Since the first shipping of Multi-User in 1991, Citrix® has grown in capability and usage as organisations take advantage of the many benefits of thin client technology for fat application deployments. By reducing administrative costs, improving control over the user environment and helping organisations conform to any number of legislative and regulatory standards, Citrix® is well-known and highly regarded by technology professionals and users alike.
Recent testing on some 50 projects, however, revealed in every one a number of serious issues which, when deploying Citrix®, can leave organisations badly exposed and vulnerable to a serious breach of their internal systems and data.
This is categorically not an issue with Citrix® itself, nor with the applications it presents, but with the design, implementation and management of the Citrix® environment.
Put simply, implementing Citrix® without fully understanding these issues and carefully considering how to mitigate them is potentially disastrous.
Current Trends & Findings
Overall, results from some 50 tests reveal:
- 100 per cent of Citrix® deployments tested were vulnerable to arbitrary code execution
- More than 80 per cent of deployments exposed commercially sensitive data
- Many breach Data Protection Act requirements
- Standard security procedures were not applied to most Citrix® deployments
The test results are of grave concern to the customers who have taken this service. The range of issues identified during assessments includes:
- Gaining read/write access to sensitive financial and trading data (offering the potential to breach SOX reporting requirements for example)
- Gaining read/write access to restricted drives (breaching basic security principles)
- Gaining read/write access to administrator accounts and passwords (breaching basic security principles)
- Gaining full access to customer & business databases (breaching DPA requirements amongst others)
- Ability to send any electronic information out of the business, avoiding content monitoring software (allowing simple data and identity theft)
- Discovery of breach of copyright laws (exposing the organisations concerned to the possibility of legal action for vicarious liability)
- Discovery of "anonymously saved" pornography and inappropriate material stored on company servers. Potentially this material could have been illegal, leading to possible seizure of the entire network by the police.
- Ability to install and run Trojan and backdoor hacking tools
Importantly, due to the nature of the issues, all of these activities can be conducted "anonymously", and all were conducted whilst existing security measures were in place.
We have seen that even for businesses that have invested a considerable amount of time, thought and attention in securing the Citrix® platform, high-risk vulnerabilities can still be found. As a result, we are confident in stating that simply working from hardening guides is not sufficient to secure Citrix®/Windows environments. However, applying more and more mitigation measures can often target expenditure in the wrong areas and address only the symptoms, not the causes. Testing is therefore essential to identify the real issues and select the appropriate controls.
Recommendations
Having stated there is a problem, it is equally important to offer the reassurance that there is a solution. There are four strands to problem resolution, which we are happy to discuss with any organisation running a Citrix® Environment. Please contact us for further information.
Alternatively, please download an overview of findings from our recent Citrix Environment Security Reviews including case study examples.