutes like the thousands of other policies for Windows.
      • Also, the more you configure the more complicated this console will be, and auditing will become more difficult. I hope that this can be modernized and integrated with some launching analytics of what is used. Then you can step into things slowly but then be able to adjust quickly when there are issues that need to be Allowed and/or Denied.
  • Long Term Relationship
    • Have to be agile to adjust policies on a regular basis with Program Updates and New Programs. If you end up using File Hashes to define a program to run or not run then when that program gets updated the policy will need to be adjusted which may mean making a policy for the new and the old at the same time until the old is removed.
  • Smaller Support Community
    • I hope this changes this year, but there isn’t as much help and chatter that you can use to help you when your deploying or get into a weird configuration state. The good thing is the solution is pretty simple to administer but you can sometimes need help on what to do next or in this situation and that can be hard to find like so many other things with an internet search.

Pros and Cons of using Windows Defender Application Control

Pros

  • Official Windows Security Project
  • Free’ish
    • If you own a Windows, then you are entitled to use AppLocker. The only cost to you past that is your time configuring, testing and then deploying it. Depending on the number of applications and the methods used it can take a while or be very quick when there may only be 20-30 applications a user “needs” to run. I have seen it take a couple days to a couple months.
      • Windows Enterprise and Education Editions (Windows 7, 8 and 10) and all Server Operating Systems.
  • Fast to Implement
    • Once you have your master image ready to roll you run a single command to show the system what is allowed to run and anything else will not be allowed to execute.
  • Can secure things to also catch gaps in many Antivirus solutions too
    • Antivirus solutions look for known bad things and then also look for abnormal programs that are not within the windows system along with looking at possible malicious methods with good OS programs used for bad things.

Cons

  • No pretty console.
    • It uses a series of command line operations to make .p7b files that are then placed under C:\Windows\System32\CodeIntegrity to get the party started with Audit or Enforced Mode.  Editing this file and running a new scan is needed with program updates as binaries change
  • Fast to Fail
    • Since it is either on or off for everything unlike AppLocker which can just Denylist things for specific users.  You still have Audit and Enforced mode, but it is an all or nothing kind of thing.
  • Signed Applications
    • Do you have them?  If not, then you have another process that is required to get them going with WDAC to get the catalog
  • No easy button
    • This isn’t a solution you just go into the Group Policy Management Console and click some things and you will be done in a couple minutes like the thousands of other policies for Windows.
      • I hope that this can be modernized and integrated with some launching analytics of what is used. Then you can step into things slowly, but then be able to adjust quickly when there are issues that need to be Allowed and/or Denied.
  • Long Term Relationship
    • You have to be agile to adjust policies on a regular basis with Program Updates and New Programs. Every update to signed applications that have a new certificate will have to be reauthorized and if it is unsigned you may also have to make a new catalog also.
  • Even Smaller Support Community
    • Unlike AppLocker this has only been around in its current form since Windows 10. This is not as easy to administer as AppLocker because there is no GUI and all CLI commands and how it is either on or off. I think Microsoft is starting pick this as the new go forward strategy.

Other Application Limiting Options (Application Control)

This industry is normally called Application Control when you are looking for a product that does Application Allowlisting and/or control application launching. There are a couple other ways to accomplish the same thing with AppLocker under the hood and a different management UI and/or a different solution all together that uses its own methods for limiting application launches.

Antivirus Solutions

This is the most common alternate method I see deployed. Depending on your vendor this process could be easier or harder than using AppLocker. Depending on the size of the organization and the AV solution will determine your capabilities.  In many cases depending on how you have integrated your AV solution you may have ended a notification system already setup for alerts which can make deploying application control easier. Finding a deployment that has a good Windows Event Log forwarding solution is far and few between. So, with better out of the box alerting and maybe UI that is close to AppLocker then it may win in your deployment. This also comes back to who runs Application Allowlisting?  Windows or the Security teams. Another part of this equation is licensing costs for your AV, many include this feature or some charge for it as a premium add-on so check with your AV vendor.

Purpose Built Solutions

There is a growing market for this type of solution based on the attack surface ever growing and limiting the execution can slow lateral movement in many attacks if implemented in a strict method. There are lots of solutions out there and some are related to also your firewall vendor like Checkpoint, Cisco, Palo or Fortinet because they all have some form of threat protection clients.

