WebApp Sec mailing list archives
RE: Publishing Web Based Application via ICA protocol
From: "Welsh, Ed" <Ed.Welsh () fishnetsecurity com>
Date: Thu, 14 Jul 2005 13:23:58 -0500
Having just come off an assessment of a Citrix based application, I can say first hand that there are significant challenges to properly configuring the Citrix host system. You will need to lock down all file permissions. Remember your context menus (right click). A security policy or GPO will be needed to remove that option. The "Save as" dialogue from IE (or IE itself) can be used to browse the host and any networks it has access to, and can also be used to move, delete, etc... Remember that Citrix can allow a mapping of the local C: drive to a drive letter on the Citrix host. This will allow the user to copy from their local drive very easily. It is a good way to get viruses or keyloggers or trojans. Quite often simply browsing to and double clicking the explorer.exe binary from a "Save" or "Save as" dialogue will give a complete desktop even if IE was the only published application.

My personal opinion is that a well executed web application is more secure than anything Citrix based. In my case the client needed to make a fat client application web accessible and used Citrix to do it. If you are simply publishing a web URL to be run in IE, it might be better off as a well secured web front-end using high bit level SSL and some two factor authentication. By using Citrix you are accepting the users as part of your organization and treating them in a way similar to that of internal users.

EW

-----Original Message-----
From: Justin Clarke [mailto:justin () justinclarke com]
Sent: Thursday, July 14, 2005 8:19 AM
To: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

I have seen this type of deployment many times in the financial services sector. The biggest problem in this case is the use of Citrix - if misconfigured this can lead to someone being able to break out into the operating system of Citrix, and then wherever they can get from there (potentially allowing someone onto an Intranet or something).

My 2c

On Jul 13, 2005, at 7:05 PM, Saqib Ali wrote:

Hello WebAppSec gurus,

I have a web based application that I would like to further secure by tunneling it through SecureICA (Citrix) protocol. So basically I will be publishing the web based application in Internet Explorer on a Citrix Farm. This will prevent any files from being cached on the user's local computer. The application itself requires authentication, but I would like to keep the connections to the Citrix server anonymous. This way, I can delete the anonymous user's Windows profiles upon logoff, thus clearing any cached files and/or cookies. I am sure other people are doing this as well, so I would like to hear about some experiences using this type of stack to secure applications. What are some of the issues that I should look out for?

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
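Ed's reply lists the host-side lockdowns a published-IE deployment needs: remove the right-click context menu by GPO, stop the "Save as" dialog from browsing the host's drives, and stop local client drives from being mapped into the session. The script below is an added example, not code from this thread, from Citrix or from any poster: it audits a Windows host for the standard Windows policy values behind those lockdowns and reports which are missing. It assumes the usual policy-backed registry locations (Policies\Explorer, Policies\Microsoft\Windows\System, and the Terminal Services policy key); the Citrix ICA client-drive-mapping setting itself is configured in the Citrix policy console rather than in a registry key this script reads, so only the RDP equivalent (fDisableCdm) is checked here.

```powershell
# Added example (not from the thread): audit a Windows host that publishes IE through
# Citrix/Terminal Services for the lockdowns Ed Welsh describes: context menu removed,
# host drives blocked in browse/Save As dialogs, no Run/cmd, no client drive redirection.
# Registry paths are the standard Windows policy-backed keys. The Citrix-specific ICA
# client-drive-mapping policy is NOT read here (assumption: only the RDP-side value
# fDisableCdm is checked; confirm the ICA policy separately in the Citrix console).
# Run it inside a session as the published (anonymous) user so the HKCU checks reflect
# the policies that user actually receives; run as an admin they show the admin's hive.

$explorerPolicy = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$systemPolicy = @(
    'HKCU:\Software\Policies\Microsoft\Windows\System',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
)
$tsPolicy = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')

# Drive bitmask used by NoViewOnDrive / NoDrives: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
$driveC = 4

$checks = @(
    @{ Name  = 'Right-click context menu removed (NoViewContextMenu)'
       Paths = $explorerPolicy; Value = 'NoViewContextMenu'
       Test  = { param($v) $v -eq 1 } },
    @{ Name  = 'Host C: blocked in browse/Save As dialogs (NoViewOnDrive)'
       Paths = $explorerPolicy; Value = 'NoViewOnDrive'
       Test  = { param($v) ($v -band $driveC) -ne 0 } },
    @{ Name  = 'Host C: hidden from My Computer (NoDrives)'
       Paths = $explorerPolicy; Value = 'NoDrives'
       Test  = { param($v) ($v -band $driveC) -ne 0 } },
    @{ Name  = 'Run dialog removed (NoRun)'
       Paths = $explorerPolicy; Value = 'NoRun'
       Test  = { param($v) $v -eq 1 } },
    @{ Name  = 'Command prompt disabled (DisableCMD)'
       Paths = $systemPolicy; Value = 'DisableCMD'
       Test  = { param($v) $v -ge 1 } },
    @{ Name  = 'RDP client drive redirection disabled (fDisableCdm)'
       Paths = $tsPolicy; Value = 'fDisableCdm'
       Test  = { param($v) $v -eq 1 } }
)

function Get-PolicyValue {
    # Return the policy value from the first hive where it is defined, or $null if unset everywhere.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-PublishedAppLockdown {
    # Emit one result object per check; an unset value counts as MISSING, never as a pass.
    foreach ($c in $checks) {
        $v  = Get-PolicyValue -Paths $c.Paths -Name $c.Value
        $ok = ($null -ne $v) -and (& $c.Test $v)
        [pscustomobject]@{
            Check  = $c.Name
            Value  = $(if ($null -eq $v) { '<unset>' } else { $v })
            Status = $(if ($ok) { 'PASS' } else { 'MISSING' })
        }
    }
}

$results = Test-PublishedAppLockdown
$results | Format-Table -AutoSize
# A non-zero exit code lets a build or configuration pipeline reject the host
# until every lockdown is present.
if ($results | Where-Object Status -eq 'MISSING') { exit 1 }
```

A passing report is necessary but not sufficient: it confirms the policy values are present, not that NTFS permissions on the host are locked down or that a software restriction policy stops a user from launching explorer.exe from a file dialog, both of which Ed's reply also calls for and which this script does not measure.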