1 © 2016 Citrix
2 © 2016 Citrix
3 © 2016 Citrix
We want to share with you why focusing on security is a great opportunity for your business, help our customers gain competitive differentiation through security, and provide technical best practices you can incorporate into security-based assessments and designs.
This is a technical session with a lot of detailed information, such as registry entries and PowerShell commands, which are provided for you in the notes.
4 © 2016 Citrix
2015 was the world’s wake-up call. Arguably the alarm has been going off since at least 2005, but there has been more visibility in the last 3 years, due to the Snowden effect and an uptick in attacks.
In the last decade there have been many high-visibility breaches, such as:
TJMAX | Adobe | Home Depot | Sony | Heartland | Apple | Anthem | Target | OPM | Ashley Madison
• Billions of dollars are spent on security solutions, yet information remains vulnerable
• The volume of data breaches, data loss and theft, and cybercrime has increased – and the expectation is that they will only increase over time.
• New threats and attack vectors are emerging every day, whether it’s social engineering, ransomware or denial of service.
• There is no industry sector or vertical that’s safe: retail, finance, healthcare, education, government... all are targets.
5 © 2016 Citrix
We live in a world where the attacks come from anywhere.
The threat actors themselves are a lot more sophisticated and more organized. They collaborate, they’re unregulated, and they are profit driven.
Among them are disgruntled insiders, hacktivists, sponsored attackers, professional and amateur hackers, espionage and sophisticated criminal enterprises.
There’s also regulatory pressure.
And there’s disruptive technology like mobile, Cloud, and IoT that continuously test our
capabilities to defend.
These disruptive technologies and trends make our security perimeters more porous.
Data is at rest, in motion, and in use across a complex matrix of endpoints, networks, apps,
and storage and employees are mobile.
You need to prepare for conversations in your accounts that address security across this
matrix.
6 © 2016 Citrix
This is our opportunity
2/3 of organizations say they are increasing their security spend. And in case you are
wondering who to talk to …security decision makers have a rising influence on mobility. 80%
of security leaders have influence over the mobility budget – including 19% (about 1 in 5)
with bottom line authority, and about another 1/3 with significant influence.
7 © 2016 Citrix
When we look at security, Citrix maps to 5 fundamental pillars that enhance IT and Security Operations to reduce risk.
These pillars are identity and access, network, app, and data security, with monitoring and response.
They’re built on a foundation of confidentiality, integrity, and availability.
Each pillar has 3 key components that map directly to our security portfolio
I’m going to hand it over to Martin to dive deeper into recommendations on securing identity
and privilege.
8 © 2016 Citrix
In security, always expect the worst. And always expect that your defenses will be penetrated.
Always ask “And then what?”.
It’s not a question of “if” your security will be penetrated; the question is “when”.
9 © 2016 Citrix
January 2006 – Applying the Principle of Least Privilege to User Accounts on Windows XP
• https://technet.microsoft.com/en-us/library/bb456992.aspx
Question is not “if”, but “when” a security attack will happen
• The role of PoLP is to minimize the impact if an account is compromised
10 © 2016 Citrix
When talking about least privilege, most people think about delegated administration, but
PoLP should apply to everything – not just administrators, but all user accounts.
11 © 2016 Citrix
12 © 2016 Citrix
While almost everyone understands the reasoning behind PoLP, very few people realize that it should be applied to all types of user accounts. The following example is something that we’re constantly seeing in the field.
Most customers are using groups for publishing (which is great).
13 © 2016 Citrix
But what happens when they need to assign permissions to all users that are using their Citrix environment? For example, adding users to the local Remote Desktop Users group, or providing the required NTFS permissions for user profiles or folder redirection?
14 © 2016 Citrix
Most of the time they simply use Domain Users or Authenticated Users. This is one of the examples where people don’t follow PoLP and don’t even know it.
15 © 2016 Citrix
Avoid using multiple groups to provide access to the environment. If you require membership in multiple groups, not only are you more prone to error when provisioning access, but you can also leave unnecessary privileges behind when you decommission access.
16 © 2016 Citrix
• A user should be a member of only one group to have access to both the published resources and the required Citrix infrastructure
• Use proper group nesting instead of adding the user to two groups
• A proper nesting design helps with de-provisioning of privileges
17 © 2016 Citrix
18 © 2016 Citrix
19 © 2016 Citrix
20 © 2016 Citrix
This is more of what people
21 © 2016 Citrix
These are the default roles (with the exception of Custom).
22 © 2016 Citrix
Ongoing process – this should not only happen during the initial build. Regularly review privileges and remove them when they are no longer necessary.
23 © 2016 Citrix
The principle of least privilege is one of the ways to minimize the impact after a security breach. Another way is through proper network segmentation, and Kurt is going to talk about that approach.
Super accounts – instead of creating multiple accounts for different roles, a single powerful account is often used.
24 © 2016 Citrix
• If possible, use machine identities for authentication
• Hypervisor connection + PVS
The principle of least privilege is one of the ways to minimize the impact after a security breach. Another way is through proper network segmentation, and Andy is going to talk about that approach.
25 © 2016 Citrix
Recommended implementation steps
• The same principle applies to firewalls, for example: start with an open network, make sure everything works, then enable the firewall.
26 © 2016 Citrix
27 © 2016 Citrix
Script
The first thing I want to talk about is secure network zones.
The concept is that sensitive data is wrapped up in multiple layers of protection called zones.
Each zone has increased security requirements over the previous one.
Each zone can contain one or more dedicated networks and firewalls are used to restrict
communications between zones and networks within zones.
Confidential data that is transferred between or within zones should always be protected using encryption.
Reference
https://www.atsec.com/downloads/pdf/ISSE_2009-Secure_network_zones-Peter_Wimmer.pdf
28 © 2016 Citrix
Script
The outermost zone is called External and includes devices and networks that are not
controlled by the organization. For example, Internet users and partner companies. Rather
predictably, the external zone is the least trusted zone in the model.
29 © 2016 Citrix
Script
The second zone is called Presentation and includes internal client LANs and the networks
containing SBC and VDI machines. This zone is the first one managed by the organization and
the most likely to be attacked.
30 © 2016 Citrix
Script
The third zone is called Application and contains the app servers and logic used to process
data.
The Application zone also includes the management network because it needs to
communicate with the yellow and red zones.
31 © 2016 Citrix
Script
The innermost zone is called the Data zone and includes important infrastructure like
database servers. This is the most protected zone in the organization.
32 © 2016 Citrix
Script
There is one important rule that you should remember about secure network zones. Network traffic can only move between adjacent zones; it can’t jump zones. We do this to prevent sensitive data from being accessed directly from insecure networks.
Based on my experience, most customers do a really good job with the External and
Presentation zones but don’t do very much with the application and data zones. There is a
really big opportunity here to help customers improve their security.
33 © 2016 Citrix
Script
Let’s see how this concept works out for a XA / XD deployment. Each box in this diagram represents a separate network within the relevant zone.
The firewall between the presentation and application zones is configured to ensure that only
finance desktops can access the finance app server and only Human Resources desktops can
access the HR app server.
The firewall between the application and data zones is configured to ensure that the
database servers can only be accessed by the relevant app servers.
34 © 2016 Citrix
Script
This slide shows you how the secure network zone concept maps to the XA and XD control
infrastructure.
In this example we have three networks for the presentation zone, one for application and one for data. Remember, it’s not possible for the presentation networks to directly access the data network.
This diagram also shows important communication flows between each of the infrastructure
servers. We’re going to look at each of these flows and talk about why they should be
encrypted and how to do it.
Reference
http://support.citrix.com/article/CTX137556s/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf
http://www.basvankaam.com/2014/11/24/the-ultimate-xendesktop-7-x-internals-cheat-sheet/
35 © 2016 Citrix
Script
Why
StoreFront encryption is a priority because user credentials are transferred using obfuscation, not encryption. Encryption requires an algorithm and a key, while obfuscation just requires an algorithm, making it much easier to crack than encryption.
How
So how do we encrypt StoreFront traffic?
Install a private or public certificate on the StoreFront servers, and then add the certificate to
the https binding for the site. It’s really important that you disable http traffic or chances are
users will just bypass the encryption.
36 © 2016 Citrix
Script
Why
I recommend that you implement encryption for the Controller next, because obfuscated credentials are also passed between StoreFront and the Delivery Controllers, as well as between NetScaler and the Delivery Controllers.
How
All you have to do is install a certificate on the Controller; a private certificate is fine as it’s only going to be accessed by managed machines.
Once the certificate is installed, run the command shown here on the slide.
You can find the certificate thumbprint in the Details tab of the certificate.
To find the GUID of the Citrix Broker Service, use the PowerShell command Get-BrokerController.
Reference
http://support.citrix.com/article/CTX200415
How to create a web server SSL certificate manually - http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx
How to configure a port with an SSL certificate - https://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx
Certreq.exe syntax - https://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx
37 © 2016 Citrix
Script
Once the certificate is installed and the broker service has been configured, update
StoreFront and NetScaler to use https for the XML brokers and Secure Ticket Authority.
Finally, configure the XML service on the Controllers to ignore HTTP requests by setting
XmlServicesEnableNonSSL to 0.
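The StoreFront, Controller and XML-service steps from the last three slides, as an added PowerShell example (not Citrix's own script and not the command on the slide). The thumbprint and Broker service GUID are values you supply; the GUID comes from Get-BrokerController as described above. The registry path is from my reading of CTX200415, so confirm it there before deploying.

```powershell
# Added example (not Citrix code) for slides 35-37: https-only StoreFront and an https
# Broker/XML service. Thumbprint and GUID are placeholders supplied by the operator.
Import-Module WebAdministration

# --- StoreFront server ---------------------------------------------------------------
function Set-StoreFrontHttpsOnly {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$SiteName = 'Default Web Site'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    # Attach the certificate to the 0.0.0.0:443 SSL endpoint used by that binding.
    $cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
    # Remove the http binding: if cleartext is still reachable, users will end up on it.
    Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding
}

# Check on the StoreFront server that nothing is listening on port 80 any more.
function Test-NoHttpListener {
    param([int]$Port = 80)
    -not (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

# --- Delivery Controller -------------------------------------------------------------
function Set-BrokerHttpsOnly {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][guid]$BrokerServiceGuid    # read from Get-BrokerController output
    )
    # Bind the certificate to port 443 on behalf of the Broker service. HTTP.sys needs the
    # owning application id, which is why the service GUID is required.
    netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint appid="{$BrokerServiceGuid}"
    # Slide 37: stop answering XML/STA requests on plain http once StoreFront and NetScaler
    # have been switched to https. Registry path per CTX200415 (verify before use).
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\DesktopServer' `
        -Name 'XmlServicesEnableNonSSL' -Value 0 -Type DWord
    Restart-Service -Name CitrixBrokerService
}
```

Order matters: switch StoreFront and NetScaler to the https XML/STA addresses first, then set XmlServicesEnableNonSSL to 0, otherwise enumeration breaks while the change propagates. Test-NoHttpListener is meant for the StoreFront box only; the Controller keeps port 80 open for VDA registration, which this registry value does not affect.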
38 © 2016 Citrix
Script
Why
You should encrypt HDX traffic to prevent an attacker from being able to watch everything that a user is doing.
With the release of XenApp and XenDesktop 7.6 it is now possible to implement TLS encryption that is FIPS approved from Receiver to the VDA.
How
To enable TLS encryption you need to add certs to the VDAs, and then configure the VDAs
and Controllers to use encryption.
We’ll look at each of these steps in more detail because there are some important things to
consider.
Reference
http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html
https://www.citrix.com/blogs/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/
https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/
https://www.citrix.com/blogs/2015/07/13/xenapp-xendesktop-what-crypto-is-my-session-using/
39 © 2016 Citrix
Script
The first step is to deploy certificates to the VDAs.
This is super easy for dedicated desktops but much harder for pooled desktops which are
reset following a reboot. One solution is to add a wildcard certificate to the master image
such as *.Citrix.com. The problem though, is that if any of the VDAs are compromised, all
other VDAs are at risk.
A much better option is to use Microsoft Certificate Services to automatically provision
certificates using group policy. A startup script is then used to enable TLS.
This approach will only work for Desktop VDAs. For Server VDAs, the ICA listener is brought up too early during the boot process, before certificates can be automatically provisioned.
This doesn’t stop you from implementing encryption for non-provisioned Server VDAs, though.
40 © 2016 Citrix
Script
Once you have the cert installed on the VDA you need to run a PowerShell script that enables
TLS on the VDA. You can use a few different parameters with the script.
The SSLMinVersion parameter can be TLS_1.0, TLS_1.1 and TLS_1.2. The script will use
TLS_1.0 by default.
The SSLCipherSuite parameter allows you to select your preferred cipher suite, which can be Government, Commercial or All.
The certificate thumbprint parameter allows you to specify which certificate you want to use.
Most of the time you won’t need this parameter as you’ll just have one cert on the VDA.
41 © 2016 Citrix
Script
The last step is to enable encryption on the controller.
There are two PowerShell commands that you need to run on each controller. The first one
enables TLS for all delivery groups. You can also enable TLS for individual delivery groups if
you wish.
The second PowerShell command changes the address of the VDA in the ICA file from IP
address to FQDN so that it matches the name in the certificate.
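The startup-script approach from slide 39 together with the VDA and Controller steps from slides 40 and 41, as an added PowerShell example. It is not Citrix's script: Enable-VdaSSL.ps1 is Citrix's tool shipped on the XenApp/XenDesktop 7.6 media (Support\Tools\SslSupport), and the wrapper below only calls it. The copy location on the master image, the wait time, the TLS 1.2 / Commercial choice and the short value 'COM' for the Commercial suite are my assumptions; check them against the script's Get-Help output.

```powershell
# Added example (not Citrix's script) for slides 39-41: a computer startup script that
# waits for the GPO-autoenrolled machine certificate, then calls Enable-VdaSSL.ps1,
# plus the two controller-side commands. Paths and parameter values are assumptions.
param(
    [string]$EnableVdaSsl = 'C:\Tools\Enable-VdaSSL.ps1',   # assumed copy on the master image
    [int]$WaitSeconds = 300                                 # autoenrollment can lag the boot
)

function Get-VdaCertificate {
    # Newest unexpired machine certificate with a private key whose subject is this host's
    # FQDN. A pooled VDA gets a fresh one after each reset; an old one must not be reused.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Enable-VdaTls {
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        $cert = Get-VdaCertificate
        if ($cert) { break }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    if (-not $cert) { throw 'No valid machine certificate found; autoenrollment did not run.' }

    # TLS 1.2 only (the script defaults to TLS 1.0), the Commercial cipher set, and an
    # explicit thumbprint so the script cannot pick a stale certificate from the store.
    & $EnableVdaSsl -Enable -SSLMinVersion 'TLS_1.2' -SSLCipherSuite 'COM' `
        -CertificateThumbPrint $cert.Thumbprint
}

# --- Delivery Controller (run from a controller, not on the VDA) ----------------------
function Enable-HdxTlsOnControllers {
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
    # Slide 41, first command: require TLS for every delivery group's access policy rules.
    Get-BrokerAccessPolicyRule | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
    # Second command: put the VDA FQDN rather than its IP into the ICA file, so the name
    # Receiver connects to matches the certificate subject.
    Set-BrokerSite -DnsResolutionEnabled $true
}

Enable-VdaTls
```

Assign the script as a computer startup script in the GPO that also carries the autoenrollment policy; the polling loop covers the case where enrollment has not completed by the time the script runs. Because the listener only comes up after the certificate exists, this is the Desktop VDA path described above and does not help Server VDAs.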
42 © 2016 Citrix
Script
Why
The Controller communicates with the hypervisor to create and manage VMs. This includes
the initial authentication, during which the username and password of the service account
are sent over the wire.
How
To secure the hosting traffic use TLS encryption for XenServer and vSphere. Make sure that
your customers use trusted certs rather than the default non-trusted vendor certs.
If you have Hyper-V, the Controller will automatically leverage the WCF protocol to secure the
traffic.
43 © 2016 Citrix
Script
The last network flow we’re going to take a look at is between the Controller and SQL which
can include confidential data.
To enable encryption, add a certificate to your SQL server, a private cert is fine.
Configure the server to accept encrypted connections by opening SQL Server Configuration Manager, selecting the certificate that you want to use, and switching the Force Encryption flag to Yes.
Reference
https://msdn.microsoft.com/en-us/library/ms191192(v=sql.110).aspx
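A way to verify from a Delivery Controller that the Force Encryption setting really took effect, as an added PowerShell example that is not part of the deck. It uses System.Data.SqlClient from the .NET Framework and the sys.dm_exec_connections view; the server name is a placeholder.

```powershell
# Added example (not from the deck) for slide 43: confirm that connections to the site
# database are encrypted after Force Encryption is set. Server name is a placeholder.

function Test-SqlConnectionEncrypted {
    param(
        [Parameter(Mandatory)][string]$Server,      # e.g. 'SQL01.corp.example' (placeholder)
        [string]$Database = 'master',
        [switch]$RequestEncryption                  # client asks for TLS itself (Encrypt=True)
    )
    # TrustServerCertificate=False: a private-CA certificate is fine, but it must chain to a
    # root the controller trusts, otherwise a spoofed SQL server would be accepted silently.
    $cs = "Server=$Server;Database=$Database;Integrated Security=True;" +
          "Encrypt=$($RequestEncryption.IsPresent);TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # SQL Server reports the per-connection encryption state in this DMV.
        $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return ([string]$cmd.ExecuteScalar() -eq 'TRUE')
    } finally {
        $conn.Dispose()
    }
}

# With Force Encryption = Yes on the server, even a client that did NOT ask for TLS gets an
# encrypted session, so both checks should come back True.
function Test-SqlForceEncryption {
    param([Parameter(Mandatory)][string]$Server)
    $requested   = Test-SqlConnectionEncrypted -Server $Server -RequestEncryption
    $unrequested = Test-SqlConnectionEncrypted -Server $Server
    [pscustomobject]@{
        Server       = $Server
        RequestedTls = $requested
        ForcedTls    = $unrequested
        Ok           = ($requested -and $unrequested)
    }
}
```

Forced encryption on the server protects the wire, but a client that connects with Encrypt=False does not validate the server certificate; the connection strings the controllers use should therefore request encryption themselves so that a certificate mismatch is detected rather than silently accepted.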
44 © 2016 Citrix
Script
As you can see, all communications are now green and we have TLS between and within 3
zones and 5 networks. Once you’ve confirmed that everything works with encryption
enabled, you’re ready to start locking down the traffic between zones and networks using the
firewalls.
45 © 2016 Citrix
Script
Most customers use default port numbers now due to the availability of good network
scanners but there is a really interesting use case that I want to talk about. By default, many
of the FMA services use the same port for different functions. For example, the broker service
uses port 80 for VDA registrations, XML requests and the SDK. This prevents us from
implementing granular firewall rules for each of these different functions.
The good news though is that you can configure an FMA service to use different port
numbers for different functions. From a command prompt, query the executable of an FMA
service to see what options you have.
46 © 2016 Citrix
Script
In this example, I’ve run a command that configures the broker service to use different ports
for the VDAs, StoreFront and the SDK.
This allows me to configure the firewalls so that NetScaler is the only machine outside of the
server network able to query the XML broker.
Similarly, I can limit VDA port access on the controller to the VDA network and the SDK port
to the management network.
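To tie the "adjacent zones only" rule from slide 32 to the split Broker ports just described, here is an added PowerShell example (not from the deck): it validates a planned flow table against the zone order and then generates the controller's Windows Firewall rules, one per Broker function, scoped to the single network that needs it. Subnets, hosts and port numbers are constructed placeholders. The BrokerService.exe switches named in the comment are from memory of the Citrix documentation, so confirm them with the executable's help output as the slide suggests.

```powershell
# Added example (not from the deck) for slides 32-33 and 45-46. Subnets, hosts and ports
# are constructed placeholders; the BrokerService.exe syntax in the comment is from memory.

$Zones = @('External', 'Presentation', 'Application', 'Data')   # outermost first

# Traffic may only cross between neighbouring zones; anything else is a zone jump.
function Test-ZoneAdjacent {
    param([Parameter(Mandatory)][string]$From, [Parameter(Mandatory)][string]$To)
    $i = [array]::IndexOf($Zones, $From)
    $j = [array]::IndexOf($Zones, $To)
    if ($i -lt 0 -or $j -lt 0) { throw "Unknown zone: $From -> $To" }
    return ([math]::Abs($i - $j) -le 1)
}

# Planned inbound flows to a controller after splitting the Broker ports, e.g.
#   BrokerService.exe -VDAPORT 8080 -WIPORT 80 -SDKPORT 8081   (switch names from memory)
# so that VDA registration, XML/STA and SDK traffic no longer share port 80.
$Flows = @(
    [pscustomobject]@{ Name='VDA registration'; From='Presentation'; To='Application'; Source='10.10.0.0/24'; Port=8080 }
    [pscustomobject]@{ Name='XML and STA';      From='Presentation'; To='Application'; Source='10.20.0.10';   Port=80   }  # NetScaler only
    [pscustomobject]@{ Name='Broker SDK';       From='Application';  To='Application'; Source='10.30.0.0/24'; Port=8081 }  # management net
    [pscustomobject]@{ Name='Desktop to SQL';   From='Presentation'; To='Data';        Source='10.10.0.0/24'; Port=1433 }  # deliberate violation
)

function Get-ZoneViolations {
    $Flows | Where-Object { -not (Test-ZoneAdjacent -From $_.From -To $_.To) }
}

# One inbound allow rule per Broker function, limited to its source network or host.
function New-ControllerPortRules {
    param([switch]$WhatIf)
    $allowed = $Flows | Where-Object { $_.To -eq 'Application' -and (Test-ZoneAdjacent -From $_.From -To $_.To) }
    foreach ($f in $allowed) {
        New-NetFirewallRule -DisplayName "Citrix Broker - $($f.Name)" -Direction Inbound `
            -Protocol TCP -LocalPort $f.Port -RemoteAddress $f.Source -Action Allow -WhatIf:$WhatIf
    }
}

Get-ZoneViolations | Format-Table Name, From, To
New-ControllerPortRules -WhatIf
```

Get-ZoneViolations reports the desktop-to-SQL row, which is the kind of shortcut the zone model forbids. Windows Firewall allow rules are additive, so any broader existing rule for the same port (for instance one created at install time that allows port 80 from anywhere) has to be disabled, or the scoped rules add nothing.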
47 © 2016 Citrix
One of the most important principles of security is called defense in depth (also known as
castle approach). The strategy is based on the military principle that it is more difficult for an
enemy to defeat a complex and multi-layered defense system than to penetrate a single
barrier.
What we are going to do here is look at what an attacker would do, in a scenario where they have access to one published application.
48 © 2016 Citrix
The attacker has been able to get access to the testtemp account with the password “YourCompany123”. He found the account by looking for *temp*, *test*, *tst* or anything with “_”.
App A (Notepad) is published to Domain Users – it is just a simple test application, so why would you have a dedicated group used for publishing, right?
With the combination of an open test account and an app published to Domain Users, he can establish a session to one of the XA servers.
49 © 2016 Citrix
As the next step, he will try to break out of the application and start a command prompt (or task manager etc.) to access the rest of the operating system.
Now, if you believe that standard GPO policies will help you…
50 © 2016 Citrix
Publishing filtering should not be considered a security feature.
51 © 2016 Citrix
…think again. Especially if many applications are published, it’s very tough to secure such an environment. Assume that the attacker will always find a way.
The example above has bypassed some of the common security policies:
• Restrict C drive – accessed it through localhost instead
• Prevent access to the command prompt – PowerShell ISE is not disabled
• File dialog – used print as PDF instead
So, assuming that you cannot prevent this from happening, what can you do?
52 © 2016 Citrix
Goal – Explain that just hiding something doesn’t mean it’s secured as well.
Would you publish an application that is available to all users (Domain Users), is extremely hard to secure (Office) and contains its own scripting engine (Office VBA) on the same server as your payroll application, which is available only to a very limited number of users?
53 © 2016 Citrix
54 © 2016 Citrix
Goal – Describe that groups should always be used and specific users should be avoided.
Also, if possible, try to avoid anonymous users or shared accounts. This can often be a balance between the economic aspect and the security aspect – but from a security perspective, it should always be possible to link a user account to a specific name.
55 © 2016 Citrix
56 © 2016 Citrix
57 © 2016 Citrix
58 © 2016 Citrix
DNS tunneling
59 © 2016 Citrix
http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx
We have already taken enough of your time that you could spend securing your environment
or selling security related services to your customers, so it is time to wrap up our
presentation.
60 © 2016 Citrix
So to wrap up, we want to leave you with a few actionable takeaways and tools that will help
you set up your own security focused services.
61 © 2016 Citrix
https://www.citrix.com/about/legal/security-compliance/common-criteria.html
62 © 2016 Citrix
There are also a number of Microsoft tools to help you analyze customer environments, create a baseline configuration, and confirm compliance with industry best practices.
63 © 2016 Citrix
64 © 2016 Citrix
You might be wondering how much we know about your experience with our products, and
what we’re doing to improve product quality and make your experience better.
Our product supportability efforts are the result of paying attention to the issues and
concerns you raise when engaging with our Support teams as well as the feedback you
provide to our Sales and Consulting groups.
The details you see here speak to some of the work we’ve done already, and where we’re
currently focused.
For more details on supportability efforts, visit: www.citrix.com/supportability
65 © 2016 Citrix
66 © 2016 Citrix

SYN 208: Power HDX 3D Applications with Intel and NVIDIA GPUs. SYN 208: Power HDX 3D Applications with Intel and NVIDIA GPUs.
SYN 208: Power HDX 3D Applications with Intel and NVIDIA GPUs.
 
Citrix CTO Perspective: The Application Delivery Continuum
Citrix CTO Perspective: The Application Delivery ContinuumCitrix CTO Perspective: The Application Delivery Continuum
Citrix CTO Perspective: The Application Delivery Continuum
 
SYN303: Receiver + StoreFront + Gateway
SYN303: Receiver + StoreFront + GatewaySYN303: Receiver + StoreFront + Gateway
SYN303: Receiver + StoreFront + Gateway
 
SYN 214: Linux Virtual Desktop Capabilities, Use Cases, Architecture, and Dep...
SYN 214: Linux Virtual Desktop Capabilities, Use Cases, Architecture, and Dep...SYN 214: Linux Virtual Desktop Capabilities, Use Cases, Architecture, and Dep...
SYN 214: Linux Virtual Desktop Capabilities, Use Cases, Architecture, and Dep...
 
SYN111: What's New and Exciting with XenMobile
SYN111: What's New and Exciting with XenMobileSYN111: What's New and Exciting with XenMobile
SYN111: What's New and Exciting with XenMobile
 
„So nutzen Sie Xing & Co für Ihren Vertriebserfolg“
„So nutzen Sie Xing & Co für Ihren Vertriebserfolg“„So nutzen Sie Xing & Co für Ihren Vertriebserfolg“
„So nutzen Sie Xing & Co für Ihren Vertriebserfolg“
 
SYN240: Next-Generation Management and Analytics
SYN240: Next-Generation Management and AnalyticsSYN240: Next-Generation Management and Analytics
SYN240: Next-Generation Management and Analytics
 
Citrix Mobile Analytics Report September 2014: Mobile subscriber data usage t...
Citrix Mobile Analytics Report September 2014: Mobile subscriber data usage t...Citrix Mobile Analytics Report September 2014: Mobile subscriber data usage t...
Citrix Mobile Analytics Report September 2014: Mobile subscriber data usage t...
 
SYN 321: Securing the Published Browser
SYN 321: Securing the Published BrowserSYN 321: Securing the Published Browser
SYN 321: Securing the Published Browser
 
12 Game Changing Ways to Mobilize Teaching and Learning
12 Game Changing Ways to Mobilize Teaching and Learning12 Game Changing Ways to Mobilize Teaching and Learning
12 Game Changing Ways to Mobilize Teaching and Learning
 

Similar to SYN 220: XenApp and XenDesktop Security Best Practices

8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App DeliveryMighty Guides, Inc.
 
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...ijcnes
 
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...University of Technology, Sydney
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxsarah david
 
Whitepaper: Security of the Cloud
Whitepaper: Security of the CloudWhitepaper: Security of the Cloud
Whitepaper: Security of the CloudCloudSmartz
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfsarah david
 
The evolution of IT in a cloud world
The evolution of IT in a cloud worldThe evolution of IT in a cloud world
The evolution of IT in a cloud worldZscaler
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackThousandEyes
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackThousandEyes
 
Presentation cisco cloud security
Presentation   cisco cloud securityPresentation   cisco cloud security
Presentation cisco cloud securityxKinAnx
 
Improving Cloud Visibility, Accountability & Security
Improving Cloud Visibility, Accountability & SecurityImproving Cloud Visibility, Accountability & Security
Improving Cloud Visibility, Accountability & SecurityDoug Copley
 
IRJET- An Overview on Cloud Computing and Challenges
IRJET-  	  An Overview on Cloud Computing and ChallengesIRJET-  	  An Overview on Cloud Computing and Challenges
IRJET- An Overview on Cloud Computing and ChallengesIRJET Journal
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCCloudflare
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the MassesIRJET Journal
 

Similar to SYN 220: XenApp and XenDesktop Security Best Practices (20)

8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery8 Experts on Flawless App Delivery
8 Experts on Flawless App Delivery
 
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
Investigation on Challenges in Cloud Security to Provide Effective Cloud Comp...
 
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...
UTSpeaks: Clearing up the Cloud - How should we navigate the pitfalls of IT’s...
 
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
 
Whitepaper: Security of the Cloud
Whitepaper: Security of the CloudWhitepaper: Security of the Cloud
Whitepaper: Security of the Cloud
 
Security of the Cloud
Security of the CloudSecurity of the Cloud
Security of the Cloud
 
Understanding the Cloud
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
 
The evolution of IT in a cloud world
The evolution of IT in a cloud worldThe evolution of IT in a cloud world
The evolution of IT in a cloud world
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT Stack
 
How to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT StackHow to Monitor Digital Dependencies Across Your Modern IT Stack
How to Monitor Digital Dependencies Across Your Modern IT Stack
 
Presentation cisco cloud security
Presentation   cisco cloud securityPresentation   cisco cloud security
Presentation cisco cloud security
 
Improving Cloud Visibility, Accountability & Security
Improving Cloud Visibility, Accountability & SecurityImproving Cloud Visibility, Accountability & Security
Improving Cloud Visibility, Accountability & Security
 
IRJET- An Overview on Cloud Computing and Challenges
IRJET-  	  An Overview on Cloud Computing and ChallengesIRJET-  	  An Overview on Cloud Computing and Challenges
IRJET- An Overview on Cloud Computing and Challenges
 
cloud1_aggy.pdf
cloud1_aggy.pdfcloud1_aggy.pdf
cloud1_aggy.pdf
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDCThe Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
 
Cloud Data Protection for the Masses
Cloud Data Protection for the MassesCloud Data Protection for the Masses
Cloud Data Protection for the Masses
 
J3602068071
J3602068071J3602068071
J3602068071
 

More from Citrix

Building The Digital Workplace
Building The Digital WorkplaceBuilding The Digital Workplace
Building The Digital WorkplaceCitrix
 
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Citrix
 
XenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideXenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideCitrix
 
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformDeploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformCitrix
 
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityManage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityCitrix
 
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?Citrix
 
Workforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityWorkforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityCitrix
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix
 
The Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapThe Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapCitrix
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix
 
Citrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix
 
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix
 
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesSynergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesCitrix
 
Manage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageManage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageCitrix
 
Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Citrix
 
Life in the Digital Workspace
Life in the Digital WorkspaceLife in the Digital Workspace
Life in the Digital WorkspaceCitrix
 
Comparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesComparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesCitrix
 
4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 MigrationCitrix
 
Citrix Paddington
Citrix PaddingtonCitrix Paddington
Citrix PaddingtonCitrix
 
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]Citrix
 

More from Citrix (20)

Building The Digital Workplace
Building The Digital WorkplaceBuilding The Digital Workplace
Building The Digital Workplace
 
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
 
XenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideXenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment Guide
 
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformDeploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
 
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityManage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
 
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
 
Workforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityWorkforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & Productivity
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment Guide
 
The Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapThe Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity Gap
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment Guide
 
Citrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch Notes
 
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
 
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesSynergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
 
Manage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageManage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usage
 
Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working
 
Life in the Digital Workspace
Life in the Digital WorkspaceLife in the Digital Workspace
Life in the Digital Workspace
 
Comparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesComparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspaces
 
4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration
 
Citrix Paddington
Citrix PaddingtonCitrix Paddington
Citrix Paddington
 
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]
The Security Compliance Countdown: How to Get Ahead of the GDPR [Infographic]
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

SYN 220: XenApp and XenDesktop Security Best Practices

  • 1. 1 © 2016 Citrix
  • 2. 2 © 2016 Citrix
  • 3. 3 © 2016 Citrix We want to share with you why focusing on security is a great opportunity for your business, help our customers gain competitive differentiation through security, and provide technical best practices you can incorporate into security-based assessments and designs. This is a technical session with a lot of detailed information, such as registry entries and PowerShell commands, which are provided for you in the notes.
  • 4. 4 © 2016 Citrix 2015 was the world’s wake-up call. Arguably the alarm has been going off since at least 2005, but there has been more visibility in the last 3 years, due to the Snowden effect and an uptick in attacks. In the last decade there have been many high-visibility breaches, such as: TJMAX | Adobe | Home Depot | Sony | Heartland | Apple | Anthem | Target | OPM | Ashley Madison • Billions of dollars are spent on security solutions, yet information remains vulnerable • The volume of data breaches, data loss and theft, and cybercrime has increased, and the expectation is that they will only increase over time. • New threats and attack vectors are emerging every day, whether it is social engineering, ransomware or denial of service. • There is no industry sector or vertical that's safe: retail, finance, healthcare, education, government, all are targets.
  • 5. 5 © 2016 Citrix We live in a world where attacks come from anywhere. The threat actors themselves are a lot more sophisticated and more organized: they collaborate, they’re unregulated, and they are profit driven. Among them are disgruntled insiders, hacktivists, sponsored attackers, professional and amateur hackers, espionage and sophisticated criminal enterprises. There’s also regulatory pressure. And there’s disruptive technology like mobile, cloud, and IoT that continuously tests our capabilities to defend. These disruptive technologies and trends make our security perimeters more porous. Data is at rest, in motion, and in use across a complex matrix of endpoints, networks, apps, and storage, and employees are mobile. You need to prepare for conversations in your accounts that address security across this matrix.
  • 6. 6 © 2016 Citrix This is our opportunity: 2/3 of organizations say they are increasing their security spend. And in case you are wondering who to talk to, security decision makers have a rising influence on mobility. 80% of security leaders have influence over the mobility budget, including 19% (about 1 in 5) with bottom-line authority, and about another 1/3 with significant influence.
  • 7. 7 © 2016 Citrix When we look at security, Citrix maps to 5 fundamental pillars that enhance IT and security operations to reduce risk. These pillars are identity and access, network, app, and data security, with monitoring and response. They’re built on a foundation of confidentiality, integrity, and availability. Each pillar has 3 key components that map directly to our security portfolio. I’m going to hand it over to Martin to dive deeper into recommendations on securing identity and privilege.
  • 8. 8 © 2016 Citrix In security, always expect the worst, and always expect that your defenses will be penetrated. Always ask “And then what?”. It’s not a question of “if” your security will be penetrated; the question is “when”.
  • 9. 9 © 2016 Citrix January 2006 – Applying the Principle of Least Privilege to User Accounts on Windows XP • https://technet.microsoft.com/en-us/library/bb456992.aspx The question is not “if”, but “when” a security attack will happen • The role of PoLP is to minimize the impact if an account is compromised
  • 10. 10 © 2016 Citrix When talking about least privilege, most people think about delegated administration, but PoLP should apply to everything: not just administrators, but all user accounts.
  • 12. While almost everyone understands the reasoning behind PoLP, very few people realize that it should be applied to all types of user accounts. The following example is something we constantly see in the field. Most customers use groups for publishing (which is great).
  • 13. But what happens when they need to assign permissions to all users of their Citrix environment? For example, adding users to the local Remote Desktop Users group and granting the NTFS permissions required for user profiles or folder redirection?
  • 14. Most of the time they simply use Domain Users or Authenticated Users. This is one of the cases where people don't follow PoLP and don't even know it.
  • 15. Avoid using multiple groups to provide access to the environment. If you require membership in multiple groups, not only are you more prone to error when provisioning access, but you can also leave unnecessary privileges behind when you decommission access.
  • 16.
    • A user should be a member of only one group to have access to both published resources and the required Citrix infrastructure.
    • Use proper group nesting instead of adding the user to two groups.
    • Proper nesting design helps with de-provisioning of privileges.
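The nesting design described in the slide 16 notes, as an added PowerShell example that is not part of the Citrix deck: one direct group membership per user, nesting for the infrastructure rights, a view of the resulting chain, and an audit of the local Remote Desktop Users group for the broad principals slide 14 warns about. The RSAT ActiveDirectory module, PowerShell 5.1 (LocalAccounts) and every group name are assumptions.

```powershell
# Added example, not from the Citrix deck. Assumes the RSAT ActiveDirectory
# module, PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts) and constructed
# group names; adjust them to the naming standard of the environment.
Import-Module ActiveDirectory

# The only principal ever placed in the local "Remote Desktop Users" group
# and granted NTFS rights on the profile / folder-redirection shares.
$InfraGroup = 'CTX-Infra-Access'
# Per-application groups, used for publishing. A user is added to exactly one
# of these and to nothing else; nesting supplies the infrastructure access.
$AppGroups  = 'CTX-App-Finance', 'CTX-App-HR'

function New-CitrixAccessGroups {
    # Idempotent: creates the groups if missing, then nests app groups in the infra group.
    if (-not (Get-ADGroup -Filter "Name -eq '$InfraGroup'")) {
        New-ADGroup -Name $InfraGroup -GroupScope DomainLocal -GroupCategory Security
    }
    foreach ($g in $AppGroups) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
        }
        Add-ADGroupMember -Identity $InfraGroup -Members $g
    }
}

function Grant-CitrixAppAccess {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$AppGroup)
    # The single direct membership. Removing it later de-provisions the
    # published app and the RDP/NTFS rights in one step.
    Add-ADGroupMember -Identity $AppGroup -Members $SamAccountName
}

function Get-EffectiveCitrixAccess {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Shows the chain that grants infrastructure access without a second
    # direct membership: user -> app group -> infra group.
    Get-ADPrincipalGroupMembership $SamAccountName |
        Where-Object { $AppGroups -contains $_.Name } |
        ForEach-Object {
            $parents = (Get-ADGroup $_.Name -Properties MemberOf).MemberOf |
                       ForEach-Object { (Get-ADGroup $_).Name }
            [pscustomobject]@{ User = $SamAccountName; DirectGroup = $_.Name; InheritedVia = ($parents -join ', ') }
        }
}

function Test-RdpGroupScope {
    # Audit (run on a VDA): flag broad principals in "Remote Desktop Users".
    # Matched by SID so the check is independent of display names and locale.
    Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object {
        $sid = $_.SID.Value
        # S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users, <domain>-513 = Domain Users
        $broad = $sid -in 'S-1-1-0', 'S-1-5-11' -or $sid -match '-513$'
        [pscustomobject]@{ Member = $_.Name; Sid = $sid; TooBroad = $broad }
    }
}
```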
  • 20. This is more of what people
  • 21. These are default roles (with the exception of Custom).
  • 22. This is an ongoing process; it should not happen only during the initial build. Regularly review privileges and remove them when they are no longer necessary.
  • 23. The principle of least privilege is one way to minimize the impact after a security breach. Another way is through proper network segmentation, and Kurt is going to talk about that approach. Super accounts: instead of creating multiple accounts for different roles, a single powerful account is often used.
  • 24.
    • If possible, use machine identities for authentication.
    • Hypervisor connection + PVS
    The principle of least privilege is one way to minimize the impact after a security breach. Another way is through proper network segmentation, and Andy is going to talk about that approach.
  • 25. Recommended implementation steps
    • The same principles apply to firewalls, for example. Start with an open network, make sure everything works, then enable the firewall.
  • 27. Script: The first thing I want to talk about is secure network zones. The concept is that sensitive data is wrapped in multiple layers of protection called zones. Each zone has increased security requirements over the previous one. Each zone can contain one or more dedicated networks, and firewalls are used to restrict communications between zones and between networks within zones. Confidential data that is transferred between or within zones should always be protected using encryption. Reference: https://www.atsec.com/downloads/pdf/ISSE_2009-Secure_network_zones-Peter_Wimmer.pdf
  • 28. Script: The outermost zone is called External and includes devices and networks that are not controlled by the organization, for example Internet users and partner companies. Rather predictably, the External zone is the least trusted zone in the model.
  • 29. Script: The second zone is called Presentation and includes internal client LANs and the networks containing SBC and VDI machines. This zone is the first one managed by the organization and the most likely to be attacked.
  • 30. Script: The third zone is called Application and contains the app servers and logic used to process data. The Application zone also includes the management network, because it needs to communicate with the yellow and red zones.
  • 31. Script: The innermost zone is called the Data zone and includes important infrastructure like database servers. This is the most protected zone in the organization.
  • 32. Script: There is one important rule that you should remember about secure network zones: network traffic can only move between adjacent zones; it can't jump zones. We do this to prevent sensitive data from being accessed directly from insecure networks. Based on my experience, most customers do a really good job with the External and Presentation zones but don't do very much with the Application and Data zones. There is a really big opportunity here to help customers improve their security.
  • 33. Script: Let's see how this concept works out for a XA/XD deployment. Each box in this diagram represents a separate network within the relevant zone. The firewall between the Presentation and Application zones is configured to ensure that only Finance desktops can access the Finance app server and only Human Resources desktops can access the HR app server. The firewall between the Application and Data zones is configured to ensure that the database servers can only be accessed by the relevant app servers.
  • 34. Script: This slide shows how the secure network zone concept maps to the XA and XD control infrastructure. In this example we have three networks for the Presentation zone, 1 for Application and 1 for Data. Remember, it's not possible for the Presentation networks to directly access the Data network. This diagram also shows important communication flows between each of the infrastructure servers. We're going to look at each of these flows and talk about why they should be encrypted and how to do it. Reference: http://support.citrix.com/article/CTX137556s/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf and http://www.basvankaam.com/2014/11/24/the-ultimate-xendesktop-7-x-internals-cheat-sheet/
  • 35. Script. Why: StoreFront encryption is a priority because user credentials are transferred using obfuscation, not encryption. Encryption requires an algorithm and a key, while obfuscation requires only an algorithm, making it much easier to crack than encryption. How: So how do we encrypt StoreFront traffic? Install a private or public certificate on the StoreFront servers, and then add the certificate to the HTTPS binding for the site. It's really important that you disable HTTP traffic, or chances are users will just bypass the encryption.
  • 36. Script. Why: I recommend that you implement encryption for the Controller next, because obfuscated credentials are also passed between StoreFront and the Delivery Controllers, as well as between NetScaler and the Delivery Controllers. How: All you have to do is install a certificate on the Controller; a private certificate is fine, as it's only going to be accessed by managed machines. Once the certificate is installed, run the command shown on the slide. You can find the certificate thumbprint in the Details tab of the certificate. To find the GUID of the Citrix Broker Service, use the PowerShell command Get-BrokerController. Reference: http://support.citrix.com/article/CTX200415; How to create a web server SSL certificate manually: http://blogs.technet.com/b/pki/archive/2009/08/05/how-to-create-a-web-server-ssl-certificate-manually.aspx; How to configure a port with an SSL certificate: https://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx; Certreq.exe syntax: https://technet.microsoft.com/en-us/library/cc736326(WS.10).aspx
  • 37. Script: Once the certificate is installed and the Broker Service has been configured, update StoreFront and NetScaler to use HTTPS for the XML brokers and the Secure Ticket Authority. Finally, configure the XML service on the Controllers to ignore HTTP requests by setting XmlServicesEnableNonSSL to 0.
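The Controller steps from slides 36 and 37 (bind a certificate to the Broker Service, then set XmlServicesEnableNonSSL to 0), as an added example that is neither the deck's command nor CTX200415's text. It assumes an elevated PowerShell 4+ session on a 7.6 Controller; the certificate subject, the Broker Service GUID (which the deck says to obtain with Get-BrokerController) and the registry path under HKLM\SOFTWARE\Citrix\DesktopServer are placeholders or assumptions.

```powershell
# Added example, not from the Citrix deck or CTX200415. Run elevated on each
# Delivery Controller. Certificate subject, port, Broker Service GUID and the
# registry path are placeholders or assumptions.
param(
    [Parameter(Mandatory)][string]$CertSubject,   # e.g. 'CN=ddc01.corp.example' (placeholder)
    [Parameter(Mandatory)][string]$BrokerAppId,   # Broker Service GUID in braces (slide 36: Get-BrokerController)
    [int]$Port = 443
)

function Get-ControllerCertThumbprint {
    param([string]$Subject)
    # Newest unexpired machine certificate with a private key for the subject;
    # the same value the deck points to in the certificate's Details tab.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate with subject '$Subject' in LocalMachine\My" }
    $cert.Thumbprint
}

function Set-BrokerHttpsBinding {
    param([string]$Thumbprint, [string]$AppId, [int]$Port)
    # Register the certificate with HTTP.sys for the Broker Service's application id.
    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$Thumbprint" "appid=$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit $LASTEXITCODE)" }
}

function Disable-BrokerPlaintextXml {
    # XmlServicesEnableNonSSL = 0 makes the XML service ignore HTTP requests (slide 37).
    # The key location is an assumption; the value name is the one on the slide.
    $key = 'HKLM:\SOFTWARE\Citrix\DesktopServer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'XmlServicesEnableNonSSL' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-BrokerXmlHardening {
    param([int]$Port)
    # Verification: HTTP.sys holds a certificate binding on the port and the flag reads 0.
    $binding = netsh http show sslcert "ipport=0.0.0.0:$Port"
    $flag = (Get-ItemProperty 'HKLM:\SOFTWARE\Citrix\DesktopServer' -Name XmlServicesEnableNonSSL `
                -ErrorAction SilentlyContinue).XmlServicesEnableNonSSL
    [pscustomobject]@{
        HttpsBound      = [bool]($binding -match 'Certificate Hash')
        PlaintextXmlOff = ($flag -eq 0)
    }
}

$thumb = Get-ControllerCertThumbprint -Subject $CertSubject
Set-BrokerHttpsBinding -Thumbprint $thumb -AppId $BrokerAppId -Port $Port
Disable-BrokerPlaintextXml
Restart-Service -DisplayName 'Citrix Broker Service'   # picks up the binding and the registry value
Test-BrokerXmlHardening -Port $Port
```

Only after both fields report true should StoreFront and NetScaler be switched to HTTPS for the XML brokers and STA, as slide 37 describes.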
  • 38. Script. Why: You should encrypt HDX traffic to prevent an attacker from being able to watch everything that a user is doing. With the release of XenApp and XenDesktop 7.6 it is now possible to implement FIPS-approved TLS encryption from Receiver to the VDA. How: To enable TLS encryption you need to add certs to the VDAs, and then configure the VDAs and Controllers to use encryption. We'll look at each of these steps in more detail, because there are some important things to consider. Reference: http://docs.citrix.com/en-us/xenapp-and-xendesktop/7-6/xad-security-article/xad-ssl.html; https://www.citrix.com/blogs/2014/10/16/xenapp-and-xendesktop-7-6-security-fips-140-2-and-ssl-to-vda/; https://www.citrix.com/blogs/2014/12/11/how-to-secure-ica-connections-in-xenapp-and-xendesktop-7-6-using-ssl/; https://www.citrix.com/blogs/2015/07/13/xenapp-xendesktop-what-crypto-is-my-session-using/
  • 39. Script: The first step is to deploy certificates to the VDAs. This is super easy for dedicated desktops but much harder for pooled desktops, which are reset following a reboot. One solution is to add a wildcard certificate such as *.Citrix.com to the master image. The problem, though, is that if any of the VDAs is compromised, all other VDAs are at risk. A much better option is to use Microsoft Certificate Services to automatically provision certificates using Group Policy; a startup script is then used to enable TLS. This approach will only work for Desktop VDAs. For Server VDAs, the ICA listener is brought up too early during the boot process, before certificates can be automatically provisioned. This doesn't stop you implementing encryption for non-provisioned Server VDAs, though.
  • 40. Script: Once you have the cert installed on the VDA, you need to run a PowerShell script that enables TLS on the VDA. You can use a few different parameters with the script. The SSLMinVersion parameter can be TLS_1.0, TLS_1.1 or TLS_1.2; the script uses TLS_1.0 by default. The SSLCipherSuite parameter allows you to select your preferred cipher suite, which can be Government, Commercial or All. The certificate thumbprint parameter allows you to specify which certificate you want to use. Most of the time you won't need this parameter, as you'll have just one cert on the VDA.
  • 41. Script: The last step is to enable encryption on the Controller. There are two PowerShell commands that you need to run on each Controller. The first one enables TLS for all Delivery Groups; you can also enable TLS for individual Delivery Groups if you wish. The second PowerShell command changes the address of the VDA in the ICA file from IP address to FQDN so that it matches the name in the certificate.
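The VDA and Controller steps from slides 39 to 41, as an added example (not Citrix's own script): a wrapper around the Enable-VdaSSL.ps1 script shipped with 7.6 that raises the minimum version above the TLS_1.0 default, the two Controller commands, and an audit for Delivery Groups still without HDX TLS. The script's location and the exact spelling of its cipher-suite values are assumptions; the wrapper reads the accepted values from the script rather than hard-coding them.

```powershell
# Added example, not Citrix's own script. Enable-VdaTls runs on the VDA with a
# copy of the Enable-VdaSSL.ps1 script from the 7.6 media (path assumed); the
# other two functions run on a Delivery Controller with the 7.6 Broker snap-in.

function Enable-VdaTls {
    param(
        [string]$ScriptPath = 'C:\Tools\SslSupport\Enable-VdaSSL.ps1',  # assumed location of the shipped script
        [string]$Thumbprint                                              # only needed with more than one cert installed
    )
    # Read the accepted cipher-suite values from the script's own ValidateSet so the
    # "Commercial" option is selected whatever its exact spelling in this release.
    $valid = (Get-Command $ScriptPath).Parameters['SSLCipherSuite'].Attributes |
        Where-Object { $_ -is [System.Management.Automation.ValidateSetAttribute] } |
        Select-Object -ExpandProperty ValidValues
    $commercial = $valid | Where-Object { $_ -like 'COM*' } | Select-Object -First 1
    if (-not $commercial) { throw "Cannot determine the commercial SSLCipherSuite value; see Get-Help $ScriptPath" }

    # Parameters named on slide 40; TLS_1.2 instead of the script's TLS_1.0 default.
    $splat = @{ Enable = $true; SSLMinVersion = 'TLS_1.2'; SSLCipherSuite = $commercial }
    if ($Thumbprint) { $splat.CertificateThumbPrint = $Thumbprint }
    & $ScriptPath @splat
}

function Enable-ControllerHdxTls {
    param([string]$DeliveryGroup = '*')   # '*' = every Delivery Group, or name a single one
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
    # Command 1 (slide 41): require TLS on the access rules of the chosen Delivery Group(s).
    Get-BrokerAccessPolicyRule -DesktopGroupName $DeliveryGroup |
        Set-BrokerAccessPolicyRule -HdxSslEnabled $true
    # Command 2: put the VDA's FQDN rather than its IP into the ICA file so the
    # address matches the certificate subject.
    Set-BrokerSite -DnsResolutionEnabled $true
}

function Get-HdxTlsGaps {
    # Audit: access rules still delivering plaintext HDX, alongside the site-wide DNS setting.
    Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
    $dns = (Get-BrokerSite).DnsResolutionEnabled
    Get-BrokerAccessPolicyRule | Where-Object { -not $_.HdxSslEnabled } | ForEach-Object {
        [pscustomobject]@{
            DeliveryGroup     = $_.DesktopGroupName
            Rule              = $_.Name
            HdxSslEnabled     = $false
            SiteDnsResolution = $dns
        }
    }
}
```

Get-HdxTlsGaps returning nothing, with SiteDnsResolution true elsewhere, is the state the green arrows on slide 44 represent for the HDX flow.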
  • 42. Script. Why: The Controller communicates with the hypervisor to create and manage VMs. This includes the initial authentication, during which the username and password of the service account are sent over the wire. How: To secure the hosting traffic, use TLS encryption for XenServer and vSphere. Make sure that your customers use trusted certs rather than the default non-trusted vendor certs. If you have Hyper-V, the Controller will automatically leverage the WCF protocol to secure the traffic.
  • 43. Script: The last network flow we're going to look at is between the Controller and SQL, which can include confidential data. To enable encryption, add a certificate to your SQL Server; a private cert is fine. Configure the server to accept encrypted connections by opening SQL Server Configuration Manager, selecting the certificate that you want to use, and switching the Force Encryption flag to Yes. Reference: https://msdn.microsoft.com/en-us/library/ms191192(v=sql.110).aspx
  • 44. Script: As you can see, all communications are now green and we have TLS between and within 3 zones and 5 networks. Once you've confirmed that everything works with encryption enabled, you're ready to start locking down the traffic between zones and networks using the firewalls.
  • 45. Script: Most customers use default port numbers now, due to the availability of good network scanners, but there is a really interesting use case that I want to talk about. By default, many of the FMA services use the same port for different functions. For example, the Broker Service uses port 80 for VDA registrations, XML requests and the SDK. This prevents us from implementing granular firewall rules for each of these functions. The good news, though, is that you can configure an FMA service to use different port numbers for different functions. From a command prompt, query the executable of an FMA service to see what options you have.
  • 46. Script: In this example, I've run a command that configures the Broker Service to use different ports for the VDAs, StoreFront and the SDK. This allows me to configure the firewalls so that NetScaler is the only machine outside of the server network able to query the XML broker. Similarly, I can limit VDA port access on the Controller to the VDA network, and the SDK port to the management network.
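The firewall side of slides 45 and 46, as an added example not from the deck: once the Broker Service has been moved to one port per function, each port is allowed only from the network that needs it (VDA network, StoreFront and NetScaler, management network) and the shared default port 80 is blocked, followed by a check that the dedicated ports are really held by the Broker Service. Port numbers and subnets are constructed placeholders; the NetSecurity and NetTCPIP modules of Windows Server 2012 R2 are assumed.

```powershell
# Added example, not from the Citrix deck. Run elevated on a Delivery Controller
# after the Broker Service has been reconfigured to one port per function
# (slide 46). Ports and subnets below are constructed placeholders.
$BrokerRules = @(
    @{ Name = 'CTX Broker VDA registration'; Port = 8081; Remote = '10.10.20.0/24' }            # VDA network
    @{ Name = 'CTX Broker XML (StoreFront)';  Port = 8082; Remote = '10.10.10.5', '10.10.10.6' } # StoreFront servers, NetScaler SNIP
    @{ Name = 'CTX Broker SDK (management)';  Port = 8083; Remote = '10.10.30.0/24' }            # management network
)

function Set-BrokerPortRules {
    # One allow rule per function, each limited to the source network that needs it.
    foreach ($r in $BrokerRules) {
        Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $r.Port -RemoteAddress $r.Remote -Profile Domain | Out-Null
    }
    # The shared default port carries no function any more; block it explicitly.
    Get-NetFirewallRule -DisplayName 'CTX Broker legacy port 80' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'CTX Broker legacy port 80' -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort 80 -Profile Domain | Out-Null
}

function Test-BrokerListeners {
    # Verification: each dedicated port is held by the Broker Service process and
    # the rule scoping it is enabled. A listener of 'none' means the service has
    # not been moved to that port yet (slide 25: make it work first, then lock down).
    foreach ($r in $BrokerRules) {
        $conn = Get-NetTCPConnection -State Listen -LocalPort $r.Port -ErrorAction SilentlyContinue |
                Select-Object -First 1
        $proc = if ($conn) { (Get-Process -Id $conn.OwningProcess).ProcessName } else { 'none' }
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port        = $r.Port
            Listener    = $proc                               # expected: the Broker Service executable
            RuleEnabled = [bool]($rule -and $rule.Enabled -eq 'True')
            AllowedFrom = ($r.Remote -join ', ')
        }
    }
}

Set-BrokerPortRules
Test-BrokerListeners | Format-Table -AutoSize
```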
  • 47. One of the most important principles of security is called defense in depth (also known as the castle approach). The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex, multi-layered defense system than to penetrate a single barrier. What we are going to do here is look at what an attacker would do, based on a scenario where he has access to one published application.
  • 48. The attacker has been able to get access to the testtemp account with the password "YourCompany123". He found the account by looking for *temp*, *test*, *tst* or anything with "_". App A (Notepad) is published to Domain Users; it is just a simple test application, so why would you have a dedicated group for publishing it, right? With the combination of an open test account and an app published to Domain Users, he can establish a session to one of the XA servers.
  • 49. As the next step, he will try to break out of the application and start a command prompt (or Task Manager, etc.) to access the rest of the operating system. Now, if you believe that standard GPO policies will help you...
  • 50. Publishing filtering should not be considered a security feature.
  • 51. ...think again. Especially if many applications are published, it's very tough to secure such an environment. Assume that the attacker will always find a way. The example above bypassed some of the common security policies:
    • Restrict C drive: accessed through localhost instead
    • Prevent access to the command prompt: PowerShell ISE is not disabled
    • File dialog: using print to PDF instead
    So, assuming that you cannot prevent this from happening, what can you do?
  • 52. Goal: explain that just hiding something doesn't mean it's secured as well. Would you publish an application that is available to all users (Domain Users), is extremely hard to secure (Office) and contains its own scripting engine (Office VBA) on the same server as your payroll application, which is available only to a very limited number of users?
  • 54. Goal: describe that groups should always be used and specific users should be avoided. Also, if possible, try to avoid anonymous users or shared accounts. This is often a balance between the economic aspect and the security aspect, but from a security perspective, it should always be possible to link a user account to a specific name.
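An audit for the publishing practices in the slide 48 to 54 notes, as an added example that is not from the deck: it lists Delivery Group access rules and applications whose access goes to Domain Users, Authenticated Users or Everyone, to anonymous or unfiltered access, or to an individual account instead of a group. It assumes the 7.6 Broker PowerShell snap-in and the RSAT ActiveDirectory module on the Controller.

```powershell
# Added example, not from the Citrix deck. Run on a Delivery Controller with the
# 7.6 Broker snap-in and the RSAT ActiveDirectory module available.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-PrincipalKind {
    param([Parameter(Mandatory)][string]$Sid)
    # Well-known SIDs that admit everyone who can authenticate (slide 14's anti-pattern).
    if ($Sid -in 'S-1-1-0', 'S-1-5-11') { return 'Broad' }   # Everyone, Authenticated Users
    if ($Sid -match '-513$')            { return 'Broad' }   # <domain>-513 is Domain Users
    # Otherwise classify via AD: a group is what slide 54 asks for, a user is a finding.
    try { if (Get-ADGroup -Identity $Sid) { return 'Group' } } catch {}
    try { if (Get-ADUser  -Identity $Sid) { return 'User' } }  catch {}
    'Unknown'
}

function Get-PublishingAudit {
    # Delivery Group access rules decide who may launch anything from the group.
    $ruleFindings = foreach ($rule in Get-BrokerAccessPolicyRule) {
        if ($rule.AllowedUsers -and $rule.AllowedUsers -ne 'Filtered') {
            # Any / AnyAuthenticated / AnonymousOnly: no group scoping at all.
            [pscustomobject]@{ Scope = 'DeliveryGroup'; Name = $rule.DesktopGroupName
                               Principal = "$($rule.AllowedUsers)"; Kind = 'Broad' }
        }
        foreach ($u in $rule.IncludedUsers) {
            $kind = Get-PrincipalKind -Sid $u.SID
            if ($kind -ne 'Group') {
                [pscustomobject]@{ Scope = 'DeliveryGroup'; Name = $rule.DesktopGroupName
                                   Principal = $u.Name; Kind = $kind }
            }
        }
    }
    # Application-level user filters narrow or widen the list for one app (slide 48's Notepad).
    $appFindings = foreach ($app in Get-BrokerApplication | Where-Object UserFilterEnabled) {
        foreach ($name in $app.AssociatedUserNames) {
            $u = Get-BrokerUser -Name $name
            $kind = Get-PrincipalKind -Sid $u.SID
            if ($kind -ne 'Group') {
                [pscustomobject]@{ Scope = 'Application'; Name = $app.ApplicationName
                                   Principal = $name; Kind = $kind }
            }
        }
    }
    @($ruleFindings) + @($appFindings)
}

Get-PublishingAudit | Sort-Object Kind, Scope, Name | Format-Table -AutoSize
```

Every row is either a broad principal to replace with a dedicated group or an individual account that should be moved into one; an empty result is the target state.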
  • 58. DNS tunneling
  • 59. http://blogs.technet.com/b/fdcc/archive/2011/01/25/alwaysinstallelevated-is-equivalent-to-granting-administrative-rights.aspx We have already taken enough of your time that you could spend securing your environment or selling security-related services to your customers, so it is time to wrap up our presentation.
  • 60. So to wrap up, we want to leave you with a few actionable takeaways and tools that will help you set up your own security-focused services.
  • 61. https://www.citrix.com/about/legal/security-compliance/common-criteria.html
  • 62. There are also a number of Microsoft tools to help you analyze customer environments, create a baseline configuration and confirm compliance with industry best practices.
  • 64. You might be wondering how much we know about your experience with our products, and what we're doing to improve product quality and make your experience better. Our product supportability efforts are the result of paying attention to the issues and concerns you raise when engaging with our Support teams, as well as the feedback you provide to our Sales and Consulting groups. The details you see here speak to some of the work we've done already, and where we're currently focused. For more details on supportability efforts, visit: www.citrix.com/supportability