accepted
Citrix Virtual Apps and Desktop 7.x Linux Virtual Delivery Agent Security Technical Implementation Guide
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
DISA
STIG.DOD.MIL
Release: 1 Benchmark Date: 28 Jan 2021
3.2.1.416661.10.01
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
SRG-APP-000001<GroupDescription></GroupDescription>
LVDA-VD-000005
The application must limit the number of concurrent sessions to three.
<VulnDiscussion>Application management includes the ability to control the number of users and user sessions that utilize an application. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.
This requirement may be met via the application or by utilizing information system session control provided by a web server with specialized session management capabilities. If it has been specified that this requirement will be handled by the application, the capability to limit the maximum number of concurrent single user sessions must be designed and built into the application.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-000054
Open Citrix Studio, select "Policy Panel", check for Computer Policies.
Maximum number of sessions (MaximumNumberOfSessions) policy set to "ENABLED" and limit set to "3".
Open Citrix Studio, select "Policy Panel", check for Computer Policies.
Maximum number of sessions (MaximumNumberOfSessions) policy is "ENABLED" and explicitly applied to Linux Desktop/Application Delivery Groups.
If the Maximum Number of Sessions policy is "DISABLED" or the limit is not set to "3", this is a finding.
SRG-APP-000003<GroupDescription></GroupDescription>
LVDA-VD-000015
The application must initiate a session lock after a 15-minute period of inactivity.
<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.
The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-000057
Set the value for the Idle Timer:
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\cgp" -v "MaxIdleTime" -d "0x0000000F"
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -v "MaxIdleTime" -d "0x0000000F"
/opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "MaxIdleTime" -d "0x0000000F"
where "0x0000000F" is hexadecimal for 15.
All timer values are defined in the registration table. Retrieve the current value using the ctxreg tool (/opt/Citrix/VDA/bin/ctxreg) with the following command:
/opt/Citrix/VDA/bin/ctxreg dump | grep MaxIdleTime
If MaxIdleTime is not set to "15 minutes" or less, this is a finding.
SRG-APP-000014<GroupDescription></GroupDescription>
LVDA-VD-000030
Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information.
Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000219, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-000068 CCI-001184 CCI-001414 CCI-001453 CCI-002418 CCI-002420 CCI-002421 CCI-002422
To enable TLS encryption on the Linux VDA, a server certificate must be installed on the Citrix Broker (DDC) and on each Linux VDA server, and root certificates must be installed on each Linux VDA server and client, per DoD guidelines.
On the Linux VDA, use the enable_vdassl.sh tool to enable (or disable) TLS encryption. The tool is located in the /opt/Citrix/VDA/sbin directory. For information about options available in the tool, run the /opt/Citrix/VDA/sbin/enable_vdassl.sh -help command.
To enable TLS 1.2 on the Linux VDA OS:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLMinVersion" -d 0x00000004
To enable GOV ciphersuites only:
# /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl" -v "SSLCipherSuite" -d 0x00000001
then restart the service:
# sudo /sbin/service ctxhdx restart
On the Delivery Controller, ensure that SSL encryption has been enabled for the delivery group (HdxSslEnabled:True) and that the Delivery Controller uses the FQDN of the Linux VDA to contact the target Linux VDA (DnsResolutionEnabled:True).
Execute the following commands in a PowerShell window on the Delivery Controller:
# Asnp citrix.*
# Get-BrokerAccessPolicyRule -DesktopGroupName '<GROUPNAME>' | format-list HdxSslEnabled
Where <GROUPNAME> is the target Delivery Group name.
On Linux VDA, check the following:
Check that the SSL listener is up and running by running the following command:
# netstat -lptn | grep ctxhdx
and confirm that the ctxhdx process is listening on an SSL port (443, by default).
If, on the Delivery Controller, HdxSslEnabled is not set to "true", this is a finding.
If, on the Delivery Controller, DnsResolutionEnabled is not set to "true", this is a finding.
If, on the Linux VDA, the ctxhdx process is not listening on an SSL port (443 by default, or other approved port), this is a finding.
SRG-APP-000141<GroupDescription></GroupDescription>
LVDA-VD-000270
The application must be configured to disable non-essential capabilities.
<VulnDiscussion>It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements, or providing a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-000381
Set the value of CEIPSwitch to "1" (Disabled).
Set the value of GASwitch to "1" (Disabled).
Run the following command on a client to disable the CEIP:
/opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP" -v "CEIPSwitch" -d "1"
If CEIPSwitch is not set to "1", this is a finding.
Run the following command on a client to disable Google Analytics:
/opt/Citrix/VDA/bin/ctxreg update -k "HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP" -v "GASwitch" -d "1"
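The registry values this guide sets for the idle timer (MaxIdleTime), TLS (SSLMinVersion, SSLCipherSuite) and telemetry (CEIPSwitch, GASwitch) can be audited together from a single `ctxreg dump`. The POSIX shell script below is an added example, not part of the STIG or of Citrix's tooling; it assumes a "<registry path>\<value name>=<hex>" dump line format (real ctxreg output may differ) and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the STIG or of Citrix tooling: audit a captured
# `ctxreg dump` against the values LVDA-VD-000015, -000030 and -000270 require.
# ASSUMPTION: each dump line reads "<registry path>\<value name>=<hex>";
# real ctxreg output may differ, so adapt the grep pattern in lookup().

# Constructed sample (not real output) that satisfies every check below.
SAMPLE_DUMP='HKLM\System\CurrentControlSet\Control\Citrix\WinStations\cgp\MaxIdleTime=0x0000000F
HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp\MaxIdleTime=0x0000000F
HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl\MaxIdleTime=0x0000000F
HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl\SSLMinVersion=0x00000004
HKLM\System\CurrentControlSet\Control\Citrix\WinStations\ssl\SSLCipherSuite=0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP\CEIPSwitch=0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CEIP\GASwitch=0x00000001'

# lookup DUMP KEY NAME: print the decimal value of NAME under the key whose
# last path component is KEY (cgp, tcp, ssl, CEIP), or "missing" if absent.
lookup() {
    line=$(printf '%s\n' "$1" | grep -F -- "\\${2}\\${3}=" | head -n 1)
    [ -n "$line" ] || { echo missing; return; }
    echo $(( ${line#*=} ))   # hex to decimal, e.g. 0x0000000F -> 15
}

# expect DUMP KEY NAME WANT: report a finding unless the value equals WANT.
expect() {
    got=$(lookup "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    printf 'FINDING: %s\\%s is %s, required %s\n' "$2" "$3" "$got" "$4"
    return 1
}

# audit_dump DUMP: print every finding; the exit status is the finding count.
audit_dump() {
    findings=0
    for ws in cgp tcp ssl; do                 # LVDA-VD-000015: 15 minutes or less
        idle=$(lookup "$1" "$ws" MaxIdleTime)
        if [ "$idle" = missing ] || [ "$idle" -gt 15 ]; then
            printf 'FINDING: %s\\MaxIdleTime is %s, must be 15 or less\n' "$ws" "$idle"
            findings=$((findings + 1))
        fi
    done
    expect "$1" ssl SSLMinVersion 4  || findings=$((findings + 1))  # TLS 1.2 minimum
    expect "$1" ssl SSLCipherSuite 1 || findings=$((findings + 1))  # GOV cipher suites
    expect "$1" CEIP CEIPSwitch 1    || findings=$((findings + 1))  # LVDA-VD-000270
    expect "$1" CEIP GASwitch 1      || findings=$((findings + 1))
    [ "$findings" -eq 0 ] && echo "compliant: no findings"
    return "$findings"
}
audit_dump "$SAMPLE_DUMP"   # real use: audit_dump "$(/opt/Citrix/VDA/bin/ctxreg dump)"
```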
If GASwitch is not set to "1", this is a finding.
SRG-APP-000142<GroupDescription></GroupDescription>
LVDA-VD-000275
Citrix Linux Virtual Delivery Agent (LVDA) must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.
<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Applications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-000382
To change the VDA registration port from the default "80", create the Citrix Machine Policy and update the DDCs, as explained below:
1. Create a new Citrix Machine policy or edit an existing one.
2. Navigate to the Settings tab and select "Control Registration Port".
3. Update the Value to reflect the new port.
4. Select "OK".
5. Restart all desktops and wait until all the desktops report as Unregistered.
6. Update the DDCs VDA registration Port.
7. Restart all desktops and verify that all VDAs register successfully.
On Delivery Controllers, verify that only approved ports are used.
1. Open a command prompt.
2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service
3. Enter "BrokerService.exe /Show" to display the currently used ports.
If an unapproved port is used, this is a finding.
SRG-APP-000427<GroupDescription></GroupDescription>
LVDA-VD-000970
Citrix Linux Virtual Delivery Agent must only allow the use of DoD PKI established certificate authorities for verification of the establishment of protected sessions.
<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.
This requirement focuses on communications protection for the application session rather than for the network packet.
This requirement applies to applications that utilize communications sessions. This includes, but is not limited to, web-based applications and Service-Oriented Architectures (SOA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
DPMS Target Citrix VAD 7.x LVDADISADPMS TargetCitrix VAD 7.x LVDA5266
CCI-002470
A server certificate must be installed on each Linux VDA server, and root certificates must be installed on each Linux VDA server and client.
Obtain server certificates in PEM format and root certificates in CRT format from a trusted CA. A server certificate contains the following sections:
- Certificate
- Unencrypted private key
- Intermediate certificates (optional)
After obtaining required certificates, customers need to install them as follows:
Upload the server and CA certificates to the Linux VDA server; they will be used in "Step 2: Enable SSL encryption on Linux VDA". For example, put server.pem (the server certificate) and myca.crt (the CA certificate) in the folder /root/myCert/myCA/certs/.
Download the CA certificate (myca.crt in this example) to the client host and import it into the system Certificate Store under the "Trusted Root Certification Authorities" folder. Refer to "Importing Trusted CA Certificates into the Windows Certificate Store" for instructions. Note: Ensure the client host is able to resolve the FQDN of the Linux VDA; otherwise, the connection cannot be established.
Verify that the correct server certificate, issued by an authorized certificate authority, is installed on the Linux VDA.
Navigate to folder /root/myCert/myCA/certs/ and examine certificates.
If the certificates are not issued by the DoD or approved CA, this is a finding.