On Wed, 16 May 2012, Adrián Puente Z. wrote:
> Hi everyone!
>
> I am looking for a good reference to secure a Citrix server to avoid a user
> to gain access to the operating system. So far I have some ideas like
> restricting the execution of the cmd.exe and (maybe) explorer.exe with
> a group policy in the domain.
>
> If you know about any document I can look at or have any experience about
> this that you want to share I will be very thankful. Thanks in advance.
Which Citrix products are you interested in? Citrix solutions are quite
powerful and complex, therefore understanding and securing them is not an
easy task. Here are some resources about securely deploying Citrix XenApp,
Citrix XenServer, and Citrix Access Gateway:
http://books.google.it/books?id=1k8ykeHLCp0C&lpg=PA476&ots=ZGj2TEpEPj&dq=securing%20citrix%20xenapp%20cmd.exe&hl=it&pg=PP1#v=onepage&q&f=false
http://www.citrix.com/lang/English/lp/lp_2317289.asp
http://support.citrix.com/servlet/KbServlet/download/20639-102-665890/user_security-1.0-5.5.0-en_gb.pdf
http://support.citrix.com/servlet/KbServlet/download/28-102-664972/Best%20Practices%20for%20Securing%20Citrix%20Secure%20Gateway%20Deployment.pdf
And here are some links that help mapping Citrix attack surface (and
consequently finding and fixing potential security holes):
http://www.vulnerabilityassessment.co.uk/Citrix.html (including links)
http://www.vulnerabilityassessment.co.uk/citrix_tools.zip
http://ikat.ha.cked.net/ (iKAT, interactive Kiosk Attack Tool)
Cheers,
--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE, QSA, ASV
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via Santorelli, 15 Fax: +39-011-32.46.497
10095 Grugliasco (TO) - ITALY http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------