Duration 44:56
Citrix Synergy TV - SYN218 - How to protect your Citrix Workspace

Patrick Coble
Principal Consultant at VDISEC
Citrix Synergy Atlanta 2019
May 22, 2019, Atlanta, GA, United States

About the talk

This session will cover security best practices for Citrix Workspace deployments, as well as practical ways to secure your infrastructure using multiple techniques from Citrix, Microsoft and other solutions. In most scenarios, business-critical applications are virtualized and delivered with Citrix. However, they are usually the most overlooked when it comes to security because of timing and priorities. If the application works, no other security reviews are normally completed. If you are running an EMR, banking application, mail client, browser, or any other Windows application, your business can be at risk. Learn how to defend your Citrix Workspace. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.

All right, looks like it is game time, 'cause I can hear the echo and voice of myself, and it must be that time, and there's no more music. All right guys, we've got a lot of stuff to go over and hopefully you've read that. So we're just going to get right to it. I'm going to break down a couple things for you. First thing: 386DX, back when I was 8 years old, turbo button, 33 megahertz, living the dream, 200 meg hard drive, $5,000. What a damn deal, right? Now it's amazing, and you never needed more than that. The movie Hackers came out, and cork board games before that, but that's what I knew.

I wanted to get into cyber security, right. I worked at a call center for Allstate Motor Club, Toys R Us, Southern Cal Edison and IBM tech support. So I did that, but then eventually I became the Y2K floppy disk putter-inner-outer. So I was in charge of updating over 600 computers over and over again with Norton Ghost and BIOS updates to make sure Y2K was cool. And guess what happened that night? Nothing. Cool, one alert. Then the next thing is I got to go to a CNA class while I was in high school. Anybody? Directory? Any CNAs out here? That's the OG right there at the

good stuff. That was some of the best. Then I joined the Marines, did two tours in Iraq, basically two years there in Ramadi, and of course, you know, that picture looks super cool, but Marines don't have MacBooks, all right, that's for sure. We get the leftovers from the Army, so we don't get that cool stuff. So then I got out of the Marine Corps, then I walked over and started working as a consultant. Anyone here an architect, right? Sticks and bubbles, that's what we draw all the time. You don't even need to really be able to write as long as you can draw on a grease board. You

can do anything, right? 'Cause all you have to do is draw it, you don't actually have to do it. And then 2016 is when I busted off and wanted to do my own thing, focus on VDI security, because I saw there's a big gap. So I've been doing lots of presentations. You can see Brian Madden up there, and then see that door; you'll probably figure out what that is in just a second, 'cause it's kind of a slide. Basically I teach about the hacker side. So I go to hacker conferences and teach people how to break into virtual desktops, and I come to conferences like this to teach you how to defend your

virtual desktop deployment. So I do both sides. I'm kind of purplish, red team, blue team, and I'm kind of an author for the baby book; eventually the big book's coming, but it's so cool. So you came here to learn about how to lock down your virtual desktop. You are in the correct session. Spoiler alert: there is not one single thing we're going to do that's going to just secure it and you will have no more worries ever and ever again, right? This is a multi-step process and defense in depth. It's going to take a while, right, and you need to make sure you're doing testing. So what do I speak of,

what do people, what are you guys? This is a self-assessment. What do you host on your virtual desktop deployment? I'm pretty sure it's business-critical. I'm also pretty sure it's revenue-impacting; when it's down, something bad is happening. And its data, I'm sure, is very important to your business, whether that's intellectual property, PHI, PCI, whatever compliance you're under, FedRAMP, all that good stuff. And what can people do inside your session? I bet they can do some things that you don't think that they could, which means that's what an attacker

can do, the same thing. They will use the weaknesses that you've left the user to be able to do whatever they want. A two-year-old with a flamethrower walking around, this is what you're going to get, right. And then file shares. This is the most common one when we talk about ransomware: unsecured file shares. This is a very common finding. This is basically like NTFS Everyone Full Control, and then on the share permissions Everyone Full Control, and somewhere deep down in the heart of Texas in payroll, George opened a support ticket 14 years ago so that he can

share out this payroll folder, and guess what? It's still Everyone Full Control. So if you're not looking at your permissions and running reports and getting some Get-ACLs or using some software to look at it, you probably have many more open shares than you can imagine. It's not just C$ we're worried about; there's probably a big, big problem if your corporate data is at risk because of bad permissions. So, knocking on the door: attackers. It only takes pressure and time to break into anything. If we're talking about Mario, right, I'm going to teach you how to protect yourself

against level 1 through 6, 7 Mario, but level 8, you're on your own, right. A persistent attacker is going to get in; that's just the way it's going to work. They're going to attack your people, and those people will be attacking you. Ransomware threats, hacking: there's a lot of people that can make thousands of dollars a day in their jammies sending spear phishing emails and ransomware requests, and then it's over a trillion dollar industry that's working against you every day. So however much you're spending on it, they're spending probably 50 to a hundred times more. So one thing to know too

is it's also just email phishing is a great revenue stream, especially when you get to whaling. There was someone that actually was able to get 100 million dollars from Facebook and Google by sending them bad POs, and they just paid it for over a year. This happens all the time; people wire money. And so that's what we're going to kind of break into. And then your bad password habits are going to come back to bite you. If any of you are using the same password for multiple sites, when that site gets breached, all their sites get breached, and that's exactly what happens to user accounts. When I

look at breach data, that's what I go for, right? I just put in the company name, I see 752 accounts, and one of those passwords is probably going to work to get in. It probably was Spring2019 or 2012 or something; I just got changed to Spring2019. So it's pretty easy. So most people are in 5 to 10 breaches. What does that look like? There's over 6.4 billion searchable records, over 600 GB of data, that's on the internet right now that I can search about every single one of you. And your users can do the same thing, and more importantly, the attackers are doing that every single day.

There's artificial intelligence and machine learning that's going through those databases to correlate LinkedIn, Facebook, social networks, email addresses and banking to be able to make a profile on you to say Patrick banks at Fifth Third Bank, Patrick does this, Patrick does that, and attack those things: send bad passwords, password spraying, harvesting, all that good stuff. So there's lots of big names here; hundreds and hundreds of millions of records from some of these single companies add up to the 6.4 billion. If you've never heard of DeHashed.com, it's a great place

for you to type in your email address and see how many breaches and how many times you have been personally affected, and I would also go there and put in your domain, companyx.com, and see how many threats there are to your environment right now. Today, any of those people you find there, go change, make them change their password. That's exactly what I would do; that's what I do in security audits. So what's happened in 2008 with the advent of virtual desktops? Virtual desktops meant that we can get all our users in one centralized place. But what's happened, even with

all the Machine Creation Services and PVS and the clones and all these technologies, we actually patch them less than a PC, and it's because if we break it, we buy it, and when there's application problems, we don't cook it, we just serve it. We can't control the applications; we are just the deliverers, right? So this is a big problem that happens, and PCs are in most cases, when I assess, more up-to-date than the virtual desktop. They can be months behind. Your data is worth way more than any product that you have, and that's what everyone's after; that's what those breaches are

about. That's what cybersecurity is all about. And so with whistleblowers and leaks within your own organization, insider threats are still a big deal. And if you're allowing people to get access to things they shouldn't have access to, the attacker has access to those exact same things. So penetration testing methods. This is a good one. Very, very expensive glass door, more expensive maglock. What is greater than a glass door when we're trying to break in and do a penetration test? A can of compressed air, 99 cents, is all it takes to defeat a $150,000 security

system and a 20,000 dollar door. Simple things: turn it upside down. What about over here? We've got this nice door. We've got our access card reader. We've got a bump guard so I can't do bump keys and shim it, and I've even got a biometric reader. How can I get past this? What's greater than that? Basically a fancy coat hanger with a string on it; slide it underneath the door, open the door from the inside. That's all it takes. And this is what an attacker does all the time. And so what can your users do? What are they published? What DLP things have you thought about? What can they copy

in and out of their session, right? It's a big deal from there. And then the next two most important things: where people are checking their email and where they're going to the internet, wherever that is. Those are the most dangerous places in your whole environment. So if you have an Internet Explorer browser or a mail client published in your Citrix deployment or VDI, it is the most dangerous thing you can actually publish, ever. So from there, how do we break into people's deployments? We recon, we DNS scan, we use Shodan, WiGLE and Google dorks. Does anyone know what a Google dork is? Basically

it's a cool search term. So this is a way that I can find any Citrix deployment in the whole world by just searching Google, 'cause it's super... So I can type in there and I can find all these companies that are using it. You should search your own URL. You can actually ask Google to remove your URL. You can actually ask Shodan to remove your URL. You can actually remove it from WiGLE. You can remove these entries so that it makes your haystack a little smaller than everybody else's, right. There's nice and easy ways to do it. The next thing: breach data, just like we talked about. The

new problem with cloud, as we have all talked about before, is API keys. People are terrible about them, and lots of private repos become public repos, and those API keys get out in the wild, and someone all of a sudden spins up $30,000 on the servers on the weekend, right, and you will not get that money back. The next thing is looking at just DNS, and then social engineering, which we'll kind of get into a little bit. So if you're running any of these applications, you can very easily see those ports from the outside, right? There are still 1494 and 2598 open from the outside

world. There's about two million of them right now. So it's a good time. So it's very easy for us to know what version of Citrix you're on by the color of the page, right? We know what version of NetScaler you're running. We know what version of StoreFront or Web Interface. And then even when we get in here, why do we still have nsroot/nsroot? It works at so many places. The people that are the biggest offenders of nsroot/nsroot are people that have SDXs, because they made their template VM and they just made a new instance for production or application

X, and they just rolled it to production and never changed that password, and I've been at many companies that make billions of dollars that have that, and it's kind of a shame. The next thing is make sure that NetScaler, I don't just put that in gen pop on Cell Block B, right; actually lock it down, so that if we've actually looked at any of the releases of many of the vulnerabilities, they were NSIP related; they were because you had access to this IP. All right. So Citrix is easy to spot: lots of very unique ports, and VMware's the same thing. Phishing, phishing is the best way to get

into any deployment. There's no need to hack the Matrix, send in a Bash Bunny or a worm or anything like that. Send someone an email about a gift card and they'll click it, and that's all it takes. One malicious email is all the difference there is, and it's just going to keep getting worse. And then from here, you can really go have fun. If you use the Social-Engineer Toolkit, SET, I can actually clone your Citrix website, send the user a request, and say hey, something's going on with the website, can you check it? They put in your username and password; I have the username and password, right? And

this can be done in a matter of about 2 or 3 minutes. And if I'm on your network, then I would use Wi-Fi Pineapples and things like that so I can be the man in the middle in your connection. WPA2? No, that's what really matters. So who here is a domain admin? I know you don't want to raise your hand when there's a hacker talking, right? It's kind of awkward. So if you are, number one rule: never log into your image with that username. If you log into that image with that username, anyone who logs in after you can become domain admin until you change your password. So how often do you change your password? And

maybe once a year for some domain admins, maybe once every five years for others, max, maybe six. How many times and how long someone has access to become you and take over your token. Mimikatz, BloodHound are great ways that you use to attack people and find domain admin, find open shares, find ways to get in, and there's always Windows that has lots of vulnerabilities, so we're not patching it. So you're always going to get in that way. The next is just getting admin access, what we talked about. So not really anything there. Brute-forcing logon pages is still really possible,

and there's a reason for that. Most people don't do any logging. So from there, anyway, we go from there. We get access to Citrix or any published resource. We're going to try to jailbreak out of whatever application you published. You publish me an AS/400 client or an extension or application XYZ, I'm going to try to get out of it and into PowerShell and the command prompt and regedit and all kinds of other fun tools, right. File Open and Help About are the most dangerous things. Once you've done that, you've actually captured the flag, and then you're going to

write a report and then you're going to try to start fixing it. So we've already talked about what are the two most dangerous applications: browsers, browsers and mail clients, right? So one of the most important things we talked about, browsers: you need to make sure you're using the ADMX file. If you're not using the ADMX file, you're leaving hundreds of security features from Windows off the table. So you need to load your ADMX file; it needs to be paired like a fine wine. So if you're Office 2013, you need the 2013 ADMX; if 2016, the 2016, right there. So many ways that can go down with

that. The next is when we talk about proxying. If you have a deployment that needs zero internet, or no internet access, that can be accomplished by just a couple settings: we go to Internet Explorer, we go to Internet Options, Connections, we set up a proxy and we point it to localhost. But Microsoft is so awesome that it takes four more policies to make sure someone can't change the one policy that we made. This is what happens with Microsoft, right; it takes four things to stop one thing. So when we talk about that, also think about DNS security: Umbrella clients, Project Pi-hole,

proxy files; there's multiple ways to do this. And make sure, also, even ad blockers: there have been malicious attacks that have happened because of ads. If you block them, at least you're lowering your risk, and it's also going to increase performance and also help your users with less distractions, 'cause there's less things on the page and less Candy Crush. Still with the mail and mail client, you need to make sure you're doing that with the ADMX we talked about. So this Restricted Browsing feature is very, very powerful because it keeps it basically almost sandboxed when someone opens up a link in

a Microsoft product, and you check which products you want to turn it on for, and it can do some main things. We talked about jailbreaking. This is the big blind side: most people think when you publish an application it's more secure than a published desktop, and that's not the case. Windows is still Windows, and everything leads to the command prompt. So when we talk about a healthcare application like NextGen, all I need to do to break out of NextGen is just Help About, and then there's some SQL logs, no PHI, nothing really super cool, but then I can click on NextGen, 'cause they have shameless

self-promotion, and I can get to the internet, right? And once I went to the internet, one very common finding: there's no content filtering because it's in the datacenter. It's in the VDI network. No one stops anything on those network segments. And so that can become a very big problem for a lot of people, and that means that I can download my virus and actually execute it. Then you have things like RemoteScan, a nice little helper application, if anybody's in the TWAIN world. It has the same problem. Why do I need to click on RemoteScan to learn more about it? It's just one more jailbreak

to be able to come back in. Anybody in the banking or AS/400 world? Okay, well, if you got that, basically File Open, Jurassic Park: not allowed to actually launch that, right, because it's a file type block and you can't do it straight. All right, good job, I'll be in, but then you failed. You have an Add button. Well, what can I add? A button to let me just go ahead and put the internet in, and I just manage a shortcut and now I just open the internet. So this is the most secure Top Secret Squirrel banking application and it just got defeated by a button, Add. Right? And this

is what happens with the hackers. They just sat there and they can play with this. This is the new start of this. This is the Mr. T optimization and VDI lockdown method. Did Mr. T wake up one day and go all the way into all his jewelry? Probably not. He put it on a little bit at a time. So what we're going to talk about is incremental success. We're not trying to boil the ocean; we're trying to do things in bite-sized chunks so that you guys can have a more secure deployment. We don't want you to be attacked. We don't want you to be on the news.

Optimizing is the very first piece of jewelry that Mr. T would put on. So if you know ICTR or even Project VRC from the old school, you know that there are some very powerful optimizations that you should be running: less services on your server and desktop, less attack surface, faster login times, better server density, winning all the way across the board. You need to optimize your image, and ICTR is probably the one that is releasing the most blogs all the time about very specific things they optimize and how big that thing was for. So they're a great group, and I'm thankful. Thank

them for all the things they're doing. If you're not optimizing, these are basically the three main flavors: Citrix Optimizer, VMware Optimizer, and this one, this is one of my favorites, because it's something that you get to do constantly. It helps seal your image. Who seals their image with their own random three-line PowerShell script? Yeah. So use one that is community supported and will contain all the optimizations from many AV vendors' appliances so that you can be done all at once, and there's a PowerShell tool or GUI, right. You just run it every time you want to seal your image and

it'll be optimized and set up all your KMS goodies and everything from that. So now Mr. T, he's going to just start off with some rings, right? I mean, 'cause that's kind of sensible. Most people have a couple rings. And so that is our Windows policy, right? Windows policies are one of the most important things you can focus on beyond all this different stuff, and all the analytics and all the other things. One of the things: make sure you have Success and Failure for all your logging events. As a domain policy, make it remember at least like 20 passwords, and you've got

at least 14, maybe even 16 character passwords, teaching users about passphrases instead of passwords. I know passwords are eventually going to go away, that's what the internet says, but we're also going paperless soon too, right. So any day now one of those two things are going to happen, right? So check out that. Some of the things we want to do is focus. We want to first remove admin access. We don't let users become admin. Then we want to make sure and remove any common jailbreak methods, and then we lock down the Start menu and then lock down File Explorer. So when we talk about

publishing applications and desktops, the policies and what we want to do are basically the same. The only difference is in a published desktop you're probably going to try to focus on the Start menu and desktop, so that they make sure that they don't have access to the things they don't need. But in some cases, if you publish me an app, it's no more or less secure, right, so I can still get to the desktop of that server even though you just published me one application. So when we make our new handy-dandy super-cool domain policy, we're going to make sure we hit Deny on Apply Group Policy

to us, the Citrix admin group. We don't want these restrictions on us. We want the restrictions on the users. Noisy Cricket, Men in Black, right? Near the smallest gun, but with the biggest bang: that is No Run in the Start Menu. If you enable that policy, it restricts execution of many bad things from different ways. So it is the best policy you can enable. Command prompt, PowerShell. The key with PowerShell is you can't just do one thing. You have to block four things. Does anyone know what those four things are? PowerShell and ISE, 64-bit and 32-bit, and there's four executables you

have to block; don't forget them. And then we talked about all the other restrictive applications; with PowerShell and the links, you can block them that way. And then you need to also make sure there's no regedit or Control Panel, command prompt, all the normal stuff, nothing too crazy there, and make sure they can't run Windows Updates, because you should be doing that, hopefully once a month, maybe every two months max. Maybe I need to make sure that they can't reveal their own password, because screen scrapers work, but with Citrix you can get past that, right. So the next

thing is making sure that you can restrict what programs run from Help. I'll have a blog article on this probably in the next week or so. I did it for a client. They have 127 EXEs in their Help restriction. So I mean basically nothing in Windows can be launched from Help that's dangerous. So I'll post that so you can just paste that into that and magical things stop working. Next thing is Office products' default open and save locations are also very important, along with Restricted Browsing; make sure you're doing that. And basically you can approve what locations things are

allowed to execute from, and if you have something that has a File menu and a File Open or a File Save, you might be able to remove File, or you're going to have to use a third-party product like Ivanti to remove specific menus from an application, so that someone cannot do things they're not supposed to do, especially with things you don't intend for people to do. Next, most powerful: we talked about the desktop, it's adding items or editing items. If you blocked access to all these things and you didn't do this, I can just make a shortcut to that, right, or I can edit a shortcut to

Internet Explorer to go to the command prompt. These are simple things that you want to do. Next thing: Start menu settings. Here you can spend a long time. It's basically, do you want them to be able to edit things, and what do you want to show them? Do you want them to see the computer, the hard drive, the network, Control Panel, all these other things? And then with that, make sure you're also not allowing users to map network drives. Users do not need to map network drives. You should be mapping their network drives for them, right? So these are kind of the top 10; if you were able to do this, Mr. T

starter kit size is to get your rings and maybe your bracelets in a little bit. And so when we go into that, this is kind of all those settings that we kind of just went over, if that's in blue, and Restricted Browsing. Level Bobby Boucher: you should make sure and turn them off everywhere you can, and there are many ways to do it. Number one is that you see how it says Microsoft Word 2016? That's because in 2013 there's a problem with this policy, so you're not going to be able to stop it the same way. So you need to kind of upgrade. The next is there's a

more advanced way of blocking macros, kind of level 2. This is where macros can execute; there's two ways to do it, basically, and other workarounds. And then the last way is training, training and training. You've got to teach users to think twice and click once; you cannot just be clicking on all the internet things, 'cause it's not just all kitty cat videos, right? So now Mr. T's got his bracelet; it's time to start patching this, right. So now he's starting to look pretty cool. This is a big thing, just like we talked about originally: there are lots of environments that don't get patches, and

it's because everyone is scared, patch-paranoid, something along those lines. So find a way to do it; use many ways to do it. Kind of my favorite is obviously an automation framework, a way to build your master image continually so that you do not have to deal with some of these situations, and then that way it makes patching happen within just a couple days of patches being released instead of a couple months after that. And then one of the most powerful things, you know, he had to put on his first gold chain, but it looks kind of silly, right: application whitelisting, blacklisting. This

is almost, in most cases, more powerful than any AV if done right. Antivirus should still be installed and is still a good catch-all; I'd never recommend not doing it. And there's many ways to do it: AppLocker through Group Policy, you already own that, and you might buy PolicyPak if you've got Java or browsers or PDF readers and all kinds of things that go on there, and then Citrix WEM or Ivanti can do the same things. So that's what it looks like. If you're able to, the number one most important thing is you can turn on AppLocker with audit mode only; it's not going

to block anything. It's just going to tell you if it would have blocked something. You can adjust your policies and then crank it up slowly but surely. And then from there, when we're doing AppLocker, these are the main three steps you kind of need to do. Level 0 is audit the regular policies and make sure and prevent admin applications. Then you need to do LOLBins, which we'll talk about in a second, and then your main applications. This is just like removing an any-any rule on a firewall. It takes a long time. It's not easy. LOLBins, Oddvar Moe.

He basically has written about this and it's called living off the land, which means when I land on a server, I don't need to download any tools to hack your planet. I just hack your planet with your own Windows executables. So it's usually a pretty fun time. So we can take Program Compatibility Assistant and we can use it to do bad things. We can use it to copy files, inject files, and because it's privileged, trusted, you can do lots of very interesting things with it. And this is all the LOLBins for server or desktop 1809 and newer right now. There's a lot of them; some of these you're

not going to get out of this. print.exe, people need to print, that's for sure, right? But you just need to understand that print can do more than just print a file, right? It is a network file transfer is what's actually happening, and you can do very malicious things with it. So AaronLocker, if anyone's never heard of this, is a very easy way to start your AppLocker experience. It looks at, you'd run, it's a PowerShell script, it looks at everywhere the user has writable permissions and it makes AppLocker rules for those places. If a user can't write to a location, it can definitely

help you, because then they may not be able to execute also. So you can also fix your file permissions or make AppLocker actually block these things down. Its documentation is 81 pages. It goes through it step by step and it's a very good way to kind of start. And now we have the Mr. T we know and love right now. It's time to make sure whatever we just let Windows do, we make sure that the Citrix policies are there, and the default policies are insecure by design. This is what basically Citrix has molded over the past, what now, we're talking about 30 years, right? 1989.
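As an added example (not from the talk, and not a Citrix or Microsoft script), here is the AppLocker audit-only start described above, applied to the four PowerShell executables the talk says you must block, scoped to a VDI user group so the Citrix admin group is untouched. It assumes a placeholder group 'CONTOSO\VDI Users' and the standard AppLocker cmdlets (Test-AppLockerPolicy, Set-AppLockerPolicy).

```powershell
<#
  Added example: build an AppLocker policy in AuditOnly mode that denies
  powershell.exe and powershell_ise.exe (64-bit and 32-bit) for a VDI user group,
  dry-run it with Test-AppLockerPolicy, then show how to read the audit events.
  'CONTOSO\VDI Users' is an assumed placeholder; replace it with your own group.
#>
param(
    [string]$UserGroup  = 'CONTOSO\VDI Users',                    # placeholder, assumed
    [string]$PolicyPath = "$env:TEMP\vdi-powershell-audit.xml"
)

# The four executables: powershell.exe and powershell_ise.exe, 64-bit and 32-bit.
$PowerShellPaths = @(
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
)

function Get-GroupSid([string]$Name) {
    # AppLocker rules are keyed by SID, not by group name.
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function New-PowerShellDenyPolicyXml([string]$GroupSid) {
    # Deny rules are scoped to the user group only, so admins outside that group
    # keep PowerShell (same idea as the talk's "deny Apply Group Policy to the admin group").
    # Two Everyone allow rules are included so the collection is not empty: an empty
    # enforced Exe collection would block everything once you switch to "Enabled".
    $rules = foreach ($p in $PowerShellPaths) {
        $id = [guid]::NewGuid()
        @"
    <FilePathRule Id="$id" Name="Deny $(Split-Path $p -Leaf) ($p)" Description="VDI lockdown" UserOrGroupSid="$GroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$sid = Get-GroupSid $UserGroup
New-PowerShellDenyPolicyXml $sid | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run: Deny wins over Allow in AppLocker, so each of the four paths should report 'Denied'
# for a member of the group, while the Windows-folder allow rule still covers everything else.
$exePaths = $PowerShellPaths -replace '%SYSTEM32%', "$env:WINDIR\System32" -replace '%WINDIR%', $env:WINDIR
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $exePaths -User $UserGroup |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply in AuditOnly (nothing is blocked yet). The Application Identity service (AppIDSvc)
# must be running for AppLocker to log anything.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# After users have worked for a while, review what WOULD have been blocked
# (event 8003 = audit-only hit; 8004 = blocked once enforced) before changing
# EnforcementMode from "AuditOnly" to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
```

Running the dry run against the generated XML needs no enforcement in place; only the commented Set-AppLockerPolicy line changes the machine.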

They have used the most common policies, and these are the ones that are enabled. These aren't the most secure policies, but the good thing is they do have a secure policy. It's called the Security and Control template. It's in every version since 6.5. If you make your default user policy based off this, it will be secure, and then you're just going to open it up for each specific use case. And so I wrote about this; I've been on the user group and wrote about how to plan and kind of the power of this. Antivirus: you need to make sure you're running it. We know that one thing happens is we

tune our antivirus and sometimes that actually guts the effectiveness. It has no more real-time scanning capabilities, it has terrible DAT updates and stuff like that. And so these are kind of some of the main vendors that most people talk about; there's over two hundred antivirus vendors and lots of VC money goes into it. These are the ones that I kind of see the most, especially ones that are hypervisor-integrated, because then we don't have to do as many things. I'm not really going to get into which one's better or worse. But Windows features: one thing we all need to know and we need

to understand with our current Windows 10 release is that we're going to get features that are only going to exist in a new version of Windows, and we have 18 months on one version and 30 months on the other version, so fall vs. spring releases. And so as we go through these different versions, you can see more and more things are added. But if you're not on that version, you do not have that feature, right? And that's why Group Policies and ADMX also have to do that. Has anyone here ever used LAPS? Hopefully a couple of you. One ring should not rule them all, right? One administrator

password should not be universally accepted on every single system in your domain, especially when you have for 500,000 devices laps is a very easy way to do it. Is it annoying to check out passwords? Yes, but is it free? Yes, it only takes a little bit of time to implement it same thing with MSA. If you have lots of Windows service integrated things this can change and rotate the passwords on a very automated basis without buying anything you already own this technology. So if you have if you run a shop that has lots of Windows Services take a look at him essay. Then the next the TLs / SSL,

right you need to make sure you're also taking a look at all your external access. Not just your Citrix. Make sure you're getting a plus right make sure you're turning off all the old ciphers. It can be a very daunting task but there is at least a decoder ring on the website that will tell you which ADC version and Cipher supportive has depending on which model and everything in between. Do you need to make sure you also sell? One thing to remember is if you are running default self-signed certificates on your net scalars on your visa center and all your other random doodads. I can be

the man in the middle every single time you click in and you accepted it replace the self-signed certificates to something that you trust on your browser either locally or at the Domain level with your domain certificate. So if that bar turns red, you know to run you don't want to click on it. You do not want to type on it, but you're accepting a man-in-the-middle attack every single time that red banner comes up and you say except so don't be that person. All right multi-factor, you got to have it and it is the best way to slow down an attacker is not going to stop it a simple

social engineering phone call can get anyone passcode and just a couple minutes by acting like your it and saying someone's off of work because you just looked at emails and then bada bing bada boom. You've got their 6-digit token, and now you're logging in but make sure you under Send how powerful MFA is when you don't have MFA. It only takes one thing to log into username and password when I have him fa I need to have the phone. I need to have the passcode or the face or the passcode. I need to know the app. I might have to enter a pin and then I have to have the username and

password. So I have to have at least three to five things to log on to your deployment if I have MFA enabled versus one and we talked about breech data. It only takes one. It only takes one account out of organization of two or three hundred thousand people to get into that organization and also probably not even be noticed because all we're doing is checking email so Pro tip for MFA start with your it people everyone needs to be very familiar of the reset process how to roll it out how to do things. But then I do it. Different than many others start with your high stakes employees,

who is someone that can send a PO for $700,000 and no one bats an eye. That's who needs MFA not even just now. Their assistance their accountants their executive assistants and everything in between that world and that c-suite that VP the SBP world people that are able to spend money or the people that we need to worry about then we need to go to leadership. The only way you're ever going to get your users to trust something as if your leaders are aware of it and can help them. This may go all the way down to your team leads and stuff like that. And then after you have completed

that Gauntlet roll it out to all your users don't do it to all your users and then exclude it and exclude the CEO. Those are the people they're going to get it packed. So the methodology Corps start off with no jewelry. We're going to optimize it. We're in put some windows policies on it. We're going to patch it. We're going to do whitelisting and over to have her sit with policies and that's how we go from mr. T with nothing to the mr. T. We love social security best practices could go on for days. Has anyone here do micro segmentation? Good

more than I thought so it's a very very good thing to do. There's multiple ways and solutions to do it. And SX is obviously probably the biggest and then ACI then checkpoint and then a couple other Solutions outside of that that's even nutanix. So it's something you should do and if you can't do that at least through Windows Firewall this may sound like I just like rebooted in the 1980s mode because we've been turning off Windows Firewall since the 90s and why are we turning it back on guess what are automatically put all the firewall rules in your vda your video. I already put all the

firewall rules in so just turn it on and guess what it will still work now will all your applications work definite. Maybe you need to test but it's a couple rules most likely and you would at least be more secure you want to crank it up to eleven you turn on ipsec. It means now I can't sniff the Network anymore and see clear text username and passwords going across your network. I can't even really tell who's talking to who because all the packets are encrypted. It's basically like you're running on a VPN in your internal Network all the time. Is there overhead? Yes, are there things you

have to worry about you, but it's something you should probably look at next thing vlans wheel of vlans, but we never put any acl's on them. We never stop one VLAN from talking to another VLAN. We may have all 4096. We collected them all just like Pokemon, but every meal and can talk to every meal and so it almost defeats the purpose. Admin rights remove them. If you're still running any application that has admin rights who requires admin rights IRG to look at Citrix User Group sponsor policypak because policy pack has many ways to be able to make sure

that users get elevated for just the one process not all the processes almost every attack requires admin elevation. So if they're not an admin, they can't Elevate their forward to can't execute the next thing hacker Paradise. You do not need hundreds of domain admins. You need two to four and two of them should probably be a top secret key that you're going to break and you're going to keep in a cabinet. Noah needs to be a domain admin to be a Citrix. Admin. There's no case for that. So don't do it right make an active directory group make it and delegated roll with nit. So they only

have access to what they need to and no one is at Enterprise admin schema admin admin and domain admin rights very very dangerous things. The next is some of the social security stuff when we talked about the permissions. You're not paying attention to your NTFS. That's how the worms spread. That's how ransomware and all the bad nasty things happen. The next thing is if you're a big deal D companies look at sticks. Even if you're not looking up your Windows operating system space dig is going to give you a lot of information about how to lock down Windows 10 and its file system way

more than you probably ever knew begin with Permissions flow this is a good one use one Active Directory Group to rule them all. So we've gotten Microsoft Word. We're going to use that to entitle the delivery group The Group Policy application the applocker policies the NTFS permissions on that image will be using that same group the external group verification so that they can log in as using that group. My multi-factor is going to use that group along with all the file shares and application access to that one group allows you to have access to that. If you are not in that group, you

cannot access it any other way, even if you're on the server, so use the same group don't make your job harder use those groups and then just make them smarter. So Citrus has lots and lots of cool security features. And of course they got in town a two big ones. I mean there was a couple more in there. So this is why for me Citrix has the most secure vdi deployment is because of all this all their analytics secure browser everything else if they have it's kind of amazing and when I think about the other guys, they have a fraction of the security features and Citrix is continually

developing and security. So, of course that makes me happy so vdi logging. This is a fun when every time and it's one of my favorite slide because everyone when I talk about logging they're like, oh we should be logging if you don't have logs. There's no way to do incident response. I've been in places that have been breached and we go and look and we log into the netscaler and the log is gone and that's because the way that they're logging and it only lasted about fifteen days and they were breached 30 days ago most breeches if you don't attack him in the first 48, you're not going to

text them and usually the next 30 day. It's kind of just like a murder and many times did thinning on how the attacker rolls. They're either going to be low and slow or loud and proud right? And so they're going to steal everything they can or they're going to be very sneaky and make more account and they're going to wait and they still have bash access. We're going to wait and I going to do more and more and more it is how people are in 4 months in years without anyone knowing because they say keep a low profile. So make sure you're doing logging you need a syslog server and you need

something that does Windows Event log collection where that's Blanc weather. That's elk or whether that's logrhythm. Right Blanc is obviously the king of a of the playground and then logrhythm in a couple others are there are say there's a bunch of people have Sims and then elk is you know, the open source version that it's long as you have storage you have it if you like Gartner magic quadrant, you can buy something in the top, right? And then this is a great one Black Hills intersect. They do lots and lots of red team and blue team training and they tell you Exactly how to set up Powershell

and Windows Event log forwarding for $0. You just need to follow the guide and click and you need to have some storage space and it doesn't even need to be fast or space Powershell logging if you do windows of that logging and you don't do power show logging it just means now you can't detect when someone actually ran Mimi cat because I'm going to run it as Powershell right? Do you need to know what Powershell scripts are being ran, so don't forget about Powershell The Final Countdown. This is kind of just a picture one, right but this is kind of everything we talked about in order to

login, make sure we're doing it and then pull the audience. We already kind of went through this we went through all that. So we already did that one or social engineering training like to know before fish me123 something like that if you don't Go get it. Don't buy it for all your users do with the exact same way. I talked about multi-factor c-suite leadership it those are the people need to be trained by state people that can send those big pio's and no one bats an eye. That's who needs to have that kind of

training and constantly if you don't know I'm I wrote a little book it's not as big as I wanted it to be because of writing a book is a lot harder the first time I thought it was just going to be like a jumbo blog but I was I was definitely mistaken. So it's going to come out hopefully being world if you want that you can sign up and get news on it and it's not as if it's not a phishing site. I promise Scout's Honor this answer it right. So make sure before you leave you go ahead and go to the your survey if you like this kind of technical content security Focus this kind of stuff

make sure and let everything know and if you have any questions come see me We're finishing a little early. But this is the kind of the Tweet things if you want to do protects Citrix workspace because that's I don't know what hashtag. That sounds cool. And this was kind of dip anyone's. Did anyone see the Citrix User Group Defend Your Castle? Okay, good. All right. Well, this is one of my favorite slides ever made. So basically just kind of shows the layers of citric security and one slide. So from now outside, we have our firewall that does all our natting in firewall translation for a

level 1 through level three then we have our Citrix ATC that's doing geoip which is blocking billions of IP addresses bad IP, which is blocking a couple hundred million IP addresses and we have whacked protection and the protection to make sure denial service can't happen. Then we can get to our Citrix Gateway. When our three levels deep and our environment we have to fix analytics teamed up there so that we can look through with smart access MFA SSO and the anomalous access protection look for weird things. This person was just logged in and Kentucky and now they're logged in and China.

Something weird is going on now. They're in Rio now there in Australia, something's going on in trolls kind of your next layer with Webster website content control with secure browser and their SAS application control if any of you or using any Applications that they talked about all the time like Salesforce and work a day in expensify and Concur and all that. This is very powerful so that you don't give external access to those applications anymore. So no one can go home and just do it. They come through Citrix access these applications because we'll have one Pro Controller one place to

log it and we can control MFA and single sign-on from there. Then we finally made it to the broker. So we still have citric broker policy was it still have citric policies and we still have citrus analytics looking for Saints things and controlling what's in the session now, we've actually made it into the network. So microsegmentation your ACL senior DMVs are doing all this stuff who can talk to who and then we get to Windows policies cuz we're about to make it to the VA and this is where we're going to have our no run restrict drives all the group policies application blacklisting and white

listening with applocker. Then we actually made it to the virtual desktop adgroup is what's going to allow me to get to that and if you're not in the group you don't have access in the very middle is This is all the citric security features layered and a pretty little bubble multicolored Willy Wonka style so that you can kind of see what each one's doing stuff. You were counting. It's over eight layers of security and if we're going really wide, it's over like 15 products in the ways that you can do things. So it's very very very powerful. So, hopefully you all learn

something. Thank you for coming and I hope you all have a good final night because everyone's just going to go rest tonight or go to some weird party, right? That's what you do on the Wednesdays at Cinergy. Thank y'all so much.
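As an added example that is not part of the talk or Citrix's own tooling, the script below audits, on a VDA or session host, three of the controls the session calls out: Windows Firewall enabled on every profile, PowerShell Script Block Logging turned on by policy, and whether 4104 script-block events are actually landing in the PowerShell Operational log. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the NetSecurity cmdlets); the function names are the example's own.

```powershell
# Added example (not from the talk): audit firewall profiles, PowerShell
# Script Block Logging policy, and recent 4104 events on the local host.
# Run in an elevated PowerShell on the VDA / session host being checked.

function Test-FirewallProfiles {
    # Each profile (Domain, Private, Public) should report Enabled = True.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Check  = "Firewall profile '$($_.Name)' enabled"
            Pass   = ($_.Enabled -eq 'True')
            Detail = "DefaultInboundAction=$($_.DefaultInboundAction)"
        }
    }
}

function Test-ScriptBlockLogging {
    # Value written by the 'Turn on PowerShell Script Block Logging' GPO.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($null -eq $val) { $detail = 'registry value missing' }
    else { $detail = "EnableScriptBlockLogging=$val" }
    [pscustomobject]@{
        Check  = 'PowerShell Script Block Logging enabled by policy'
        Pass   = ($val -eq 1)
        Detail = $detail
    }
}

function Test-ScriptBlockEvents {
    param([int]$Hours = 24)
    # Event ID 4104 carries the script text as executed. No events means the
    # policy is off, or the log is being cleared or overwritten too quickly.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check  = "4104 script-block events in last $Hours h"
        Pass   = ($events.Count -gt 0)
        Detail = "$($events.Count) event(s)"
    }
}

# Collect the findings and show them in one table; a False in the Pass
# column is the item to fix (or to forward to the SIEM the talk describes).
$results = @(Test-FirewallProfiles) + @(Test-ScriptBlockLogging) + @(Test-ScriptBlockEvents)
$results | Format-Table -AutoSize
```

The 4104 check only proves events exist locally; pair it with Windows Event Forwarding so the same events reach the collector before the local log rolls over.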
