OK, time for accuracy...

The hotfix roll-up I applied is PSE450W2K3R07.msp.  Knowing there have been a 
few releases of Citrix servers since PM 4.5, I was careful about picking 
patches, etc so designated.

A Citrix vendor installed everything.  It has only one application - an 
extension of our medical records system. The Big Company that paid for the 
Citrix system accesses it via a published (published in public DNS; MIP'd 
through the firewall) web interface.  It does have a VeriSign certificate 
installed.  Only the one server and app in the server farm (not much usage - 
only a couple of users at a time).

At least, fixed since October, I have whacked SSL1, SSL2, and "weak ciphers".  
(They did not catch it last week, but SSL3 and TLS1.0 are no longer secure, 
either - more fun!)

Thanks for your attention...
--
richard

From: Webster [mailto:[email protected]]
Sent: Friday, January 20, 2012 12:18 PM
To: NT System Admin Issues
Subject: Re: Citrix security frustrations

Did you install the hotfix on an HRP07 server?  If so, I am surprised it 
allowed you to install it.  That hotfix is for HRP06.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary <[email protected]>
Reply-To: NT Issues <[email protected]>
Date: Fri, 20 Jan 2012 17:34:48 +0000
To: NT Issues <[email protected]>
Subject: RE: Citrix security frustrations

Is that the Citrix hot fix roll-up that ended in "07"?  Did that...

For WebDAV, it is our Citrix server - it has IIS 6.0 (with WebDAV 
"prohibited").  Not sure how do-able is an upgrade to IIS 7.0 (without major 
assistance)...
--
richard

From: Webster [mailto:[email protected]]
Sent: Friday, January 20, 2012 11:02 AM
To: NT System Admin Issues
Subject: Re: Citrix security frustrations

Why have you not installed HRP7 on your servers?

What server is failing on WebDAV?



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary <[email protected]>
Reply-To: NT Issues <[email protected]>
Date: Fri, 20 Jan 2012 14:41:59 +0000
To: NT Issues <[email protected]>
Subject: Citrix security frustrations

Greetings!

PCI Compliance scan on our Citrix system ("old" Presentation Server 4.5 on IIS 
6.0) done back in October included these remediation steps:

Disable WebDAV:  As per instructions, I went into the IIS manager, web 
extensions, and saw it was "Prohibited".  It still is.  However, the scan done 
last week shows the same thing - indicates nothing was done.

Disable TLS Renegotiation:  According to the Citrix site, the solution is to 
apply Hot Fix PSE450R06W2K3030.  So, after seeking the version for PS 4.5 and 
applying it, guess what?  "Disable TLS Renegotiation" again.

@#*& !!!   ???

I mean, it's bad enough that SSL 3.0 and TLS 1.0 have been cracked (no mention 
of that in the scan report), but this stuff (which is supposed to have been 
remedied by those who have been faithfully applying MS patches over the years) 
is nuts!



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin


The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.
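A check that reports what the scanner sees rather than what the IIS console says, added here as an example for this thread (it is not code from the list, from Richard or from Citrix): it parses an OPTIONS response for advertised WebDAV methods and probes which TLS versions a server still accepts. The host name is a placeholder and the sample response is constructed; feed webdav_methods() the raw bytes of any captured OPTIONS reply from the real server.

```python
"""Show what a PCI scanner sees on an IIS 6.0 / Presentation Server host: does
OPTIONS still advertise WebDAV, and which TLS versions does port 443 accept?
Added example; the host is a placeholder and the sample response is constructed."""
import socket
import ssl

# Methods that exist only because WebDAV answers; if Allow/Public lists them the
# scanner flags WebDAV regardless of the IIS "Web Service Extensions" setting.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample: the shape of an OPTIONS reply from a host still answering WebDAV.
DAV_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nAllow: OPTIONS, TRACE, GET, "
                b"HEAD, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
                b"DAV: 1, 2\r\nContent-Length: 0\r\n\r\n")

def headers(resp: bytes) -> dict:
    """Lower-cased header name -> value, parsed from a raw HTTP response."""
    lines = resp.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    return {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines)}

def webdav_methods(resp: bytes) -> set:
    """WebDAV methods the server advertises in its Allow or Public header."""
    h = headers(resp)
    listed = {m.strip().upper() for k in ("allow", "public") for m in h.get(k, "").split(",")}
    return listed & WEBDAV_METHODS

def advertises_dav(resp: bytes) -> bool:
    """True when a DAV: compliance header or any WebDAV method is present."""
    return "dav" in headers(resp) or bool(webdav_methods(resp))

def accepted_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Per version: True = server accepted it, False = refused, None = could not test."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing, not trusting
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered for the test
        except (ValueError, ssl.SSLError):
            results[ver.name] = None  # local OpenSSL cannot even offer this version
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host):
                results[ver.name] = True
        except ssl.SSLError:
            results[ver.name] = False  # handshake rejected: version not accepted
        except OSError:
            results[ver.name] = None   # network failure, not a protocol answer
    return results
```

A result of True for TLSv1 on the live probe is the finding the scanner will keep reporting, independent of which hotfix roll-up is installed.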
