Check: CVAD-DC-000030
Citrix Virtual Apps and Desktop 7.x Delivery Controller STIG:
CVAD-DC-000030
(in versions v1 r2 through v1 r1)
Title
Citrix Delivery Controller must implement DoD-approved encryption. (Cat I impact)
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information. Satisfies: SRG-APP-000014, SRG-APP-000015, SRG-APP-000039, SRG-APP-000142, SRG-APP-000172, SRG-APP-000219, SRG-APP-000224, SRG-APP-000416, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000514
Check Content
Enforcement is via TLS encryption. To verify, open the Registry Editor on each Delivery Controller and find the following key name: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer 1. Verify that the XmlServicesSslPort registry key exists with the correct value for SSL port. By default, it is set to "443". 2. Verify XmlServicesEnableNonSsl is set to "0". 3. Verify the corresponding registry value to ignore HTTPS traffic, XmlServicesEnableSsl, is not set to "0". If "XmlServicesSslPort" is not set to the desired port, this is a finding. If "XmlServicesEnableNonSsl" is not set to "0", this is a finding. If XmlServicesEnableSsl is not set to "1", this is a finding. To verify the FIPS Cipher Suites used: 1. From the Group Policy Management Console, go to Computer Configuration >> Administrative Templates >> Networks >> SSL Configuration Settings. 2. Double-click "SSL Cipher Suite Order" and verify the "Enabled" option is checked. 3. Verify the correct Cipher Suites are listed in the correct order per current DoD guidelines. If the "Enabled" option is not checked or the correct Cipher Suites are not listed in the correct order per current DoD guidelines, this is a finding.
Fix Text
Obtain and install root certificate(s) for server certificates installed on VDAs, SQL Server(s), Storefront, and VM Host (VMware VCenter, Hyper-V, XenServer). To install a TLS server certificate on the Delivery Controller without IIS: 1. Log on to each Delivery Controller with a domain account that has Administrator rights. 2. Obtain a TLS server certificate and install it on the Delivery Controller, and assign it to a port using netsh, using Microsoft server instructions. 3. Configure the Delivery Controller with the certificate. To install a TLS server certificate on the Delivery Controller with IIS: 1. Add the server certificate per the Microsoft server instructions. 2. From IIS Manager, select the IIS site on which HTTPS will be enabled and select "Bindings" under "Edit Site". 3. Click "Add", select "Type" as https, and port number as "443". Select the SSL Certificate that was installed and click "OK". To configure the Delivery Controller to use the no configured TLS port: 1. Change the XML TLS service port use the following command: BrokerService –WiSslPort <port number> 2. Open the Registry Editor on the CVAD Controller and find the following key name: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer 3. Verify that the "XmlServicesSslPort" DWORD value exists with the correct value for SSL port. By default, it is set to "443". If it does not exist, add it. 4. Verify that the "XmlServicesEnableSsl" DWORD value exists and is set to "1". If it does not exist, add it. 5. Reboot the Delivery Controller to ensure all changes take effect. Perform the following only after ensuring all references to the Delivery Controllers on StoreFront servers and gateway proxy devices are set to use https and working. This includes STA references. Now disable non-TLS communication with the XML port. 1. Open the Registry Editor on the CVAD Controller and find the following key name: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer 2. Add the DWORD value "XmlServicesEnableNonSsl" and set it to "1". 3. Reboot the Delivery Controller. If XmlServicesEnableSsl is not set to "1", this is a finding. Notes: If the XML service port number on the Delivery Controller needs to be changed, update the IIS port number as well under "Bindings" to match the new value. To change the default VDA registration port: 1. Log on to the Delivery Controller server with a domain account that has Administrator rights. 2. Open the command prompt window and type these commands: %SystemDrive% Cd %ProgramFiles%\Citrix\Broker\Service BrokerService.exe –VDAport 8888 3. Launch Server Manager from the Start menu. 4. In the Server Manager, go to the "Local Server" properties window and edit the "Windows Firewall" setting. Click "Advanced Settings". 5. Click "Inbound Rules". 6. Create a new inbound rule with the following settings: a) In the Rule type screen, click "Port". Click "Next". b) In the Protocol and Ports screen, select "Specific local ports" and type "8888". Click "Next". c) In the Action screen, accept the default value "Allow the connection" and click "Next". d) In the Profile screen, accept the default values and click "Next". e) In the Name screen, type a name for the rule (example: Citrix VDA Registration Port) and click "Finish". To configure the SSL Cipher Suite Order Group Policy setting manually, follow these steps: 1. At a command prompt, enter "gpedit.msc", and press "Enter". The Local Group Policy Editor is displayed. 2. Go to Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings. 3. Under SSL Configuration Settings, select "SSL Cipher Suite Order". 4. In the SSL Cipher Suite Order pane, scroll to the bottom. Follow the instructions that are labeled "How to modify this setting".
Additional Identifiers
Rule ID: SV-234565r810853_rule
Vulnerability ID: V-234565
Group Title: SRG-APP-000014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
CCI-001184 |
The information system protects the authenticity of communications sessions. |
CCI-001188 |
The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
CCI-001414 |
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. |
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-002418 |
The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002420 |
The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 |
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002422 |
The information system maintains the confidentiality and/or integrity of information during reception. |
CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
Controls
Number | Title |
---|---|
AC-4 |
Information Flow Enforcement |
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |
CM-7 |
Least Functionality |
IA-5 (1) |
Password-Based Authentication |
SC-8 |
Transmission Confidentiality And Integrity |
SC-8 (1) |
Cryptographic Or Alternate Physical Protection |
SC-8 (2) |
Pre / Post Transmission Handling |
SC-13 |
Cryptographic Protection |
SC-23 |
Session Authenticity |
SC-23 (3) |
Unique Session Identifiers With Randomization |