Citrix Policy Lockdown 1.0

Citrix Policies are not the coolest thing to mess with, but they are very important and are very often overlooked from a security perspective. I hope this quick blog will help you look at your policies differently and help you secure your deployment. When I’m doing Citrix Security Assessments, the weak policies are usually the second biggest finding (after patching) because they usually are just defaults, and/or the filters and/or their order make them weaker than most clients expect them to be with some of those factors.

In this article, I will go over the basics of the Citrix security policies, the scary ones you should worry about, how to check if you’re at risk and how to fix them up. Many of these settings are enabled by default because most customers need them, but if you look at them just one more time, in most cases you should be able to disable many of them.

Citrix Policy Big 4

Copy\Paste: Bi-directional Copy\Paste; Write Allowed Formats – All

Drive Mappings: On by Default
Major: Client Fixed Drives, Client Network Drives, Client Removable Drives
Minor: Client Floppy Drives, Client Optical Drives

USB Mounts: Disabled by Default; Restrict the Devices…

Citrix Analytic Services, PreRelease Mini Deep Dive

Citrix Analytic Services

Citrix released Insight Services for HDX (Citrix) and Web Traffic a couple of years ago, and it was and is a great solution, but I think they have finally doubled down. They were able to see the value of the data they had from the NetScaler AppFlow streams. This is a great step for them in the security realm; pricing and packaging will determine how many of their existing deployments they can get this deployed in and how many new customers are drawn. When I compare Citrix and VMware right now, VMware has NSX, which is an advantage in how they package it, but you can run it with Citrix too, at a higher cost because of the packaging. This more adaptive security model is very appealing, and if you have NSX and this you are doing what you can for sure, but it doesn’t mean you are unhackable either. I believe this is one of the best bolt-on things they have ever added, and if the pricing and packaging is right it will be a hit. Here are some of the slides from Citrix Synergy 2017 as we go into this. Going over the same scenario we…

Apple and the FBI

Phone Rights Apple and the FBI

As a Security Nerd and someone who has worked in the intelligence community, I have followed some cases over the years, but this one takes the cake for sure. This is a big deal, and below I will go over in some pretty good detail what the FBI wants from Apple, how these things align with other legal precedents, and some other related thoughts.

Privacy has always been a very interesting thing since the commercialization of the computer and the internetification of the TCP/IP network. Apple has done a lot for people’s privacy since the release of iOS version 8 in late 2014, which prevented the unlocking of data when a device was seized by law enforcement without the passcode, based on its AES 256 key system (iOS 7 could self-destruct with bad passcodes also, but iOS 8 tied the encryption to it, so you started to have to know it). Then when iOS 9 came out they stepped it up again with two-factor enablement with TouchID and a couple of other things to make it more better. Also going from 4 digits (10k combinations) to now over a million combinations with 6 alphanumeric passcodes. That becomes…