Then you have Privileged Account Management solutions like BeyondTrust and CyberArk which go into the Threat Intelligence space, but also have Application control abilities too. The main one that I have seen deployed for years is Ivanti’s Application Control (Under a couple different names, AppSense Application Manager and some others during its transitions) which had abilities that other solutions didn’t. Some solutions still don’t have the ability remove access to menus within an application like Ivanti Application Control has. Depending on your relationship and solution from your AV and/or Firewall vendor these solutions may make it easier to get started and may keep your list of vendors you need to support lower too.

PolicyPak

Then last but not least you have solutions like PolicyPak which go way beyond Application Control.  It does so many things that every Windows administrator needs to make their job easier. Their product Least Privilege Manager is amazing when it comes to reducing or eliminating practical threats by removing admin rights, limiting application launches based not only by rules, but also by file ownership to control what a user can launch automatically without a lot of tuning and policies. If a user has downloaded something shady it won’t allow it to execute. SecureRun is what PolicyPak calls this magical solution that gets configured in just a couple clicks and then define what AD group member installed the application and you’re done. Then anything that wasn’t installed by the Admins in that group will not be allowed to run as a user. Being able to limit application execution this quickly is why in my opinion it can be the best solution especially with all the other useful features that all Windows deployments could use if your running multiple browsers, Java and many other items.  Check it out!

Top 3 Things to Do to Secure Windows 10 with AppLocker

First make a GPO that applies to your Test Users and then Deny your Administrators or whoever you deem should run PowerShell to Deny the GPO from applying so they can still user PowerShell when needed, which is very often.

  1. Limit User PowerShell Access – PowerShell is a very common method for Recon and execution of malicious items as an attacker. PowerShell Restriction policies are an ok start, but there are too many ways to work around them if you have access to the console. Setting up AppLocker to block both the 32bit and 64bit versions of the shell are important but also make sure you block access to ISE also since allowing it just helps a potential attacker from making syntax errors. If you are going to Limit PowerShell, make sure you also limit Command Prompt Access with its group policy too (GPO:User Configuration/Administrative Templates/System/Prevent access to the command prompt)
    1. To get to AppLocker in your GPO Editor head here.
    1. GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker
    1. These are the Paths you will want to “Deny” Access to.
      1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
      1. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      1. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
  2. Application Auditing – What are your users launching on a daily basis?  You can use AppLocker or WDAC and the Windows Logs to find out. There is also no need to boil the ocean especially in a VDI (Server or Desktop) deployment because you can just enable it on one or some of your desktops or servers to get enough of a sampling to make your rules along with having a better application list for free. Setting up the policies for “Audit Only” is easy to do and there is a low to no risk turning it on in most deployments. Then once it is on you can just filter the logs and look for this log Event ID
    1. You should see an 8003 Event Error if you have AppLocker Enabled to “Audit Only”
    1. Then later in your journey you will eventually see this when you start enforcing the policies.
      1. You should see an 8004 Event Error if you have AppLocker Enabled to “Enforce Rules”
  3. Use Something – This may be an unlikely Top 3, but using Application Control whether using Microsoft AppLocker, WDAC, AV solution or one of the other solutions to regulate the launching of unknown applications.
    1. Level 1 – Audit Only on a couple systems to get a profile of what should be allowed to run.
      1. This may lead you to a Windows Event Log Forwarding solution so you can view these logs and know when unknown applications are launched that could have been blocked and later in the process of what was blocked.
    1. Level 2 – Limit Admin Applications (Denylist) this is a good way to get used to the mechanics and the console and you will start to get an understanding of how much work it can be to allowlist all your applications.
    1. Level 3 – Allowlist only authorized applications this will be a long road depending on the amount of applications and just like mentioned earlier this will be a long-term relationship as applications are updated and new programs are assimilated in your deployment. Most deployments that have an Application Control solution usually have a good Windows logging solution to be able to know what is being blocked and adjust policies or even start an incident response.

What to expect when deploy AppLocker or other Application Control solutions?

Just like any IT solution you deploy without proper planning and testing it isn’t going to be a good time for you or your users. You need to plan on how you want to implement and which department or group you want to start with and then if you are going to make things a standard or not for all systems.  A good application inventory will help you also to know what is expected to run on each system type.

