RE: Securing Citrix NFuse and IIS 5

From: Henry Sieff (
Date: 10/19/02

From: Henry Sieff <>
To: "''" <>,
Date: Fri, 18 Oct 2002 17:38:51 -0500

A couple more points I forgot to mention:

1) You must lock down the actual Citrix Servers: All those privelege
elevation/local only exploits you thought you didn't need to worry about
because you trust your users and nobody can get a local logon? Well, guess
what: they are now an actual risk. There are many good guides to locking
down citrix servers themselves; the Brian Madden book has a good one.

2) Treat those citrix servers (or the secure gateway) the same way you would
treat a VPN host in terms of where you place it. Use IDS to sniff all the
traffic going in and out.

> -----Original Message-----
> From: []
> Sent: Friday, October 18, 2002 10:22 AM
> To:
> Subject: Securing Citrix NFuse and IIS 5
> I'm working on a pilot deployment of Citrix with its NFuse
> component on Win2000 to allows remote users to access our LAN
> via web browser. NFuse uses IIS 5 installed on the same
> machine to deliver all of our applications to the remote user.
> Is there anything special to know about hardening IIS 5 in
> conjunction with NFuse that anyone here has any experience
> with? What about a good white paper on hardening IIS 5,
> besides what Microsoft has on their web site?
> Has anyone used EEye's SecureIIS product with NFuse/IIS5?
> I've heard very good things about it and hope it might be useful here.
> Thanks for any information you might be able to provide.
> Regards.
> Get your free encrypted email at