Blame Bad Citrix Admins for Poor Site Security, Expert Says

Web site administrators too often don't know how to use the security tools Citrix ships with its products.

Overworked, undereducated or lazy Citrix administrators are neglecting to install even the free SSL VPN that Citrix ships with products, users say, presenting the dismaying scenario of sites full of holes on domains that include government and military sites.

"I feel most of the problem is, simply put, really bad admins who are not following even the basics," Douglas A. Brown, president and chief technology officer of DABCC, based in Naples, Fla., said in an e-mail exchange. DABCCs offerings include Citrix support.

Security researcher Petko D. Petkov—aka "pdp"—said in an Oct. 4 posting that his recent testing of Citrix gateways led him to "tons" of "wide-open" Citrix instances, including 10 on government domains and four on military domains.

Petkov said he has found that searching on Google or Yahoo for files with Citrixs proprietary ICA (Independent Computing Architecture) extension returns files that offer up dangerously useful information about which server a given site is running on, the underlying transport mechanism and the remote application that Citrix will open. He said he has found several "critical" applications that he was afraid to even poke at, such as Citrix portals running a global logistics system application and a U.S. federal funding program.

Some users are disgruntled by the idea that Citrix technology might get a black eye from this embarrassing state of affairs, given that its bad Citrix administrators who are to blame.

"[Petkov] made a very valid point: Yeah, you can hack into Citrix via ICA files. You can brute-force your way in through there and what have you," Brown said in an interview with eWEEK. "But thats not the way its [supposed to be] implemented. If there are environments out there that havent followed basic practices 101 and implemented various technologies that ship with [Citrix] Presentation Manager, I dont think thats Citrixs fault."

During his years of working as a Citrix engineer, including working for Citrix itself, Brown said he walked into plenty of organizations where Web administrators would stick a server on the Internet and just leave it at that. "After [Citrix released an Internet log-in box], you started getting a lot of people that are very apprehensive about security or technologies theyre not necessarily good at, right? So you have these poor administrators who say Ill just stick a Citrix box out there, Ill create a hole in my firewall back to my Citrix server and stick [the application its running] out there."

Citrix has numerous security components that can be used to avoid putting up an insecure site. Citrix Presentation Server has a feature, Secure Gateway, which only needs to be turned on. That feature protects any application delivered via CPS.

Citrix Access Gateway also ships as an SSL (Secure Sockets Layer) VPN appliance that secures both ICA and non-ICA traffic. Access Gateway licenses come free with all versions of Presentation Server. To use them, customers must purchase the Access Gateway appliance, however.

Citrix also has a gateway product that maintains ICA file information that is only valid for less than 1 minute, which would render useless the information returned in a Google or Yahoo search such as those done by Petkov, Brown said.

"Citrix has … a slew of other stuff. Citrix sees itself not necessarily as a security company but one that can supply secure access," Brown said. "But the admin has to deploy it. He cant just install the server and be done with it. [This problem] comes down to poor, poor administrators."


Will Microsoft buy Citrix? Click here to read more.

The problem, in other words, isnt a lack of options for securing Citrix instances; the problem is that administrators arent using them. Thats due to a host of reasons: administrators being told to get a Citrix box up right away within a constant "its a fire" time frame, administrators being overworked and a lack of education as to how to do Citrix deployments securely, Brown said.

"We need to give them the education and time to do their job properly," he said. "Its not just government [and military domains that have security holes in their Citrix deployments]. Its .edu and .coms [as well]. Everybodys guilty of poor security practices, period," Brown said.

"If anything, this shows that administrators need to be aware that software is vulnerable. If you allow a way for a user to come into your company, you create a way for a hacker to come into your company. If you dont lock that door, youre guilty of anything that happens. If I dont the lock door to my house, thats my fault. Softwares not secure by nature; we have to secure it," he said.

Resources for secure Citrix deployment include a free e-book Brown wrote back when he was working for Citrix, available here. Its dated regarding screens but the essentials are still valid, he said.

DABCC has also recently released a book titled "Securing Microsoft Terminal Services" that addresses how to secure a Terminal Services/Citrix environment.

Citrixs security resources are available here.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.