Knowing what your endgame is very important too. The goal for any application control deployment should be the total allowlisting of all applications that users interact with or whatever is equivalent for the solution you pick. Getting to that goal will take some time and you shouldn’t think this will can be done over a weekend without some planning and testing.

There will be bumps in the road when you start to “Enforce” your policies, there will be something that you didn’t think users were using and or even ones they didn’t launch during your auditing and planning phase. If you put most of your effort in planning, auditing and testing you will be able to have less bumps along the way and provide a better solution too. There will be programs that you did define, but after an upgrade you will need to either update the rules, replace the rules or add new rules during the upgrade period until you can remove them after the upgrade is replaced. Keeping track of these type of things will be something new that you haven’t had to do before an application control solution. Also know that if you are allowing an older version of a program to run you may still be better off than most because you are limiting applications from launching, but you also need to know where your threats are based on what is allowed to run.

I hope this has helped explain a little bit about Microsoft AppLocker, Microsoft Defender Application Control and some of the other Application Control options and what they can do for you and what you have to do for them. You will see and hear more about AppLocker and WDAC from me later this year in much more detail. Your mileage will vary with each of these solutions based on your applications and your update tempo and staffing. Running some application control solution is highly recommended in any windows deployment to help slow and/or stop the attackers.

If you want to learn more about AppLocker then I suggest following @OddvarMoe on Twitter and his blog https://oddvar.moe he has done so much work as a Microsoft MVP and a Red Teamer to work to get the word out on how to get AppLocker going, how to Harden it and how bypasses work.  He was the first to talk about a LOLBIN (Living off the Land Binaries) which is a methodology of using known good windows programs to do malicious or unintended things because they are trusted. He has now started LOLBAS (Living off the Land Binaries and Scripts) which incorporates some of the scripts that Windows has to do things too.  I would check out his GitHub because there is awesome stuff for Red Teamers (Attackers) and Blue Teams (Defenders).

Microsoft Documentation Links

https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-policies-deployment-guide

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control

Great way to deploy AppLocker is using AaronLocker Scripts.  Great Documentation!  I highly recommend starting with this because it helps automate a lot of the rules getting created based on where the user has rights to write.

https://github.com/microsoft/AaronLocker

Great Visual Timeline of Microsoft History

https://www.computerhope.com/history/windows.htm

https://en.wikipedia.org/wiki/Timeline_of_Microsoft

Citrix Policy Lockdown 1.1: Planning

Locking Down Citrix Policies in many environments takes a lot of planning to do it right. While you might wish you could just come in with Thor’s hammer and lock everything down, you will get explosions and a user revolt in the process.  In this post, we will go over some of the questions I have made over the years to help Citrix Clients figure out what they need to have open and what they need to lock down.  These questionnaires can be self-answered by yourself or edited as needed to send to some of your application owners.  I would also challenge the responses on each item to understand and document why you need USB Mapping, Drive Mappings or other items. It helps you have a chain of evidence along with why your policy is the way it is.

What do you need?

What do you do with Citrix?  Every deployment has different needs, and you may have to work with lots of different stakeholders to find out what they need to do their job. You may be lucky enough to have a true applications team to provide input or you may need to find the users and/or business owners.  A saying that I think holds true for most Citrix deployments is “We don’t cook it, we just serve it.” We want to just serve/deliver the applications, but typically we have to support/install/configure all kinds of applications that we barely figured out how to install and run correctly.

The longer the users have had more than they need, the harder this may be to dial things back.  So good luck and I hope the tools below help you make things more secure.  Once we get this back for each user group then we can start making policies for each of them to allow or deny things.  I hope this helps you do a quick assessment of your XenApp or XenDesktop deployment to find out what is open and closed and can help you lock your deployment down.

Sample Citrix Security Policy Planning Questions with some helpers.

