CTX114875 - Configuring Security Features of SmartAuditor

This document was published at: http://support.citrix.com/article/CTX114875
Document ID: *CTX114875*, Created on: Oct 5, 2007, Updated: Oct 5, 2007
Products: Citrix Presentation Server 4.5 for Windows Server 2003, Citrix Presentation Server 4.5 for Windows Server 2003 x64 Edition

*Summary*

This article describes the security features of Citrix SmartAuditor and outlines how to configure them. SmartAuditor is designed to be deployed within a secure network and accessed only by authorized personnel. Because SmartAuditor is a security product, access to SmartAuditor data must be protected from unauthorized users; restricting access to SmartAuditor is what keeps session recording data from falling into the wrong hands. The centralized architecture of SmartAuditor makes it possible to secure access to SmartAuditor resources and data using several different methods. SmartAuditor security features are enabled through built-in configuration tools and through the configuration of several Windows components.

*SmartAuditor Communication Security*

Communication between SmartAuditor components is achieved through Internet Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS provides the web services communication link between each SmartAuditor component, while MSMQ provides a reliable data transport mechanism for sending recorded session data from the SmartAuditor Agent to the SmartAuditor Server. This section discusses methods for securing both IIS and MSMQ for use with SmartAuditor. IIS topics discussed include certificates, SSL, Integrated Windows Authentication and configuring IIS ports. MSMQ is explained, and the methods available to secure MSMQ communication through the MSMQ hardened mode are outlined.
*Internet Information Services (IIS)*

Internet Information Services (IIS) hosts the SmartAuditor Broker, a web application that handles search queries and file download requests from the SmartAuditor Player and policy administration requests from the SmartAuditor Policy Console, and that evaluates recording policies on behalf of the SmartAuditor Agent for each Citrix Presentation Server session. IIS also hosts the Microsoft Message Queuing (MSMQ) virtual directory when MSMQ HTTP support is enabled, allowing recorded session data to be sent via HTTP or HTTPS.

IIS supports several methods for securing access to IIS web applications and services. The following items are discussed:

- Certificates in IIS for Using SSL
- Integrated Windows Authentication
- Configuring IIS Ports

*Certificates in IIS*

The SmartAuditor Broker is configured by default to require a secure channel (SSL) using 128-bit encryption. IIS supports SSL through a valid server certificate installed on the IIS web site to which SSL is to be applied. As the Broker is installed as a virtual directory named *SmartAuditorBroker* under the *Default Web Site* in IIS, a server certificate is required for the *Default Web Site* before the SmartAuditor Broker will accept SSL connections.

To establish an SSL connection, you require a server certificate at one end of the connection and the certificate of the certificate authority (CA) that issued the server certificate at the other end.

- *Server certificate* - A server certificate certifies the identity of a server. The type of digital certificate required by the SmartAuditor Broker is a server certificate.
- *Issuing CA certificate* - A certificate that identifies the CA that signed the server certificate. The issuing CA certificate belongs to the CA. This type of digital certificate is required by the Agent, Player and Policy Console to verify the server certificate.
When establishing an SSL connection from the Agent, Player or Policy Console, the IIS web server sends its server certificate to the client. On receiving the server certificate, the Agent, Player or Policy Console checks which CA issued the certificate and whether that CA is trusted by the client. If the CA is not trusted, the certificate is declined: for the Agent an error is logged in the Application Event log, and for the Player or Policy Console an error message is displayed to the user.

A server certificate is installed by gathering information about the server and requesting a CA to issue a certificate for that server. It is important to specify the correct information when requesting a server certificate, and in particular to specify the server name correctly: if the Fully Qualified Domain Name (FQDN) is used by the connecting clients (Agent, Player and Policy Console), the certificate information given to the CA must use the FQDN of the server rather than the NetBIOS name. Likewise, if NetBIOS names are used, do not specify the FQDN when requesting a server certificate.

The server certificate needs to be installed into the local machine's certificate store, and the issuing CA certificate needs to be installed on each connecting client. Your organization may have a private CA that issues server certificates, and this can be used with SmartAuditor. For a private CA, ensure each client machine has the issuing CA certificate installed. Refer to Microsoft documentation about using certificates and certificate authorities. Alternatively, a number of companies and organizations currently act as CAs, including VeriSign, Baltimore, Entrust, and their respective affiliates.

All certificates have an expiration date, which is defined when the certificate is issued by the CA. The expiration date can be found by checking the properties of the certificate.
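The Go program below is an added illustration, not code from this article or from Citrix: it reproduces the client-side checks just described against a constructed private CA. It issues a server certificate for an FQDN, then shows that verification succeeds only when the client has the issuing CA certificate installed and connects with the name the certificate was requested for (the NetBIOS name fails against an FQDN certificate), and it reports the days left before expiry for the renewal check. The CA name `Example Private CA`, the host names `saudit01.example.local` and `SAUDIT01`, and the 90-day validity are constructed; ECDSA P-256 keys are used only to keep the example fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed private CA plus a server certificate it issued,
// standing in for an organization's own CA and the Default Web Site certificate.
type testPKI struct {
	CACert     *x509.Certificate
	ServerCert *x509.Certificate
}

// newTestPKI issues a server certificate for serverName (the name clients will
// connect with) that is valid for validDays days.
func newTestPKI(serverName string, validDays int) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // the name given to the CA in the request
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvCert, err := x509.ParseCertificate(srvDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{CACert: caCert, ServerCert: srvCert}, nil
}

// newTrustStore models the client's store of installed issuing CA certificates.
func newTrustStore(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// verifyServerCert is the client-side check: the chain must end at a CA the
// client trusts, the certificate must be within its validity period, and the
// name the client connected with must match the certificate.
func verifyServerCert(serverCert *x509.Certificate, trusted *x509.CertPool, connectName string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: connectName})
	return err
}

// daysUntilExpiry supports the renewal reminder: whole days left before NotAfter.
func daysUntilExpiry(cert *x509.Certificate) int {
	return int(cert.NotAfter.Sub(time.Now()).Hours() / 24)
}

func main() {
	pki, err := newTestPKI("saudit01.example.local", 90)
	if err != nil {
		panic(err)
	}
	trusted := newTrustStore(pki.CACert) // issuing CA certificate installed on the client
	fmt.Println("FQDN, trusted CA:", verifyServerCert(pki.ServerCert, trusted, "saudit01.example.local"))
	fmt.Println("NetBIOS name:    ", verifyServerCert(pki.ServerCert, trusted, "SAUDIT01"))
	fmt.Println("CA not installed:", verifyServerCert(pki.ServerCert, newTrustStore(), "saudit01.example.local"))
	fmt.Println("days to expiry:  ", daysUntilExpiry(pki.ServerCert))
}
```

The first check prints `<nil>`; the second fails with a hostname mismatch and the third with an unknown authority, which are exactly the two conditions under which the Agent logs an error and the Player or Policy Console shows one.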
The Administrator needs to ensure certificates are renewed before the expiration date to prevent errors occurring in SmartAuditor.

*To install a server certificate in IIS*

The SmartAuditor installation is configured to use HTTPS, and requires the Default Web Site to be configured with a server certificate issued by a CA. These steps outline how to install a server certificate in IIS.

1. Log on to the server that hosts the SmartAuditor Server as an administrator.
2. From the *Start* menu, choose *Start* > *Control Panel* > *Administrative Tools* > *Internet Information Services (IIS) Manager*.
3. In the left pane, expand the *servername* node (where *servername* is the name of the server where you are enabling HTTPS) by choosing *servername* > *Web Sites* > *Default Web Site*.
4. Right-click *Default Web Site* and choose *Properties* > *Directory Security*.
5. In the Secure communications region, choose *Server Certificate* and follow the onscreen instructions of the *Web Server Certificate Wizard* to request a server certificate.
6. Send the certificate request file to your CA.
7. Once you have received a server certificate from your CA, repeat steps 1-5 to install the server certificate. The *Web Server Certificate Wizard* guides you through installing the certificate.

*To use HTTPS as the communication protocol (if HTTPS has been disabled)*

The SmartAuditor installation is configured to use HTTPS; however, if this has been changed to HTTP and you want to change SmartAuditor back to HTTPS, you must change several settings.

1. Enable secure connections for the SmartAuditor Broker in IIS on the SmartAuditor Server:
   - Log on to the server that hosts the SmartAuditor Server as an administrator.
   - From the *Start* menu, choose *Start* > *Control Panel* > *Administrative Tools* > *Internet Information Services (IIS) Manager*.
   - In the left pane, expand the *servername* node (where *servername* is the name of the server where you are enabling HTTPS) by choosing *servername* > *Web Sites* > *Default Web Site* > *SmartAuditorBroker*.
   - Right-click *SmartAuditorBroker* and choose *Properties* > *Directory Security*.
   - In the Secure communications region, choose *Edit* and enable the *Require secure channel (SSL)* check box.
   - Click *OK* to save the setting and exit the dialog boxes.
2. Change the protocol setting from HTTP to HTTPS for the SmartAuditor Agent service installed on each computer hosting Presentation Server:
   - Log on to each server where the *SmartAuditor Agent* is installed as an administrator.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Agent Properties*. The *SmartAuditor Agent Properties* dialog box appears.
   - Choose the *Connections* tab.
   - In the SmartAuditor Broker area, select *HTTPS* from the *Protocol* drop-down list and choose *OK* to accept the change. If you are prompted to restart the service, choose *Yes*.
3. Change the protocol setting from HTTP to HTTPS in the SmartAuditor Player settings:
   - Log on to the workstation where the SmartAuditor Player is installed.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Player*. The *SmartAuditor Player* launches.
   - Choose *Tools* > *Options* > *Connections*, select the server, and choose *Modify*.
   - Select *HTTPS* from the *Protocol* drop-down list and choose *OK* (twice) to accept the change and exit the dialog box.
4. Change the protocol setting from HTTP to HTTPS in the SmartAuditor Policy Console:
   - Log on to the server where the SmartAuditor Policy Console is installed.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Policy Console*. The *Connect to SmartAuditor Server* dialog box appears.
   - Choose *HTTPS* from the *Protocol* drop-down list and choose *OK* to connect. If the connection is successful, this setting is remembered the next time you launch the SmartAuditor Policy Console.

*Integrated Windows Authentication*

The SmartAuditor Broker virtual directory, *SmartAuditorBroker*, is configured to support authentication only through Integrated Windows Authentication. This requirement ensures that only Windows-authenticated users and computers are able to access the Broker services. Integrated Windows Authentication is based on the Kerberos v5 authentication protocol as implemented by Active Directory. As the SmartAuditor Broker will never be accessed from the Internet, the other IIS authentication options are not required and must never be turned on. By using Integrated Windows Authentication, the role-based security of the Broker is maintained, and access to SmartAuditor recording policy and session recording data by anonymous users is strictly prohibited.

The SmartAuditor Agent, Policy Console and Player authenticate using the connecting user's current Windows credentials. For the Policy Console and Player this is the currently logged-on user. As the Agent runs as a service under the Local System account, the credentials presented to the server are those of the computer itself. In all cases, the principal (user or computer account) of the connecting client must belong to the same domain as the server or to a trusted domain. A connection request made from a local non-domain user, a workgroup computer or an untrusted domain will always fail.

*Configuring IIS Ports*

SmartAuditor components that connect to the SmartAuditor Broker are capable of connecting using non-default communication ports. Secure connections to the Broker use port 443 for HTTPS traffic by default; however, it is possible to change this port in IIS to another unused port between 1 and 65535.
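Before the SSL port is moved, the new port must be free on the server. The Go program below is an added example, not part of this article, that automates that check: it parses constructed excerpts of the Windows `services` file (`%SystemRoot%\System32\Drivers\Etc\services`) and of `netstat -a -n` output and lists every reason a candidate TCP port cannot be used. The sample lines, the host name `SAUDIT01` and the addresses are constructed; the `-n` switch is assumed so that ports appear numerically.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed excerpt of the Windows services file
// ("<name>  <port>/<proto>  [aliases...]  [#comment]").
const sampleServices = `# Copyright (c) 1993-2004 Microsoft Corp.
#
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
echo                7/tcp
http               80/tcp    www www-http           #World Wide Web
epmap             135/tcp    loc-srv                #DCE endpoint resolution
https             443/tcp    MCom                   #HTTP over TLS/SSL
msmq             1801/tcp                           #Microsoft Message Queuing
msmq             1801/udp                           #Microsoft Message Queuing
`

// Constructed excerpt of "netstat -a -n" output from a Windows Server 2003 host.
const sampleNetstat = `
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        192.0.2.55:51234       ESTABLISHED
  UDP    0.0.0.0:1801           *:*
  UDP    0.0.0.0:3527           *:*
`

// servicesUsers returns the service names the services file registers for port/proto.
func servicesUsers(servicesText string, port int, proto string) []string {
	var names []string
	sc := bufio.NewScanner(strings.NewReader(servicesText))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 { // drop trailing comments
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		portProto := strings.SplitN(fields[1], "/", 2)
		if len(portProto) != 2 {
			continue
		}
		p, err := strconv.Atoi(portProto[0])
		if err == nil && p == port && strings.EqualFold(portProto[1], proto) {
			names = append(names, fields[0])
		}
	}
	return names
}

// netstatUsers returns the netstat lines whose local endpoint uses port/proto,
// whether the socket is listening or already connected.
func netstatUsers(netstatText string, port int, proto string) []string {
	var lines []string
	sc := bufio.NewScanner(strings.NewReader(netstatText))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || !strings.EqualFold(fields[0], proto) {
			continue
		}
		local := fields[1]
		i := strings.LastIndexByte(local, ':') // port follows the last colon (also right for [::]:443)
		if i < 0 {
			continue
		}
		if p, err := strconv.Atoi(local[i+1:]); err == nil && p == port {
			lines = append(lines, strings.TrimSpace(sc.Text()))
		}
	}
	return lines
}

// portConflicts lists every reason a candidate TCP port cannot become the new
// SSL port on this host; an empty result means the port is free.
func portConflicts(port int, servicesText, netstatText string) []string {
	if port < 1 || port > 65535 {
		return []string{fmt.Sprintf("port %d is outside 1-65535", port)}
	}
	var reasons []string
	for _, n := range servicesUsers(servicesText, port, "tcp") {
		reasons = append(reasons, fmt.Sprintf("services file registers %d/tcp for %q", port, n))
	}
	for _, l := range netstatUsers(netstatText, port, "tcp") {
		reasons = append(reasons, "netstat shows the port in use: "+l)
	}
	return reasons
}

func main() {
	for _, p := range []int{8081, 443, 1801} {
		fmt.Printf("port %d: %v\n", p, portConflicts(p, sampleServices, sampleNetstat))
	}
}
```

With the sample data, 8081 comes back free while 443 and 1801 are each reported twice (registered in the services file and listening according to netstat). The check is only about local collisions; firewalls between the components still have to be opened for the new port, as the section says.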
Changing the HTTPS port can act as an obfuscation measure and conceal the Broker web application. Before changing the HTTPS port in IIS, make sure that the new port is not already in use by the server for another application or service. The *services* file in the *SystemRoot\System32\Drivers\Etc* directory lists the TCP and UDP port numbers used by Windows Server 2003; alternatively, use the *netstat -a* command to check that the port is not already in use or listening. Ensure that any firewalls between SmartAuditor components also allow access to the SmartAuditor Server using this port. Note that obfuscation of port numbers should never be used as an alternative to SSL or IPSec.

*To change the default HTTPS Port*

1. Change the default HTTPS port in IIS on the SmartAuditor Server:
   - Log on to the server that hosts the SmartAuditor Server as an administrator.
   - From the *Start* menu, choose *Start* > *Control Panel* > *Administrative Tools* > *Internet Information Services (IIS) Manager*.
   - In the left pane, expand the *servername* node (where *servername* is the name of the server where you are changing the HTTPS port) by choosing *servername* > *Web Sites* > *Default Web Site*.
   - Right-click *Default Web Site* and choose *Properties* > *Web Site*.
   - In the Web site identification region, change the port number in the *SSL Port* field (for example, change from 443 to 8081).
   - Click *OK* to save the setting and exit the dialog box.
2. Change the port setting for HTTPS for the SmartAuditor Agent service installed on each computer hosting Presentation Server:
   - Log on to each server where the *SmartAuditor Agent* is installed.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Agent Properties*. The *SmartAuditor Agent Properties* dialog box appears.
   - Choose the *Connections* tab.
   - If using HTTPS for MSMQ, then in the SmartAuditor Storage Manager message queue area, clear the *Use default* check box and change the port number in the *HTTP/HTTPS port* field to the new port number.
   - In the SmartAuditor Broker area, clear the *Use default* check box and change the port number in the *HTTP/HTTPS port* field to the new port number.
   - Choose *OK* to accept the change. If you are prompted to restart the service, choose *Yes*.
3. Change the port setting for HTTPS in the SmartAuditor Player settings:
   - Log on to the workstation where the SmartAuditor Player is installed.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Player*. The *SmartAuditor Player* launches.
   - Choose *Tools* > *Options* > *Connections*, select the server, and choose *Modify*.
   - Clear the *Use default* check box and change the port number in the *Port* field to the new port number.
   - Choose *OK* (twice) to accept the change and exit the dialog box.
4. Change the port setting for HTTPS in the SmartAuditor Policy Console:
   - Log on to the server where the SmartAuditor Policy Console is installed.
   - From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Policy Console*. The *Connect to SmartAuditor Server* dialog box appears.
   - Clear the *Use default* check box and change the port number in the *Port* field to the new port number.
   - Choose *OK* to connect. If the connection is successful, this setting is remembered the next time you launch the SmartAuditor Policy Console.

*Internet Protocol Security (IPSec)*

Internet Protocol Security (IPSec) may be implemented as an alternative to SSL to secure data between SmartAuditor components. IPSec is an Internet standard for secure communications that is part of the TCP/IP stack, providing authenticated and encrypted communication. IPSec must be enabled and configured on each computer hosting a SmartAuditor component.
IPSec is configured using the Local Security Settings (IP Security Policies) on each server and workstation. Refer to the Microsoft documentation for further information on IPSec.

*Microsoft Message Queuing (MSMQ)*

Microsoft Message Queuing (MSMQ) provides reliable transport of data from the SmartAuditor Agent to the SmartAuditor Server using an MSMQ private message queue named *CitrixSmAudData*. SmartAuditor supports three MSMQ message transport protocols: TCP, HTTP and HTTPS. The MSMQ transport protocol for SmartAuditor is configured through the *Connections* tab of the *SmartAuditor Agent Properties* application, with TCP as the default setting.

Typically, MSMQ messages are sent and received through the TCP transport protocol using remote procedure calls (RPC). If IPSec is not used, data is sent as plaintext. The preferred approach is for communication to be secured with SSL by using the HTTP/S mode provided by MSMQ. When MSMQ HTTP support is enabled, messages may also be received through IIS via either HTTP or HTTPS.

By default, the MSMQ service opens the following ports to send and receive messages:

- TCP: 1801, 135, 2101, 2103, 2105
- UDP: 1801, 3527 (internal MSMQ ping)

The SmartAuditor Agent installation configures the Agent to send MSMQ messages using TCP. MSMQ is secured by enabling *MSMQ HTTP Support* on the SmartAuditor Server machine and setting the transport protocol in the *SmartAuditor Agent Properties* application to HTTPS. Furthermore, when MSMQ is set to HTTP hardened mode on the server, the MSMQ service does not listen on any of the above ports, and only HTTP messages received by the IIS virtual directory for MSMQ are accepted and processed. As no TCP or UDP ports are open, the client can only send MSMQ messages using HTTP or HTTPS. MSMQ hardened mode using HTTPS also makes it possible to secure the SmartAuditor Server with firewalls, allowing access only on the HTTPS port (443).
It is recommended that production SmartAuditor systems always be set up in this way.

*To Enable MSMQ HTTP Support*

1. Log on to the SmartAuditor Server as an administrator.
2. From the *Start* menu, choose *Start* > *Control Panel* > *Add or Remove Programs*.
3. From the Add or Remove Programs dialog, choose *Add or Remove Windows Components*.
4. From the Windows Components Wizard, choose *Application Server* > *Details* > *Message Queuing* > *Details*, enable the check box for *MSMQ HTTP Support* and clear the check box for *Active Directory Integration* (if enabled).
5. Click *OK* in the *Message Queuing Setup* dialog and *OK* in the *Message Queuing* and *Application Server* dialogs.
6. Click *Next* to install.

*To configure the SmartAuditor Agent to send MSMQ messages using HTTPS*

1. Log on to the computer hosting the SmartAuditor Agent service as an administrator.
2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Agent Properties*.
3. In the SmartAuditor Agent Properties dialog box, click the *Connections* tab.
4. In the *SmartAuditor Storage Manager message queue* section, select *HTTPS* from the *Protocol* field and choose *OK* to accept the change. If you are prompted to restart the service, choose *Yes*.

*To enable MSMQ Hardened Mode*

1. Log on to the SmartAuditor Server as an administrator.
2. From the *Start* menu, choose *Start* > *Control Panel* > *Administrative Tools* > *Computer Management*.
3. Expand *Services and Applications*, then right-click *Message Queuing* and select *Properties*.
4. In the Message Queuing Properties dialog box, choose the *Server Security* tab and enable the *Enable hardened MSMQ mode to secure this computer on the Internet* check box.
5. Click *OK* to save the setting and click *Yes* to restart the *Message Queuing Service* and *Citrix SmartAuditor Storage Manager*.
6. Click *Restart Now* in the *Message Queuing – Restart System* dialog box for the changes to take effect. The server will now restart.

*Agent Security*

The SmartAuditor Agent is a Windows service that records Presentation Server sessions, sending session recording data to the SmartAuditor Server via MSMQ. Session data is acquired by the SmartAuditor Driver and read by the Agent. The Agent collects information about the session and sends it to the SmartAuditor Broker via its web services interface to determine whether the session should be recorded. The Broker then returns a policy decision and the Agent either continues or discontinues recording. If the Agent discontinues recording, the session data already recorded is deleted. Periodically, the Agent communicates with the Broker to determine the current SmartAuditor rollover parameters and a list of live session recordings currently being played.

A key security feature of the SmartAuditor system is that no additional listener ports are ever opened on computers running Presentation Server with SmartAuditor enabled. The only accessible interface into the SmartAuditor Agent is the optional Event API.

*Event API*

The SmartAuditor Event API can be enabled or disabled on a per-server basis. The default setting for each SmartAuditor Agent installation is for the COM interface to be disabled. With the Event API turned off, the Agent has no accessible interfaces, and any attempt to connect to the interface will fail until it is enabled by the administrator. The Event API is secured to allow local access and activation permissions only to members of the following built-in groups:

- Terminal Server User
- Interactive
- System

The Event API requires a session ID to insert events into sessions currently being recorded. However, if the supplied session ID is not a current Terminal Services session, or the supplied session is not being recorded by the SmartAuditor Agent, the call to the Event API is ignored and no error is returned to the caller.
This is to prevent the Event API being used as a means of detecting whether a particular session is actually being recorded. It does not, however, prevent a user in one session from adding events into the recorded session of another user. Refer to Citrix SmartAuditor for Presentation Server 4.5 <http://support.citrix.com/article/entry.jspa?entryID=14594> for more information on configuring the SmartAuditor Agent and Event API.

*SmartAuditor Security Roles*

SmartAuditor provides role-based security for authorizing user access to SmartAuditor Broker data and resources. The role-based security is based on three SmartAuditor Broker functions:

- *Player* - Search for and view session recording files from the SmartAuditor Player
- *PolicyQuery* - Query the SmartAuditor Server for policy evaluations from the SmartAuditor Agent
- *PolicyAdministrator* - View and change recording policies on the SmartAuditor Server from the SmartAuditor Policy Console

Roles are configured using the SmartAuditor Authorization Console installed on the SmartAuditor Server machine. All requests made by users that require *Player* or *PolicyAdministrator* role membership are audited by the Broker and logged in the Windows Application Event log. This includes attempts where the request failed because the user was not a member of the required role.

*Authorization Console*

The SmartAuditor Authorization Console is built on the Windows Server 2003 Authorization Manager snap-in for the Microsoft Management Console (MMC). It is configured to load the SmartAuditor Broker authorization store XML file that contains the Broker security roles. The authorization store XML file is named *SmartAuditorAzManStore.xml*, is protected with a strong ACL and is stored in the directory *ProgramFiles\Citrix\SmartAuditor\Server\App_Data*. Members of SmartAuditor security roles may be domain or local users, groups and computer accounts.
The default members for each security role are:

  Security Role          Default Member
  Player                 None
  PolicyQuery            Authenticated Users
  PolicyAdministrator    Local Administrators

The *Player* role has no members by default, to prevent unauthorized users from playing recorded sessions. Only users who need access to a SmartAuditor role should be granted access to that specific role. For example, a *Player* user who only reviews session recordings should not be granted access to the *PolicyQuery* or *PolicyAdministrator* roles, but should be granted access to the *Player* role only. Furthermore, ensure that users who no longer require access to a role are removed from that role.

The *PolicyQuery* role is by default quite broad in which users and computers are able to access it: it could be accessed by any user or machine that is an authenticated user. To improve the security of this role, remove the Authenticated Users group from the *PolicyQuery* role. Then add only the necessary computers to the *PolicyQuery* security role, so that the *PolicyQuery* role contains only the computer accounts of the machines hosting Presentation Server that have the SmartAuditor Agent installed and enabled.

Changes to security roles are not immediate, as the SmartAuditor Broker updates its internal cache of the security roles once every minute from the SmartAuditor Broker authorization store XML file. To force an immediate update of the security roles for the Broker, recycle the *SmartAuditorAppPool* application pool in the IIS Application Pools after changing security roles.

*To Remove Users from SmartAuditor Roles*

1. Log on to the server where SmartAuditor Server is installed as an administrator.
2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Authorization Console*. The SmartAuditor Authorization Console appears.
3. From the left pane of the SmartAuditor Authorization Console, select one of the three SmartAuditor security roles.
4. From the right pane of the SmartAuditor Authorization Console, select a user to remove and, from the main menu, choose *Action* > *Delete*.

Any changes to the security roles take effect in the SmartAuditor Broker during the update (which occurs once every minute).

*To Assign Users or Computers to SmartAuditor Roles*

1. Log on to the server where SmartAuditor Server is installed as an administrator.
2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* > *SmartAuditor* > *SmartAuditor Authorization Console*. The SmartAuditor Authorization Console appears.
3. From the left pane of the SmartAuditor Authorization Console, select one of the three SmartAuditor security roles.
4. From the main menu, choose *Action* > *Assign Windows Users and Groups*.
5. Add the necessary users, groups or computers to the security role and click *OK* when finished. When adding computers, in the *Select Users, Computers, or Groups* dialog box, you need to click *Object Types…* and choose *Computers* from the *Object Types* dialog box, then click *OK*.

Any changes to the security roles take effect in the SmartAuditor Broker during the update (which occurs once every minute).

*To recycle the SmartAuditor Broker*

1. Log on to the server that hosts the SmartAuditor Server as an administrator.
2. From the *Start* menu, choose *Start* > *Control Panel* > *Administrative Tools* > *Internet Information Services (IIS) Manager*.
3. In the left pane, expand the *servername* node (where *servername* is the name of the server where you are recycling the SmartAuditor Broker) by choosing *servername* > *Application Pools* > *SmartAuditorAppPool*.
4. Right-click *SmartAuditorAppPool* and choose *Recycle*.
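The Go example below is added here and is not Citrix code, nor the real format of *SmartAuditorAzManStore.xml*. It models the Broker's role check and the audit entry written for every request, and adds a review function that flags the memberships the guidance above warns against: Authenticated Users or any non-computer account left in *PolicyQuery*, and *Player* members who also hold one of the policy roles. The domain, user, group and computer names (`EXAMPLE\alice`, `EXAMPLE\audit-reviewers`, `EXAMPLE\PS01$`, ...) are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// The three Broker roles named in the article.
const (
	RolePlayer              = "Player"
	RolePolicyQuery         = "PolicyQuery"
	RolePolicyAdministrator = "PolicyAdministrator"
)

// roleStore maps a role to its members: user, group or computer account names.
// It is a constructed stand-in for the authorization store, not its XML format.
type roleStore map[string][]string

// principal is a connecting Windows account together with the groups it belongs to.
type principal struct {
	Name   string
	Groups []string
}

// auditEntry mirrors the fields the Broker records in the Application Event log.
type auditEntry struct {
	Type      string // "Success Audit" or "Failure Audit"
	Principal string
	Role      string
	Action    string // file or action requested
}

func (s roleStore) isMember(role string, p principal) bool {
	for _, m := range s[role] {
		if strings.EqualFold(m, p.Name) {
			return true
		}
		for _, g := range p.Groups {
			if strings.EqualFold(m, g) {
				return true
			}
		}
	}
	return false
}

// authorize performs the Broker's role check for an action and returns the
// decision together with the audit entry that is logged either way.
func (s roleStore) authorize(p principal, role, action string) (bool, auditEntry) {
	if s.isMember(role, p) {
		return true, auditEntry{"Success Audit", p.Name, role, action}
	}
	return false, auditEntry{"Failure Audit", p.Name, role, action}
}

// reviewRoleStore flags memberships that contradict the hardening advice:
// PolicyQuery should hold only the computer accounts of the Agent servers,
// and reviewers in Player should not also hold the policy roles.
func reviewRoleStore(s roleStore) []string {
	var findings []string
	for _, m := range s[RolePolicyQuery] {
		switch {
		case strings.EqualFold(m, "Authenticated Users"):
			findings = append(findings, "PolicyQuery still contains Authenticated Users: any domain user or computer can query policy")
		case !strings.HasSuffix(m, "$"):
			findings = append(findings, fmt.Sprintf("PolicyQuery member %q is not a computer account", m))
		}
	}
	for _, m := range s[RolePlayer] {
		for _, other := range []string{RolePolicyQuery, RolePolicyAdministrator} {
			if s.isMember(other, principal{Name: m}) {
				findings = append(findings, fmt.Sprintf("Player member %q also holds %s", m, other))
			}
		}
	}
	return findings
}

func main() {
	// Membership immediately after installation, as listed in the article.
	defaults := roleStore{
		RolePlayer:              nil,
		RolePolicyQuery:         {"Authenticated Users"},
		RolePolicyAdministrator: {"BUILTIN\\Administrators"},
	}
	// Hardened membership: Agent servers' computer accounts only, reviewers in Player.
	hardened := roleStore{
		RolePlayer:              {"EXAMPLE\\audit-reviewers"},
		RolePolicyQuery:         {"EXAMPLE\\PS01$", "EXAMPLE\\PS02$"},
		RolePolicyAdministrator: {"BUILTIN\\Administrators"},
	}
	reviewer := principal{Name: "EXAMPLE\\alice", Groups: []string{"Authenticated Users", "EXAMPLE\\audit-reviewers"}}
	agent := principal{Name: "EXAMPLE\\PS01$", Groups: []string{"Authenticated Users", "Domain Computers"}}

	fmt.Println("findings (defaults):", reviewRoleStore(defaults))
	fmt.Println("findings (hardened):", reviewRoleStore(hardened))
	fmt.Println(hardened.authorize(reviewer, RolePlayer, "download recording"))
	fmt.Println(hardened.authorize(reviewer, RolePolicyAdministrator, "change active policy"))
	fmt.Println(hardened.authorize(agent, RolePolicyQuery, "evaluate policy"))
}
```

The review of the default store yields exactly one finding (the broad *PolicyQuery* membership), and the hardened store none; the reviewer's attempt to change the active policy produces a Failure Audit entry even though her *Player* request succeeds, which is the behaviour to look for in the Application Event log when validating role changes.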
*Auditing of Security Roles*

The SmartAuditor Broker audits all access to the *Player* and *PolicyAdministrator* roles by logging success and failure audits to the Windows Application Event log. This includes access to:

- Searching for session recordings
- Downloading session recordings
- Loading policies
- Changing the active policy
- Creating new policies
- Deleting policies
- Saving policies

When access is granted for a role, a *Success Audit* event log entry is created, stating the user who was granted access and the particular file or action granted. When access is denied, a *Failure Audit* event log entry is created, stating that the user request was rejected, the user who was denied access and the requested role that was denied. Users are denied access when they are not a member of a role.

*Storage Directories*

SmartAuditor session recordings are stored in the *SystemDrive:\SessionRecordings* directory by default. You can change the directory where they are stored, or add additional storage directories in order to load balance storage across multiple volumes. Storage directories can be specified as a local drive, SAN volume, or UNC network path. Network mapped drive letters are not supported.

The Storage Manager stores session recording files using a directory structure of *<StorageDirectory>\year\month\day*, where *<StorageDirectory>* is the storage directory specified in the SmartAuditor Server Properties application. When a new session recording file is created, subdirectories are created based on the current date (for example, if the date is 31 January 2007 the session recording resides in *<StorageDirectory>\2007\01\31*).

For local drive and SAN volume storage directories, the storage directory does not need to exist when it is specified in the SmartAuditor Server Properties application. The directory is created automatically and a strong Access Control List (ACL) is applied when the Storage Manager service is restarted.
If the directory already exists and is empty, the Storage Manager deletes the directory and recreates it with the strong ACL. If, however, the directory exists and contains one or more files, the ACL of the existing directory is not changed. It is the responsibility of the Administrator to ensure strong ACLs are applied to this directory. The ACL applied to a new directory is not inherited from the parent directory, but any subdirectories of the storage directory inherit the ACL applied by the Storage Manager. The Access Control Entries (ACEs) forming the storage directory ACL are:

  Account                 Access Control
  Local Administrators    Full Control
  Creator Owner           Full Control
  Local Service           Full Control
  Network Service         Full Control
  System                  Full Control

Although UNC network paths are supported as storage directories, these cannot be secured by the Storage Manager. It is the responsibility of the Administrator to secure UNC network paths by applying the ACLs listed above, substituting the Local Service and Network Service accounts with the Active Directory machine account (*domainname\machinename$*) of the SmartAuditor Server. For performance and security reasons, the use of UNC network paths for storing recording files is not recommended.

It is important to protect and secure storage directories as much as possible. Storage directories should not have Windows shares enabled that allow users direct access to session recording files. All access to storage directories should be made via the Broker, where the download of files is highly restricted, encrypted and audited.

The physical security of disks should be considered when securing the storage directories. Ensure servers running SmartAuditor components are physically secure. If possible, lock these machines in a secure room to which only authorized personnel can gain direct access.
The Storage Manager supports the use of several storage directories to load balance session recording files across multiple volumes. The load balancing operates using a round robin method, by cycling through the storage directories and storing each new session recording file in the next storage directory. It is possible to add the same storage directory more than once, to improve load balancing across several directories. *To Add storage directories to the SmartAuditor Server * 1. Logon to the SmartAuditor Server as an administrator. 2. From the *Start* menu, choose *Start > All Programs > Citrix > SmartAuditor > SmartAuditor Server Properties*. 3. In the SmartAuditor Server Properties dialog box, click *Storage*tab. The current storage directory appears in the *File storage directories *list. 4. Click *Add*, type the path for the new storage directory or browse to locate the directory, and then click *OK*. If the directory does not exist, SmartAuditor creates the new directory and assigns ACL's to the directory. 5. Click *OK* to accept the change. If you are prompted to restart the service, choose *Yes*. *Playback Protection* SmartAuditor Playback Protection is a feature of the Broker that encrypts session recording files before they are downloaded from the Broker for viewing in the Player. By default, playback protection is enabled and requires no configuration of certificates, on either the Broker or Player computers. Since Playback Protection is a server side setting, once it is enabled all Player requests for downloading session recording files are encrypted. This prevents unauthorized access and tampering of session recordings while they reside on the Player computer. Playback Protection is implemented using 2048-bit RSA key pairs from the Player computer (generated on first use of the Player), a 128-bit TripleDES (3DES) symmetric key generated on the Broker computer and using an SHA-1 hash algorithm to verify the decrypted data. 
The algorithm implementations of RSA, TripleDES and SHA-1 are all FIPS compliant. The diagram below illustrates the process of playing a file with Playback Protection.

When a user of the Player requests a session recording to download from the SmartAuditor Server (Broker), the Player sends the Broker the RSA public key from the User's Crypto Store and the requested session recording file ID. On first use of the Player, a 2048-bit RSA key pair is generated using the Microsoft Cryptographic API for the Player user and stored in the User's Crypto Store on the local machine.

When the Broker begins encrypting a session recording file, it generates a TripleDES (3DES) 128-bit symmetric key. The symmetric key is then used to encrypt the contents of the requested plaintext session recording file (.ICL), retrieved from the master file storage location, to create an .ICLE file. The encrypted session recording file (.ICLE) is stored temporarily in the Windows temporary files directory. The RSA public key from the Player is then used to encrypt the symmetric key, creating an .ICLK file that is also stored temporarily in the Windows temporary files directory. The Broker then streams the encrypted session recording file (.ICLE) and key file (.ICLK) to the Player. Once the Player has received both files, the Broker deletes them from the Windows temporary files directory.

The Player stores the downloaded encrypted files on the local disk in the Player cache directory. The encrypted files can safely reside on the local disk of the Player computer because the private key required for decryption is held within the User's Crypto Store, which only the original user can access. To decrypt the recording file, the Player reads the RSA private key from the User's Crypto Store and decrypts the key file (.ICLK) to retrieve the symmetric key.
The symmetric key is then used to decrypt the encrypted session recording file (.ICLE) back to a plaintext session recording file (.ICL). A SHA-1 hashing algorithm is then used to verify that the decrypted session recording file (plaintext) is correct. The decrypted file (.ICL) is secured with access locked to the Player process; it only exists while the session recording is playing in the Player and is deleted when the file is closed by the Player.

Playback Protection is not applied to live session playback, as live sessions are constantly changing. However, live session recording files are only cached temporarily on the Player computer while a live session recording is playing and are deleted when the session recording file is closed by the Player, either when a user stops playing the session recording or when the Player is closed. It is possible to disable live session playback from the SmartAuditor Server and prevent live sessions from being played.

*To enable Playback Protection (if disabled)*

1. Log on to the SmartAuditor Server as an administrator.
2. From the *Start* menu, choose *Start > All Programs > Citrix > SmartAuditor > SmartAuditor Server Properties*.
3. In the SmartAuditor Server Properties dialog box, click the *Playback* tab.
4. In the *Playback Protection* section, enable the *Encrypt session recording files downloaded for playback* check box and choose *OK* to accept the change.

*To disable Live Session Playback*

1. Log on to the SmartAuditor Server.
2. From the *Start* menu, choose *Start > All Programs > Citrix > SmartAuditor > SmartAuditor Server Properties*.
3. In the SmartAuditor Server Properties dialog box, click the *Playback* tab.
4. In the *Live Session Playback* section, clear the *Allow live session playback* check box and choose *OK* to accept the change.
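The Playback Protection exchange described above, reduced to its cryptographic steps as an added PowerShell example using the .NET CryptoAPI wrappers (this is not Citrix's Player or Broker code). The sample recording bytes are constructed, the key pair is kept in memory rather than in the User's Crypto Store, and bundling the 3DES IV with the key inside the .ICLK blob is an assumption of this demo, not a documented detail.

```powershell
# Added example: model of the .ICL -> .ICLE / .ICLK -> .ICL flow with RSA-2048, 3DES-128 and SHA-1.
function Invoke-PlaybackProtectionDemo {
    # Constructed sample payload standing in for a plaintext .ICL session recording
    $icl  = [System.Text.Encoding]::UTF8.GetBytes('constructed .ICL session recording payload')
    $sha1 = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider

    # Player, first use: 2048-bit RSA key pair. The real Player persists it in the
    # user's crypto store; this demo does not persist it.
    $playerRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
    $playerRsa.PersistKeyInCsp = $false
    $publicKeyBlob = $playerRsa.ExportCspBlob($false)   # public half only, sent with the file ID

    # Broker: fresh 128-bit 3DES key per request; encrypt .ICL -> .ICLE
    $tdes = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
    $tdes.KeySize = 128
    $tdes.GenerateKey(); $tdes.GenerateIV()
    $icle = $tdes.CreateEncryptor().TransformFinalBlock($icl, 0, $icl.Length)
    $plaintextDigest = $sha1.ComputeHash($icl)           # SHA-1 the Player checks after decryption

    # Broker: wrap the symmetric key under the Player's RSA public key -> .ICLK
    $brokerRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $brokerRsa.PersistKeyInCsp = $false
    $brokerRsa.ImportCspBlob($publicKeyBlob)
    $iclk = $brokerRsa.Encrypt([byte[]]($tdes.Key + $tdes.IV), $true)   # OAEP padding

    # Player: only the holder of the private key can recover the 3DES key from .ICLK
    $unwrapped = $playerRsa.Decrypt($iclk, $true)
    $tdesPlayer = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
    $tdesPlayer.Key = [byte[]]$unwrapped[0..15]          # 16 bytes = 128-bit key
    $tdesPlayer.IV  = [byte[]]$unwrapped[16..23]         # 8-byte 3DES block IV
    $recovered = $tdesPlayer.CreateDecryptor().TransformFinalBlock($icle, 0, $icle.Length)

    # Player: SHA-1 over the decrypted .ICL must match before playback proceeds
    $verified = [Convert]::ToBase64String($plaintextDigest) -eq `
                [Convert]::ToBase64String($sha1.ComputeHash($recovered))

    $playerRsa.Clear(); $brokerRsa.Clear(); $tdes.Clear(); $tdesPlayer.Clear()
    New-Object PSObject -Property @{
        EncryptedLength = $icle.Length                   # padded to a multiple of 8 bytes
        KeyFileLength   = $iclk.Length                   # 256 bytes for an RSA-2048 wrap
        Verified        = $verified
        Recovered       = [System.Text.Encoding]::UTF8.GetString($recovered)
    }
}

Invoke-PlaybackProtectionDemo
```

The point the model makes visible is that the cached .ICLE file is useless without the .ICLK file, and the .ICLK file is useless without the private key held in the requesting user's crypto store.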
*More Information*

See Advanced Concepts Guide - Citrix Presentation Server, Platinum Edition <http://support.citrix.com/article/entry.jspa?entryID=14748> for a list of additional Advanced Concepts Guide articles.

--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
Provision Networks VIP
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com