[THIN] KB: CTX114875 - Configuring Security Features of SmartAuditor

  • From: "Jim Kenzig ThinHelp.com" <jkenzig@xxxxxxxxx>
  • To: THIN <thin@xxxxxxxxxxxxx>
  • Date: Sun, 7 Oct 2007 11:50:42 -0400

CTX114875 - Configuring Security Features of SmartAuditor

This document was published at: http://support.citrix.com/article/CTX114875

Document ID: *CTX114875*, Created on: Oct 5, 2007, Updated: Oct 5, 2007

Products: Citrix Presentation Server 4.5 for Windows Server 2003, Citrix
Presentation Server 4.5 for Windows Server 2003 x64 Edition


*Summary*

This article provides information about the security features of Citrix
SmartAuditor and outlines the process of configuring them. SmartAuditor is
designed to be deployed within a secure network and accessed only by
authorized personnel. Because SmartAuditor is a security product, access to
it must be restricted so that SmartAuditor data is protected from
unauthorized users and session recording data does not fall into the wrong
hands. The centralized architecture of SmartAuditor provides the ability to
secure access to SmartAuditor resources and data using several different
methods. SmartAuditor security features are enabled through built-in
configuration tools and configuration of several Windows components.

*SmartAuditor Communication Security*

Communication between SmartAuditor components is achieved through Internet
Information Services (IIS) and Microsoft Message Queuing (MSMQ). IIS
provides the web services communication link between each SmartAuditor
component, while MSMQ provides a reliable data transport mechanism for
sending recorded session data from the SmartAuditor Agent to the
SmartAuditor Server.

This section discusses methods for securing both IIS and MSMQ for use with
SmartAuditor. IIS topics discussed include certificates, SSL, Integrated
Windows Authentication and configuring IIS ports. MSMQ is explained, and
the methods available to secure MSMQ communication through the MSMQ
hardened mode are outlined.

*Internet Information Services (IIS)*

Internet Information Services (IIS) hosts the SmartAuditor Broker, a web
application that handles the search queries and file download requests from
the SmartAuditor Player, policy administration requests from the
SmartAuditor Policy Console and evaluates recording policies from the
SmartAuditor Agent for each Citrix Presentation Server session. IIS also
hosts the Microsoft Message Queuing (MSMQ) virtual directory when MSMQ HTTP
support is enabled, allowing recorded session data to be sent via HTTP or
HTTPS.

IIS supports several methods for securing access to IIS web applications and
services. The following items are discussed:

    - Certificates in IIS for Using SSL
    - Integrated Windows Authentication
    - Configuring IIS Ports

*Certificates in IIS*

The SmartAuditor Broker is configured by default to require secure channel
(SSL) using 128-bit encryption. IIS supports SSL security through a valid
server certificate installed on the IIS web site where SSL security is to be
applied. As the Broker is installed as a virtual directory named
*SmartAuditorBroker* under *Default Web Site* of IIS, a server certificate is
required for the *Default Web Site* before SSL connections will be accepted
by the SmartAuditor Broker. To establish an SSL connection, you require a
server certificate at one end of the connection and the certificate of the
certificate authority (CA) that issued the server certificate at the other
end.

    - *Server certificate* - A server certificate certifies the identity
   of a server. The type of digital certificate that is required by the
   SmartAuditor Broker is called a server certificate.
    - *Issuing CA certificate* - A certificate that identifies the CA
   that signed the server certificate. The issuing CA certificate belongs to
   the CA. This type of digital certificate is required by the Agent, Player
   and Policy Console to verify the server certificate.

When establishing an SSL connection from the Agent, Player or Policy
Console, the IIS web server sends its server certificate to the client. When
receiving a server certificate, the Agent, Player or Policy Console checks
to see which CA issued the certificate and if the CA is trusted by the
client. If the CA is not trusted, the certificate is declined and an error
is logged in the Application Event log for the Agent or an error message is
displayed to the user in the Player or Policy Console.

A server certificate is installed by gathering information about the server
and requesting a CA to issue a certificate for that server. It is important
to specify the correct information when requesting a server certificate, in
particular the server name. If connecting clients (Agent, Player, and Policy
Console) use the Fully Qualified Domain Name (FQDN), the certificate
information specified to the CA must use the FQDN of the server rather than
the NetBIOS name. Likewise, if NetBIOS names are used, do not specify the
FQDN when requesting a server certificate. The server certificate needs to
be installed into the local machine's certificate store and the issuing CA
certificate needs to be installed on each connecting client.

Your organization may have a private CA that issues server certificates and
this can be used with SmartAuditor. For a private CA ensure each client
machine has the issuing CA certificate installed. Refer to Microsoft
documentation about using certificates and certificate authorities.
Alternatively, a number of companies and organizations currently act as CAs,
including VeriSign, Baltimore, Entrust, and their respective affiliates.

All certificates have an expiration date, which is defined when issued by
the CA. The expiration date can be found by checking the properties of the
certificate. The Administrator needs to ensure certificates are renewed
before the expiration date to prevent any errors occurring in SmartAuditor.
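The three conditions described above (server name in the certificate matches the name the clients use, issuing CA trusted by the client, certificate not near expiry) can be checked from a client machine with the following added example. It is not part of the Citrix article; the function name, the `$WarnDays` window and the server name in the usage comment are assumptions.

```powershell
# Added example (Windows PowerShell 2.0 or later). Run it on a machine that
# hosts the Agent, Player or Policy Console: trust is evaluated against that
# machine's certificate store, which is what the real client will do.
function Test-BrokerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServerName,   # exactly the name the clients are configured with
        [int]$Port = 443,      # default HTTPS port; change if the SSL port was moved
        [int]$WarnDays = 30    # assumed renewal warning window
    )

    # The callback records the validation result computed by .NET and then
    # lets the handshake finish so the certificate can be inspected. Nothing
    # is sent to the server after the handshake.
    $seen = @{ Errors = $null }
    $callback = {
        param($source, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        return $true
    }.GetNewClosure()

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ServerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList `
            $tcp.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $errors   = [int]$seen.Errors
    $mismatch = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainBad = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    New-Object PSObject -Property @{
        ServerName   = $ServerName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        # False when the certificate was issued for a different name, for
        # example the NetBIOS name while clients connect with the FQDN.
        NameMatches  = ($errors -band $mismatch) -eq 0
        # False when the issuing CA certificate is not installed on this client.
        ChainTrusted = ($errors -band $chainBad) -eq 0
        RenewSoon    = $daysLeft -lt $WarnDays
    }
}

# Usage (constructed server name):
#   Test-BrokerCertificate -ServerName 'sasrv01.example.local'
```

Run it once with each name form the clients actually use; a certificate issued for the FQDN reports NameMatches = False when queried by NetBIOS name.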

*To install a server certificate in IIS*

The SmartAuditor installation is configured to use HTTPS, and requires the
Default Web Site to be configured with a server certificate issued from a
CA. These steps provide an outline on how to install a server certificate in
IIS.

    1. Log on to the server that hosts the SmartAuditor Server as an
       administrator.
    2. From the *Start* menu, choose *Start* > *Control Panel* >
       *Administrative Tools* > *Internet Information Services (IIS)
       Manager*.
    3. In the left pane, expand the *servername* node (where *servername*
       is the name of the server where you are enabling HTTPS) by choosing
       *servername* > *Web Sites* > *Default Web Site*.
    4. Right-click *Default Web Site* and choose *Properties* > *Directory
       Security*.
    5. In the Secure communications region, choose *Server Certificate*
       and follow the onscreen instructions of the *Web Server Certificate
       Wizard* to request a server certificate.
    6. Send the certificate request file to your CA.
    7. Once you have received a server certificate from your CA, repeat
       steps 1-5 to install the server certificate. The *Web Server
       Certificate Wizard* guides you through installing the certificate.

*To use HTTPS as the communication protocol (if HTTPS has been disabled)*

The SmartAuditor installation is configured to use HTTPS. However, if this
has been changed to HTTP and you want to change SmartAuditor back to HTTPS,
you must change several settings.

    1. Enable secure connections for the SmartAuditor Broker in IIS on
       the SmartAuditor Server:

        - Log on to the server that hosts the SmartAuditor Server as an
          administrator.
        - From the *Start* menu, choose *Start* > *Control Panel* >
          *Administrative Tools* > *Internet Information Services (IIS)
          Manager*.
        - In the left pane, expand the *servername* node (where
          *servername* is the name of the server where you are enabling
          HTTPS) by choosing *servername* > *Web Sites* > *Default Web
          Site* > *SmartAuditorBroker*.
        - Right-click *SmartAuditorBroker* and choose *Properties* >
          *Directory Security*.
        - In the Secure communications region, choose *Edit* and enable
          the *Require secure channel (SSL)* check box.
        - Click *OK* to save the setting and exit the dialog boxes.

    2. Change the protocol setting from HTTP to HTTPS for the
       SmartAuditor Agent service installed on each computer hosting
       Presentation Server:

        - Log on to each server where the *SmartAuditor Agent* is
          installed as an administrator.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Agent Properties*. The
          *SmartAuditor Agent Properties* dialog box appears.
        - Choose the *Connections* tab.
        - In the SmartAuditor Broker area, select *HTTPS* from the
          *Protocol* drop-down list and choose *OK* to accept the change.
          If you are prompted to restart the service, choose *Yes*.

    3. Change the protocol setting from HTTP to HTTPS in the SmartAuditor
       Player settings:

        - Log on to the workstation where the SmartAuditor Player is
          installed.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Player*. The
          *SmartAuditor Player* launches.
        - Choose *Tools* > *Options* > *Connections*, select the server,
          and choose *Modify*.
        - Select *HTTPS* from the *Protocol* drop-down list and choose
          *OK* (twice) to accept the change and exit the dialog box.

    4. Change the protocol setting from HTTP to HTTPS in the SmartAuditor
       Policy Console:

        - Log on to the server where the SmartAuditor Policy Console is
          installed.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Policy Console*. The
          *Connect to SmartAuditor Server* dialog box appears.
        - Choose *HTTPS* from the *Protocol* drop-down list and choose
          *OK* to connect. If the connection is successful, this setting
          will also be remembered the next time you launch the
          SmartAuditor Policy Console.

*Integrated Windows Authentication*

The SmartAuditor Broker virtual directory, *SmartAuditorBroker*, is
configured to only support authentication through Integrated Windows
Authentication. This requirement ensures that only Windows authenticated
users and computers are able to access the Broker services. Integrated
Windows Authentication is based on the Kerberos v5 authentication algorithm
as implemented by Active Directory. As the SmartAuditor Broker will never be
accessed from the Internet, the other IIS authentication options available
are not required and must never be turned on. By using Integrated Windows
Authentication, the role based security of the Broker is maintained and
access to SmartAuditor recording policy and session recording data by
anonymous users is strictly prohibited. The SmartAuditor Agent, Policy
Console and Player authenticate using the connecting user's current Windows
credentials. For the Policy Console and Player this is the currently logged
on user. As the Agent service runs as a service under the local system
account, the credentials presented to the server are those of the computer
itself. In all cases, the principal (user or computer account) of the
connecting client must belong to the same or trusted domain as the server. A
connection request made from a local non-domain user, workgroup or an
untrusted domain will always fail.

*Configuring IIS Ports*

SmartAuditor components that connect to the SmartAuditor Broker are capable
of connecting using non-default communication ports. Secure connections to
the Broker by default use port 443 for HTTPS traffic; however, it is possible
to change this port in IIS to another unused port between 1 and 65535.
Changing the HTTPS port can act as an obfuscation measure and conceal the
Broker web application. Before changing the HTTPS port in IIS, it is
important to confirm that the new port is not already in use by the server
for another application or service. To check, consult the *services* file in
the *SystemRoot\System32\Drivers\Etc* directory, which lists TCP and UDP
port numbers used by Windows Server 2003, or run the *netstat -a* command
and confirm that the port is not already in use or listening. Ensure that
any firewalls between SmartAuditor components also allow access to the
SmartAuditor Server using this port. Note that obfuscation of port numbers
should never be used as an alternative to SSL or IPSec.

*To change the default HTTPS Port*

    1. Change the default HTTPS port in IIS on the SmartAuditor Server:

        - Log on to the server that hosts the SmartAuditor Server as an
          administrator.
        - From the *Start* menu, choose *Start* > *Control Panel* >
          *Administrative Tools* > *Internet Information Services (IIS)
          Manager*.
        - In the left pane, expand the *servername* node (where
          *servername* is the name of the server where you are changing
          the HTTPS port) by choosing *servername* > *Web Sites* >
          *Default Web Site*.
        - Right-click *Default Web Site* and choose *Properties* > *Web
          Site*.
        - In the Web site identification region, change the port number
          in the *SSL Port* field (for example, change from 443 to 8081).
        - Click *OK* to save the setting and exit the dialog box.

    2. Change the port setting for HTTPS for the SmartAuditor Agent
       service installed on each computer hosting Presentation Server:

        - Log on to each server where the *SmartAuditor Agent* is
          installed.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Agent Properties*. The
          *SmartAuditor Agent Properties* dialog box appears.
        - Choose the *Connections* tab.
        - If using HTTPS for MSMQ, then in the SmartAuditor Storage
          Manager message queue area, clear the *Use default* check box
          and change the port number in the *HTTP/HTTPS port* field to the
          new port number.
        - In the SmartAuditor Broker area, clear the *Use default* check
          box and change the port number in the *HTTP/HTTPS port* field to
          the new port number.
        - Choose *OK* to accept the change. If you are prompted to
          restart the service, choose *Yes*.

    3. Change the port setting for HTTPS in the SmartAuditor Player
       settings:

        - Log on to the workstation where the SmartAuditor Player is
          installed.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Player*. The
          *SmartAuditor Player* launches.
        - Choose *Tools* > *Options* > *Connections*, select the server,
          and choose *Modify*.
        - Clear the *Use default* check box and change the port number in
          the *Port* field to the new port number.
        - Choose *OK* (twice) to accept the change and exit the dialog
          box.

    4. Change the port setting for HTTPS in the SmartAuditor Policy
       Console:

        - Log on to the server where the SmartAuditor Policy Console is
          installed.
        - From the *Start* menu, choose *Start* > *All Programs* >
          *Citrix* > *SmartAuditor* > *SmartAuditor Policy Console*. The
          *Connect to SmartAuditor Server* dialog box appears.
        - Clear the *Use default* check box and change the port number in
          the *Port* field to the new port number.
        - Choose *OK* to connect. If the connection is successful, this
          setting will also be remembered the next time you launch the
          SmartAuditor Policy Console.

*Internet Protocol Security (IPSec)*

Internet Protocol Security (IPSec) may be implemented as an alternative to
using SSL to secure data between SmartAuditor components. IPSec is an
Internet standard for secure communications that is part of the TCP/IP
stack, providing authenticated and encrypted communication. IPSec must be
enabled and configured on each computer hosting a SmartAuditor component.
IPSec is configured using the Local Security Settings (IP Security Policies)
for each server and workstation. Refer to the Microsoft Documentation for
further information on IPSec.

*Microsoft Message Queuing (MSMQ)*

Microsoft Message Queuing (MSMQ) provides reliable transport of data from
the SmartAuditor Agent to the SmartAuditor Server using an MSMQ private
message queue named *CitrixSmAudData*. SmartAuditor supports three types of
MSMQ message transport protocols: TCP, HTTP and HTTPS. Configuration of the
MSMQ transport protocol for SmartAuditor is maintained through the
*Connections* tab in the *SmartAuditor Agent Properties* application, with
the default setting of TCP. Typically MSMQ messages are sent and received
through the TCP transport protocol using remote procedure calls (RPC). If
IPSec is not used, data is sent as plaintext. The preferred approach is for
communication to be secured with SSL by using the HTTP/S mode provided by
MSMQ. When MSMQ HTTP support is enabled, messages may also be received
through IIS via either HTTP or HTTPS. By default, the MSMQ service opens the
following ports to send and receive messages:

    - TCP: 1801, 135, 2101, 2103, 2105
    - UDP: 1801, 3527 (internal MSMQ ping)

The SmartAuditor Agent installation configures the Agent to send MSMQ
messages using TCP. MSMQ is secured by enabling *MSMQ HTTP Support* on the
SmartAuditor Server machine and setting the transport protocol in the
*SmartAuditor Agent Properties* application to HTTPS. Furthermore, when MSMQ
is set to HTTP hardened mode on the server, the MSMQ service does not listen
on any of the above ports and only HTTP messages received by the IIS virtual
directory for MSMQ are accepted and processed. As no TCP or UDP ports are
open, the client can only send MSMQ messages using HTTP or HTTPS. MSMQ
hardened mode using HTTPS also allows the SmartAuditor Server to be secured
using firewalls that grant access only to the HTTPS port (443). It is
recommended that production SmartAuditor systems always be set up in this
way.

*To Enable MSMQ HTTP Support*

    1. Log on to the SmartAuditor Server as an administrator.
    2. From the *Start* menu, choose *Start* > *Control Panel* > *Add or
       Remove Programs*.
    3. From the Add or Remove Programs dialog, choose *Add or Remove
       Windows Components*.
    4. From the Windows Components Wizard, choose *Application Server* >
       *Details* > *Message Queuing* > *Details*, enable the check box for
       *MSMQ HTTP Support* and clear the check box for *Active Directory
       Integration* (if enabled).
    5. Click *OK* in the *Message Queuing Setup* dialog and *OK* in the
       *Message Queuing* and *Application Server* dialogs.
    6. Click *Next* to install.

*To configure the SmartAuditor Agent to Send MSMQ messages using HTTPS*

    1. Log on to the computer hosting the SmartAuditor Agent service as an
       administrator.
    2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* >
       *SmartAuditor* > *SmartAuditor Agent Properties*.
    3. In the SmartAuditor Agent Properties dialog box, click the
       *Connections* tab.
    4. In the *SmartAuditor Storage Manager message queue* section,
       select *HTTPS* from the *Protocol* field and choose *OK* to accept
       the change. If you are prompted to restart the service, choose
       *Yes*.

*To enable MSMQ Hardened Mode*

    1. Log on to the SmartAuditor Server as an administrator.
    2. From the *Start* menu, choose *Start* > *Control Panel* >
       *Administrative Tools* > *Computer Management*.
    3. Expand *Services and Applications*, then right-click *Message
       Queuing* and select *Properties*.
    4. From the Message Queuing Properties dialog box, choose the *Server
       Security* tab and enable the *Enable hardened MSMQ mode to secure
       this computer on the Internet* check box.
    5. Click *OK* to save the setting and click *Yes* to restart the
       *Message Queuing Service* and *Citrix SmartAuditor Storage Manager*.
    6. Click *Restart Now* in the *Message Queuing – Restart System*
       dialog box for the changes to take effect. The server will now
       restart.
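After the restart, the claim that hardened mode leaves none of the MSMQ default ports listening can be verified on the SmartAuditor Server. The following added example is not part of the Citrix article; it also covers the earlier "is the new HTTPS port already in use" check from *Configuring IIS Ports*. Function names are assumptions, and the port numbers are the MSMQ defaults listed above.

```powershell
# Added example (Windows PowerShell 2.0 or later, run on the server itself).

# Enumerate listening TCP and UDP endpoints, the same data netstat -a shows.
function Get-ListeningPort {
    $ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $rows = @()
    foreach ($ep in $ip.GetActiveTcpListeners()) {
        $rows += New-Object PSObject -Property @{
            Protocol = 'TCP'; Address = $ep.Address.ToString(); Port = $ep.Port }
    }
    foreach ($ep in $ip.GetActiveUdpListeners()) {
        $rows += New-Object PSObject -Property @{
            Protocol = 'UDP'; Address = $ep.Address.ToString(); Port = $ep.Port }
    }
    $rows
}

# True when no TCP listener already occupies the candidate HTTPS port.
function Test-PortFree {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 65535)]
        [int]$Port,
        $Listeners = (Get-ListeningPort)
    )
    $inUse = @($Listeners | Where-Object {
        $_.Protocol -eq 'TCP' -and $_.Port -eq $Port })
    $inUse.Count -eq 0
}

# Report which MSMQ default ports are still listening after hardened mode
# has been enabled.
function Test-MsmqHardenedPorts {
    param($Listeners = (Get-ListeningPort))

    # Port 135 is left out of the pass/fail decision: it is the RPC endpoint
    # mapper, which other Windows services also depend on, so it is reported
    # separately instead.
    $msmqTcp = 1801, 2101, 2103, 2105
    $msmqUdp = 1801, 3527

    $open = @($Listeners | Where-Object {
        ($_.Protocol -eq 'TCP' -and $msmqTcp -contains $_.Port) -or
        ($_.Protocol -eq 'UDP' -and $msmqUdp -contains $_.Port)
    })
    $rpc = @($Listeners | Where-Object {
        $_.Protocol -eq 'TCP' -and $_.Port -eq 135 })

    New-Object PSObject -Property @{
        Hardened        = $open.Count -eq 0
        OpenMsmqPorts   = @($open | ForEach-Object { "$($_.Protocol)/$($_.Port)" } |
                            Sort-Object -Unique)
        Rpc135Listening = $rpc.Count -gt 0
    }
}

# Usage:
#   Test-PortFree -Port 8081     # before moving the IIS SSL port
#   Test-MsmqHardenedPorts       # after enabling hardened mode and restarting
```

A listener check on the server confirms what the service has bound; the firewall rule that allows only the HTTPS port still has to be confirmed from the Agent side.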

*Agent Security*

The SmartAuditor Agent is a Windows service which records Presentation
Server sessions, sending session recording data to the SmartAuditor Server
via MSMQ. Session data is acquired by the SmartAuditor Driver and read by
the Agent. The Agent collects information about the session and sends this
to the SmartAuditor Broker via its web services interface to determine if
the session should be recorded. The Broker then returns a policy decision
and the Agent either continues recording or discontinues recording. If the
Agent discontinues recording, the session data already recorded is deleted.
Periodically, the Agent communicates with the Broker to determine the
current SmartAuditor rollover parameters and a list of live session
recordings currently being played. A key security feature of the
SmartAuditor system is that no additional listener ports are ever opened on
computers running Presentation Server with SmartAuditor enabled. The only
accessible interface into the SmartAuditor Agent is the optional Event API.

*Event API*

The SmartAuditor Event API can be enabled or disabled on a per-server basis.
The default setting for each SmartAuditor Agent installation is for the COM
interface to be disabled. With the Event API turned off, the Agent has no
accessible interfaces. Any attempts to connect to the interface will fail
until it is enabled by the administrator. The Event API is secured to only
allow local access and activation permissions to users of the following
built-in groups:

    - Terminal Server User
    - Interactive
    - System

The Event API requires a session ID to insert events into sessions currently
recording, however if the supplied session ID is not a current Terminal
Services session, or the supplied session is not being recorded by the
SmartAuditor Agent, then the function call to the Event API will be ignored
and no error will be returned to the caller. This is to prevent the Event
API being used as a means for detecting whether a particular session is
actually being recorded.

This, however, does not prevent a user from one session adding events into
the recorded session of another user. Please refer to Citrix SmartAuditor
for Presentation Server 4.5
<http://support.citrix.com/article/entry.jspa?entryID=14594> for more
information on configuring the SmartAuditor Agent and Event API.

*SmartAuditor Security Roles*

SmartAuditor provides role-based security for authorizing user access to
SmartAuditor Broker data and resources. The role-based security is based on
three SmartAuditor Broker functions:

    - *Player* – Search for and view session recording files from the
      SmartAuditor Player
    - *PolicyQuery* – Query SmartAuditor Server for policy evaluations
      from the SmartAuditor Agent
    - *PolicyAdministrator* – View and change record policies on the
      SmartAuditor Server from the SmartAuditor Policy Console

Roles are configured using the SmartAuditor Authorization Console installed
on the SmartAuditor Server machine. All requests made by users that require
*Player* or *PolicyAdministrator* role membership are audited by the Broker
and logged in the Windows Application Event log. This also includes attempts
where the request failed because the user was not a member of the required
role.

*Authorization Console*

The SmartAuditor Authorization Console is built on the Windows Server 2003
Authorization Manager snap-in for the Microsoft Management Console (MMC). It
is configured to load the SmartAuditor Broker authorization store XML file
that contains the Broker security roles. The authorization store XML file is
named *SmartAuditorAzManStore.xml*, is protected with a strong ACL, and is
stored in the directory *ProgramFiles/Citrix/SmartAuditor/Server/App_Data*.
Members of SmartAuditor security roles may be domain or local users, groups
and computer accounts. The default members for each security role are:

    *Security Role*          *Default Member*
    *Player*                 None
    *PolicyQuery*            Authenticated Users
    *PolicyAdministrator*    Local Administrators

The *Player* role by default has no members to restrict unauthorized users
from playing recorded sessions. Only users who need access to a SmartAuditor
role should be granted access to that specific role. For example, a *Player*
user who only reviews session recordings should not be granted access to the
*PolicyQuery* or *PolicyAdministrator* roles, but be granted access to the
*Player* role only. Furthermore, ensure that users who no longer require
access to a role are removed from that particular role.

By default, the *PolicyQuery* role is quite broad in terms of which users
and computers are able to access it. For example, the *PolicyQuery* role
could be accessed by any user or machine that is an authenticated user.

To improve the security of this role, remove the Authenticated Users group
from the *PolicyQuery* role. Then, add only the necessary computers to the
*PolicyQuery* security role, such that the *PolicyQuery* role only contains
the computer accounts of the machines hosting Presentation Server that have
the SmartAuditor Agent installed and enabled.

Any changes to security roles are not immediate as the SmartAuditor Broker
updates its internal cache of the security roles once every minute from the
SmartAuditor Broker authorization store XML file. To force an immediate
update of the security roles for the Broker, recycle the
*SmartAuditorAppPool* application pool in the IIS Application Pools after
changing security roles.

*To Remove Users from SmartAuditor Roles*

    1. Log on to the server where SmartAuditor Server is installed as an
       administrator.
    2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* >
       *SmartAuditor* > *SmartAuditor Authorization Console*. The
       SmartAuditor Authorization Console appears.
    3. From the left pane of the SmartAuditor Authorization Console,
       select one of the three SmartAuditor security roles.
    4. From the right pane of the SmartAuditor Authorization Console,
       select a user to remove and from the main menu, choose *Action* >
       *Delete*. Any changes to the security roles take effect in the
       SmartAuditor Broker during the update (that occurs once every
       minute).

*To Assign Users or Computers to SmartAuditor Roles*

    1. Log on to the server where SmartAuditor Server is installed as an
       administrator.
    2. From the *Start* menu, choose *Start* > *All Programs* > *Citrix* >
       *SmartAuditor* > *SmartAuditor Authorization Console*. The
       SmartAuditor Authorization Console appears.
    3. From the left pane of the SmartAuditor Authorization Console,
       select one of the three SmartAuditor security roles.
    4. From the main menu, choose *Action* > *Assign Windows Users and
       Groups*.
    5. Add the necessary users, groups or computers to the security role
       and click *OK* when finished. When adding computers, in the *Select
       Users, Computers, or Groups* dialog box, you need to click *Object
       Types…*, choose *Computers* from the *Object Types* dialog box and
       click *OK*. Any changes to the security roles take effect in the
       SmartAuditor Broker during the update (that occurs once every
       minute).

*To recycle the SmartAuditor Broker*

    1. Log on to the server that hosts the SmartAuditor Server as an
       administrator.
    2. From the *Start* menu, choose *Start* > *Control Panel* >
       *Administrative Tools* > *Internet Information Services (IIS)
       Manager*.
    3. In the left pane, expand the *servername* node (where *servername*
       is the name of the server where you are recycling the SmartAuditor
       Broker) by choosing *servername* > *Application Pools* >
       *SmartAuditorAppPool*.
    4. Right-click *SmartAuditorAppPool* and choose *Recycle*.

*Auditing of Security Roles*

The SmartAuditor Broker audits all access to the *Player* and
*PolicyAdministrator* roles by logging success and failure audits to the
Windows Application Event log. This includes access to:

    - Searching for session recordings
    - Downloading session recordings
    - Loading policies
    - Changing the active policy
    - Creating new policies
    - Deleting policies
    - Saving policies

When access is granted for a role a *Success Audit* event log entry is
created, stating the user who was granted access and the particular file or
action granted. When access is denied a *Failure Audit* event log entry is
created, stating the user request was rejected, the user who was denied
access and the requested role that was denied. Users are denied access when
they are not a member of a role.

*Storage Directories*

SmartAuditor session recordings are stored in the
*SystemDrive:\SessionRecordings* directory by default. You can change the
directory where they are stored, or add additional storage directories in
order to load balance storage across multiple volumes. Storage directories
can be specified to a local drive, SAN volume, or UNC network path. Network
mapped drive letters are not supported. The Storage Manager stores session
recording files using a directory structure of
*<StorageDirectory>\year\month\day*, where *<StorageDirectory>* is the
storage directory specified in the SmartAuditor Server Properties
application. When a new session recording file is created, subdirectories
are created based upon the current date (for example, if the date is 31st
January 2007 the session recording would reside in
*<StorageDirectory>/2007/01/31*).

For local drive and SAN volume storage directories, the existence of the
storage directory is not required when specified in the SmartAuditor Server
Properties application. The directory is created automatically and a strong
Access Control List (ACL) is applied when the Storage Manager service is
restarted. If the directory already exists and is empty, the Storage Manager
deletes the directory and recreates the directory with the strong ACL. If
however the directory exists and contains one or more files, changes to the
ACL for the existing directory are not made. It is the responsibility of the
Administrator to ensure strong ACLs are applied to this directory.

The ACL that is applied to a new directory is not inherited from the parent
directory, but any subdirectories of the storage directory inherit the ACL
applied by the Storage Manager. The list of Access Control Entries (ACE)
forming the storage directory ACL is:

    *Account*                 *Access Control*
    *Local Administrators*    Full Control
    *Creator Owner*           Full Control
    *Local Service*           Full Control
    *Network Service*         Full Control
    *System*                  Full Control

Although UNC network paths are supported as a storage directory, these
cannot be secured by the Storage Manager. It is the responsibility of the
Administrator to secure UNC network paths by applying the ACLs listed
above, substituting Local Service and Network Service accounts with the
Active Directory machine account (*domainname\machinename$*) of the
SmartAuditor Server. For performance and security reasons, the use of UNC
network paths for storing recording files is not recommended.

It is important to protect and secure storage directories as much as
possible. Storage directories should not have Windows shares enabled to
allow users direct access to session recording files. All access to storage
directories should be made via the Broker where the download of files is
highly restricted, encrypted and audited. The physical security of disks
should be considered when securing the storage directories. Ensure servers
running SmartAuditor components are physically secure. If possible, lock
these machines in a secure room to which only authorized personnel can gain
direct access.
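For a storage directory that already contained files (so the Storage Manager left its ACL alone), the ACL and share requirements above can be audited with the following added example. It is not part of the Citrix article; the function names and the `$ExtraAllowedSid` parameter are assumptions, and the accounts from the table are matched by their well-known SIDs so the check does not depend on the Windows display language.

```powershell
# Added example (Windows PowerShell 2.0 to 5.1; Get-WmiObject is not
# available in PowerShell 7).

# Compare a storage directory's ACL with the entries the article lists.
function Test-StorageDirectoryAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # For a UNC path: SID of the SmartAuditor Server machine account that
        # replaces Local Service and Network Service.
        [string[]]$ExtraAllowedSid = @()
    )
    $expected = @{
        'S-1-5-32-544' = 'Local Administrators'
        'S-1-3-0'      = 'Creator Owner'
        'S-1-5-19'     = 'Local Service'
        'S-1-5-20'     = 'Network Service'
        'S-1-5-18'     = 'System'
    }
    $acl      = Get-Acl -Path $Path
    $findings = @()

    # The Storage Manager's ACL is not inherited from the parent directory.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'ACL is not protected: entries can be inherited from the parent'
    }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($expected.ContainsKey($sid) -or $ExtraAllowedSid -contains $sid) {
            continue
        }
        # Resolve the SID to a name for the report where possible.
        $name = $sid
        try {
            $name = $rule.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }
        $origin = 'explicit'
        if ($rule.IsInherited) { $origin = 'inherited' }
        $findings += "Unexpected $origin $($rule.AccessControlType) entry: " +
                     "$name ($($rule.FileSystemRights))"
    }

    New-Object PSObject -Property @{
        Path      = $Path
        Compliant = $findings.Count -eq 0
        Findings  = $findings
    }
}

# List non-administrative disk shares that expose the storage directory,
# either by sharing it, an ancestor of it, or a folder inside it.
function Get-ShareExposingPath {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase
    Get-WmiObject -Class Win32_Share | Where-Object {
        # Type 0 is an ordinary disk share; administrative shares such as C$
        # have a different type value and are skipped.
        if ($_.Type -ne 0 -or -not $_.Path) { return $false }
        $shared = $_.Path.TrimEnd('\') + '\'
        $full.StartsWith($shared, $cmp) -or $shared.StartsWith($full, $cmp)
    } | Select-Object Name, Path
}

# Usage (default storage directory on a server whose system drive is C:):
#   Test-StorageDirectoryAcl -Path 'C:\SessionRecordings'
#   Get-ShareExposingPath    -Path 'C:\SessionRecordings'
```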

The Storage Manager supports the use of several storage directories to load
balance session recording files across multiple volumes. The load balancing
operates using a round robin method, by cycling through the storage
directories and storing each new session recording file in the next storage
directory. It is possible to add the same storage directory more than once,
to improve load balancing across several directories.

*To add storage directories to the SmartAuditor Server*

    1. Log on to the SmartAuditor Server as an administrator.
    2. From the *Start* menu, choose *Start > All Programs > Citrix >
   SmartAuditor > SmartAuditor Server Properties*.
    3. In the SmartAuditor Server Properties dialog box, click the
   *Storage* tab. The current storage directory appears in the
   *File storage directories* list.
    4. Click *Add*, type the path for the new storage directory or browse
   to locate the directory, and then click *OK*. If the directory does
   not exist, SmartAuditor creates the new directory and assigns ACLs to the
   directory.
    5. Click *OK* to accept the change. If you are prompted to restart
   the service, choose *Yes*.

*Playback Protection*

SmartAuditor Playback Protection is a feature of the Broker that encrypts
session recording files before they are downloaded from the Broker for
viewing in the Player. By default, playback protection is enabled and
requires no configuration of certificates, on either the Broker or Player
computers. Since Playback Protection is a server side setting, once it is
enabled all Player requests for downloading session recording files are
encrypted. This prevents unauthorized access to, and tampering with, session
recordings while they reside on the Player computer. Playback Protection is
implemented using 2048-bit RSA key pairs from the Player computer (generated
on first use of the Player), a 128-bit TripleDES (3DES) symmetric key
generated on the Broker computer and using an SHA-1 hash algorithm to verify
the decrypted data. The algorithm implementations of RSA, TripleDES and
SHA-1 are all FIPS compliant. The diagram below illustrates the process of
playing a file with Playback Protection.

When a user of the Player requests a session recording to download from the
SmartAuditor Server (Broker), the Player sends the Broker the RSA public
key from the User's Crypto Store and the requested session recording file
ID. On first use of the Player, a 2048-bit RSA key pair is generated
for the Player user using the Microsoft Cryptographic API and stored in the
User's Crypto Store on the local machine.

When the Broker begins encrypting a session recording file, it generates a
TripleDES (3DES) 128-bit symmetric key. The symmetric key is then used to
encrypt the contents of the requested plaintext session recording file
(.ICL) retrieved from the master file storage location, to create an .ICLE
file. The encrypted session recording file (.ICLE) is stored temporarily in
the Windows temporary files directory.

The RSA public key from the Player is then used to encrypt the symmetric
key, to create an .ICLK file that is also stored temporarily in the Windows
temporary files directory. The Broker then proceeds to stream the encrypted
session recording file (.ICLE) and key file (.ICLK) to the Player. Once the
Player receives both files, the Broker deletes the files from the Windows
temporary files directory.

The Player stores the downloaded encrypted files on the local disk in the
Player cache directory. The encrypted files can safely reside on the local
disk of the Player computer as the private keys required for decryption are
held safely within the User's Crypto Store, which only the original user can
access.

To decrypt the recording file, the Player reads the RSA private key from the
User's Crypto Store and decrypts the key file (.ICLK) to retrieve the
symmetric key. The symmetric key is then used to decrypt the encrypted
session recording file (.ICLE) back to a plaintext session recording file
(.ICL). A SHA-1 hashing algorithm is then used to verify that the decrypted
session recording file (plaintext) is correct. The decrypted file (.ICL) is
secured by locking access to the file to the Player process. It exists only
while the session recording is playing in the Player and is deleted when the
file is closed by the Player.
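
The exchange described above, as an added example using .NET cryptography classes. It is not Citrix code and does not reproduce the real .ICLE or .ICLK formats. The function name, the payload layout (SHA-1 digest followed by the recording), the key blob layout (3DES key followed by IV) and the OAEP padding are all assumptions made for illustration.

```powershell
# Added example of the Playback Protection flow using .NET crypto classes.
# Assumed layouts: payload = SHA-1 digest || recording; key blob = 3DES key || IV.
function Invoke-PlaybackProtectionDemo {
    param([byte[]]$Recording, [switch]$Tamper)   # $Recording stands in for the .ICL data
    $ns = 'System.Security.Cryptography'

    # Player, first use: 2048-bit RSA key pair; only the public half is sent.
    $playerRsa = New-Object "$ns.RSACryptoServiceProvider" 2048
    $publicKey = $playerRsa.ExportParameters($false)

    # Broker: new 128-bit TripleDES key, then encrypt digest + recording (.ICLE).
    $tdes = New-Object "$ns.TripleDESCryptoServiceProvider"
    $tdes.KeySize = 128
    $tdes.GenerateKey(); $tdes.GenerateIV()
    $sha1    = New-Object "$ns.SHA1CryptoServiceProvider"
    $payload = [byte[]]($sha1.ComputeHash($Recording) + $Recording)
    $icle    = $tdes.CreateEncryptor().TransformFinalBlock($payload, 0, $payload.Length)

    # Broker: wrap key and IV under the Player's RSA public key (.ICLK), OAEP padding.
    $brokerRsa = New-Object "$ns.RSACryptoServiceProvider"
    $brokerRsa.ImportParameters($publicKey)
    $iclk = $brokerRsa.Encrypt([byte[]]($tdes.Key + $tdes.IV), $true)

    if ($Tamper) { $icle[0] = [byte]($icle[0] -bxor 1) }   # simulate on-disk modification

    # Player: unwrap with the private key, decrypt, verify SHA-1 before use.
    $blob = $playerRsa.Decrypt($iclk, $true)
    $dec  = New-Object "$ns.TripleDESCryptoServiceProvider"
    $dec.Key = [byte[]]($blob[0..15])
    $dec.IV  = [byte[]]($blob[16..23])
    $plain   = $dec.CreateDecryptor().TransformFinalBlock($icle, 0, $icle.Length)
    $stored  = [BitConverter]::ToString([byte[]]($plain[0..19]))
    $actual  = [BitConverter]::ToString($sha1.ComputeHash($plain, 20, $plain.Length - 20))
    New-Object PSObject -Property @{
        Verified     = ($stored -eq $actual)
        KeyBlobBytes = $iclk.Length
        PayloadBytes = $icle.Length
    }
}

# Constructed sample input; the second call shows the digest check rejecting a modified file.
$sample = [System.Text.Encoding]::ASCII.GetBytes('constructed sample recording data ' * 4)
Invoke-PlaybackProtectionDemo -Recording $sample
Invoke-PlaybackProtectionDemo -Recording $sample -Tamper
```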

Playback Protection is not applied to live session playback as live sessions
are constantly changing. However, live session recording files are only
cached temporarily on the Player computer while a live session recording is
playing and are deleted when the session recording file is closed by the
Player, either when a user stops playing the session recording or when the
Player is closed. It is possible to disable live session playback from the
SmartAuditor Server and prevent live sessions from being played.

*To enable Playback Protection (if disabled)*

    1. Log on to the SmartAuditor Server as an administrator.
    2. From the *Start* menu, choose *Start > All Programs > Citrix >
   SmartAuditor > SmartAuditor Server Properties*.
    3. In the SmartAuditor Server Properties dialog box, click the
   *Playback* tab.
    4. In the *Playback Protection* section, enable the *Encrypt session
   recording files downloaded for playback* check box and choose *OK* to
   accept the change.

*To disable Live Session Playback*

    1. Log on to the SmartAuditor Server.
    2. From the *Start* menu, choose *Start > All Programs > Citrix >
   SmartAuditor > SmartAuditor Server Properties*.
    3. In the SmartAuditor Server Properties dialog box, click the
   *Playback* tab.
    4. In the *Live Session Playback* section, clear the *Allow live
   session playback* check box and choose *OK* to accept the change.

*More Information*

See Advanced Concepts Guide - Citrix Presentation Server, Platinum
Edition <http://support.citrix.com/article/entry.jspa?entryID=14748>
for a list of additional Advanced Concepts Guide articles.


-- 
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
Provision Networks VIP
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
