Security Policies - Citrix Break Out


Ed Schmidt1709159755

Question

I am curious what kind of security policies you put in place to avoid users "breaking out of Citrix". If someone was wanting to be malicious and was able to authenticate into StoreFront, it doesn't take much for them to break out and start dropping files on the server.

 

What kind of policies have you set to avoid this type of scenario?

 

Also, how do you manage a web-based app that you have published with Citrix to tie that down?


1 answer to this question


Probably the single worst setting you could have is a Citrix Policy "Launching of non-published programs during client connection." This would allow an attacker to modify an .ica file downloaded to their PC on launch. They can change the published resource name to something like Powershell.exe to override what program is launched.  

 

Other than that, you go through Group Policies and turn off items in case they somehow got a desktop. Do some pen testing with whichever browser you publish. Make sure you can't launch apps. Simply typing in the local address in the address bar for PowerShell was enough for IE! Lock down Explorer too by hiding drives. Maybe prevent access to C if you can. You can create an AD group to undo the policy by setting a deny attribute in the GPO permissions. That way your admins would not be susceptible to the lockdown policy.

 

If you really want to polish it, you could enable AppLocker. This can be configured to only run processes you specify. This is an awesome way to lock it down tight, but it requires some work. I forget the name of it, but it can run in an observation mode. This will report on processes that would have been blocked if AppLocker were enabled in the event log. That will allow you to build up a list and add processes users are OK to run to the list. Once you enable this, you'd have to test future apps out with AppLocker to ensure it doesn't interfere. 

 

Hope this helps. 
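
The audit-then-enforce workflow described in the answer, as an added example that is not part of the original post: AppLocker's observation mode is the "Audit only" enforcement mode, and the built-in AppLocker cmdlets can read its events and draft rules from them. The group name, output file name and list of programs to check are assumptions.

```powershell
# Added example. Run elevated on the session host (VDA).
# CONTOSO\CitrixUsers is a hypothetical AD group holding the published-app users.
$userGroup = 'CONTOSO\CitrixUsers'
$outFile   = Join-Path $PWD 'applocker-candidates.xml'   # hypothetical file name
$logs      = 'Microsoft-Windows-AppLocker/EXE and DLL',
             'Microsoft-Windows-AppLocker/MSI and Script'

# 1. Confirm the rule collections are in audit-only mode, not enforced or unset.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effective.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode | Format-Table -AutoSize

# 2. Show what would have been blocked, with per-file statistics.
foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -Statistics |
        Format-List
}

# 3. Turn the audited files into candidate allow rules for review (nothing is applied).
$files = foreach ($log in $logs) {
    Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited
}
if (-not $files) {
    Write-Warning 'No audited events found; leave audit mode running longer.'
    return
}
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User $userGroup `
        -RuleNamePrefix 'Audited' -IgnoreMissingFileInformation -Optimize -Xml |
    Out-File -FilePath $outFile -Encoding utf8

# 4. Before importing anything, check that the candidate rules do not allow a shell
#    that some user happened to start during the audit window.
#    The two programs below are a sample list; extend it for your environment.
$mustStayBlocked = 'WindowsPowerShell\v1.0\powershell.exe', 'cmd.exe' |
    ForEach-Object { Join-Path "$env:SystemRoot\System32" $_ }
Test-AppLockerPolicy -XmlPolicy $outFile -Path $mustStayBlocked -User $userGroup |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
```

A PolicyDecision of Allowed for either path means the matching candidate rule should be deleted from the XML before it goes into a GPO.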
