- Citrix NFuse 1.5: Part 3 - Security
- Client/Web Server Communications
- Web Server/MetaFrame Server Communications
- Client/MetaFrame Server Communications
Client/Web Server Communications
There are really two distinct security issues between the user's Web browser and the Web server:
- Clear-text transmission of the HTML text stream. In particular, the user credentials entered on the NFuse logon screen are passed back to the Web server as clear text.
- Cached session information maintained on the user's personal computer. This includes user credentials stored in clear-text cookies, and the ICA connection files, which can also contain user credential information that can be exploited to gain access to a MetaFrame server.
Secure Sockets Layer and the HTML Text Stream
The most common way to secure the transmission of HTML text between a Web browser and the server is to use the Secure Sockets Layer (SSL) protocol. SSL provides support for server and client authentication, as well as data integrity and encryption. All Web servers and Web browsers that are compatible with NFuse 1.5 provide SSL support. To enable SSL connectivity, you will need to configure SSL on the NFuse-enabled Web server. For complete details on how to set up SSL connectivity for your particular Web server, refer to the server's documentation.
In my test environment, I am running IIS 5.0 on a Windows 2000 Server. To configure my IIS server to use SSL, I would go through the following steps:
- Acquire and install a server certificate on my Web server. This certificate verifies the identity of my Web server. Before SSL communications can be established, the Web browser must be able to match this certificate against its list of trusted certificate authorities (CAs). For my example, I am going to use a Web server certificate issued by a Microsoft Certificate Authority that is internal to my company (Noisy River). Certificates are installed and configured in IIS 5 by opening the IIS management snap-in and selecting the Properties option for your Web server. Figure 2 shows my sample IIS Web site along with the corresponding properties page. Under the Directory Security tab you will see a Server Certificate button. Until a valid certificate has been installed, the View and Edit buttons will not be available.
- After the certificate has been installed, the next step is to configure the Web site to require SSL encryption. I simply right-click on my Web folder, select Properties, and then click Edit under the Directory Security tab. Here there is a Require Secure Channel checkbox and a Require 128-Bit Encryption checkbox, as shown in Figure 3. Once Require Secure Channel is selected, a user must connect over SSL to reach the Web page at all. Requiring 128-bit encryption additionally rejects browsers that only support the weaker 40- and 56-bit export cipher suites, so check what your user base runs before enabling it.
Figure 2: IIS 5.0 Web site property page
Figure 3: Configuring a Web page to use a secure SSL channel
When these steps are completed, an intranet user in my company should be able to connect to my site and automatically establish an SSL secure tunnel. Because a CA internal to Noisy River issued my server certificate, the first time that a user's Web browser attempts to access the NFuse site, a dialog box will appear similar to the one in Figure 4. This warns the user that while the server certificate is itself well-formed and current, it was not issued by a CA that the browser has been configured to trust. Both Netscape and IE give the user the option to trust certificates from this authority. Rather than training users to click through this warning, which is exactly the prompt an attacker presenting a self-issued certificate would rely on, it is better to distribute the internal root CA certificate to the browsers (through Group Policy for IE, or as part of the desktop build) so that the warning never appears for legitimate servers.
Figure 4: Unknown CA security alert in IE
Once the certificate is accepted, the NFuse logon screen should appear and the closed padlock icon should be shown at the bottom of the Web browser (Netscape or IE). HTTP traffic between the NFuse-enabled Web server and the user's Web browser, including the credentials submitted on the logon form, is now encrypted in transit.
Web Browser Cookies
Any of the NFuse Web sites generated by the Web Site Wizard store the user credentials in clear text within a cookie on the user's local desktop. By default, this cookie exists only for the duration of the user's browser session. Although SSL protects the cookie in transit, anyone with access to the user's local browser can still retrieve this clear-text information. Citrix provides two possible "solutions" to this problem:
- Encrypt the data before writing it to the cookie. Citrix includes an ASP sample Web site that performs this operation. It can be found in the NFuse15\ASPEncrypt folder in the root of your NFuse Web server. The actual encryption algorithm is a simple XOR of the password to be encrypted with a randomly generated 512-byte session key. The resulting encrypted password has the same length as the original password, but the text now appears scrambled. The session key is kept in a server-side session object, so a cookie recovered from the user's machine after the session has ended cannot be turned back into the password. Bear in mind what this does not do: the scheme is only as strong as the randomness used to generate the key, and an attacker who can replay the cookie to the same live server-side session still gets in, because the server will unscramble it for them. The Web pages associated with the ASPEncrypt example include a large amount of information that describes exactly what operations are being performed.
- Instead of maintaining the user credentials in a cookie, store them in session variables on the Web server. This session information is unique to each user connected to the Web server, and the browser then holds only the session identifier. For example, the following ASP code stores the user ID and domain in the session object:
Session("nfuseUserID") = user
Session("nfuseDomain") = domain
For complete information on session variables and their properties, consult an ASP or JSP (JavaServer Pages) reference.
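The two options above, modelled in Python rather than ASP. This is an added illustration and not Citrix's ASPEncrypt sample or any NFuse code: the 512-byte random session key, the XOR, the same-length result and the server-side session store follow the description above; the function names, the hex encoding of the cookie value and the opaque session ID are my own choices.

```python
"""Model of the two NFuse cookie 'solutions' described above (added example, not Citrix code)."""
import secrets
import uuid
from typing import Dict, Tuple

# Server-side session store, standing in for the ASP Session object.
# The browser only ever needs to hold the opaque session ID (sid).
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    sid = uuid.uuid4().hex
    # The key comes from the OS CSPRNG; the scheme is only as good as this source.
    SESSIONS[sid] = {"key": secrets.token_bytes(512)}
    return sid


def end_session(sid: str) -> None:
    SESSIONS.pop(sid, None)


def scramble_password(sid: str, password: str) -> str:
    """Option 1: XOR the password with the session key before it is written to the cookie.

    The cookie value has the same byte length as the password, as the text notes,
    and is meaningless without the key held in the server-side session.
    """
    key = SESSIONS[sid]["key"]
    raw = password.encode("utf-8")
    if len(raw) > len(key):
        raise ValueError("password longer than the 512-byte session key")
    return bytes(b ^ k for b, k in zip(raw, key)).hex()


def unscramble_password(sid: str, cookie_value: str) -> str:
    """Server side: recover the password from the cookie with that session's key.

    Raises KeyError once the session is gone, so a cookie recovered later cannot be
    turned back into the password. While the session is alive, a replayed cookie
    still works: that is the limit of what the XOR buys you.
    """
    key = SESSIONS[sid]["key"]
    raw = bytes.fromhex(cookie_value)
    return bytes(b ^ k for b, k in zip(raw, key)).decode("utf-8", errors="replace")


def store_credentials_server_side(sid: str, user: str, domain: str, password: str) -> None:
    """Option 2: keep the credentials in the session object; nothing secret reaches the cookie."""
    SESSIONS[sid].update({"nfuseUserID": user, "nfuseDomain": domain, "nfusePassword": password})


def credentials_from_session(sid: str) -> Tuple[str, str, str]:
    s = SESSIONS[sid]
    return s["nfuseUserID"], s["nfuseDomain"], s["nfusePassword"]
```

Either option takes the clear-text password off the client. The difference is that option 1 still ships a value to the browser that the server will decode for anyone who presents it during the session, whereas option 2 ships only a session identifier, which is the better default when the Web server can keep per-user state.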
Cached ICA Files and ICA Session Tickets
When a user clicks on an application link, the corresponding ICA file is downloaded and processed by the user's ICA client to establish the actual connection to the appropriate MetaFrame server. Typically this file is stored in the browser's local file cache and, as a result, can be a potential target for an attacker trying to gain access to the MetaFrame environment.
The real vulnerability lies not in the fact that by default the ICA file includes the user ID (in clear text), domain (also in clear text), and password (scrambled with Citrix's Basic encryption scheme, which is a reversible obfuscation rather than real encryption), but that any ICA client can use this file to log onto any MetaFrame server that the user has access to without being prompted. If an attacker can steal an ICA file, then as long as the user does not change the password, that file can be used over and over again to launch the application with the user's credentials. The file can easily be edited to give the attacker a full desktop session on a MetaFrame server, unless the server has been configured to limit the user to a specific published application.
The following is a sample ICA file that I copied from the Temporary Internet Files directory on a Windows 98 desktop that had been used to access a published application via an NFuse-enabled Web server.
[WFClient]
Version=2
ClientName=nrsc-joeuser
[ApplicationServers]
MS PowerPoint 2000=
[MS PowerPoint 2000]
Address=10.25.125.85
InitialProgram=#MS PowerPoint 2000
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
Username=joeuser
Domain=nrsc
Password=0009a89b5289528d4a905c
DesiredHRES=640
DesiredVRES=480
TWIMode=On
[EncRC5-0]
DriverNameWin32=pdc0n.dll
[EncRC5-40]
DriverNameWin32=pdc40n.dll
[EncRC5-56]
DriverNameWin32=pdc56n.dll
[EncRC5-128]
DriverNameWin32=pdc128n.dll
Once I have this file, the first thing I can do is comment out the InitialProgram and TWIMode lines. The first change tells the ICA client to request a full desktop instead of the specific published application, while the second turns off seamless windows mode. Unless connections on the MetaFrame server (10.25.125.85) have been limited to published application connections only, these changes will allow me to run a full desktop session as joeuser.
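The edit just described, and the check an administrator would want to run against files found in a browser cache, worked through in Python. This is an added example and not a Citrix tool: parse_ica() and write_ica() handle the INI layout of an ICA file, escalate_to_desktop() performs the edit from the text (drop InitialProgram and TWIMode so the client asks for a full desktop), and audit_ica() flags files that carry reusable credentials. SAMPLE_ICA is a constructed copy of the cached file shown above.

```python
"""Cached ICA file: the attacker's edit and an administrator's audit (added example, not Citrix code)."""
import configparser
import io
from typing import List

# Constructed copy of the sample ICA file from the text.
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=nrsc-joeuser

[ApplicationServers]
MS PowerPoint 2000=

[MS PowerPoint 2000]
Address=10.25.125.85
InitialProgram=#MS PowerPoint 2000
DesiredColor=2
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
Username=joeuser
Domain=nrsc
Password=0009a89b5289528d4a905c
DesiredHRES=640
DesiredVRES=480
TWIMode=On

[EncRC5-0]
DriverNameWin32=pdc0n.dll

[EncRC5-128]
DriverNameWin32=pdc128n.dll
"""


def parse_ica(text: str) -> configparser.ConfigParser:
    # ICA keys are case-sensitive and values may contain '#' or '%', so keep key
    # case, disable interpolation and never treat part of a value as a comment.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   inline_comment_prefixes=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def write_ica(cp: configparser.ConfigParser) -> str:
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def app_sections(cp: configparser.ConfigParser) -> List[str]:
    """The connection sections are the names listed under [ApplicationServers]."""
    return list(cp["ApplicationServers"].keys())


def escalate_to_desktop(cp: configparser.ConfigParser) -> List[str]:
    """The attacker's edit from the text: without InitialProgram the client asks for a
    full desktop, and without TWIMode=On it leaves seamless-window mode. Only a
    server-side restriction to published applications stops the resulting logon.
    Returns the sections that were changed."""
    changed = []
    for app in app_sections(cp):
        # Both removals must run, hence '|' rather than 'or'.
        removed = cp.remove_option(app, "InitialProgram") | cp.remove_option(app, "TWIMode")
        if removed:
            changed.append(app)
    return changed


def audit_ica(cp: configparser.ConfigParser) -> List[str]:
    """Flag credential material that lets any ICA client reuse a cached file."""
    findings = []
    for app in app_sections(cp):
        sec = cp[app]
        if "Password" in sec:
            findings.append(f"{app}: Password present (Basic scramble, reusable until the password changes)")
        if "Username" in sec and "Domain" in sec and "Password" in sec:
            findings.append(f"{app}: full user/domain/password triplet; automatic logon as {sec['Username']}")
    return findings
```

Running audit_ica() over the Temporary Internet Files directory of a shared or kiosk desktop is a quick way to see whether the template.ica changes described in the next sections have actually taken effect for the sites your users hit.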
Fortunately, the MetaFrame administrator has a few options available at her disposal to try to make the actual ICA file more secure:
- Completely remove user credentials from the template.ica file
- Use Citrix session tickets for user authentication instead of the standard user ID, domain, and password triplet
Removing User Credentials from the template.ica file
If you modify the template.ica file for your Web site, you can remove every reference to the user's logon credentials. Without these credentials, the ICA file provides no additional information that could be used to compromise a user's account. The downside is that your users will be prompted to log onto every MetaFrame server they connect to before being able to run the published application. Note that the IFSESSIONFIELD wrapper below already omits the credentials when an ICA encryption level stronger than Basic is selected; deleting the whole block drops them for the Basic case as well. To remove the stored credentials, delete the following lines from the template.ica file:
<[NFuse_IFSESSIONFIELD sessionfield="NFUSE_ENCRYPTIONLEVEL" value="basic"]>
Username=[NFuse_User]
Domain=[NFuse_Domain]
Password=[NFuse_PasswordScrambled]
<[/NFuse_IFSESSIONFIELD]>
Implementing Session Ticketing
With the release of NFuse 1.5, Citrix has included a new user authentication security mechanism known as session ticketing. Session ticketing replaces the traditional process of passing the user ID, password, and domain to a MetaFrame server for logon. Instead, a session ticket is requested from the Citrix server farm by the Web server for the user before sending the ICA file. This session ticket information is placed into the ICA file, where it is then used by the client to perform user authentication. By default, session tickets are configured to have a timeout period of 200 seconds. After this time, or after the ticket has been used to authenticate the user, it expires and is no longer valid.
To use session tickets, you must have Service Pack 2 installed and Feature Release 1 activated on all servers that will be publishing applications. This is because FR1 includes updates to the MetaFrame server so that it can process session ticket logons properly. Nothing will happen if a user attempts to launch an application using a session ticket against a MetaFrame server that does not have FR1 activated. Session tickets are currently not supported with the initial release of the XML Service for Unix.
You can specify that you want to use ticketing during the generation of a Web site using the Web Site Wizard, or you can modify an existing site to use tickets simply by replacing the following user credential information in your template.ica file:
<[NFuse_IFSESSIONFIELD sessionfield="NFUSE_ENCRYPTIONLEVEL" value="basic"]>
Username=[NFuse_User]
Domain=[NFuse_Domain]
Password=[NFuse_PasswordScrambled]
<[/NFuse_IFSESSIONFIELD]>
with the following two lines:
AutologonAllowed=ON
[NFuse_Ticket]
The AutologonAllowed option is needed so that the ticket information is still passed through when an encryption level higher than Basic is required to connect to the MetaFrame server. By default, autologon is not permitted for any ICA session using encryption stronger than Basic, because the user credentials are sent during autologon before the strongly encrypted session between client and server has been established. The exposure is smaller with a ticket, since what crosses the wire is a short-lived, single-use value rather than the user's password. I will talk more about ICA session encryption a little later in this article.
If I once again look at the cached ICA file (assuming that I have not turned off caching), I will see the following information instead of the regular user authentication data:
AutologonAllowed=ON
Username=joeuser
Domain=\6D4F78F34C1FC0D6
ClearPassword=E515275B5A8E8B
The backslash (\) character signals to the MetaFrame server that the standard user credentials have not been provided and that a session ticket is to be used instead. The ticket is extracted and used to retrieve the domain and password information, which is then used to log on the user. If someone attempts to use a ticket that has either expired or already been used, the standard message for an invalid password or user ID will appear. Essentially, the ICA file itself is useless once the ticket is consumed, and a new one must be retrieved for the user to log on to either the same or a different MetaFrame server. The cached file still reveals the user name and the MetaFrame server address, but it no longer carries anything that can be replayed.
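The ticket lifecycle described in this section, modelled in Python. This is an added illustration and not Citrix's implementation. What follows the text: the Web server obtains a ticket from the farm before the ICA file is built, the ticket goes into the ICA file with a leading backslash in the Domain field, it expires after 200 seconds by default, it is dead after one use, and a failed use is reported like a bad password. The ticket format (16 upper-case hex digits, chosen to resemble the cached file above), the in-memory store, the injectable clock and the check_password callback for the non-ticket path are my assumptions; the ClearPassword value shown in the cached file is left out because the text does not say how it relates to the ticket.

```python
"""Model of NFuse 1.5 session ticketing as described in the text (added example, not Citrix code)."""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

DEFAULT_TICKET_LIFETIME = 200  # seconds, the NFuse 1.5 default given in the text


class TicketService:
    """Stands in for the farm side (XML Service plus FR1 MetaFrame servers). Assumed layout."""

    def __init__(self, lifetime: float = DEFAULT_TICKET_LIFETIME,
                 clock: Callable[[], float] = time.time):
        self.lifetime = lifetime
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._tickets: Dict[str, Tuple[str, str, str, float]] = {}

    def issue(self, user: str, domain: str, password: str) -> str:
        """Called by the Web server, after it has authenticated the user, before the ICA file is sent."""
        ticket = secrets.token_hex(8).upper()  # assumed format, e.g. 6D4F78F34C1FC0D6
        self._tickets[ticket] = (user, domain, password, self.clock() + self.lifetime)
        return ticket

    def redeem(self, ticket: str) -> Optional[Tuple[str, str, str]]:
        """Single use: the entry is discarded on the first attempt, whether or not it is still valid."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user, domain, password, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user, domain, password


def ica_logon_lines(user: str, ticket: str) -> Dict[str, str]:
    """The logon lines [NFuse_Ticket] expands to in the ICA file. The leading backslash in
    Domain tells the MetaFrame server that a ticket, not the real domain, follows."""
    return {"AutologonAllowed": "ON", "Username": user, "Domain": "\\" + ticket}


def metaframe_logon(svc: TicketService, ica: Dict[str, str],
                    check_password: Callable[[str, str, str], bool]) -> Optional[Tuple[str, str]]:
    """Server-side handling of the logon fields from an ICA file.

    Returns the (user, domain) that was logged on, or None, which the client
    shows as the ordinary 'invalid user ID or password' message.
    """
    user = ica.get("Username", "")
    domain = ica.get("Domain", "")
    if domain.startswith("\\"):
        creds = svc.redeem(domain[1:])
        if creds is None or creds[0] != user:
            return None
        return creds[0], creds[1]
    # No ticket: the traditional triplet, which keeps working until the password changes.
    if check_password(user, domain, ica.get("Password", "")):
        return user, domain
    return None
```

The point the model makes concrete is the contrast with the previous section: a stolen ticket-style ICA file fails on replay and after the timeout, while a stolen credential-style file succeeds every time until the password is changed. The 200-second window is still a window, so shorten it if your users launch applications promptly and keep an eye on servers that do not have FR1 activated, where the ticket logon simply does nothing.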