Tighten Up Your Citrix and RDP Security

Tighten Up Your Citrix and RDP Security
Tighten Up Your Citrix and RDP Security

Forwarded with permission from: Security UPDATE 

=== CONTENTS ==================================================
IN FOCUS: Tighten Up Your Citrix and RDP Security

   - Microsoft Will Fix Windows URI Flaw
   - NAC Will Act as Emergency Broadcast System for University
   - Third Brigade Looks to Service Providers to Expand Market Share
   - Recent Security Vulnerabilities

   - Security Matters Blog: Blue Monster Business Card
   - FAQ: Remotely Run Commands on Vista and Windows 2008
   - From the Forum: Security Audit Tools
   - Share Your Security Tips

   - Monitor Endpoints on a Distributed Network
   - Wanted: Your Reviews of Products 




=== SPONSOR: Storage Guardian =================================
Keys to Backing Up & Securing Data at Remote Business Sites
   Keeping data at remote office sites backed up and secure is a 
critical component of business success. Register now to get the 
knowledge you need to make smart decisions regarding data backup at 
remote business sites. 

=== IN FOCUS: Tighten Up Your Citrix and RDP Security =========   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Both Citrix and Microsoft's RDP have been in widespread use for quite a 
long time. The technologies allow people to connect to remote systems 
to use desktop applications and administration tools. If you use these 
technologies every day, it might be a good idea to ask yourself whether 
your remote computing environment is as secure as it could be. 

A couple weeks ago, Petko Petkov posted some very interesting 
information at his GNUCITIZEN Web site. Using Google, Petkov discovered 
numerous Citrix configuration (.ica) files that are located on .gov, 
.mil, and other domains. If you're familiar with Citrix configuration 
files, you know that they contain information that clients use to 
connect to servers. Along with server IP addresses, the information 
sometimes includes usernames and passwords. 

Having .ica files indexed by Google and other search engines is 
obviously problematic, to say the least. Monday, I did a quick search 
on Google and found more than 600 .ica files, some of which did contain 
complete connection information. RDP connection files are also being 
exposed to the Internet and thus picked up by search engines. A quick 
search at Google revealed more than 300 RDP connection files. Searching 
Yahoo! for the same two file types revealed more exposed connection 

In the blog post "CITRIX: Owning the Legitimate Backdoor," (at the URL 
below), Petkov outlines how easy it is to modify Citrix connection 
files to launch various programs, including command shells, after 
connecting to a remote server. It's also possible to enumerate 
available server farms, servers, and applications by using scripts. 
That sort of information can give an intruder a big head start in 
finding chinks in network armor. 

Citrix and RDP connection files should not be listed in search engines, 
which means that you need to protect access to those types of files. 
Furthermore, you need to make sure your Citrix and Windows Terminal 
Services installations are locked down tight. Otherwise an intruder 
will eventually come along and try to break in. 

You also need to defend against email- and Web-based attacks that 
deliver specially modified Citrix and RDP connection files that could 
trick people into exposing sensitive data, trick them into uploading 
and downloading files, and so on.

For more information about the Citrix and RDP risks, be sure to read 
Petkov's blog post "Remote Desktop Command Fixation Attacks," at the 
first URL below, and his "Clear" post at the second URL below. In these 
posts, he elaborates on some of his concerns and provides links to lots 
of other related material. 

Whenever someone brings to light risks such as these, related intruder 
activity increases. To get a rough idea of how such information 
stimulates activity, head over to The SANS Institute's Internet Storm 
Center and take a look at the traffic patterns for Citrix port 1484 (at 
the first URL below) and RDP port 3389 (at the second URL below). 
You'll notice spikes in traffic that coincide with Petkov's blog posts. 

=== SPONSOR: Symantec =========================================
Messaging Management
   Guarding against the growing threats to the corporate email and IM 
environment has become an ever-consuming task of the IT professional. 
Now is the turning point for IT security professionals to look at their 
mainstays in their defense strategy and make sure they are pulling 
their weight. In scrutinizing your messaging management solutions, this 
valuable guide shows that securing a mail and messaging infrastructure 
should not be an afterthought. A secure mail and messaging 
infrastructure is fundamental to your business and any organization 
should plan for the appropriate message hygiene, availability, and 
control services from the start. 