  1. What do you need outside of just your keyboard and mouse in Application X/Desktop Y?
    1. This question should spark them thinking beyond just saying do you need Copy/Paste, Access to your Computer or USB Drives. Because if you start with a buffet list of options who doesn’t want a little of everything?
  2. Do you need to copy and paste things in and or out of Application X/Desktop Y?
    1. Just Text?
    2. Within the Session?
    3. Just out of the Session?
    4. Just into the Session?
  3. Do you need to Copy/Move anything from your computers drive into or out of Application X/Desktop Y?
    1. Fixed Drives
      1. Local Drives on the Computer they are logging in from. (C Drive)
    2. Network Drives
      1. Network Drives that are mapped on their local computer.
      2. In most cases Network drives are remapped if needed in the session so this could be a double map to the same resource.
    3. Removable Media (Memory Cards or USB Drives)
      1. If you don’t want to map Media Cards (SD) and USB Drives, then Disable this.
      2. If allow USB Mapping, then you need this enabled also to make it work.
    4. Optical
      1. Not used a lot anymore, saw it in the Federal space but not out in the wild.
    5. Floppies (What’s a Floppy?)
      1. Haven’t seen it enabled post 2000 in Citrix.
    6. Do you have to use any USB devices with Application X/Desktop Y?
      1. Dictation (Medical, Law)
      2. Retail (Scanners, Readers, Label)
      3. Printing (Label, Printers)
      4. Manufacturing (Random doodads)
      5. Accounting (Check Printing)
    7. Do you need to Print?
      1. Most clients need it but there are instances where it should be disabled for Contractors\Third Parties or just different business units.
    8. Do you have any old School LPT Printers (Weird Plug with Pins?)
      1. Haven’t seen it enabled post 2000
      2. Accounting (Check Printing)
      3. Printing (Label, Printers)
      4. Manufacturing (Old Printers)
    9. Do you have any COM Devices (Serial? Weird Plug with Pins?)
      1. Manufacturing (Random doodads)
      2. Medical (Random doodads)
    10. Do you need a Microphone in Application X/Desktop Y?
      1. Most clients don’t need it.
      2. Published Application and or Virtual Desktop with VOIP would need this.
      3. Dictation (Medical, Law) (Some are hooked up via USB, so it may also be able to be disabled, mileage will vary)
    11. Do you need Audio in Application X/Desktop Y?
      1. Sometimes audio has to be mapped to hear error messages for basic application troubleshooting. In most cases you can still disable it.
      2. Published\Virtual Desktop with VOIP
      3. Dictation (Medical, Law)

Sample Citrix Security Policy Planning Questions Ready to Send

Application Owner,

We are working to further secure our Citrix deployment and want to understand what you need to do your job each day outside of just keyboard and mouse inputs.  Through this questionnaire, we hope to ensure we are giving you and your team that you need to work, but putting in place reasonable controls to help keep our environment secure.  With the ever-changing cyber security landscape, we need to do what we can to protect our company and your applications.  Please fill this out and return it to us. We may schedule a follow up meeting.

  1. What do you need outside of the beyond just your keyboard and mouse in Application X/Desktop Y?
  2. Do you need to copy and paste things in and or out of Application X/Desktop Y?
    1. Just Text?
    2. Within the Session?
    3. Just out of the Session?
    4. Just into the Session?
  3. Do you need to Copy\Move anything from your computers drive into or out of Application X/Desktop Y?
    1. Fixed Drives
      1. Local Drives on the Computer they are logging in from. (C Drive)
    2. Network Drives
      1. Network Drives that are mapped on their local computer.
    3. Removable Media (Memory Cards or USB Drives)
    4. Optical
    5. Floppies
  4. Do you have to use any USB devices with Application X/Desktop Y?
  5. Do you need to Print?
  6. Do you have any old School LPT Printers (Weird Plug with Pins?)
  7. Do you have any COM Devices (Serial? Weird Plug with Pins?)
  8. Do you need a Microphone in Application X/Desktop Y?
  9. Do you need Audio in Application X/Desktop Y?

 

Upcoming VDI Lockdown Blogs

  1. Citrix Clipboard Lockdown
  2. Citrix Device Mapping Lockdown
  3.  Citrix USB Lockdown
  4. Citrix Printing and “The Others” Lockdown
  5.  Citrix Policy Lockdown How-To
  6. And a couple others along with an EBook with all these articles in one document

Previous Lockdown Blogs

https://www.mycugc.org/blogs/cugc-blogs/2017/11/30/citrix-policy-lockdown-part-1

Appendix

Thanks for all the work that Carl Webster does on keeping up with his documentation scripts and policy lists and much more.

