WebApp Sec mailing list archives
RE: Publishing Web Based Application via ICA protocol
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 14 Jul 2005 14:25:14 -0500
Saqib,

I am of the opinion that it is almost impossible to provide a secure multi-user environment on Windows. The zero-day for terminal services that will be out soon will likely reinforce this. Hard to have a buffer overflow in HTML. :)

There's an old checklist for "hacking citrix" out there that's still sort of applicable. There's also someone else on this list that can make a short naughty list and post it if they are so inclined to chime in on this thread...

With GPOs/LPOs you have a lot of control over locking down IE's widgets, which is good, so it's better than some fat clients, but the horror of all the things that IE can do, not to mention the ICA protocol itself, concerns me highly. At the very least I'd want rigorous binary auditing tripwire style and probably something like CSA for executable and process control.

What data is so important you can't have it cached? The risk of exposing a Windows desktop, especially one with lots of users, may be worse.

-ae
-----Original Message-----
From: Justin Clarke [mailto:justin () justinclarke com]
Sent: Thursday, July 14, 2005 8:19 AM
To: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

I have seen this type of deployment many times in the financial services sector. The biggest problem in this case is the use of Citrix - if misconfigured this can lead to someone being able to break out into the operating system of Citrix, and then wherever they can get from there (potentially allowing someone onto an Intranet or something).

My 2c

On Jul 13, 2005, at 7:05 PM, Saqib Ali wrote:

Hello WebAppSec gurus,

I have a web based application that I would like to further secure by tunneling it through SecureICA (Citrix) protocol. So basically I will be publishing the web based application in Internet Explorer on a Citrix Farm. This will prevent any files from being cached on the user's local computer.

The application itself requires authentication. But I would like to keep the connections to the Citrix server anonymous. This way, I can delete the anonymous user's Windows profiles upon logoff, and thus clear any cached files and/or cookies.

I am sure other people are doing this as well. So I would like to hear about some experiences using this type of stack to secure applications. What are some of the issues that I should look out for?

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.