Penetration Testing
Re: Securing Citrix May 25 2012 07:01AM
Paul Craig (paul ha cked net)
Ok, as a pen-tester who has spent a fair amount of time breaking
Citrix, and as the author of iKAT (which seems to always get used to
break Citrix), I thought it would only be fair to offer my 10 cents,
and suggestions for securing Citrix.

Securing Citrix installations really comes down to defense in depth;
no single solution is often enough to protect against a determined
hacker. However, multiple layers can make it (very) difficult/time
consuming, and likely cause your avg hacker to simply give up.
So some nice short tips for you:

1) Don't rely on group policy. Any application that is validating
group policy can be manipulated so as to avoid group policy. The new
version of iKAT being released in time for Defcon 20 will include a
very slick tool capable of dynamic memory patching to remove any local
group policy checks. Things such as DisableCMD, locking down Explorer,
IE, etc, all can be bypassed with 1 click.

2) SRP - Software Restriction Policies. A second generation method of
limiting the applications that can be run on a Windows install.
Although a smarter way of implementing restrictions, this is still
bypassable through various methods and not recommended - unless
implemented in a whitelist scenario and done very carefully.

3) AppLocker - Third generation software restrictions. This time much
harder to bypass when correctly implemented. My suggestion would be
to implement AppLocker restrictions on all binaries that can be
executed (whitelist), and deny ALL other binaries.
Avoid whitelisting applications like VBScript, Word, Excel, IE, as
obviously you can use these applications to run other applications :)
(i.e. iKAT's Officekat.xls)

4) Minimize, Minimize, Minimize. Remove any un-required applications,
binaries, help files, DLLs, URI handlers, file associations. If you
are allowing access to IE or a browser, ensure that it is locked down!
ClickOnce, Java, ActiveX should all be restricted. Turn on content
restrictions, and change the security zones for the "Internet".

5) Lock down file system ACLs. The best technique I have seen is an
inherited recursive NTFS permission on C:\ that states that any file
written by a user cannot be executed by the same user. So if you
download a binary to the Citrix machine, you can't execute it. This
of course does not stop WMI/VBS/VBA/JS (interpreted scripts) from being
executed, but goes a long way.

6) Firewall in front of the Citrix server, block egress access to
everything un-required, (iKAT obviously!) and only allow egress access
to specific hosts on specific ports.

7) AV. Goes without saying, but a good AV system that is set to
delete any binaries will help to slow down an attacker, and will
detect any binaries used in the public version of iKAT. Set the AV to
delete + report via email to you any detection.

8) Patch management system. In reality shell on a Citrix server is
not that hard to get, and even if you try your best and implement
steps 1-7, I am willing to bet $10 that I can still pop shell.
However, when I get shell I am usually an unprivileged user with no
access, no fun. So local exploits are my next step.
Patch your Citrix server, and patch it often. Ensure that there are
no local privilege escalation exploits, no insecure services, no
insecure file permissions.
It would be worth even running an msf session and trying all the various
msf tricks to get priv-esc; that would give you a baseline.

Hope that helps.
If anyone is interested in the iKAT project, be sure to check out the
Defcon 20 release. More shells, more tricks and more scantily clad
women.

Paul Craig
>
>
>
> On Wed, May 23, 2012 at 3:59 PM, Marco Ivaldi <raptor (at) mediaservice (dot) net [email concealed]> wrote:
>>
>> Adrian,
>>
>>
>> On Wed, 16 May 2012, Adrián Puente Z. wrote:
>>
>>> Hi everyone!
>>>
>>> I am looking for a good reference to secure a Citrix server to avoid a user gaining access to the operating system. So far I have some ideas like restricting the execution of cmd.exe and (maybe) explorer.exe with a group policy in the domain.
>>>
>>> If you know about any document I can look at or have any experience about this that want to share I will be very thankful. Thanks in advance.
>>
>>
>> Which Citrix products are you interested in? Citrix solutions are quite powerful and complex, therefore understanding and securing them is not an easy task. Here are some resources about securely deploying Citrix XenApp, Citrix XenServer, and Citrix Access Gateway:
>>
>> http://books.google.it/books?id=1k8ykeHLCp0C&lpg=PA476&ots=ZGj2TEpEPj&dq=securing%20citrix%20xenapp%20cmd.exe&hl=it&pg=PP1#v=onepage&q&f=false
>> http://www.citrix.com/lang/English/lp/lp_2317289.asp
>> http://support.citrix.com/servlet/KbServlet/download/20639-102-665890/user_security-1.0-5.5.0-en_gb.pdf
>> http://support.citrix.com/servlet/KbServlet/download/28-102-664972/Best%20Practices%20for%20Securing%20Citrix%20Secure%20Gateway%20Deployment.pdf
>>
>> And here are some links that help map the Citrix attack surface (and consequently find and fix potential security holes):
>>
>> http://www.vulnerabilityassessment.co.uk/Citrix.html (including links)
>> http://www.vulnerabilityassessment.co.uk/citrix_tools.zip
>> http://ikat.ha.cked.net/ (iKAT, interactive Kiosk Attack Tool)
>>
>> Cheers,
>>
>> --
>> ------------------------------------------------------------------
>> Marco Ivaldi                          OPSA, OPST, OWSE, QSA, ASV
>> Senior Security Advisor
>> @ Mediaservice.net Srl                Tel: +39-011-32.72.100
>> Via Santorelli, 15                    Fax: +39-011-32.46.497
>> 10095 Grugliasco (TO) - ITALY         http://www.mediaservice.net/
>> ------------------------------------------------------------------
>> PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
>>
>>
>>
>> ------------------------------------------------------------------------

>> This list is sponsored by: Information Assurance Certification Review Board
>>
>> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>> http://www.iacertification.org
>> ------------------------------------------------------------------------

>>
>
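Tip 3 in Paul Craig's post above recommends an AppLocker allow-list of the binaries that may run, with everything else denied and script hosts and Office left off the list. The script below is an added example, not code from the post or from the iKAT project: it enumerates executables in a set of trusted directories (`$trustedDirs` is a placeholder for your own build), filters out the launchers Paul warns about, generates publisher rules with hash fallback, and deploys the policy in audit mode so the AppLocker event log shows what would have been blocked before enforcement is switched on. The dropped-file path is constructed for the dry run.

```powershell
# Added example (not from the post or from iKAT): AppLocker allow-list built
# from what is already installed, deployed in AuditOnly first.
# Assumptions: run elevated on the Citrix host; $trustedDirs is a placeholder.
Import-Module AppLocker

$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# Launchers that let a user run arbitrary code from inside an allowed
# application; keep them out of the allow-list. Whether cmd.exe and
# powershell.exe belong here depends on your logon scripts.
$excludePattern = '\\(wscript|cscript|mshta|winword|excel|iexplore)\.exe$'

$files = foreach ($dir in $trustedDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe |
            Where-Object { "$($_.Path)" -notmatch $excludePattern }
    }
}

# Publisher rules for signed binaries, hash rules for the rest; -Optimize
# collapses per-file publisher rules into one rule per publisher/product.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# New-AppLockerPolicy emits EnforcementMode="NotConfigured". Start in AuditOnly:
# the Microsoft-Windows-AppLocker/EXE and DLL log then records every binary that
# would be blocked, and you flip the collection to "Enabled" once it is quiet.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -LiteralPath $policyPath -Value $xml -Encoding UTF8

# Dry run against a constructed file in a user-writable location. It matches no
# rule, so the decision is DeniedByDefault: that is the "deny ALL other
# binaries" behaviour of an enforced collection.
$dropped = 'C:\Users\Public\dropped.exe'
Set-Content -LiteralPath $dropped -Value 'constructed placeholder, not a real PE' -Encoding ASCII
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $dropped -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -LiteralPath $dropped

# Apply locally (use -Ldap to target a GPO instead). AppLocker evaluates nothing
# unless the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null
```

Two things to keep in mind: this only populates the Exe collection, so DLLs and scripts still need their own rules if you want the interpreted-script gap closed, and a publisher rule allows a signed binary wherever it sits, which is exactly why the filter above removes the script hosts by name rather than relying on their location.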

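Tip 5 describes an inheritable NTFS rule under which a file written by a user cannot be executed by that same user. The following is an added example, not code from Paul Craig's post, expressing that rule as a deny-execute ACE for the CREATOR OWNER well-known SID. Paul applies it at C:\; this version scopes it to the user-writable trees in `$targets` (a placeholder list), which is where downloaded binaries actually land, and then reads the ACL back to confirm the ACE is inheritable.

```powershell
# Added example (not from the post): inheritable deny-execute for the creator
# of each new file. Assumption: run elevated; try it on a test host first.
$targets = 'C:\Users', "$env:SystemRoot\Temp"   # placeholder scope

foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # *S-1-3-0 is CREATOR OWNER. When a file is created, NTFS replaces it in the
    # inherited ACE with the SID of whoever created the file, so every new file
    # carries a deny-execute entry for its own author.
    #   (OI) object inherit : child files receive the ACE
    #   (IO) inherit only   : the ACE is not applied to the folder itself
    #   (X)  execute        : FILE_EXECUTE, which CreateProcess needs on the image
    # No (CI): on a folder X means traverse, and the user must still be able to
    # enter folders they created.
    icacls.exe $dir /deny '*S-1-3-0:(OI)(IO)(X)' /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $dir" }
}

# Verify: the deny ACE should be present on each target with ObjectInherit and
# InheritOnly set, and nothing else.
foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' -and
                       $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

As Paul notes, this blocks image execution only; a script dropped into the same folder still runs under its interpreter, which is what the AppLocker allow-list is for. Two caveats when widening the scope toward C:\ as in the post: files created by a member of Administrators are by default owned by the Administrators group, so the inherited deny then binds to that group, and existing files are not retro-fitted in the same way as new ones, so check them separately with `icacls /T` before relying on the rule.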

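Tip 6 asks for egress filtering so the Citrix server can only reach specific hosts on specific ports. Paul is talking about a firewall in front of the server; the script below is an added example, not code from the post, that puts the same default-deny policy on the host firewall as a second layer (a local admin can undo it, so it complements rather than replaces the network firewall). All addresses and ports are placeholders for your domain controllers, DNS and Citrix licence/XML brokers.

```powershell
# Added example (not from the post): host-level default-deny egress with a
# short allow-list and logging of blocked outbound traffic.
# Assumptions: Windows Server 2012+ (NetSecurity module); placeholder hosts.
$dcs     = '10.0.0.10', '10.0.0.11'   # placeholder domain controllers
$dns     = '10.0.0.53'                # placeholder DNS server
$brokers = '10.0.1.20'                # placeholder Citrix licence / XML broker

# 1. Default-deny outbound on every profile and log the drops. During rollout
#    the log shows what you forgot to allow; afterwards it shows what a
#    compromised session tries to reach (an iKAT download, for instance).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultOutboundAction Block -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Explicit allow rules, each scoped by remote host AND remote port.
$rules = @(
    @{ Name = 'Egress DC (Kerberos, LDAP, SMB)'; Addr = $dcs;     Proto = 'TCP'; Ports = '88', '389', '445', '636' }
    @{ Name = 'Egress DC (Kerberos, LDAP UDP)';  Addr = $dcs;     Proto = 'UDP'; Ports = '88', '389' }
    @{ Name = 'Egress DNS';                      Addr = $dns;     Proto = 'UDP'; Ports = '53' }
    @{ Name = 'Egress Citrix licence/XML';       Addr = $brokers; Proto = 'TCP'; Ports = '27000', '7279', '80' }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow -Profile Any `
        -Protocol $r.Proto -RemoteAddress $r.Addr -RemotePort $r.Ports | Out-Null
}

# 3. Review what is in effect: profile defaults plus the outbound allow set.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultOutboundAction -AutoSize
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object DisplayName -like 'Egress *' |
    Format-Table DisplayName, Profile -AutoSize
```

Expect to extend the allow-list for the AV signature updates in tip 7 and the patching in tip 8; a default-deny that silently blocks those trades one control for two others, so watch the block log for the update servers during the first weeks.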