=== SECURITY NEWS AND FEATURES ================================
Microsoft Will Fix Windows URI Flaw
   After claiming that a recently discovered flaw in Windows was a 
problem with third-party software, Microsoft reversed course and will 
now fix the problem. The flaw is found in a component of the OS called 
Uniform Resource Identifier (URI) handling, which allows Web browsers 
to launch applications via hyperlinks in Web pages. 

NAC Will Act as Emergency Broadcast System for University
   The University of the Pacific in Stockton, California, will use the 
Web broadcasting capability of Impulse Point's Safe Connect Network 
Access Control (NAC) solution as one of its methods for notifying 
students and faculty about an emergency situation. The university will 
also use text messages and email announcements. 

Third Brigade Looks to Service Providers to Expand Market Share
   Third Brigade, maker of intrusion detection and prevention systems 
(IDS/IPS), announced a newly expanded partner program aimed at helping 
service providers better secure their customers' applications and data. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Sophos ===========================================
Trends in Malware: 2007 Security Threat Report
   A sharp rise in web threats is the latest twist in cyber criminals' 
continually evolving efforts to steal information for financial gain. 
We review the year so far and predict the threat landscape for the 
second half of 2007. 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Blue Monster Business Card
by Mark Joseph Edwards, 
   This is sort of funny. Check out Hugh MacLeod's "Blue Monster," 
which spoofs Microsoft with a business card of sorts. 

FAQ: Remotely Run Commands on Vista and Windows 2008
by John Savill, 

Q: How can I remotely run commands on a Windows Vista or Windows Server 
2008 box?

Find the answer at 

FROM THE FORUM: Security Audit Tools
   A forum participant is looking for a good tool to audit a Windows 
Server 2003 domain environment, including passwords. Any suggestions? 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ================================================== by Renee Munshi, 

Monitor Endpoints on a Distributed Network
   Promisec announced InnerSpace, a centralized endpoint compliance and 
governance solution. InnerSpace works without agents, monitoring all 
endpoints and servers for deviations from corporate policy. It's 
designed for large, distributed enterprise networks and offers one 
interface for monitoring and reporting on all the computers on the 
network. InnerSpace establishes a baseline for each group of computers, 
noting the devices, applications, services, toolbars, and so on
on those computers, and then monitors for deviations from the baseline. 
For more information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================   For more security-related resources, visit 

Learn how to protect yourself from data theft, Web site 
hacking/vandalism, and general security issues. With increasing 
concerns about host-based intrusion, IT professionals need to be 
equipped with effective security solutions. Attend this October 30 (12 
p.m. EDT) Web seminar to learn how Symantec Critical System Protection 
provides intrusion protection and detection capabilities to better 
equip you in a landscape of ever emerging threats. 

Learn from other people's mistakes, not your own! This free Web seminar 
features an interactive discussion that reveals today's common mistakes 
and misconceptions about messaging, archiving, regulations, and e-
discovery. You'll learn why these misconceptions came about, how to 
avoid the common mistakes, and what to do to meet today's email 
archiving and e-discovery needs. 

Interop New York
   See all of the latest technologies in action at Interop New York, 
October 22-26. Visit 200+ exhibitors, attend 100+ sessions, and check 
out live demos of practical business solutions. Interop is the 
gathering place for business and IT leaders who want to find out what's 
next in business technology. Register today. 

=== FEATURED WHITE PAPER ======================================
Employees installing and using unauthorized applications such as IM, 
VoIP, games, and peer-to-peer file-sharing cause many businesses legal 
concerns, IT support burdens, network and system overhead, as well as 
employee productivity issues. This white paper discusses the various 
approaches to control applications and highlights a simple solution 
that removes cost and management overhead. 

=== ANNOUNCEMENTS =============================================
Discover the New SQL Server Magazine 
   Don't miss the relaunched SQL Server Magazine, coming this month! 
Besides a new look, we have even more coverage of administration and 
performance, development and Web apps, BI and Reporting Services, and 
SQL Server fundamentals. Subscribe now and save 58% off the cover 

Got a Tough Exchange or Outlook Question? 
   Rely on Exchange & Outlook Pro VIP, the new online resource with in-
depth articles on administration, migration, security, and performance. 
Subscribers get direct access to our top-flight editors, so subscribe 
and receive personalized solutions to your toughest technical 
questions. It beats a support call to Microsoft! 

Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods