Tighten Up Your Citrix and RDP Security
Forwarded with permission from: Security UPDATE
=== CONTENTS ==================================================
IN FOCUS: Tighten Up Your Citrix and RDP Security
NEWS AND FEATURES
- Microsoft Will Fix Windows URI Flaw
- NAC Will Act as Emergency Broadcast System for University
- Third Brigade Looks to Service Providers to Expand Market Share
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: Blue Monster Business Card
- FAQ: Remotely Run Commands on Vista and Windows 2008
- From the Forum: Security Audit Tools
- Share Your Security Tips
- Monitor Endpoints on a Distributed Network
- Wanted: Your Reviews of Products
RESOURCES AND EVENTS
FEATURED WHITE PAPER
=== SPONSOR: Storage Guardian =================================
Keys to Backing Up & Securing Data at Remote Business Sites
Keeping data at remote office sites backed up and secure is a
critical component of business success. Register now to get the
knowledge you need to make smart decisions regarding data backup at
remote business sites.
=== IN FOCUS: Tighten Up Your Citrix and RDP Security =========
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Both Citrix and Microsoft's RDP have been in widespread use for quite a
long time. The technologies allow people to connect to remote systems
to use desktop applications and administration tools. If you use these
technologies every day, it might be a good idea to ask yourself whether
your remote computing environment is as secure as it could be.
A couple of weeks ago, Petko Petkov posted some very interesting
information at his GNUCITIZEN Web site. Using Google, Petkov discovered
numerous Citrix configuration (.ica) files that are located on .gov,
.mil, and other domains. If you're familiar with Citrix configuration
files, you know that they contain information that clients use to
connect to servers. Along with server IP addresses, the information
sometimes includes usernames and passwords.
Having .ica files indexed by Google and other search engines is
obviously problematic, to say the least. Monday, I did a quick search
on Google and found more than 600 .ica files, some of which did contain
complete connection information. RDP connection files are also being
exposed to the Internet and thus picked up by search engines. A quick
search at Google revealed more than 300 RDP connection files. Searching
Yahoo! for the same two file types revealed more exposed connection
In the blog post "CITRIX: Owning the Legitimate Backdoor," (at the URL
below), Petkov outlines how easy it is to modify Citrix connection
files to launch various programs, including command shells, after
connecting to a remote server. It's also possible to enumerate
available server farms, servers, and applications by using scripts.
That sort of information can give an intruder a big head start in
finding chinks in network armor.
Citrix and RDP connection files should not be listed in search engines,
which means that you need to protect access to those types of files.
Furthermore, you need to make sure your Citrix and Windows Terminal
Services installations are locked down tight. Otherwise an intruder
will eventually come along and try to break in.
You also need to defend against email- and Web-based attacks that
deliver specially modified Citrix and RDP connection files that could
trick people into exposing sensitive data, trick them into uploading
and downloading files, and so on.
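As an added illustration of the check a defender would run over a web root before a search engine indexes it (this is not code from the article, Citrix, or Microsoft), the script below parses two constructed sample connection files, an .ica file (INI syntax) and an .rdp file (name:type:value lines), and flags the two properties the article warns about: embedded credentials and an overridden program to launch on connect. The sample contents and host names are made up.

```python
import configparser
from typing import List

# Constructed sample files; neither describes a real deployment.
SAMPLE_ICA = """[WFClient]
Version=2
[ApplicationServers]
Payroll=
[Payroll]
Address=10.0.0.5
InitialProgram=#Payroll
Username=svc_payroll
ClearPassword=hunter2
"""
SAMPLE_RDP = """full address:s:ts01.example.internal
username:s:admin
password 51:b:01000000d08c9ddf0115d1118c7a00c0
alternate shell:s:cmd.exe
"""

# ICA keys are INI options; RDP keys are the name part of name:type:value.
ICA_CREDENTIAL_KEYS = {"password", "clearpassword"}
ICA_LAUNCH_KEYS = {"initialprogram"}
RDP_CREDENTIAL_KEYS = {"password 51"}
RDP_LAUNCH_KEYS = {"alternate shell"}

def audit_ica(text: str) -> List[str]:
    """Findings for an .ica file; configparser lowercases option names."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key in ICA_CREDENTIAL_KEYS and value:
                findings.append(f"{section}: embedded credential in '{key}'")
            elif key in ICA_LAUNCH_KEYS and value:
                findings.append(f"{section}: launch override '{key}={value}'")
    return findings

def audit_rdp(text: str) -> List[str]:
    """Findings for an .rdp file (one 'name:type:value' setting per line)."""
    findings = []
    for line in text.splitlines():
        if line.count(":") < 2:
            continue  # not a setting line
        name, _type, value = line.split(":", 2)
        name = name.strip().lower()
        if name in RDP_CREDENTIAL_KEYS and value:
            findings.append(f"embedded credential in '{name}'")
        elif name in RDP_LAUNCH_KEYS and value:
            findings.append(f"launch override '{name}={value}'")
    return findings

def audit_file(name: str, text: str) -> List[str]:
    """Dispatch on extension; anything else is not a connection file."""
    ext = name.rsplit(".", 1)[-1].lower()
    return audit_ica(text) if ext == "ica" else audit_rdp(text) if ext == "rdp" else []

if __name__ == "__main__":
    for name, text in (("payroll.ica", SAMPLE_ICA), ("ts01.rdp", SAMPLE_RDP)):
        for finding in audit_file(name, text):
            print(f"{name}: {finding}")
```

Any file that produces a finding should be removed from the web root or moved behind authentication, and the credential it carries rotated.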
For more information about the Citrix and RDP risks, be sure to read
Petkov's blog post "Remote Desktop Command Fixation Attacks," at the
first URL below, and his "Clear" post at the second URL below. In these
posts, he elaborates on some of his concerns and provides links to lots
of other related material.
Whenever someone brings to light risks such as these, related intruder
activity increases. To get a rough idea of how such information
stimulates activity, head over to The SANS Institute's Internet Storm
Center and take a look at the traffic patterns for Citrix port 1484 (at
the first URL below) and RDP port 3389 (at the second URL below).
You'll notice spikes in traffic that coincide with Petkov's blog posts.
=== SPONSOR: Symantec =========================================
Guarding against the growing threats to the corporate email and IM
environment has become an ever-consuming task of the IT professional.
Now is the turning point for IT security professionals to look at their
mainstays in their defense strategy and make sure they are pulling
their weight. In scrutinizing your messaging management solutions, this
valuable guide shows that securing a mail and messaging infrastructure
should not be an afterthought. A secure mail and messaging
infrastructure is fundamental to your business and any organization
should plan for the appropriate message hygiene, availability, and
control services from the start.
=== SECURITY NEWS AND FEATURES ================================
Microsoft Will Fix Windows URI Flaw
After claiming that a recently discovered flaw in Windows was a
problem with third-party software, Microsoft reversed course and will
now fix the problem. The flaw is found in a component of the OS called
Uniform Resource Identifier (URI) handling, which allows Web browsers
to launch applications via hyperlinks in Web pages.
NAC Will Act as Emergency Broadcast System for University
The University of the Pacific in Stockton, California, will use the
Web broadcasting capability of Impulse Point's Safe Connect Network
Access Control (NAC) solution as one of its methods for notifying
students and faculty about an emergency situation. The university will
also use text messages and email announcements.
Third Brigade Looks to Service Providers to Expand Market Share
Third Brigade, maker of intrusion detection and prevention systems
(IDS/IPS), announced a newly expanded partner program aimed at helping
service providers better secure their customers' applications and data.
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
=== SPONSOR: Sophos ===========================================
Trends in Malware: 2007 Security Threat Report
A sharp rise in web threats is the latest twist in cyber criminals'
continually evolving efforts to steal information for financial gain.
We review the year so far and predict the threat landscape for the
second half of 2007.
=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Blue Monster Business Card
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=6A5AE:57B62BBB09A6927903AAF5C900D37188
This is sort of funny. Check out Hugh MacLeod's "Blue Monster,"
which spoofs Microsoft with a business card of sorts.
FAQ: Remotely Run Commands on Vista and Windows 2008
by John Savill, http://list.windowsitpro.com/t?ctl=6A5AB:57B62BBB09A6927903AAF5C900D37188
Q: How can I remotely run commands on a Windows Vista or Windows Server
Find the answer at
FROM THE FORUM: Security Audit Tools
A forum participant is looking for a good tool to audit a Windows
Server 2003 domain environment, including passwords. Any suggestions?
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to email@example.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
=== PRODUCTS ==================================================
by Renee Munshi, firstname.lastname@example.org
Monitor Endpoints on a Distributed Network
Promisec announced InnerSpace, a centralized endpoint compliance and
governance solution. InnerSpace works without agents, monitoring all
endpoints and servers for deviations from corporate policy. It's
designed for large, distributed enterprise networks and offers one
interface for monitoring and reporting on all the computers on the
network. InnerSpace establishes a baseline for each group of computers,
noting the devices, applications, services, toolbars, and so on
on those computers, and then monitors for deviations from the baseline.
For more information, go to
WANTED: your reviews of products you've tested and used in
production. Send your experiences and ratings of products to
email@example.com and get a Best Buy gift certificate.
=== RESOURCES AND EVENTS ======================================
For more security-related resources, visit
Learn how to protect yourself from data theft, Web site
hacking/vandalism, and general security issues. With increasing
concerns about host-based intrusion, IT professionals need to be
equipped with effective security solutions. Attend this October 30 (12
p.m. EDT) Web seminar to learn how Symantec Critical System Protection
provides intrusion protection and detection capabilities to better
equip you in a landscape of ever emerging threats.
Learn from other people's mistakes, not your own! This free Web seminar
features an interactive discussion that reveals today's common mistakes
and misconceptions about messaging, archiving, regulations, and
e-discovery. You'll learn why these misconceptions came about, how to
avoid the common mistakes, and what to do to meet today's email
archiving and e-discovery needs.
Interop New York
See all of the latest technologies in action at Interop New York,
October 22-26. Visit 200+ exhibitors, attend 100+ sessions, and check
out live demos of practical business solutions. Interop is the
gathering place for business and IT leaders who want to find out what's
next in business technology. Register today.
=== FEATURED WHITE PAPER ======================================
Employees installing and using unauthorized applications such as IM,
VoIP, games, and peer-to-peer file-sharing cause many businesses legal
concerns, IT support burdens, network and system overhead, as well as
employee productivity issues. This white paper discusses the various
approaches to control applications and highlights a simple solution
that removes cost and management overhead.
=== ANNOUNCEMENTS =============================================
Discover the New SQL Server Magazine
Don't miss the relaunched SQL Server Magazine, coming this month!
Besides a new look, we have even more coverage of administration and
performance, development and Web apps, BI and Reporting Services, and
SQL Server fundamentals. Subscribe now and save 58% off the cover
Got a Tough Exchange or Outlook Question?
Rely on Exchange & Outlook Pro VIP, the new online resource with
in-depth articles on administration, migration, security, and performance.
Subscribers get direct access to our top-flight editors, so subscribe
and receive personalized solutions to your toughest technical
questions. It beats a support call to Microsoft!
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
Subscribe to Security UPDATE at
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- firstname.lastname@example.org
About technical questions -- http://list.windowsitpro.com/t?ctl=6A5B3:57B62BBB09A6927903AAF5C900D37188
About your product news -- email@example.com
About your subscription -- firstname.lastname@example.org
About sponsoring Security UPDATE -- email@example.com
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com