From: Henry Sieff (hsieffORTHODON.COM)
Date: Fri Mar 30 2001 - 16:54:57 CST

    > -----Original Message-----
    > From: Peter Meister [mailto:petermeiMICROSOFT.COM]
    > Sent: Friday, March 30, 2001 11:45 AM
    > To: FOCUS-MSSECURITYFOCUS.COM
    > Subject: Re: Citrix MetaFrame
    >
    >
    > Marco is absolutely correct. PAM offers no security benefits and in
    > NFUSE is easily hacked...

    Not by itself, no. You lock the server down, though.

    > best security for your app is at the Directory Services Level which is
    > either through NDS or Active Directory....If the Terminal Server is
    > going to deploy apps only it must be able to logically authenticate and
    > maintain high level security or possible cmd.exe or shell execution can
    > be done through NFUSE...which as Marco indicates allows for workarounds
    > to gain entry...

    I think you're confused, actually. If you work around the published
    apps the way Marco describes, it's not being done "through NFUSE", it
    is being done on the servers publishing the apps (NFUSE is just a
    portal; no apps execute on it at all).

    Preventing these "hacks" (and really, all you're doing is making use
    of the stupid features MS builds into Word by default, like full
    trusted access to the file system) doesn't require AD or NDS (both of
    which have their problems, and shouldn't be exposed directly to the
    internet). File and registry ACLs and policies on NT4 TSE will take
    care of it. If you're really serious, you use SecureEXE or Appsense.
    NFUSE's benefit is primarily a presentation benefit. It gives you a
    central point to present apps to the users; the apps can be published
    on multiple servers. The security benefits can be realized if you lock
    down cmd.exe and other dangerous apps on the actual servers. The NFUSE
    server itself can't be "hacked" if you have it properly configured.
    It's simply a web server which uses XML to query Citrix servers. The
    ONLY thing it can do (if properly configured) is present the apps
    which the user has been authorized to run on those servers and tell
    the client where to find the apps; nothing actually executes on the
    NFUSE server.

    It is true you can then use "features" within the apps to execute
    things you shouldn't be allowed to, if the admin is a moron, that
    is. (And I blame that on the MS apps themselves :)). They can also be
    locked down, though, by using policies effectively, and restricting
    what apps can be run on the server to those you select. Or using the
    above mentioned add-ons (which you would need on your Win2K machines
    anyway to be truly protected).

    >
    > My recommendation is to use a high level encrypted channel to gain entry
    > into the Terminal Server<High Encryption Mode> shell the user outside
    > the DMZ through the firewall and authenticate the user against the
    > directory service to allow access of the app...This will use Windows
    > Authentication as well as TACACS against your firewall and finally the
    > authentication of the directory service which will allow the user to
    > execute..This also logs to the Firewall as well as the event log so you
    > have good awareness of who it is or the potential threat!!!

    That's such a primitive method. You are allowing people to connect
    directly to your TS server without doing any sort of mutual
    authentication. (Well, you are at your VPN server, but it's not very
    elegant compared to the options MF gives you). Not only that, once
    connected, you have no way to stop them from sending poison data to
    your servers. Citrix has the Extranet 2.0 server, which gives you an
    application proxy. Read the literature; you'll quickly see the error
    of your ways :).

    > Never put a fully capable Terminal Server with App availability outside
    > the DMZ; you're asking for trouble here!

    Never put a TS in your DMZ, and never let a client talk directly to
    your app servers; you're asking for trouble. In the setup you
    describe, you are allowing anyone who authenticates to have a user
    session on a server which is a member of an AD forest (bad bad mojo)
    and not only that, you've ENCRYPTED that direct connection, so you'll
    NEVER know for sure what they are doing with it. Hell, I can set up my
    MF servers without even using an NT Domain or AD; just stand alone
    servers, happily functioning as a load balanced farm, and I DON'T have
    to open up whacky ports between my servers and an AD server, since all
    the communications between the servers can take place via HTTP/XML.

    So, with MF, I can:

    Put the extranet server in one DMZ, along with an NFUSE web server.
    Put the server farm, which can be in its own NT4 domain, in a second one.
    I open up HTTP from my clients to the NFUSE server, and ICA from my
    clients to the Extranet Server. That's all I need to open from the
    outside to DMZ 1.

    The Extranet server communicates via SSL to the server farm, on any
    port you want. You restrict what any given user can do on any given
    server via rules on the ES. The NFUSE box uses XML (on any port you
    like) to query the Citrix servers about what apps should be shown to
    what users.

    You then use policies to further restrict who can access what on your
    servers. The whole thing is also load balanced, which means I can
    simply clone a server and add it to the farm to increase capacity.
    With no limits in practical terms, because it's not MS's crappy
    clustering, but rather, an application level load balancing.

    Maybe Whistler will (when it arrives in a couple of years :-)) do what
    MF XP does today. But by then, who knows how high Citrix will have
    raised the bar.

    And let's not even discuss how much more efficient ICA is than RDP.
    Anyone with a sniffer and MRTG can verify that for themselves.

    So, MF does give you more flexibility in your security infrastructure.
    Oh, and let us not forget, you can run MF on Unix.

    As for costs, well, if you simply stick to NT 4.0 TSE, instead of
    Win2K, and go with the MF XP licensing model, it's not that much more
    expensive, especially since MF gives you a concurrent connection based
    model.

    Which is, I suspect, why MS is now trying to play catch-up with the
    protocol Citrix threw away after developing it (cf the history of RDP)
    in favor of ICA.

    > -Peter!
    >
    > -----Original Message-----
    > From: Marco Peretti [mailto:marcoSECUREWAVE.COM]
    > Sent: Friday, March 30, 2001 1:39 AM
    > To: FOCUS-MSSECURITYFOCUS.COM
    > Subject: Re: Citrix MetaFrame
    >
    >
    > Ed,
    >
    > publishing a single application gives you only a false sense of
    > security. If, from that application, you can start another application
    > (cmd.exe ?) then you can do what you want .. and that's why the NFuse
    > online demo of Word has 95% of menu items disabled. In Word 200, if you
    > go to the About Box and select System Info you can do pretty much what
    > you want.
    >
    > There are a few products that give you more control but they are all, as
    > far as I know, based on file system filter drivers, which makes them
    > easy to bypass. We checked one and in one hour we found three ways to
    > bypass it ... what's the use then ?
    >
    > Marco
    >
    >
    >
    > -----Original Message-----
    > From: Focus on Microsoft Mailing List
    > [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Edward Czerwin Jr.
    > Sent: Thursday, March 29, 2001 4:23 PM
    > To: FOCUS-MSSECURITYFOCUS.COM
    > Subject: Re: Citrix MetaFrame
    >
    >
    >
    > yes... we run 5 terminal servers with citrix metaframe 1.8 on top of
    > it... However, we do not expose them to the internet. The security
    > seems good because it can publish a single application as opposed to an
    > entire desktop. Also if you were to expose it to the internet you would
    > only have to open a single port on your firewall to do so.
    >
    > Thanks,
    > Ed Czerwin
    > Network Analyst
    > MCP, CCA
    >
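The segmented layout Henry Sieff sketches above (clients reach only the NFUSE web server over HTTP and the Extranet Server over ICA in the first DMZ; only those two hosts reach the farm in the second DMZ), as an added example that is not part of the original thread: a small default-deny flow checker that flags any client connection going straight to the app servers. The port numbers (HTTP 80, ICA 1494, SSL 443, XML service 80) and host names are assumptions, since the post says the ES and NFUSE ports are configurable.

```python
from dataclasses import dataclass

# Zones of the layout described in the post (constructed model, not Citrix code).
INTERNET, DMZ1, DMZ2 = "internet", "dmz1", "dmz2"

# Hosts and the zone each sits in (host names are assumed for illustration).
HOSTS = {
    "client": INTERNET,
    "nfuse": DMZ1,      # NFUSE web server: presents the app list, executes nothing
    "extranet": DMZ1,   # Extranet Server: ICA application proxy in front of the farm
    "farm": DMZ2,       # MetaFrame server farm in its own NT4 domain
}

@dataclass(frozen=True)
class Rule:
    src: str      # source host
    dst: str      # destination host
    proto: str
    port: int     # destination port (assumed defaults; the post says they are configurable)
    why: str

ALLOW = [
    Rule("client", "nfuse", "tcp", 80, "HTTP from clients to the NFUSE portal"),
    Rule("client", "extranet", "tcp", 1494, "ICA from clients to the Extranet Server"),
    Rule("extranet", "farm", "tcp", 443, "ES relays sessions to the farm over SSL"),
    Rule("nfuse", "farm", "tcp", 80, "NFUSE queries the Citrix XML service"),
]

def check_flow(src, dst, proto, port):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    for r in ALLOW:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return True, r.why
    # A flow that skips DMZ1 and lands in DMZ2 is exactly what the post warns against.
    if HOSTS.get(src) == INTERNET and HOSTS.get(dst) == DMZ2:
        return False, "clients must never talk directly to the app servers"
    return False, "no matching rule (default deny)"

def audit(flows):
    """Evaluate (src, dst, proto, port) tuples; returns a list of (flow, allowed, reason)."""
    return [(f, *check_flow(*f)) for f in flows]

if __name__ == "__main__":
    # Constructed sample flows: the two legitimate client entry points plus two that must fail.
    sample = [
        ("client", "nfuse", "tcp", 80),
        ("client", "extranet", "tcp", 1494),
        ("client", "farm", "tcp", 1494),      # direct ICA to the farm: bypasses the proxy
        ("client", "extranet", "tcp", 3389),  # RDP to the ES: not part of the design
    ]
    for flow, ok, why in audit(sample):
        print("ALLOW" if ok else "DENY ", flow, "-", why)
```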