Policy Listings

http://carlwebster.com/downloads/download-info/citrix-default-user-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-default-computer-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-policy-settings/

Documentation Scripts

http://carlwebster.com/downloads/download-info/xenappxendesktop-7-8/

Always a great overall with some good Policy information in it.

https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/7-15-ltsr/downloads/Citrix%20VDI%20Handbook%207.15%20LTSR.pdf

Citrix Policy Lockdown 1.0

Citrix Default Policies are Insecure
Citrix Default Policies are Insecure

Citrix Policies are not the coolest thing to mess with but they are very important and are very often overlooked from a security perspective.  I hope this quick blog will help you look at your policies differently and help you secure your deployment.  When I’m doing Citrix Security Assessments the weak policies are usually the second biggest finding (After Patching) because they usually are just defaults and or the filters and or their order make them weaker than most clients expect them to be with some of those factors.

In this article, I will go over the basics of the Citrix security policies, the scary ones you should worry about, how to check if you’re at risk and how to fix them up.  Many of these settings are enabled by default because most customers need these settings but if you look at them just one more time in most cases you should be able disable many of them.

Citrix Policy Big 4

  1. Copy\Paste
    1. Bi-directional
    2. Copy\Paste Write Allowed Formats – All
  2. Drive Mappings
    1. On by Default
      1. Major
        1. Client Fixed Drives
        2. Client Network Drives
        3. Client Removable Drives
      2. Minor
        1. Client Floppy Drives
        2. Client Optical Drives
      3. USB Mounts
        1. Disabled by Default
        2. Restrict the Devices
      4. Others
        1. Printer Mapping
        2. LPT Mapping
        3. COM Mapping
        4. Microphone Mapping
        5. Audio Mapping

Citrix Policy Security Severity Chart

Risk Setting Default Setting
High Copy\Paste Allowed
High Copy\Paste Write Allowed Formats Blank
High Client Fixed Drives Allowed
High Client Network Drives Allowed
High Client Removable Drives Allowed
High\Medium Client USB Mapping Prohibited
High\Medium Printer Mapping Allowed
Medium\Low Client Floppy Drives Allowed
Medium\Low Client Optical Drives Allowed
Medium\Low LPT Mapping Prohibited
Medium\Low COM Mapping Prohibited
Medium\Low Microphone Mapping Allowed
Low Audio Redirection Allowed

The severity of some of these items will vary based on the setting and if these items are in use or if they could be used in a way to harm your company.

Depending on if you used a template from Citrix for user experience you just have an environment that has been migrated\upgraded over and over you most likely could have a problem and not even know it.  From what I have seen at hundreds of deployments is that the Citrix deployment hosts the most critical items within most businesses internally and or externally.

We will dive into each of these briefly and then go into the extreme detail later which will be in the Citrix Hardening guide.

