WebApp Sec mailing list archives

RE: Publishing Web Based Application via ICA protocol


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 14 Jul 2005 14:25:14 -0500

Saqib,

I am of the opinion that it is almost impossible to
provide a secure multi-user environment on Windows.

The zero-day for terminal services that will be out
soon will likely reinforce this. Hard to have a
buffer overflow in HTML. :)

There's an old checklist for "hacking citrix" out
there that's still sort of applicable. There's also
someone else on this list that can make a short
naughty list and post it if they are so inclined
to chime in on this thread...

With GPOs/LPOs you have a lot of control over locking
down IE's widgets which is good, so it's better than
some fat clients, but the horror of all the things
that IE can do, not to mention the ICA protocol itself,
concerns me highly.

At the very least I'd want rigorous binary auditing
tripwire style and probably something like CSA for
executable and process control.

What data is so important you can't have it cached?

The risk of exposing a windows desktop, especially
one with lots of users, may be worse.

-ae

-----Original Message-----
From: Justin Clarke [mailto:justin () justinclarke com] 
Sent: Thursday, July 14, 2005 8:19 AM
To: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

I have seen this type of deployment many times in the financial
services sector.  The biggest problem in this case is the use of
Citrix - if misconfigured this can lead to someone being able to
break out into the operating system of Citrix, and then wherever
they can get from there (potentially allowing someone onto an
Intranet or something).

My 2c

On Jul 13, 2005, at 7:05 PM, Saqib Ali wrote:

Hello WebAppSec gurus,

I have a web based application that I would like to further secure by
tunneling it through SecureICA (Citrix) protocol. So basically I will
be publishing the web based application in Internet Explorer on a
Citrix Farm. This will prevent any files from being cached on the
user's local computer.

The application itself requires authentication. But I would like to
keep the connections to the Citrix server anonymous. This way, I can
delete the anonymous user's windows profiles upon logoff, thus
clearing any cached files and/or cookies.

I am sure other people are doing this as well. So I would like to
hear about some experiences using this type of stack to secure
applications. What are some of the issues that I should look out for?

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
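Arian's suggestion of "rigorous binary auditing tripwire style" on the Citrix server can be done with a few lines of PowerShell. The script below is an added example, not code from anyone in this thread: it hashes the executables under a directory, stores a baseline, and on later runs reports files that were added, removed or changed. The root path, the baseline file location and the file extensions are assumptions to adjust for the farm in question.

```powershell
# Added example: tripwire-style baseline of executables on a terminal server.
# Assumptions: PowerShell 4 or later (Get-FileHash), and that the paths
# below are replaced with the directories and baseline location you use.
param(
    [string]$Root     = 'C:\Program Files',         # assumed directory to audit
    [string]$Baseline = 'C:\Audit\baseline.json',   # assumed baseline location
    [switch]$Update                                  # rewrite the baseline instead of comparing
)

# Hash every executable-type file under $Path and return a path -> SHA-256 map.
function Get-BinaryHashes {
    param([string]$Path)
    $map = @{}
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $map[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    return $map
}

# Compare a stored baseline with a fresh scan; returns the three change lists.
function Compare-Baseline {
    param([hashtable]$Old, [hashtable]$New)
    $report = @{ Added = @(); Removed = @(); Changed = @() }
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))  { $report['Added']   += $k }
        elseif ($Old[$k] -ne $New[$k])  { $report['Changed'] += $k }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k))  { $report['Removed'] += $k }
    }
    return $report
}

$current = Get-BinaryHashes -Path $Root

# First run (or -Update): write the baseline and stop.
if ($Update -or -not (Test-Path $Baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Output "Baseline written to $Baseline ($($current.Count) files)"
    exit 0
}

# Later runs: load the baseline back into a hashtable and diff it.
$stored = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $stored[$_.Name] = $_.Value }

$diff = Compare-Baseline -Old $stored -New $current
foreach ($kind in 'Added', 'Removed', 'Changed') {
    foreach ($path in $diff[$kind]) { Write-Output "$kind`t$path" }
}

# Non-zero exit lets a scheduled task or monitoring agent alert on drift.
if (($diff['Added'].Count + $diff['Removed'].Count + $diff['Changed'].Count) -gt 0) { exit 2 }
Write-Output "No changes against baseline"
exit 0
```

Run it once with `-Update` after the image is built and patched, then schedule it to run unattended; any non-zero exit is a change to a binary on a server where anonymous users get a desktop, which is exactly the kind of event the earlier replies are worried about. The baseline file itself should live somewhere the session users cannot write, otherwise it is no better than the binaries it is meant to guard.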