Citrix Policy Lockdown 1.1: Planning

Locking down Citrix policies in most environments takes a lot of planning to get right. While you might wish you could just come in with Thor’s hammer and lock everything down at once, you will get explosions and a user revolt in the process.  In this post, we will go over some of the questions I have put together over the years to help Citrix clients figure out what they need to keep open and what they can lock down.  You can answer these questionnaires yourself, or edit them as needed and send them to your application owners.  I would also challenge the response on each item, to understand and document why you need USB mapping, drive mapping, or any other redirection. That gives you a chain of evidence for why your policy is the way it is.

What do you need?

What do you do with Citrix?  Every deployment has different needs, and you may have to work with many different stakeholders to find out what they need to do their jobs. You may be lucky enough to have a true applications team to provide input, or you may need to track down the users and/or business owners yourself.  A saying that I think holds true for most Citrix deployments is “We don’t cook it, we just serve it.” We only want to serve/deliver the applications, but typically we end up supporting/installing/configuring all kinds of applications that we barely figured out how to install and run correctly.

The longer users have had more than they need, the harder it will be to dial things back.  So good luck, and I hope the tools below help you make things more secure.  Once we get the answers back for each user group, we can start building policies for each group that allow or prohibit each item.  I hope this helps you do a quick assessment of your XenApp or XenDesktop deployment, find out what is open and what is closed, and lock the deployment down.
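Before the questionnaires go out, it helps to know what the current policies already allow. The script below is an added example, not code from the original post: it uses the Citrix Group Policy PowerShell provider (the Citrix.Common.GroupPolicy snap-in that ships with Studio) to report the state of every client redirection setting in every user policy. The controller name ddc01, the drive name AuditGpo, the output file name, the assumption that policy items expose Enabled and Priority properties, and the assumption that Get-ChildItem -Recurse walks the Settings\ICA tree are mine; check them against your version before relying on the report.

```powershell
# Added example (not from the original post): report which client redirections
# each Citrix user policy currently allows, to baseline what is open before the
# questionnaires go out. Assumptions: the Citrix.Common.GroupPolicy snap-in that
# ships with Studio is installed; 'ddc01' is a Delivery Controller; policy items
# expose Enabled and Priority properties; and Get-ChildItem -Recurse walks the
# Settings\ICA tree. Check these against your version before relying on the report.
param(
    [string]$Controller   = 'ddc01',
    [string]$BaselineFile = '.\citrix-redirection-baseline.csv'
)

Add-PSSnapin Citrix.Common.GroupPolicy -ErrorAction Stop
New-PSDrive -Name AuditGpo -PSProvider CitrixGroupPolicy -Root \ -Controller $Controller -ErrorAction Stop | Out-Null

# The internal names of the redirection settings the questionnaire asks about look
# like ClientClipboardRedirection, ClientFixedDrives, ClientUsbDeviceRedirection,
# plus MicrophoneRedirection. Match on that shape rather than hard-coding a list.
$pattern = '^(Client\w+(Redirection|Drives)|MicrophoneRedirection)$'

function Get-CtxRedirectionReport {
    # One row per (policy, setting). NotConfigured means the policy is silent on the
    # setting and a lower-priority policy (ultimately Unfiltered) decides it.
    foreach ($policy in Get-ChildItem AuditGpo:\User) {
        $name = $policy.PSChildName
        $info = Get-ItemProperty "AuditGpo:\User\$name"
        Get-ChildItem "AuditGpo:\User\$name\Settings\ICA" -Recurse |
            Where-Object { $_.PSChildName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Policy   = $name
                    Enabled  = $info.Enabled
                    Priority = $info.Priority
                    Setting  = $_.PSChildName
                    State    = (Get-ItemProperty $_.PSPath).State
                }
            }
    }
}

$report = Get-CtxRedirectionReport

# What is open right now: every Allowed redirection in an enabled policy, lowest
# priority number (highest precedence) first.
$report | Where-Object { $_.Enabled -and $_.State -eq 'Allowed' } |
    Sort-Object Priority, Setting |
    Format-Table Policy, Priority, Setting, State -AutoSize

# Keep the full matrix as the "before" picture to compare with the returned questionnaires.
$report | Export-Csv -Path $BaselineFile -NoTypeInformation
```

Run it from a machine with Studio installed, as an account that can read the site's policies. The CSV is the baseline you compare the returned questionnaires against: anything Allowed in the baseline that nobody asked for is a candidate to prohibit.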

Sample Citrix Security Policy Planning Questions with some helpers.

  1. What do you need outside of just your keyboard and mouse in Application X/Desktop Y?
    1. This question should get them thinking before you offer a menu of Copy/Paste, access to their computer, or USB drives. If you start with a buffet of options, who doesn’t want a little of everything?
  2. Do you need to copy and paste things into or out of Application X/Desktop Y?
    1. Just text?
    2. Within the session?
    3. Just out of the session?
    4. Just into the session?
  3. Do you need to copy/move anything from your computer’s drives into or out of Application X/Desktop Y?
    1. Fixed Drives
      1. Local drives on the computer they are logging in from (C: drive).
    2. Network Drives
      1. Network drives that are mapped on their local computer.
      2. In most cases network drives are mapped again inside the session if needed, so this can be a double map to the same resource.
    3. Removable Media (Memory Cards or USB Drives)
      1. If you don’t want to map media cards (SD) and USB drives, disable this.
      2. If you allow USB mapping, this needs to be enabled as well for USB drives to work.
    4. Optical
      1. Not used a lot anymore; I saw it in the Federal space but not out in the wild.
    5. Floppies (What’s a Floppy?)
      1. Haven’t seen it enabled post-2000 in Citrix.
  4. Do you have to use any USB devices with Application X/Desktop Y?
    1. Dictation (Medical, Law)
    2. Retail (Scanners, Readers, Label)
    3. Printing (Label, Printers)
    4. Manufacturing (Random doodads)
    5. Accounting (Check Printing)
  5. Do you need to Print?
    1. Most clients need it, but there are instances where it should be disabled for contractors/third parties or for particular business units.
  6. Do you have any old school LPT printers (weird plug with pins)?
    1. Haven’t seen it enabled post-2000
    2. Accounting (Check Printing)
    3. Printing (Label, Printers)
    4. Manufacturing (Old Printers)
  7. Do you have any COM devices (Serial? Weird plug with pins)?
    1. Manufacturing (Random doodads)
    2. Medical (Random doodads)
  8. Do you need a Microphone in Application X/Desktop Y?
    1. Most clients don’t need it.
    2. A published application or virtual desktop with VoIP would need it.
    3. Dictation (Medical, Law). Some dictation devices are connected via USB, so microphone redirection may still be able to be disabled; mileage will vary.
  9. Do you need Audio in Application X/Desktop Y?
    1. Sometimes audio has to be mapped to hear error messages for basic application troubleshooting. In most cases you can still disable it.
    2. Published application or virtual desktop with VoIP
    3. Dictation (Medical, Law)
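Once the answers come back, the questionnaire maps almost one-to-one onto Citrix policy settings, and the per-item justification is the chain of evidence the post asks for. The script below is an added example, not code from the original post: it turns a table of answers (one row per user group, constructed here inline) into one user policy per group through the Citrix Group Policy PowerShell provider, with every setting Prohibited unless the group answered yes, and writes a CSV recording which answer opened which setting and why. The controller name ddc01, the drive and policy names, the sample groups and answers, the setting names in the map (the provider's internal names as I know them), the Allowed/Prohibited state vocabulary for these settings, and the assumption that Get-ChildItem -Recurse finds each setting under Settings\ICA are mine; verify them with Get-ChildItem on your version and run with -WhatIf first.

```powershell
# Added example (not from the original post): turn returned questionnaires into
# per-group Citrix user policies and keep an evidence trail of why each setting
# is open. Assumptions: the Citrix.Common.GroupPolicy snap-in (ships with
# Studio) is installed; 'ddc01' is a Delivery Controller; group names and
# answers are constructed; the setting names are the provider's internal names
# (verify with Get-ChildItem -Recurse on your version). Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Controller   = 'ddc01',
    [string]$Drive        = 'LockdownGpo',
    [string]$EvidenceFile = '.\citrix-lockdown-evidence.csv'
)

Add-PSSnapin Citrix.Common.GroupPolicy -ErrorAction Stop
if (-not (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $Drive -PSProvider CitrixGroupPolicy -Root \ -Controller $Controller -ErrorAction Stop | Out-Null
}

# Questionnaire item -> Citrix policy setting. All of these take Allowed/Prohibited.
$questionMap = [ordered]@{
    Clipboard      = 'ClientClipboardRedirection'
    FixedDrives    = 'ClientFixedDrives'
    NetworkDrives  = 'ClientNetworkDrives'
    RemovableMedia = 'ClientRemoveableDrives'   # Citrix's own spelling of the setting
    Optical        = 'ClientOpticalDrives'
    Floppy         = 'ClientFloppyDrives'
    USB            = 'ClientUsbDeviceRedirection'
    Print          = 'ClientPrinterRedirection'
    LPT            = 'ClientLptPortRedirection'
    COM            = 'ClientComPortRedirection'
    Microphone     = 'MicrophoneRedirection'
    Audio          = 'ClientAudioRedirection'
}
$driveTypes = 'ClientFixedDrives','ClientNetworkDrives','ClientRemoveableDrives','ClientOpticalDrives','ClientFloppyDrives'

# Constructed sample answers; a real run would Import-Csv the returned sheets.
# Anything not answered 'yes' (including a question left blank) stays closed.
$answers = @(
    [pscustomobject]@{ Group='Clinicians';  Clipboard='yes'; USB='yes'; Microphone='yes'; Audio='yes'; Print='yes'; RemovableMedia='yes'; Why='dictation devices and label printing' }
    [pscustomobject]@{ Group='Contractors'; Print='no'; Why='third party, view-only access' }
)

function ConvertTo-LockdownSettings {
    # Returns one record per setting with its state and the justification given.
    param([pscustomobject]$Row)
    $result = foreach ($q in $questionMap.Keys) {
        $answer = $Row.PSObject.Properties[$q].Value
        $state  = if ("$answer" -eq 'yes') { 'Allowed' } else { 'Prohibited' }
        [pscustomobject]@{ Group=$Row.Group; Question=$q; Setting=$questionMap[$q]; State=$state; Why=$Row.Why }
    }
    # Master switch: the per-type drive settings only matter when client drive
    # redirection itself is allowed, so open it only if some drive type was requested.
    $anyDrive = @($result | Where-Object { $_.Setting -in $driveTypes -and $_.State -eq 'Allowed' }).Count -gt 0
    $result += [pscustomobject]@{ Group=$Row.Group; Question='(derived)'; Setting='ClientDriveRedirection'
                                  State=$(if ($anyDrive) { 'Allowed' } else { 'Prohibited' }); Why='master switch for the drive types above' }
    $result
}

function Set-LockdownPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$PolicyName, [object[]]$Settings)
    $policyPath = "${Drive}:\User\$PolicyName"
    if (-not (Test-Path $policyPath)) {
        if ($PSCmdlet.ShouldProcess($policyPath, 'Create user policy')) { New-Item $policyPath | Out-Null }
        if (-not (Test-Path $policyPath)) { return }   # -WhatIf: nothing to configure yet
    }
    foreach ($s in $Settings) {
        # Locate the setting wherever the provider files it under Settings\ICA.
        $item = Get-ChildItem "$policyPath\Settings\ICA" -Recurse |
                Where-Object { $_.PSChildName -eq $s.Setting } | Select-Object -First 1
        if (-not $item) { Write-Warning "$($s.Setting) not found under $policyPath; check the setting name"; continue }
        if ($PSCmdlet.ShouldProcess("$PolicyName\$($s.Setting)", "State = $($s.State)")) {
            Set-ItemProperty -Path $item.PSPath -Name State -Value $s.State
        }
    }
}

$evidence = foreach ($row in $answers) {
    $settings = ConvertTo-LockdownSettings -Row $row
    Set-LockdownPolicy -PolicyName "Lockdown - $($row.Group)" -Settings $settings
    $settings
}

# Evidence trail: which answer opened which setting, and the reason the owner gave.
$evidence | Export-Csv -Path $EvidenceFile -NoTypeInformation
$evidence | Format-Table Group, Setting, State, Why -AutoSize
```

The script deliberately defaults to Prohibited: a question nobody answered never opens anything, which is the opposite of the "buffet" problem the first question warns about. A policy created this way has no assignment yet; assign it to the group's Delivery Group or AD group and set its priority in Studio (or through your version's Filters node in the provider) before expecting it to take effect, and keep the evidence CSV with the change record.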

Sample Citrix Security Policy Planning Questions Ready to Send

Application Owner,

We are working to further secure our Citrix deployment and want to understand what you need to do your job each day beyond just keyboard and mouse input.  Through this questionnaire, we hope to ensure we are giving you and your team what you need to work, while putting reasonable controls in place to keep our environment secure.  With the ever-changing cyber security landscape, we need to do what we can to protect our company and your applications.  Please fill this out and return it to us. We may schedule a follow-up meeting.

  1. What do you need beyond just your keyboard and mouse in Application X/Desktop Y?
  2. Do you need to copy and paste things in and or out of Application X/Desktop Y?
    1. Just Text?
    2. Within the Session?
    3. Just out of the Session?
    4. Just into the Session?
  3. Do you need to copy/move anything from your computer’s drives into or out of Application X/Desktop Y?
    1. Fixed Drives
      1. Local drives on the computer you are logging in from (C: drive).
    2. Network Drives
      1. Network drives that are mapped on your local computer.
    3. Removable Media (Memory Cards or USB Drives)
    4. Optical
    5. Floppies
  4. Do you have to use any USB devices with Application X/Desktop Y?
  5. Do you need to Print?
  6. Do you have any old School LPT Printers (Weird Plug with Pins?)
  7. Do you have any COM Devices (Serial? Weird Plug with Pins?)
  8. Do you need a Microphone in Application X/Desktop Y?
  9. Do you need Audio in Application X/Desktop Y?


Upcoming VDI Lockdown Blogs

  1. Citrix Clipboard Lockdown
  2. Citrix Device Mapping Lockdown
  3. Citrix USB Lockdown
  4. Citrix Printing and “The Others” Lockdown
  5. Citrix Policy Lockdown How-To
  6. And a couple of others, along with an eBook collecting all of these articles in one document

Previous Lockdown Blogs

https://www.mycugc.org/blogs/cugc-blogs/2017/11/30/citrix-policy-lockdown-part-1

Appendix

Thanks for all the work that Carl Webster does on keeping up with his documentation scripts and policy lists and much more.

Policy Listings

http://carlwebster.com/downloads/download-info/citrix-default-user-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-default-computer-policy-settings/

http://carlwebster.com/downloads/download-info/citrix-policy-settings/

Documentation Scripts

http://carlwebster.com/downloads/download-info/xenappxendesktop-7-8/

Always a great overall reference, with good policy information in it.

https://docs.citrix.com/content/dam/docs/en-us/xenapp-xendesktop/7-15-ltsr/downloads/Citrix%20VDI%20Handbook%207.15%20LTSR.pdf