[THIN] Re: worst case scenario

  • From: Steve Snyder <kwajalein@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 26 Aug 2009 08:54:27 +1200

users having domain admin rights - love that. DUN w/o authentication -
another good one.

As Greg has mentioned before, look up the DISA STIGs - they have them for
all flavors of modern Windows as well as for XenApp itself. Proceed
carefully, implementing all of them *will* break stuff.

Also, I'm baffled by the statement that two-factor auth is too expensive but
appsense and a CAG aren't. Actually, I'm not baffled - I smell fertilizer.

I worked in that environment once - a financial firm that hosted account
systems for credit unions - firewalls behind firewalls behind firewalls. We
didn't have winframe then (nor was I aware of it then) and iirc our only
external access points were a dial-up vpn through at&t and dedicated
circuits to the credit unions; absolutely no external access allowed in from
the internet. Even crazier, for each and every PC internal they had 250
rules in the firewall controlling outbound connectivity. T'was a mess, but
every Friday was doughnut day. :)

On Wed, Aug 26, 2009 at 3:00 AM, Wilson, Christopher <CMWilson@xxxxxxxxxxxxx> wrote:

>  On the security topic still…
>
>
>
> What is the worst compromise you’ve seen of a Citrix environment?   I’ve
> never seen one personally.
>
>
>
> I remember back in the day before CSG etc, we would open 1494 from the
> outside to our internal Citrix servers.  Citrix used to claim this wasn’t
> much of an attack vector, but eventually we got CSG and that made it more
> secure and easier to traverse other people’s firewalls.  I’ll stop there, I
> know there are other measures to secure this traffic, but I’m wondering how
> much risk are we really talking about with Citrix XenApp?  What’s the worst
> thing you’ve ever seen?  I’m trying to get a real sense of the risk we need
> to manage with security measures.
>
