
Sam Taylor

Members
  • Posts

    4
  • Joined

  • Last visited


Sam Taylor's Achievements

Newbie

Newbie (1/14)

  • Week One Done
  • One Month Later
  • First Post Rare
  • Conversation Starter Rare

Recent Badges

0

Reputation

  1. Hi All,

     We had a recent incident which broke many of our Virtual Desktops; the below message was being received:

     Upon contacting Citrix, they asked us to set the below key's value to 0 to remediate:

         HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Ica\GroupPolicy
         Name: EnforceUserPolicyEvaluationSuccess
         Type: REG_DWORD
         Value: 0

     I've had a look through some of the Citrix documentation which describes setting the key's value to 0:

     - Known issues | Citrix Virtual Apps and Desktops 7 2203 LTSR
     - Fixed issues | Citrix Virtual Apps and Desktops 7 2203 LTSR

     One of the above states:

     "Session Manager terminates session launches when the Group Policy evaluation fails. This is to prevent user access to resources that are restricted through Group Policy. The following user-implemented fix provides a registry toggle for administrators to dismiss the enforcement, which helps end users to connect to sessions even if the Group Policy evaluation fails:"

     Can anyone help us out with understanding what this means in practical terms? What are the security implications of having this disabled?
  2. Thanks Nicola, this is the way to collect the logs we want. Splunk is also not required.
  3. @Nicola Campaci Thanks for the response and the article, good to know. I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features.
  4. Hi All,

     I'm looking into our organisation's logging setup for the Netscaler appliances. We had originally thought we had a relatively complete logging setup for the Netscalers; the below screencap shows our configured logging levels on the Logging Profile.

     We have it set up to ship logs into our SIEM, and this seems to be fine. We are getting logs sent such as the below, showing a user signed into one of the appliances:

         <134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"

     Netscaler is also logging when commands are executed in the Netscaler CLI (the initial shell the user is dropped into when they SSH in; these events are also logging the source IP):

         <134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"

     The issue we're having is that we want the OS-level logs. I'll bullet point a few things we're keen to grab:

     - When a user SSHs into the box we should be grabbing the auth log showing the source/destination IP and port (auth.log?)
     - When a user drops into Bash we should be able to see the commands executed (bash.log? We expected to see this in the 'CMD_EXECUTED' events but they don't appear to be sent with our current setup)
     - System events (device is being shut down, restarted, etc.)
     - File write/delete events? This might be something separate from the above points, but we'd be keen to monitor some of the file paths where webshells were commonly observed being written to when exploited via CVE-2023-3519 (Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant)

     I suspect that for the first three bullet points we could perhaps use auditd, but someone better informed please correct me. Many thanks in advance for any feedback. Cheers! 🙂
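The CLI audit lines quoted in the last post are already enough to track logins and to flag commands that leave the NetScaler CLI for the underlying OS. The script below is an added example, not code from the post or from Citrix: it parses lines in that exact format and summarises them; the watchlist of command prefixes (including `shell`, the CLI command that drops into the OS shell the post refers to as Bash) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Regex for the NetScaler CLI audit-line format quoted in the post
# (<PRI> timestamp host PPE : module CLI CMD_EXECUTED seq 0 : User ... - Status ...).
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>\s+(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<ppe>\S+)\s+:\s+'
    r'(?P<module>\S+)\s+CLI\s+(?P<event>\S+)\s+(?P<seq>\d+)\s+\d+\s+:\s+'
    r'User (?P<user>\S+) - ADM_User (?P<adm>\S+) - Remote_ip (?P<ip>\S+) - '
    r'Command "(?P<cmd>.*)" - Status "(?P<status>\w+)"$'
)

# Assumed watchlist: CLI commands that leave the NetScaler CLI for the OS shell
# or dump configuration. Tune to what your environment considers sensitive.
WATCH_PREFIXES = ("shell", "show ns runningConfig", "save ns config")

def parse_line(line):
    """Return the fields of one CMD_EXECUTED line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Parse audit lines; count logins per (user, ip) and collect watchlisted commands."""
    logins = Counter()
    flagged = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # lines in another format (e.g. OS-level syslog)
            continue
        if rec["cmd"].startswith("login "):
            logins[(rec["user"], rec["ip"])] += 1
        elif rec["cmd"].startswith(WATCH_PREFIXES):
            flagged.append((rec["user"], rec["ip"], rec["cmd"], rec["status"]))
    return {"logins": dict(logins), "flagged": flagged, "unparsed": unparsed}

# Constructed sample lines in the same shape as those quoted in the post.
SAMPLE = [
    '<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : '
    'User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"',
    '<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : '
    'User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"',
    '<134> 01/01/2024:12:00:05 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40049 0 : '
    'User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "shell" - Status "Success"',
    'not an audit line',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Once a `shell` command is flagged for a user and source IP, the OS-level records the post asks about (auth.log, bash history, auditd) are where the follow-on activity would have to be found.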