Actually one can craft SCE scripts to handle the Citrix Consulting Services
recommended hardening and the NT hardening.
All registry settings can be done in one shot. Chris Brenton actually
discusses the crafting of these types of scripts in one of the SANS NT tutorial
presentations. It is also mentioned again in Eugene Schultz's NT
presentation. Also a good read is the Windows 2000 Registry Handbook. It
also includes some basic SCE scripting.
The MINK (Mini-Installer for Kerberos) takes care of the Microsoft
Installation of Kerberos except for a few odds and ends of moving a couple
of .dll files here and there.
The router configuration is less than 10 lines long, well, not including the
logon warning banner, since you are only allowing one protocol across
the router and denying everything else.
A Defense in Depth security architecture does require some planning, but
the administrivia/implementation is relatively straightforward and should
take less than 1 week to set up and test if all required information is
collected and documented.
85% of the work is documenting as one goes along, the other 15% is
assembling the pieces.
The Citrix Consulting Services hardening guide is far less complex than
reading Sun Tzu in Mandarin Chinese so I think a majority of the folks will
be thankful.. :)
For those who suffer from frequent heartburn, a large bottle of Tums should
be stored in your desk drawer, or maybe try laying off the spicy Indian
food.. :)
/m
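As an added illustration of the router rule Mark describes (not configuration from the thread), here is a Cisco IOS fragment with a single logged permit from the DMZ MetaFrame server to the internal one and a logged deny for everything else. The addresses are constructed placeholders, ICA on TCP 1494 is assumed as the one permitted protocol, and the Kerberos authentication piece on the router is not shown.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! One permit (Citrix ICA, TCP 1494 assumed) from the DMZ MetaFrame server
! to the internal MetaFrame server; everything else is denied and logged.
banner login ^
Authorized use only. All activity on this device is monitored and logged.
^
!
ip access-list extended DMZ-TO-INSIDE
 permit tcp host 192.0.2.10 host 10.0.0.20 eq 1494 log
 deny   ip any any log
!
! IOS ACLs are stateless, so the reply path needs its own rule: only
! established TCP from the internal server's ICA port back to the DMZ box.
ip access-list extended INSIDE-TO-DMZ
 permit tcp host 10.0.0.20 eq 1494 host 192.0.2.10 established log
 deny   ip any any log
!
interface FastEthernet0/0
 description DMZ side - external Citrix MetaFrame server
 ip address 192.0.2.1 255.255.255.0
 ip access-group DMZ-TO-INSIDE in
!
interface FastEthernet0/1
 description Inside - internal Citrix MetaFrame server
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-TO-DMZ in
```

The two "deny ip any any log" entries are what make the permit rule verifiable: anything other than the expected ICA flow between the two named hosts shows up in the router log.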
At 01:08 PM 7/13/00 -0700, [EMAIL PROTECTED] wrote:
>Mark,
>You're right, if you do all those things you'll be in good shape. The MAJOR
>concern I'm talking about is that all the things that you have mentioned
>are not trivial things to do. They have a fair amount of complexity to
>them. I have a copy of Citrix Consulting Services hardening guide. It's
>57 pages long, two thirds of which deal with registry settings
>alone. The associated Win2K hardening guide is another 50 pages.
>
>If we move into the second scenario then we can add the complexity of a
>three interface firewall configuration, router configs, and the
>complexities of adding Kerberos. These may be commonplace for some of us
>but it's enough to give most security administrators serious heartburn!
>
>Bill Stackpole, CISSP
>
>[EMAIL PROTECTED]
>
>07/13/00 11:09 AM
>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED]
> Subject: Re: Citrx Metaframe/NT4-TSE
>
>If the Windows TSE box is configured and secured properly after the Citrix
>MetaFrame Server is successfully installed, it is not as vulnerable as one
>would suspect.
>
>If you were to take a security position where the concern was people
>outside the organization logging into the designated Metaframe server, one
>can implement an external Citrix MetaFrame server on the DMZ with two NIC
>cards, disable the routing between the two, stick a designated router
>between the two, add one permit rule with logging, enable the Kerberos
>auth scheme on the router in order to talk to a Kerberos for TSE on the
>internal Citrix Metaframe server..
>
>So therefore each session from an external user to the External Citrix box
>would initiate a kerberized session to the internal Citrix Metaframe box,
>all transparent to the user. Whether or not the initial login function is
>weak or not, the additional layers of both Citrix protocol and Kerberos
>would provide the defense in depth type architecture that is transparent to
>the user and easy to implement and maintain.. Actually no maintenance
>except typical admin (add, change, delete) stuff
>
>So I am very confused about the MAJOR concerns..
>
>
>/hope this helps
>
>/m
>
>At 01:19 PM 7/13/00 -0400, [EMAIL PROTECTED] wrote:
>
> >Never had any trouble getting the protocol to function through a
> >firewall but there are some MAJOR concerns with letting people login on
> >to a Citrix server located inside your security boundary, starting with a
> >weak encryption scheme for the login function, followed by, once you are
> >logged into the box you can exploit all kinds of NT vulnerabilities and/or
> >attack other systems on the network.
> >
> >Locking down a Citrix box and the underlying OS are no trivial matter.
> >
> >Bill Stackpole, CISSP
> >
> >[EMAIL PROTECTED]
> >Sent by: [EMAIL PROTECTED]
> >
> >07/13/00 05:27 AM
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject: Citrx Metaframe/NT4-TSE
> >
> > Has anyone had experiences good or bad with passing Metaframe thru a
> > firewall?
> >
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> >
>