Security Policies - Citrix Break Out

[Ed Schmidt1709159755]

I am curious what kind of security policies you put in place to avoid users "breaking out of citrix".   If someone was wanting to be malicious and was able to authenticate into storefront it doesnt take much for them to break out and start dropping files on the server.

 

What kind of policies have you set to avoid this type of scenario.

 

Also, how do you  manage a webbased app that you have published with Citrix to tie that down.    

[Jason Ochs1709152296]

Probably the single worst setting you could have is a Citrix Policy "Launching of non-published programs during client connection." This would allow an attacker to modify an .ica file downloaded to their PC on launch. They can change the published resource name to something like Powershell.exe to override what program is launched.  

 

Other than that, you go through Group Policies and turn off items in case they somehow got a desktop. Do some pen testing with whichever browser you publish. Make sure you can't launch apps. Simply typing in the local address in the address bar for Powershell was enough for IE! Lock down explorer too by hiding drives. Maybe prevent access to C if you can. You can create an AD group to undo the policy by setting a deny attribute in the GPO permissions. That way your admins would not be susceptible to the lock down policy. 

 

If you really want to polish it, you could enable AppLocker. This can be configured to only run processes you specify. This is an awesome way to lock it down tight, but it requires some work. I forget the name of it, but it can run in an observation mode. This will report on processes that would have been blocked if AppLocker were enabled in the event log. That will allow you to build up a list and add processes users are OK to run to the list. Once you enable this, you'd have to test future apps out with AppLocker to ensure it doesn't interfere. 

 

Hope this helps.