  1. Copy\Paste
    1. In some cases, it is actually needed but in most it can be disabled or tuned for directionality along with restricting different paste formats beyond just text.
    2. Client clipboard write allowed formats
      1. Blank by default which means screenshots can be easily exfiltrated out if your giving someone a desktop session or access to an application without execution being prevented from many windows subsystems that can take advantage of this.
      2. It is highly recommended to only allow CF_Text. If the Microsoft Suite must be used beyond just text then add CFX_OfficeDrawingShape as the other format.
  • Many of these other methods are ways that payloads can be sent to the server\desktop or data can be sent out beyond just text. Who would have guessed there were 23 things to Copy\Paste?
    1. CF_TEXT
    2. CF_BITMAP
    3. CF_METAFILEPICT
    4. CF_SYLK
    5. CF_DIF
    6. CF_TIFF
    7. CF_OEMTEXT
    8. CF_DIB
    9. CF_PALETTE
    10. CF_PENDATA
    11. CF_RIFF
    12. CF_WAVE
    13. CF_UNICODETEXT
    14. CF_ENHMETAFILE
    15. CF_HDROP
    16. CF_LOCALE
    17. CF_DIBV5
    18. CF_OWNERDISPLAY
    19. CF_DSPTEXT
    20. CF_DSPBITMAP
    21. CF_DSPMETAFILEPICT
    22. CF_DSPENHMETAFILE
    23. CF_HTML
    24. CFX_RICHTEXT
    25. CFX_OfficeDrawingShape
    26. CFX_BIFF8
  1. Drive Mappings
    1. This is the absolute best way for employees and or attackers to get things in and out of your environment. In most cases it isn’t needed but is never disabled.  I have seen clients where they actually need it to just map their Local Drive only and all the other mappings could be disabled.  Who has a floppy or optical drive anymore, can we at least turn those two off?
    2. Think about what data the user has access to on their local computers, in many cases you may or may not be able to control those endpoints in many service provider models to third party entities.
    3. Most users will have some mapped drives on the local computer that will be mapped by default and who knows if your security team wanted a Citrix session to bridge that gap from a network share to their endpoint.
      1. How many SMB shares have Everyone for Share permissions along with the actual File Permissions?
      2. You could use https://www.mcafee.com/us/downloads/free-tools/sharescan.aspx to help find them on your network, there are also more advanced ways but this is one of the easier tools to run. Make sure you let your security team know before you start blasting scans off so you don’t have to update your resume depending on your INFOSEC policies.
    4. What kind of data do you have, and what compliance body does it fall under? (HIPAA, PCI and many others)
      1. This can make drive mappings being enabled much more severe.
    5. USB Mounts
      1. The good thing is that by default this setting it to Prohibit these mappings.
      2. Most organizations have DLP (Data Loss Prevention\Protection) policies and a USB drive is in most cases prime candidate number 2 after email for data exfiltration.
      3. There are many ways that mapping USB devices can also introduce instability along with other possible attacks, so filtering devices if they must be enabled is your safest bet.
        1. If you are just doing voice Dictation with a Philips device, bar code scanners, credit card readers and many other must use cases you should just allow that specific device only.
      4. Other Items
        1. Printer Mapping
          1. This is enabled by default and in many cases, this is needed for Application X to work and for the user to do their job. If you have an application that doesn’t need to print then disable it or at least just limit it to just the applications that need it and exclude if from everything else.
        2. LPT Mapping
          1. Mapping these old school physical printer ports are enabled by default but I haven’t seen them actually used in a couple hundred deployments since most printers now are Network or USB only now. I have had great success disabling this in a lot of deployments and like always if you don’t need it disable it.
        3. COM Mapping
          1. This is disabled by default so usually I don’t find it enabled but I do see it every now and then for some medical devices and in manufacturing. If it needs to be enabled just filter it to the servers\desktops that need it.
        4. Microphone Mapping
          1. This is great for Video Conferencing along with Dictation but in many cases, it may not be needed and should be disabled. This may not seem very security related being able to record your voice in applications but it is a way that data can come in.  I have been working on some testing and will have more information later in the VDI Lockdown guides.
        5. Audio Mapping
          1. This also may not seem like it is very security related item too, but in many industries an audio stream can be very sensitive data. I have seen the medical, legal, banking and science\research industries use dictation, but they have some serious Patient and Intellectual Property information in them.    If someone can listen to the audio and or if you have mapped drives enabled they can pull the data out.  This is a stretch in many cases but we don’t like loose ends.
          2. If you don’t need sound I would recommend turning it off but if you’re doing a desktop experience it will be needed but I would just recommend thinking about what audio you may have that is confidential that you don’t want to get out.
  • Sometimes audio has to be mapped to hear error messages for basic application functionality.

What to do?

Secure it by Default!

Citrix Secure Policy Template
Citrix Secure Policy Template

In many cases when I’m doing security assessments I don’t just enable the “Security and Control” Policy Template and call it done\more better, because it could cause mayhem if people do have legitimate uses for some of these security controls.  Depending on your setup and how far along your deployment is, you may be able to apply this use this template as a baseline to help secure things when you start off.  Starting off your Citrix deployment off with this policy if you can and open it up per Application\User Group to open things up as needed.

Next Blog

I’m working on a couple other things that I will publish on my blog VDISecurity.org and within CUGC too.

  1. Citrix Policy Lockdown Examples and Guide
  2. Citrix Patching
  3. Citrix WEM and AppLocker Lockdown
  4. Citrix Antivirus
  5. VDI Lockdown Guide (Everything rolled into an updatable one stop shop)

Appendix

Thanks for all the work that Carl Webster does on keeping up with his documentation scripts and policy lists and much more.

