Wednesday 6 July 2016

Security Planning

This topic describes:

• General security best practices when using XenDesktop, and any security-related differences between XenDesktop and a conventional computer environment
• Managing user privileges
• Deployment scenarios and their security implications

Your organization may need to meet specific security standards to satisfy regulatory requirements. This document does not cover this subject, because such security standards change over time. For up-to-date information on security standards and Citrix products, consult https://www.citrix.com/security/, or contact your Citrix representative.

Security Best Practices


Keep all computers in your environment up to date with security patches. One advantage of XenDesktop is that you can use desktop appliances as terminals, which simplifies this task.

Protect all computers in your environment with antivirus software.
Protect all computers in your environment with perimeter firewalls, including at enclave boundaries as appropriate.

If you are migrating a conventional environment to XenDesktop, you may need to reposition an existing perimeter firewall or add new perimeter firewalls. For example, suppose there is a perimeter firewall between a conventional client and database server in the data center. When XenDesktop is used, that perimeter firewall must instead be placed so that the desktop and endpoint device are on one side of it, and the database servers and delivery controllers in the data center are on the other side. You should, therefore, consider creating an enclave within your data center to contain the servers and controllers used by XenDesktop.

All computers in your environment should be protected by a personal firewall on the computer. When the Virtual Desktop Agent is installed, it prompts for consent to adjust the configuration of the Microsoft Windows Firewall to add any necessary program exceptions or port exceptions so that the Virtual Desktop Agent will operate correctly. These exceptions are displayed by Windows Firewall in the usual way. The exceptions are removed if the Virtual Desktop Agent is uninstalled. If you are using a personal firewall other than Windows Firewall, you must adjust the firewall configuration manually. For further details about configuring firewalls, see “To configure firewalls manually” on page 60.

All network communications should be secured and encrypted as appropriate to match your security policy. You can secure all communication between Microsoft Windows computers using IPSec; refer to your operating system documentation for details about how to do this. In addition, communication between endpoint devices and desktops is secured through Citrix SecureICA, which is configured by default to 128-bit encryption. You can configure SecureICA when you are creating or updating a desktop group; see “Creating and Updating Desktop Groups” on page 75. For further information on SecureICA settings, see the Citrix Presentation Server Administrator’s Guide.

Managing User Privileges


You should grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of XenDesktop is that it is possible to grant a user administrative rights to a desktop without also granting physical control over the computer on which the desktop is stored.

When planning for desktop privileges, note:

• By default, when nonprivileged users connect to a desktop, they see the time zone of the system running the desktop instead of the time zone of their own endpoint device. For information on how to allow users to see their local time when using desktops, see “Configuring Time Zone Settings” on page 98.

• A user who is an administrator on a desktop has full control over that desktop. If a desktop is a pooled desktop rather than an assigned desktop, the user must be trusted in respect of all other users of that desktop, including future users. All users of the desktop need to be aware of the potential permanent risk to their data security posed by this situation. This is equivalent to the security of an ordinary computer: the users of a computer must trust the administrators of that computer. This consideration does not apply to assigned desktops, which have only a single user; that user should not be an administrator on any other desktop.

• A user who is an administrator on a desktop can generally install software on that desktop, including potentially malicious software. The user can also potentially monitor or control traffic on any network connected to the desktop. Again, this is equivalent to the security of an ordinary computer.
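
The two administrator considerations above can be checked against a desktop inventory. The following is an added example, not part of the Citrix documentation: the inventory format, desktop names, user names and the audit() function are all assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Desktop:
    """One inventory row (hypothetical format, e.g. exported from your own tooling)."""
    name: str
    kind: str                              # "pooled" or "assigned"
    assigned_user: Optional[str] = None    # only meaningful for assigned desktops
    user_admins: set = field(default_factory=set)  # end-user accounts holding local admin rights

def audit(desktops):
    """Return (rule, desktop, user) findings for the two considerations above."""
    # Map each user to every desktop on which that user is an administrator.
    admin_of = defaultdict(set)
    for d in desktops:
        for user in d.user_admins:
            admin_of[user].add(d.name)

    findings = []
    for d in desktops:
        if d.kind == "pooled":
            # An administrator on a pooled desktop must be trusted by all
            # other users of that desktop, including future users.
            for user in sorted(d.user_admins):
                findings.append(("pooled-admin", d.name, user))
        elif d.kind == "assigned" and d.assigned_user:
            # The user of an assigned desktop should not be an
            # administrator on any other desktop.
            others = admin_of.get(d.assigned_user, set()) - {d.name}
            for other in sorted(others):
                findings.append(("admin-elsewhere", other, d.assigned_user))
    return findings

# Constructed sample inventory.
INVENTORY = [
    Desktop("POOL-01", "pooled", user_admins={"alice"}),
    Desktop("POOL-02", "pooled"),
    Desktop("ASSIGN-BOB", "assigned", "bob", {"bob", "carol"}),
    Desktop("ASSIGN-CAROL", "assigned", "carol", {"carol"}),
]

if __name__ == "__main__":
    for rule, desktop, user in audit(INVENTORY):
        print(f"{rule}: {user} on {desktop}")
```

A "pooled-admin" finding means the named user must be trusted by every other user of that pooled desktop; an "admin-elsewhere" finding names the other desktop on which an assigned desktop's user also holds administrative rights.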

Deployment Scenarios


Your user environment can consist of either endpoint devices that are unmanaged by your organization and completely under the control of the user, or of endpoints that are managed and administered by your organization. The security considerations for these two environments are generally different.

Managed Endpoint Devices


Managed endpoint devices are under administrative control; they are either under your own control, or the control of another organization that you trust. You may configure and supply endpoints directly to users; alternatively, you may provide terminals on which a single desktop runs in full-screen-only mode (XenDesktop-ready desktop appliances). You should follow the guidelines described in “Security Best Practices” on page 20 for all managed endpoints. XenDesktop has the advantage that minimal software is required on an endpoint.

A managed endpoint device can be set up to be used in full-screen-only mode or in window mode:

• If an endpoint is configured to be used in full-screen-only mode, users log on to it with the usual Log On To Windows screen. The same user credentials are then used to log on automatically to XenDesktop.

• If an endpoint is configured so that users see their desktop in a window, users first log on to the endpoint, then log on to XenDesktop through the XenDesktop Web site supplied with XenDesktop.

Unmanaged Endpoint Devices


Endpoint devices that are not managed and administered by a trusted organization cannot be assumed to be under administrative control. For example, you might permit users to obtain and configure their own endpoints, but users might not follow the general security best practices described above. XenDesktop has the advantage that it is possible to deliver desktops securely to unmanaged endpoints. These endpoints should still have basic antivirus protection that will defeat keylogger and similar input attacks.

Pooled or Assigned Desktops


When using XenDesktop, you can prevent users from storing data on endpoint devices that are under their physical control. However, you must still consider the implications of users storing data on desktops. It is not good practice for users to store data on desktops; data should be held on file servers, database servers, or other repositories where it can be appropriately protected.

Your desktop environment may consist of pooled desktops or assigned desktops:

• Users should never store data on pooled desktops.

• If users store data on an assigned desktop, that data should be removed if the desktop is later made available to other users. Further advice about this is provided in “To update a desktop group” on page 90.
