Duration 44:56

Citrix Synergy TV - SYN218 - How to protect your Citrix Workspace

Patrick Coble
Principal Consultant at VDISEC
Citrix Synergy Atlanta 2019
May 22 2019, Atlanta, GA, United States
About the talk

Topic: IT

This session will cover security best practices for Citrix Workspace deployments, as well as practical ways to secure your infrastructure using multiple techniques from Citrix, Microsoft and other solutions. In most scenarios, business critical applications are virtualized and delivered with Citrix. However, they are usually the most overlooked when it comes to security because of timing and priorities. If the application works, no other security reviews are normally completed. If you are running an EMR, banking application, mail client, browser, or any other Windows application, your business can be at risk. Learn how to defend your Citrix Workspace. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.

All right. Looks like it is game time cuz I can hear the echo and voice of myself, and it must be that time and there's no more music. All right guys, we got a lot of stuff to go over and hopefully you've read that. So we're just going to get right to it. I'm going to break down a couple things for you. First thing: 386DX back when I was 8 years old, turbo button, 33 megahertz, living the dream, 200 meg hard drive, $5,000. What a damn deal, right? Now it's amazing, and you never needed more than that. The movie Hackers came out, of course board games before that, but that's what I knew.

I wanted to get into cyber security right away. I worked at a call center for Allstate Motor Club, Toys R Us, Southern Cal Edison and IBM tech support. So I did that, but then eventually I became the Y2K floppy disk putter-inner-outer. So I was in charge of updating over 600 computers over and over again with Norton Ghost and BIOS updates to make sure Y2K was cool. And guess what happened that night? Nothing. Cool, one alert. Then the next thing is I got to go to a CNA class while I was in high school. Anybody, any CNAs out here? That's the OG right there, at the

good stuff. That was some of the best. Then I joined the Marines, did two tours in Iraq, basically two years there in Ramadi, and of course, you know, that picture looks super cool but Marines don't have MacBooks. All right, that's for sure. We get the leftovers from the Army, so we don't get that cool. So then I got out of the Marine Corps, then I walked over and started working as a consultant. Anyone here an architect, right? Sticks and bubbles. That's what we draw all the time. You don't even need to really be able to write as long as you can draw on a grease board. You

can do anything, right? Cuz all you have to do is draw it, you don't actually have to do it. And then 2016 is when I busted off and wanted to do my own thing, focus on VDI security, because I saw there's a big gap. So I've been doing lots of presentations. You can see Brian Madden up there, and then see that door, you'll probably figure out what that is in just a second cuz it's kind of the next slide. Basically I teach about the hacker side. So I go to hacker conferences and teach people how to break into virtual desktops, and I come to conferences like this to teach you how to defend your

virtual desktop deployment. So I do both sides. I'm kind of purplish, red team, blue team, and I'm kind of an author for the baby book; eventually the big book's coming, but it's so cool. So you came here to learn about how to lock down your virtual desktop. You are in the correct session. One spoiler alert: there is not one single thing we're going to do that's going to just secure it and you will have no more worries ever and ever again, right? This is a multi-step process and defense-in-depth. It's going to take a while, right, and you need to make sure you're doing testing. So what do I speak of,

what do people, what are you guys? This is a self-assessment. What do you host on your virtual desktop deployment? I'm pretty sure it's business-critical. I'm also pretty sure it's revenue impacting; when it's down, something bad is happening. And its data, I'm sure, is very important to your business, whether that's intellectual property, PHI, PCI, whatever compliance you're under, FedRAMP, all that good stuff. And what can people do inside your session? I bet they can do some things that you don't think that they could, which means that's what an attacker

can do, the same thing. They will use the weaknesses that you've left the user to be able to do whatever they want. A two year old with a flamethrower and Sims cords walking around, this is what you're going to get, right. And then file shares. This is the most common one when we talk about ransomware: unsecured file shares. This is a very common finding. This is basically like an NTFS Everyone Full Control and then on the share permissions Everyone Full Control, and somewhere deep down in the heart of Texas in payroll, George opened a support ticket 14 years ago so that he can

share out this payroll folder, and guess what? It's still Everyone Full Control. So if you're not looking at your permissions and running reports and getting some Get-ACLs or using some software to look at it, you probably have many more open shares than you can imagine. It's not just the C$ shares we're worried about; there's probably big, big... your corporate data is at risk because of bad permissions. So knocking on the door, attackers: it only takes pressure and time to break into anything. If we're talking about Mario, right, I'm going to teach you how to protect yourself

against level 1 through 6, maybe 7 Mario, but level 8 you're on your own, right. Persistent attackers are going to get in, that's just the way it's going to work. They're going to attack your people, and those people will be attacking you. Ransomware threats, hacking: there's a lot of people, they can make thousands of dollars a day in their jammies sending spear phishing emails and ransomware requests, and then it's over a trillion dollar industry that's working against you every day. So however much you're spending on it, there's people spending probably 50 to a hundred times more. So one thing to know too

is it's also just email phishing is a great revenue stream, especially when you get to whaling. There was someone that actually was able to get 100 million dollars from Facebook and Google by sending them bad POs, and they just paid it for over a year. This happens all the time; people wire money. And so that's what we're going to kind of break into, and then your bad password habits are going to come back to bite you. If any of you are using the same password for multiple sites, when that site gets breached all their sites get breached, and that's exactly what happens to user accounts. When I

look at breach data, that's what I go for, right? I just put in the company name. I see 752 accounts, and one of those passwords is probably going to work to get in. It probably was Spring 2019, or 2012, and now it's just got changed to Spring 2019. So it's pretty easy. So most people are in 5 to 10 breaches. What does that look like? There's over 6.4 billion searchable records, over 600 GB of data that's on the internet right now that I can search about every single one of you. And your users can do the same thing, and more importantly the attackers are doing that every single day.

There's artificial intelligence and machine learning that's going through those databases to correlate LinkedIn, Facebook, social networks, email addresses and banking to be able to make a profile on you to say Patrick banks at Fifth Third Bank, Patrick does this, Patrick does that, and attack those things: send bad passwords, password spraying, harvesting, all that good stuff. So there's lots of big names here; hundreds and hundreds of millions of records from some of these single companies add up to the 6.4 billion. If you've never heard of DeHashed.com, it is a great place

for you to type in your email address and see how many breaches and how many times you have been personally affected, and I would also go there and put in your domain, companyx.com, and see how many threats there are to your environment right now, today. Any of those people you find, go change, make them change their password. That's exactly what I would do; that's what I do in security audits. So what happened in 2008 with the advent of virtual desktops? Virtual desktops meant that we can get all our users in one centralized place. But what's happened, even with

all the Machine Creation Services and PVS and the clones and all these technologies, is we actually patch them less than a PC, and it's because if we crack it we buy it, and when there's application problems, we don't cook it, we just serve it. We can't control the applications. We are just the deliverers, right? So this is a big problem that happens, and PCs are in most cases, when I assess, more up-to-date than the virtual desktop. They can be months behind. Your data is worth way more than any product that you have, and that's what everyone's after; that's what those breaches are

about. That's what cybersecurity is all about. And so with whistleblowers and leaks within your own organization, insider threats are still a big deal. And if you're allowing people to get access to things they shouldn't have access to, the attacker has access to those exact same things. So penetration testing methods. This is a good one. Very, very expensive glass door, more expensive maglock. What is greater than a glass door when we're trying to break in and do a penetration test? A can of compressed air, 99 cents, is all it takes to defeat a $150,000 security

system and a 20,000 dollar door. Simple things: turn it upside down. What about over here? We've got this nice door. We've got our access card reader. We've got a bump guard so I can't do bump keys and shim it, and I've even got a biometric reader. How can I get past this? What's greater than that? Basically a fancy coat hanger with a string on it: slide it underneath the door, open the door from the inside. That's all it takes. And this is what an attacker does all the time. And so what can your users do, what are they published, what DLP things have you thought about, what can they copy

in and out of their session, right? It's a big deal from there. And then the next two most important things: where people are checking their email and where they're going to the internet, wherever that is. Those are the most dangerous places in your whole environment. So if you have an Internet Explorer browser or a mail client published in your Citrix deployment or VDI, it is the most dangerous thing you can actually publish, ever. So from there, how do we break into people's deployments? We recon, we DNS scan, we use Shodan, WiGLE and Google dorks. Does anyone know what a Google dork is? Basically

it's a cool search term. So this is a way that I can find any Citrix deployment in the whole world by just searching Google, cuz it's super easy. So I can type in there and I can find all these companies that are using it. You should search your own URL. You can actually ask Google to remove your URL. You can actually ask Shodan to remove your URL. You can actually remove it from WiGLE. You can remove these entries so that it makes your haystack a little smaller than everybody else's, right. There's nice and easy ways to do it. The next thing, breach data, just like we talked about. The

new problem with cloud, as we have all talked about before, is API keys. People are terrible about them, and lots of private repos become public repos and those API keys get out in the wild, and someone all of a sudden spins up $30,000 on the servers on the weekend, right, and you will not get that money back. The next thing is looking at just DNS and then social engineering, which we'll kind of get into a little bit. So if you're running any of these applications, you can very easily see those ports from outside, right? There are still 1494 and 2598 open from the outside

world. There's about two million of them right now. So it's a good time. So it's very easy for us to know what version of Citrix you're on by the color of the page, right? We know what version NetScaler you're running. We know what version StoreFront or Web Interface. And then even when we get to here, why do we still have nsroot? nsroot still works at so many places. The people that are the biggest offenders of nsroot/nsroot are people that have SDXs, because they made their template VM and they just made a new instance for production or application

X and they just rolled it to production and never changed that password, and I've been at many companies that make billions of dollars that have that, and it's kind of a shame. The next thing is make sure that NetScaler, I don't just put that on gen pop on Cell Block B, right, actually lock it down, because if you've actually looked at any of the releases of many of the vulnerabilities, they were NSIP related; they were because you had access to this IP. All right. So Citrix is easy to spot, lots of very unique ports, and VMware's the same thing. Phishing, phishing is the best way to get

into any deployment. There's no need to hack the Matrix, send a bunny in, a black op, a worm or anything like that. Send someone an email about a gift card and they'll click it, and that's all it takes. One malicious email is all the difference, and it's just going to keep getting worse. And then from here, you can really go have fun. If you use the Social Engineering Toolkit, SET, I can actually clone your Citrix website, send the user a request and say hey, something's going on with the website, can you check it? They put in their username and password; I have the username and password. Right? And

this can be done in a matter of about 2 or 3 minutes. And if I'm on your network, then I would use Wi-Fi Pineapples and things like that so I can be the man in the middle in your connection. WPA2? No, that's what really matters. So who here is a domain admin? I know you don't want to raise it; it's like a hacker doing a talk, right? It's kind of awkward. So if you are, number one rule: never log into your image with that username. If you log into that image with that username, anyone who logs in after you can become domain admin until you change your password. So how often do you change your password?

Maybe once a year for some domain admins, maybe once every five years for others, max, maybe 6. How many times and how long has someone had access to become you and take over your token? Mimikatz, BloodHound are a great way that people use to attack and find domain admins, find open shares, find ways to get in, and there's always Windows that has lots of vulnerabilities, so if we're not patching it, you're always going to get in that way. The next is just getting admin access, what we talked about, so not really anything there. Brute-forcing logon pages is still really possible,

and there's a reason for that. Most people don't do any logging. So from there, away we go. We get access to Citrix or any published resource. We're going to try to jailbreak out of whatever application you published: you published me an AS/400 client or an extension or application XYZ. I'm going to try to get out of it and into PowerShell, the command prompt, regedit and all kinds of other fun tools, right. File Open and Help About are the most dangerous things. Once you've done that you've actually captured the flag, and then you're going to

write a report and then you're going to try to start fixing it. So we've already talked about what are the two most dangerous applications: browsers. Browsers and mail clients, right? So one of the most important things we talked about, browsers, you need to make sure you're using the ADMX file. If you're not using the ADMX file, you're leaving hundreds of security features from Windows off the table. So you need to load your ADMX files; they need to be paired like a fine wine. So if you're Office 2013 you need the 2013 ADMX, if you're 2016, the 2016, right there. So many ways that can go down with

that. The next is when we talk about proxying. If you have a deployment that needs no, zero internet or internet access, that can be accomplished by just a couple settings. We go to Internet Explorer, we go to Internet Options, Connections, we set up a proxy and we point it to localhost. But Microsoft is so awesome that it takes four more policies to make sure someone can't change the one policy that we made. This is what happens with Microsoft, right: take four things to stop one thing. So when we talk about that, also think about DNS security, Umbrella clients, Pi-hole,

proxy files; there's multiple ways to do this. And make sure, even ad blockers: there have been malicious attacks that have happened because of ads. If you block them, at least you're lowering your risk, and it's also going to increase performance and also help your users with less distractions, cuz there's less things on the page and less Candy Crush. Still with the mail and mail client, you need to make sure you're doing that; we're going to talk about ADMX. So this restricted browsing feature is very, very powerful because it keeps it basically almost sandboxed when someone opens up a link in

a Microsoft product, and you check which products you want to turn it on for, and it can do some main things. We talked about jailbreaking. This is the big blind side. Most people think when you publish an application it's more secure than a published desktop, and that's not the case. Windows is still Windows and everything leads to the command prompt. So when we talk about a healthcare application like NextGen, all I need to do to break out of NextGen is just Help About, and then there are some SQL logs, no PHI, nothing really super cool, but then I can click on NextGen cuz they have shameless

self-promotion and I can get to the internet, right? And once I went to the internet, one very common finding: there's no content filtering, because it's in the datacenter. It's in the VDI network. No one stops anything on those network segments. And so that can become a very big problem for a lot of people, and that means that I can download my virus and actually execute it. Then you have things like RemoteScan, a nice little helper application if anybody's in the TWAIN world. It has the same problem. Why do I need to click on RemoteScan to learn more about it? It's just one more jailbreak

to be able to come back in. Anybody in the banking or AS/400 world? Okay, well, if you got that, basically File Open, Jurassic Park: not allowed to actually launch that, right, because it's a file type block, and you can't do it straight. Good job, I'll be in, but then you failed. You have an Add button. Well, what can I add? Button: let me just go ahead and put the internet in, and I just manage the shortcut and now I just open the internet. So this is the most secure Top Secret Squirrel banking application and it just got defeated by a button, Add. Right? And this

is what happens with the hackers. They just sat there and they can play with this. This is the new start of this. This is the Mr. T optimization and VDI lockdown method. Did Mr. T wake up one day and go all the way into all his jewelry? Probably not. He put it on a little bit at a time. So what we're going to talk about is incremental success. We're not trying to boil the ocean; we're trying to do things in bite-sized chunks so that you guys can have a more secure deployment. We don't want you to be attacked. We don't want you to be on the news.

Optimizing is the very first piece of jewelry that Mr. T would put on. So if you know ICTR or even Project VRC from the old school, you know that there are some very powerful optimizations that you should be running: less services on your server and desktop, less attack surface, faster login times, better server density, winning all the way across the board. You need to optimize your image, and ICTR is probably the one that is releasing the most blogs all the time about very specific things they optimize and how big that thing was for. So they're a great group and I'm thankful. Thank

them for all the things they're doing. If you're not optimizing, these are basically the three main flavors: Citrix Optimizer, VMware Optimizer, and this, this is one of my favorites because it's something that you get to do constantly. It helps seal your image. Who seals their image with their own random three-line PowerShell script? Yeah. So use one that is community supported and will contain all the optimizations for many AV and appliances so that you can be done all at once, and it's a PowerShell tool or GUI, right; you just run it every time you want to seal your image and

it'll be optimized and set up all your KMS goodies and everything from that. So now Mr. T, he's going to just start off with some rings, right? I mean, cuz that's kind of sensible. Most people have a couple rings. And so that is our Windows policy, right? Windows policies are one of the most important things you can focus on beyond all this different stuff, and Citrix Analytics and all the other things. One of the things: make sure you have success and failure for all your logging events. As a domain policy, make sure you're remembering at least like 20 passwords and you got

at least 14, maybe even 16 character passwords, teaching users about passphrases instead of passwords. I know passwords are eventually going to go away, that's what the internet says, but we're also going paperless soon too, right. So any day now one of those two things are going to happen, right? So check that out. Some of the things we want to do is focus: we want to first remove admin access. We don't let users become admin. Then we want to make sure and remove any common jailbreak methods, and then we're going to lock down the Start menu and then lock down File Explorer. So when we talk about

publishing applications and desktops, the policies and what we want to do are basically the same. The only difference is in a published desktop you're probably going to try to focus on the Start menu and desktop, to make sure that they don't have access to the things they don't need, but in some cases if you publish me an app, it's no more or less secure, right. So I can still get to the desktop of that server even though you just published me one application. So when we make our new handy-dandy super cool domain policy, we're going to make sure we hit Deny on Apply Group Policy

for us, the Citrix admin group. We don't want these restrictions on us. We want the restrictions on the users. Noisy Cricket, Men in Black, pretty near the smallest gun, but with the biggest bang: that is No Run in the Start menu. If you enable that policy, it restricts execution of many bad things in different ways. So it is the best policy you can enable. Command prompt, PowerShell: the key with PowerShell is you can't just do one thing. You have to block four things. Does anyone know what those four things are? PowerShell, ISE, and 64-bit and 32-bit, and those are four executables you

have to block; don't forget them. And then we talked about all the other restrictive applications; with PowerShell and links, you can block them that way, and then you need to also make sure there's no regedit, control panel, command prompt, the normal stuff, nothing too crazy there, and make sure they can't run Windows Updates because you should be doing that, hopefully once a month, maybe every two months max. Maybe I need to make sure that they can't reveal their own password, cuz I tell you, screen scrapers work, but with Citrix you can get past that, right. So the next

thing is making sure that you can restrict what programs run from Help. I'll have a blog article on this probably in the next week or so. I did it for a client. They have 127 EXEs in their Help restriction. So I mean basically nothing in Windows can be launched from Help that's dangerous. So I'll post that so you can just paste that into that, and magical things stop working. Next thing is Office products' default open and save locations are also very important, along with restricted browsing; make sure you're doing that, and basically you can approve what locations things are

allowed to execute from, and if you have something that has a File menu and a File Open or a File Save, you might be able to remove File, or you're going to have to use a third-party product like AppSense or Ivanti to remove specific menus from applications, so that someone cannot do things they're not supposed to do, especially with things you don't intend for people to do. Next, most powerful, we talked about the desktop is adding items or editing items. If you blocked access to all these things and you didn't do this, I can just make a shortcut to that, right, or I can edit a shortcut to

Internet Explorer to go to command prompt. These are simple things that you want to do. Next thing, Start menu settings. Here you can spend a long time. It's basically, do you want them to be able to edit things? And what do you want to show them? Do you want them to see the computer, the hard drive, the network, control panel, all these other things? And then with that, make sure you're also not allowing users to map network drives. Users do not need to map network drives. You should be mapping their drives for them, right? So these are kind of the top 10. If you were able to do this Mr. T

starter kit, the sizes to get your rings and maybe your bracelets in a little bit. And so when we go into that, this is kind of all those settings that we kind of just went over, if that's fine, and blue is restricted browsing. Macros, Bobby Boucher: you should make sure and turn them off everywhere you can, and there are many ways to do it. Number one is that you see how it says Microsoft Word 2016. That's because in 2013 this policy is a problem, so you're not going to be able to stop it the same way. So you need to kind of upgrade. The next is there's a

more advanced way of blocking macros, kind of level 2. This is where macros can execute; there's two ways to do it, basically for another workaround. And then the last way is training, training and training: you've got to teach users to think twice and click once. You cannot just be clicking on all the internet things cuz it's not just all kitty cat videos, right? So now Mr. T's got his bracelet; it's time to start patching this, right. So now he's starting to look pretty cool. This is a big thing, just like we talked about originally: there are lots of environments that don't get patches, and

it's because everyone is scared, patch paranoid, something to that effect. So find a way to do it, use many ways to do it. Kind of my favorite is obviously an automation framework, a way to build your master image continually so that you do not have to deal with some of these situations, and that way it makes patching happen within just a couple days of patches being released instead of a couple months after that. And then one of the most powerful things, you know, he had to put on his first gold chain, but it looks kind of silly, right, so application whitelisting/blacklisting. This

is almost, in most cases, more powerful than any AV, if done right. Antivirus should still be installed and is still a good catch-all; I'd never recommend not doing it. And there's many ways to do it: AppLocker through Group Policy, you already own that, and there might be PolicyPak if you've got Java or browsers or PDF readers and all kinds of things that go on there, and then Citrix WEM, Ivanti or AppSense can do the same things. So that's what it looks like. If you're able to, the number one most important thing is you can turn on AppLocker with audit mode only; it's not going

to block anything. It's just going to tell you if it would have blocked something. You can adjust your policies and then crank it up slowly but surely. And then from there, when we're doing AppLocker, these are the main three steps you kind of need to do. Level 0 is to audit the regular policies and make sure and prevent the admin applications. Then you need to do LOLBins, which we'll talk about in a second, and then your main applications. This is just like removing an any-any rule on a firewall. It takes a long time. It's not easy. LOLBins: Oddvar Moe.

He basically has written about this, and it's called living off the land, which means when I land on a server, I don't need to download any tools to hack your planet. I just hack your planet with your own Windows executables. So it's usually a pretty fun time. So we can take Program Compatibility Assistant and we can use it to do bad things. We can use it to copy files, inject files, and because it's privileged, trusted, you can do lots of very interesting things with it. And this is all the LOLBins for Server or Desktop 1809 and newer right now. There's a lot of them; some of these you're

not going to get out of. This one, print.exe: people need to print, that's for sure, right. But you just need to understand that print can do more than just print a file, right? It is a network file transfer is what's actually happening, and you can do very malicious things with it. So AaronLocker, if anyone's never heard of this, is a very easy way to start your AppLocker experience. You'd run a PowerShell script. It looks at everywhere the user has writable permissions and it makes AppLocker rules for those places. If a user can't write to a location, it can definitely

help you, because then they may not be able to execute either. So you can also fix your file permissions, or make AppLocker actually lock these things down. The documentation is 81 pages. It goes through it step-by-step and it's a very good way to kind of start. And now we have the Mr. T we know and love, right. Now it's time to make sure, whatever we just let Windows do, make sure that Citrix policies are there, and the default policies are insecure by divine right. This is what basically Citrix has molded over the past, what, now we're talking about 30 years, right? 1989.

They have used the most common policies and these are the ones that are enabled. These are the most secure policies, but the good thing is they do have a secure policy. It's called the Security and Control template. It's in every version since 6.5. If you make your default user policy based off this, it will be secure, and then you're just going to open it up for each specific use case. And so I wrote about this; I've been on the Citrix user group, wrote about how to plan and kind of the power of this. Antivirus: you need to make sure you're running it. We know that one thing happens is we

tune are antibiotics has and sometimes that actually guts the effectiveness. It has no more real time scanning capabilities. It has terrible dad 29:16 updates and stuff like that. And so these are kind of some of the main vendors that most people talk about there's over two hundred antivirus vendors 29:24 and lots of VC money goes into it. These are the ones that's kind of see the most especially ones that are hypervisor integrated because then we don't 29:31 have to do as many things. I'm not really going to get into which one's better or worse but Windows features one thing we all need to know and we need 29:40

to understand was with our current Windows 10 release is that we're going to get features that are only going to exist in a new version of Windows and 29:49 we have 18 months on one version and 30 months on the other version. So fall vs. Spring released and toes we go through these different versions. You 29:56 can see more and more things are added. But if you're not on that version you do not have that feature. Right? And that's why I group policies in a 30:03 BMX is also have to do that. Is anyone here ever use laps? Hopefully a couple of you one ring should not rule them. All right one administrator 30:11

password should not be universally accepted on every single system in your domain, especially when you have for 500,000 devices laps is a very easy 30:21 way to do it. Is it annoying to check out passwords? Yes, but is it free? Yes, it only takes a little bit of time to implement it same thing with MSA. 30:29 If you have lots of Windows service integrated things this can change and rotate the passwords on a very automated basis without buying anything you 30:37 already own this technology. So if you have if you run a shop that has lots of Windows Services take a look at him essay. Then the next the TLs / SSL, 30:46

right, you need to make sure you're also taking a look at all your external access, not just your Citrix. Make sure you're getting an A+, right, make sure you're turning off all the old ciphers. It can be a very daunting task, but there is at least a decoder ring on the website that will tell you which ADC version and cipher support it has, depending on which model and everything in between. Do you need to make sure you also sell? One thing to remember is if you are running default self-signed certificates on your NetScalers, on your vCenter and all your other random doodads, I can be the man in the middle every single time you click in and you accept it. Replace the self-signed certificates with something that you trust on your browser, either locally or at the domain level with your domain certificate. So if that bar turns red, you know to run; you don't want to click on it, you do not want to type on it, but you're accepting a man-in-the-middle attack every single time that red banner comes up and you say accept. So don't be that person.

All right, multi-factor, you got to have it, and it is the best way to slow down an attacker. It's not going to stop it; a simple social engineering phone call can get anyone's passcode in just a couple minutes by acting like you're IT and saying someone's off of work because you just looked at emails, and then bada bing bada boom, you've got their 6-digit token and now you're logging in. But make sure you understand how powerful MFA is. When you don't have MFA, it only takes one thing to log in: username and password. When I have MFA I need to have the phone, I need to have the passcode or the face or the passcode, I need to know the app, I might have to enter a PIN, and then I have to have the username and password. So I have to have at least three to five things to log on to your deployment if I have MFA enabled, versus one. And we talked about breach data. It only takes one. It only takes one account out of an organization of two or three hundred thousand people to get into that organization, and also probably not even be noticed, because all we're doing is checking email.

So pro tip for MFA: start with your IT people. Everyone needs to be very familiar with the reset process, how to roll it out, how to do things. But then I do it different than many others: start with your high-stakes employees,

who is someone that can send a PO for $700,000 and no one bats an eye. That's who needs MFA, not even just now. Their assistants, their accountants, their executive assistants and everything in between that world and that C-suite, that VP, the SVP world, people that are able to spend money, are the people that we need to worry about. Then we need to go to leadership. The only way you're ever going to get your users to trust something is if your leaders are aware of it and can help them. This may go all the way down to your team leads and stuff like that. And then after you have completed that gauntlet, roll it out to all your users. Don't do it to all your users and then exclude the CEO. Those are the people that are going to get hacked.

So the methodology core: start off with no jewelry. We're going to optimize it, we're going to put some Windows policies on it, we're going to patch it, we're going to do whitelisting, and we're going to have Citrix policies, and that's how we go from Mr. T with nothing to the Mr. T we love. So security best practices could go on for days. Has anyone here done micro-segmentation? Good, more than I thought. So it's a very, very good thing to do. There's multiple ways and solutions to do it. NSX is obviously probably the biggest, and then ACI, then Check Point, and then a couple other solutions outside of that, even Nutanix. So it's something you should do, and if you can't do that, at least do it through Windows Firewall. This may sound like I just rebooted in 1980s mode, because we've been turning off Windows Firewall since the 90s, and why are we turning it back on? Guess what, it automatically put all the firewall rules in your VDA. Your VDA already put all the firewall rules in, so just turn it on, and guess what, it will still work. Now will all your applications work? Definite maybe. You need to test, but it's a couple rules most likely, and you would at least be more secure. You want to crank it up to eleven, you turn on IPsec. It means now I can't sniff the network anymore and see clear-text usernames and passwords going across your network. I can't even really tell who's talking to who because all the packets are encrypted. It's basically like you're running on a VPN in your internal network all the time. Is there overhead? Yes. Are there things you

have to worry about? Yes, but it's something you should probably look at. Next thing, VLANs. We love VLANs, but we never put any ACLs on them. We never stop one VLAN from talking to another VLAN. We may have all 4096, we collected them all just like Pokemon, but every VLAN can talk to every VLAN, and so it almost defeats the purpose.

Admin rights: remove them. If you're still running any application that has admin rights, that requires admin rights, I urge you to look at Citrix User Group sponsor PolicyPak, because PolicyPak has many ways to be able to make sure that users get elevated for just the one process, not all the processes. Almost every attack requires admin elevation. So if they're not an admin, they can't elevate, therefore they can't execute.

The next thing, hacker paradise. You do not need hundreds of domain admins. You need two to four, and two of them should probably be a top-secret key that you're going to break and you're going to keep in a cabinet. No one needs to be a domain admin to be a Citrix admin. There's no case for that. So don't do it, right? Make an Active Directory group, make it a delegated role with it, so they only have access to what they need to, and no one is at Enterprise Admin, Schema Admin and Domain Admin rights, very, very dangerous things.

The next is some of the security stuff when we talked about the permissions. You're not paying attention to your NTFS. That's how the worms spread. That's how ransomware and all the bad nasty things happen. The next thing is, if you're a DoD company, look at STIGs. Even if you're not, looking up your Windows operating system's STIG is going to give you a lot of information about how to lock down Windows 10 and its file system, way more than you probably ever knew to begin with.

Permissions flow, this is a good one: use one Active Directory group to rule them all. So we've got Microsoft Word. We're going to use that to entitle the delivery group, the group policy application, the AppLocker policies; the NTFS permissions on that image will be using that same group; the external group verification, so that they can log in, is using that group. My multi-factor is going to use that group along with all the file shares and application access, so that one group allows you to have access to that. If you are not in that group, you

cannot access it any other way, even if you're on the server. So use the same group, don't make your job harder, use those groups and then just make them smarter.

So Citrix has lots and lots of cool security features, and of course they've got two big ones. I mean there was a couple more in there. So this is why for me Citrix has the most secure VDI deployment, because of all this, all their analytics, Secure Browser, everything else they have. It's kind of amazing, and when I think about the other guys, they have a fraction of the security features, and Citrix is continually developing in security. So, of course, that makes me happy.

So VDI logging. This is a fun one every time and it's one of my favorite slides, because everyone, when I talk about logging, they're like, oh, we should be logging. If you don't have logs, there's no way to do incident response. I've been in places that have been breached and we go and look and we log into the NetScaler and the log is gone, and that's because of the way that they're logging, and it only lasted about fifteen days and they were breached 30 days ago. Most breaches, if you don't detect them in the first 48, you're not going to detect them, and usually the next 30 days it's kind of just like a murder, and many times depending on how the attacker rolls, they're either going to be low and slow or loud and proud, right? And so they're going to steal everything they can, or they're going to be very sneaky and make more accounts and they're going to wait, and they still have bash access. They're going to wait and they're going to do more and more and more. It is how people are in for months and years without anyone knowing, because they keep a low profile. So make sure you're doing logging. You need a syslog server and you need something that does Windows Event Log collection, whether that's Splunk, whether that's ELK or whether that's LogRhythm. Right, Splunk is obviously the king of the playground, and then LogRhythm and a couple others are there. There's a bunch of people that have SIEMs, and then ELK is, you know, the open source version; as long as you have storage you have it. If you like the Gartner Magic Quadrant, you can buy something in the top right. And then this is a great one, Black Hills InfoSec. They do lots and lots of red team and blue team training, and they tell you exactly how to set up PowerShell

and Windows Event Log forwarding for $0. You just need to follow the guide and click, and you need to have some storage space, and it doesn't even need to be fast space. PowerShell logging: if you do Windows Event logging and you don't do PowerShell logging, it just means now you can't detect when someone actually ran Mimikatz, because I'm going to run it as PowerShell, right? You need to know what PowerShell scripts are being run, so don't forget about PowerShell.

The Final Countdown. This is kind of just a picture one, right, but this is kind of everything we talked about in order to log in. Make sure we're doing it, and then poll the audience. We already kind of went through this, we went through all that, so we already did that one. Social engineering training, like KnowBe4, PhishMe, something like that. If you don't, go get it. Don't buy it for all your users; do it the exact same way I talked about multi-factor: C-suite, leadership, IT, those are the people that need to be trained, high-stakes people that can send those big POs and no one bats an eye. That's who needs to have that kind of training, and constantly.

If you don't know, I wrote a little book. It's not as big as I wanted it to be, because writing a book is a lot harder the first time. I thought it was just going to be like a jumbo blog, but I was definitely mistaken. So it's going to come out, hopefully. If you want that you can sign up and get news on it, and it's not a phishing site, I promise, Scout's honor, right. So make sure before you leave you go ahead and go to your survey. If you like this kind of technical content, security-focused, this kind of stuff, make sure and let everyone know, and if you have any questions come see me. We're finishing a little early. But this is kind of the tweet things, if you want to do "protect Citrix workspace", because... I don't know what hashtag, that sounds cool. And this was kind of... did anyone see the Citrix User Group Defend Your Castle? Okay, good. All right. Well, this is one of my favorite slides ever made. So basically it just kind of shows the layers of Citrix security in one slide. So from the outside, we have our firewall that does all our NATing and firewall translation for

level 1 through level 3. Then we have our Citrix ADC that's doing GeoIP, which is blocking billions of IP addresses, bad IP, which is blocking a couple hundred million IP addresses, and we have WAF protection and the protection to make sure denial of service can't happen. Then we can get to our Citrix Gateway. We're now three levels deep in our environment. We have Citrix Analytics teamed up there so that we can look through it with SmartAccess, MFA, SSO and the anomalous access protection, look for weird things. This person was just logged in in Kentucky and now they're logged in in China. Something weird is going on. Now they're in Rio, now they're in Australia, something's going on.

Controls are kind of your next layer, with website content control with Secure Browser and their SaaS application control. If any of you are using any applications that they talk about all the time, like Salesforce and Workday and Expensify and Concur and all that, this is very powerful, so that you don't give external access to those applications anymore. So no one can go home and just do it; they come through Citrix to access these applications, because we'll have one controller, one place to log it, and we can control MFA and single sign-on from there.

Then we finally made it to the broker. So we still have Citrix broker policy, we still have Citrix policies, and we still have Citrix Analytics looking for strange things and controlling what's in the session. Now we've actually made it into the network. So micro-segmentation, your ACLs, your DMZs are doing all this stuff, who can talk to who, and then we get to Windows policies because we're about to make it to the VDA, and this is where we're going to have our no-run, restricted drives, all the group policies, application blacklisting and whitelisting with AppLocker. Then we actually made it to the virtual desktop. The AD group is what's going to allow me to get to that, and if you're not in the group you don't have access. In the very middle is... this is all the Citrix security features layered in a pretty little bubble, multicolored Willy Wonka style, so that you can kind of see what each one's doing. If you were counting, it's over eight layers of security, and if we're going really wide, it's over like 15 products in the ways that you can do things. So it's very, very, very powerful.

So, hopefully you all learned something. Thank you for coming and I hope you all have a good final night, because everyone's just going to go rest tonight or go to some weird party, right? That's what you do on the Wednesdays at Synergy. Thank y'all so much.
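The PowerShell logging point from the talk (Windows Event logging alone does not show that Mimikatz was run through PowerShell), as an added example that is not from the speaker or from Citrix: a small Python detector over constructed PowerShell Script Block Logging records (Event ID 4104) that reassembles script blocks Windows has split across several events before matching, because an indicator that straddles a fragment boundary is missed otherwise. The indicator list, the computer name VDA01 and the sample events are all constructed placeholders.

```python
"""Reassemble PowerShell Script Block Logging events (ID 4104) and flag suspicious blocks.
Added example for this talk; the sample events at the bottom are constructed, not real logs."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# A few starter indicators; a real deployment uses a curated, maintained rule set.
SUSPICIOUS = re.compile(r"mimikatz|downloadstring|frombase64string", re.I)

def parse_4104(xml_text):
    """Return (ScriptBlockId, MessageNumber, MessageTotal, text, computer); None if not 4104."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return (data["ScriptBlockId"], int(data["MessageNumber"]), int(data["MessageTotal"]),
            data["ScriptBlockText"], root.findtext("e:System/e:Computer", namespaces=NS))

def reassemble(events):
    """Join fragments sharing a ScriptBlockId in MessageNumber order: Windows splits long
    script blocks over several 4104 events, so per-fragment matching can miss an indicator."""
    fragments, meta = defaultdict(dict), {}
    for xml_text in events:
        parsed = parse_4104(xml_text)
        if parsed is None:
            continue
        sbid, num, total, text, computer = parsed
        fragments[sbid][num] = text
        meta[sbid] = (total, computer)
    blocks = {}
    for sbid, parts in fragments.items():
        total, computer = meta[sbid]
        if len(parts) == total:  # skip blocks that are still missing fragments
            blocks[sbid] = (computer, "".join(parts[i] for i in range(1, total + 1)))
    return blocks

def find_suspicious(events):
    """Return sorted (computer, ScriptBlockId, matched indicator) tuples for flagged blocks."""
    hits = []
    for sbid, (computer, text) in reassemble(events).items():
        match = SUSPICIOUS.search(text)
        if match:
            hits.append((computer, sbid, match.group(0).lower()))
    return sorted(hits)

def _event(event_id, sbid, num, total, text, computer="VDA01"):
    """Build a minimal Windows event XML record (constructed test data; VDA01 is a placeholder)."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-PowerShell"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}'
            f'</Data><Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{sbid}'
            '</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed
    _event(4104, "b1", 1, 1, "Get-Service -Name Spooler"),
    _event(4104, "b2", 1, 2, "Import-Module .\\tools.ps1; Invoke-Mimi"),  # name split across
    _event(4104, "b2", 2, 2, "katz"),                                       # two fragments
    _event(4103, "b3", 1, 1, "Invoke-Mimikatz"),  # module-logging event, not 4104: ignored
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only block `b2` on `VDA01`; neither of its fragments matches on its own, which is the gap a per-event rule leaves.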
