Citrix and Terminal Servers provide highly valuable functionality for session-based access, but to date have had an Achilles heel when it comes to privileged account management across multiple users. It’s time for organisations to secure this potential threat vector.
With accessibility comes great responsibility
Citrix and Windows Terminals allow geographically distributed workforces to connect into IT environments. Their introduction has allowed organisations to greatly reduce the need for managing employee devices, while increasing application response, and all without data leaving the perceived safe confines of the corporate environment.
However, this connectivity has introduced monumental challenges. Firstly, by their design, these virtual portals are accessible from the internet thus offering a tunnel into internal servers which has made them an attractive target for hackers.
A further consideration is that all traffic using the Citrix/Terminal Server is seen by the network as coming from a single IP address, sometimes representing dozens of users with different access requirements. Using virtual desktop infrastructure (VDI) to give each individual a complete virtual desktop system rather than publishing multiple user spaces on a single OS Kernel space is a costly alternative that only addresses a small portion of the issue.
Network-layer IP-centric access controls do not take the actual user into account. For a traditional firewall, this means that an access rule is needed to allow the server to access every resource that any user on that server could need. In the case of VDI desktop pools it means pre-assigning each individual user’s IP address in a predictable way. In practice, these access rules can often become a ‘permit all’ for the Citrix/Terminal Server multi-user desktop or VDI environment IP address pools.
Finally, and despite how hard the enterprise tries to lock down these environments, there are well-documented cases of users inadvertently exposing their organisations to attacks.
The stakes are high
The threat landscape requires organisations to consider the security implications of compromised accounts and machines far more seriously than in the past. The threat of a Citrix server being compromised, whether by malware or a malicious user exploiting vulnerabilities in the system, is just too dangerous to be ignored.
For example, there have been a number of reported breaches where compromised credentials allowed access to a terminal server that was acting as a ‘jump box’. In one case, entry via a terminal server provided the opening that attackers required to establish unimpeded access to retail point-of-sale (POS) systems. This single compromised account led to countless credit card details and customer records being stolen.
In today’s evolving threat landscape new vulnerabilities are constantly being discovered in operating systems, and Citrix and Microsoft both stress the need to always install their latest security updates. However this process of enumerating ‘bad’ behaviour is limited to a reactive approach to security. New malware and attack vectors are always being developed, and a compromised server with access to secure network areas can be used as a launching point for a serious attack.
Multi-user and virtual desktop infrastructures like Citrix’s XenDesktop and XenApp solutions or Terminal Server offer too many tangible benefits to be ignored, but that doesn’t mean you can overlook the holes they create.
The reason that attacks like those described above have been successful is that, with Citrix/Terminal Servers, access rules allow dozens of users sharing an IP address to access every resource on a network segment. Once inside the network, cyber criminals, who typically possess stolen credentials, have been able to ‘see’ applications and services, whether authorised or not.
A better way to secure access
The reason that attacks like those described above are successful is that controlling a user’s access to their desktop and/or applications is just one side of the equation.
In order to truly protect corporate data and resources there also needs to be tight user-based controls around network access from virtual desktops. Enterprises need to move away from IP-centric architectures to a role-based security model that maintains the distinction between individual users connecting through a Citrix or Windows Terminal, then dynamically provision access on the network and application level depending on the user’s role and attributes.
For example is the user on a laptop at home or are they on an unrecognised tablet on an unsecure Wi-Fi network? Should access be granted in the latter case to sensitive data?
Dynamic access control also makes it difficult for attackers with stolen credentials – or anyone else on the network – to find valuable network assets. The technology abstracts applications and resources from the underlying physical infrastructure, which means that non-authorised services aren’t just hidden – they’re simply not visible on the network at all. And what cyber criminals can’t see, they can’t compromise.
Kurt Mueffelmann, CEO of Cryptzone