[THIN] Re: Securing MFXP

  • From: "Marc-Andre Lapierre" <malapierre@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 17 Aug 2005 17:37:37 -0400

For sure this is the best. Actually, I use a combination of CSG + Secure
Computing Safe word for citrix or premiere access. I was just talking
about the situation of ILMS (original post) which include only the use
of Certificate.
But I've got some customer (hospital) that couldn't use a public
certificate since the government does not let them do that. I had to do
it that way + they required two factor authentication and the cheapest
way possible. The combination of a private root + username password met
their needs. It's not the best, I agree.
Another cool solution I use: RadIIS on the WI + a radius server that
holds a second user database. You got to authenticate to the radius
first with a username + a java passcode generator (kind of soft token +
PIN) that change on a daily basis and give you the WI login page then
after you authenticate to your ADS through the WI to get your Ticket and
your icons.

From: Steve Greenberg [mailto:steveg@xxxxxxxxxxxxxx] 
Sent: Wednesday, August 17, 2005 5:32 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP
I tend to agree, but rather than target the CERT for improvement, I
would use a third party security add on such as Secure Computing and
require another factor of authentication to gain access...
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Marc-Andre Lapierre
Sent: Wednesday, August 17, 2005 2:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP
What if you use Entrust Authority?
Right now, the weakest aspect of a CSG setup is the username/password...
If you use a private Cert that you don't give, the hacker has to find
the Username/Password + hack/fake or whatever your private CA
certificate, which is not that easy even with MS technology. If you use
the public one, yes your encryption might be stronger, but anyone can
get that CA certificate and the only wall they have in front of your
network is, in most cases, a username/password to find. The hacker that
has the knowledge/ability to break in a Microsoft CA certificate is
probably able to break in a Thawte/Verisign one... While a
username/password guess/try is easily feasible to anyone. Maybe I'm
wrong, but if I have to choose, I prefer having a slightly week
encryption (specially knowing that the content of an ICA packet is
almost useless) with an easy to create and a private MS CA Cert than
having a stronger encryption but easier to break in a Username Password

From: Bray, Donovan (ESC) [mailto:BrayD@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 17, 2005 4:29 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP
From a security standpoint I don't think what you are suggesting is
entirely true. I guarantee you Thawte and Verisign run a much more
secure CA, than the rest of us can.
What you are suggesting is potentially more hoops for an attacker, but
if the hoops are easier to get around, there's no security advantage.
Also as stated before it increases your training costs, and ongoing TCO
for additional helpdesk calls, that you could have reduced by paying
$300/yr to a reputable publicly available CA.  I wouldn't consider
anybody's self setup CA to be more secure than a reputable public CA,
unless you are in the business of setting up Certificate Authorities and
you had a considerable amount of money to invest in the PKI
infrastructure.  Setting up a secure CA and PKI infrastructure is well
beyond running just running Microsoft's CA software on a single box.
It's about the business practices of the CA as much as it is about the

From: Marc-Andre Lapierre [mailto:malapierre@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 17, 2005 1:00 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP
But using a private cert is more secure than using a public one since
the ICA has to trust the Root certificate of the CSG box. It's a king of
two factor authentication since you need to give the private certificate
to your users.

From: Joe Shonk [mailto:joe.shonk@xxxxxxxxx] 
Sent: Wednesday, August 17, 2005 1:26 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP
I would look at using CSG; it's more secure and free with your SubAdv.
It's much simpler to setup and maintain than SSL Relay, even with 2
servers.   I would also look into using a Public cert.  They can be had
for only $50 dollars and saves a bunch of time and hassle trying to
teach end users how to install the root cert.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of ILMS (Air)
Sent: Tuesday, August 16, 2005 9:24 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Securing MFXP
Hii friends!
We have 2 MFXP FR3/W2k3 servers, users logging in using WI over LAN/WAN.
Would like to implement SSL.
What I have in mind is:
1.  Setup CA on one MF server. Create root cert.
Issue Server cert to both MF servers (IIS servers) and install through
2. Direct WI to use HTTPS (or Citrix SSL??) on 443, also set MF server
name same a certificate name.
3.  Setup citrix ssl relay on both MF servers (required??).
4. Install root cert on clients.
5.  Open only 443 port.
6.  Direct users to use https://server
waiting for your feedback!!
thnx in advance!

Other related posts: