Users having domain admin rights - love that. DUN w/o authentication - another good one. As Greg has mentioned before, look up the DISA STIGs - they have them for all flavors of modern Windows as well as for XenApp itself. Proceed carefully; implementing all of them *will* break stuff.

Also, I'm baffled by the statement that two-factor auth is too expensive but AppSense and a CAG aren't. Actually, I'm not baffled - I smell fertilizer.

I worked in that environment once - a financial firm that hosted account systems for credit unions - firewalls behind firewalls behind firewalls. We didn't have WinFrame then (nor was I aware of it then), and IIRC our only external access points were a dial-up VPN through AT&T and dedicated circuits to the credit unions; absolutely no external access was allowed in from the Internet. Even crazier, for each and every internal PC they had 250 rules in the firewall controlling outbound connectivity. 'Twas a mess, but every Friday was doughnut day. :)

On Wed, Aug 26, 2009 at 3:00 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:

> On the security topic still...
>
> What is the worst compromise you've seen of a Citrix environment? I've
> never seen one personally.
>
> I remember back in the day before CSG etc., we would open 1494 from the
> outside to our internal Citrix servers. Citrix used to claim this wasn't
> much of an attack vector, but eventually we got CSG, and that made it more
> secure and easier to traverse other people's firewalls. I'll stop there; I
> know there are other measures to secure this traffic, but I'm wondering how
> much risk we are really talking about with Citrix XenApp. What's the worst
> thing you've ever seen? I'm trying to get a real sense of the risk we need
> to manage with security measures.