WebApp Sec mailing list archives

RE: Publishing Web Based Application via ICA protocol


From: "Welsh, Ed" <Ed.Welsh () fishnetsecurity com>
Date: Thu, 14 Jul 2005 13:23:58 -0500

Having just come off an assessment of a Citrix based application, I can say first hand that there are
significant challenges to properly configuring the Citrix host system.

You will need to lock down all file permissions.  Remember your context menus (right click).  A
security policy or GPO will be needed to remove that option.  The "Save As" dialog from IE (or IE
itself) can be used to browse the host and any networks it has access to, and can also be used to move,
delete, etc.

Remember that Citrix can allow a mapping of the local C: drive to a drive letter on the Citrix host.
This will allow the user to copy from their local drive very easily.  It is a good way to get viruses
or keyloggers or trojans.

Quite often simply browsing to and double-clicking the explorer.exe binary from a "Save" or "Save As"
dialog will give a complete desktop even if IE was the only published application.

My personal opinion is that a well executed web application is more secure than anything Citrix based.
In my case the client needed to make a fat client application web accessible and used Citrix to do it.
If you are simply publishing a web URL to be run in IE, it might be better off as a well-secured web
front-end using high-bit-level SSL and some two-factor authentication.

By using Citrix you are accepting the users as part of your organization and treating them in a way
similar to that of internal users.

EW
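The lockdown points above (context menus, the Open/Save dialog, hidden drives, drive mapping, and explorer.exe launched from a dialog) map onto a handful of Windows and Internet Explorer policy values. The PowerShell below is an added example, not code from this thread or from Citrix: it applies those values and audits a session for them. The registry values are the standard Windows/IE policy values the Group Policy editor writes; `fDisableCdm` is the Terminal Services "Do not allow drive redirection" policy, and it is an assumption here that the ICA client-drive-mapping setting must additionally be disabled in Citrix's own policy console, which this script does not touch.

```powershell
# Added example for locking down a Terminal Services / Citrix host that publishes
# only Internet Explorer.  Not from the mailing-list thread or from Citrix.
# Assumption: the Citrix-side "client drive mapping" setting is configured
# separately in the Citrix console; only the Windows/TS policy values are set here.

$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IeRestr  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
$ComDlg   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32'
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$AllDrives = 0x3FFFFFF   # 26-bit mask, one bit per drive letter A..Z

$Policies = @(
    # Explorer shell: no right-click menus, no drives visible or browsable, no Run box
    @{ Path = $Explorer; Name = 'NoViewContextMenu'; Value = 1 },
    @{ Path = $Explorer; Name = 'NoDrives';          Value = $AllDrives },
    @{ Path = $Explorer; Name = 'NoViewOnDrive';     Value = $AllDrives },
    @{ Path = $Explorer; Name = 'NoRun';             Value = 1 },
    # Only programs listed under the RestrictRun subkey may be started from the shell
    @{ Path = $Explorer; Name = 'RestrictRun';       Value = 1 },
    # Internet Explorer: remove File > Open and File > Save As, the usual way into the
    # common file dialog
    @{ Path = $IeRestr;  Name = 'NoFileOpen';        Value = 1 },
    @{ Path = $IeRestr;  Name = 'NoBrowserSaveAs';   Value = 1 },
    # Common Open/Save dialog: no places bar, no back button, no recent-file list
    @{ Path = $ComDlg;   Name = 'NoPlacesBar';       Value = 1 },
    @{ Path = $ComDlg;   Name = 'NoBackButton';      Value = 1 },
    @{ Path = $ComDlg;   Name = 'NoFileMru';         Value = 1 },
    # Terminal Services: refuse client drive redirection for the session
    @{ Path = $TsPolicy; Name = 'fDisableCdm';       Value = 1 }
)

function Set-SessionLockdown {
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
    }
    # RestrictRun allow-list: value names are arbitrary, value data is the exe name.
    # iexplore.exe is the published application; nothing else is listed.
    $rr = Join-Path $Explorer 'RestrictRun'
    if (-not (Test-Path $rr)) { New-Item -Path $rr -Force | Out-Null }
    Set-ItemProperty -Path $rr -Name '1' -Value 'iexplore.exe' -Type String
}

function Test-SessionLockdown {
    # Returns one line per missing or wrong setting; no output means compliant.
    $findings = @()
    foreach ($p in $Policies) {
        $cur = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($cur -ne $p.Value) {
            $findings += ('{0}\{1} = {2} (want {3})' -f $p.Path, $p.Name, $cur, $p.Value)
        }
    }
    $rr = Join-Path $Explorer 'RestrictRun'
    $allowed = @()
    if (Test-Path $rr) {
        $key = Get-Item $rr
        $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
    if ($allowed.Count -eq 0) {
        $findings += 'RestrictRun allow-list is empty (RestrictRun is off or nothing can run)'
    }
    if ($allowed -contains 'explorer.exe' -or $allowed -contains 'cmd.exe') {
        $findings += 'RestrictRun allow-list permits a shell (full desktop breakout)'
    }
    return $findings
}

# Usage: apply, then re-audit; the second call should print nothing.
Set-SessionLockdown
Test-SessionLockdown
```

Two caveats a practitioner should keep in mind. First, all but one of these are HKCU values, and an anonymous profile that is deleted at logoff will not keep them, so they belong in a GPO with loopback processing or in a mandatory profile rather than in a one-off script. Second, RestrictRun and the dialog policies only constrain what the Explorer shell and the common dialog will launch; they do not stop a binary that is already running from spawning a process, so Software Restriction Policies (or a later equivalent) with a default-deny rule are the stronger control, and explorer.exe being launchable from the Save As dialog is exactly the test to run after applying any of this.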
-----Original Message-----
From: Justin Clarke [mailto:justin () justinclarke com] 
Sent: Thursday, July 14, 2005 8:19 AM
To: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

I have seen this type of deployment many times in the financial services sector.  The biggest problem
in this case is the use of Citrix - if misconfigured this can lead to someone being able to break out
into the operating system of Citrix, and then wherever they can get from there (potentially allowing
someone onto an Intranet or something).

My 2c

On Jul 13, 2005, at 7:05 PM, Saqib Ali wrote:

Hello WebAppSec gurus,

I have a web based application that I would like to further secure by 
tunneling it through SecureICA (Citrix) protocol. So basically I will 
be publishing the web based application in Internet Explorer on a 
Citrix Farm. This will prevent any files from being cached on the user's 
local computer.

The application itself requires authentication. But I would like to keep 
the connections to the Citrix server anonymous. This way, I can delete 
the anonymous user's windows profiles upon logoff, and thus clearing 
any cached files and/or cookies.

I am sure other people are doing this as well. So I would 
like to hear about some experiences using this type of stack to secure 
applications. What are some of the issues that I should look out for?

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/