Policy Listings

http://carlwebster.com/downloads/download-info/citrix-default-user-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-default-computer-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-policy-settings/

Documentation Scripts

http://carlwebster.com/downloads/download-info/xenappxendesktop-7-8/

Always a great overall with some good Policy information in it.

https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/7-15-ltsr/downloads/Citrix%20VDI%20Handbook%207.15%20LTSR.pdf

Default VDI Related Passwords

Below is a collection of passwords from over the years that be very helpful when attacking and or administering a VDI deployment.

Citrix

NetScaler

UN.   nsroot

PW.  nsroot

VMware

 

Dell Thin Clients

ThinOS

Default BIOS Password “Fireport”

Hold Delete during Power On to get to the BIOS

Press and Hold G During Power Up to Factory Reset

Citrix XenDesktop, XenApp And VMware Horizon Security Blog

Disclaimer, I’m not a fancy writer with great English writing skills, I just figure it out and type stuff and try to tell it in a way that I hope people learn and little something laugh a bit (because it isn’t that serious).  I make up words and type with a southern drawl and I also have lots of Patrick’isms that I have used over the years speaking with thousands of people that have stuck (might have to make a short page on some of them to keep them organized).

I have had a great and blessed IT career over the past 18 years and I have worked my way up at so many levels that I know this is my time to give back what little I can.  I’m not an expert in really anything other than eating and a being a movie and music fan.  I have been Noob’ed and RTFM’ed with the best of them and I have learned a lot over the years.  I have also had great mentors at every IT job I had  I have worked at in a couple different roles listed below

  1. Customer Support Rep (People called me)
  2. Y2K Floppy Flinger (NT4, Novell, Exchange, Metaframe)
  3. Marine Corps Random awesomeness (Unix, Presentation Server, Exchange, Banyan Vines, 2000, 2003, Other Computer Nerdy Thingys)
  4. CHD Meridian (Security Nerd Turned Citrix Nerd (Because the Print Spoolers and the eBay servers were killing things and they needed help)
  5. LPS Integration (EUC Nerd to Architect to Director (Nerd and Deal Wrangler))
    1. Working at a Partner gave me a different perspective and also gave me the ability to work with over 500 clients in that 8+ years and see how other nerds did things. I got to directly work with people at LPS and at other clients that were smarter than me which pushed me to be “more better”.
    2. I got to participate in PTAB and PTEC and run around with some of the smartest Citrix and VMware nerds there are in the world, I got to meet lots of great speakers and build some great friendships.
  6. Patrick Coble Consulting (aka Contractor Scum hunting for work)
    1. I wanted to get back to my roots a bit and see if I could do something on my own at my own speed to try and to be a better dad and have a tempo I could control or at least try to.
  7. VDISecurity.org Creation (Changing gears for sure)
    1. Now that I’m out doing my own thing I have time to do some things. (or least I think I do) I have always wanted to do get back to my security roots but I never had the time before at LPS. I have seen the fundamental insecurity of VDI deployments for over 8 years (Not counting old school Ctirix and RDS deployments before then).  The problem is VDI security from all three major vendors Citrix, Microsoft and VMware (Workspot, I still love that Demo Coat Brad Peterson) is kinda ok, but the problem in almost all cases the VDI admin has a much different goal for survival in the IT Thunder Dome and Security isn’t on the side of the cage as normal battle weapon (I hope to be the guy throwing it in the cage).  The VDI admins survival depends on the system being up and not really secure beyond just saying “I have a lock sign in the URL bar so this thing is legit yo”.  I hope to write some blogs and maybe an Amazon Jiblet or two on things and trends I have seen and how to fix them.
    2. I have had a lot of great mentors over the years and I hope I’m trying to do this thing right, because I’m not expert but I changed my VDINinja handle to VDIHacker because that is my focus now. I hope to show the vulnerabilities and how to fix them, because I was way too fat and slow to be a Real Ninja.

I hope those couple items give you an idea of where I’m from and where I’m going (cotton eyed joe) to get a sense of things to come.  I hope I can pay homage to many of the greats in our IT world that are way more smarter than me and hopefully shine a light on the dark side of VDI to hopefully help some people along the way.

I hope I can get enough nerd cred and chances to present and give this new thing a shot.

Some of the topics I’m hoping to nerd out on in no particular order.

 

  1. VDI Security Mission
  2. Citrix Security Overview
  3. RDS Security Overview
  4. Horizon Security Overview
  5. SSL Everything.