RE: Securing Citrix NFuse and IIS 5

From: Henry Sieff (hsieff@orthodon.com)
Date: 10/19/02


From: Henry Sieff <hsieff@orthodon.com>
To: "'auto300258@hushmail.com'" <auto300258@hushmail.com>, focus-ms@securityfocus.com
Date: Fri, 18 Oct 2002 17:38:51 -0500

A couple more points I forgot to mention:

1) You must lock down the actual Citrix Servers: All those privelege
elevation/local only exploits you thought you didn't need to worry about
because you trust your users and nobody can get a local logon? Well, guess
what: they are now an actual risk. There are many good guides to locking
down citrix servers themselves; the Brian Madden book has a good one.

2) Treat those citrix servers (or the secure gateway) the same way you would
treat a VPN host in terms of where you place it. Use IDS to sniff all the
traffic going in and out.

> -----Original Message-----
> From: auto300258@hushmail.com [mailto:auto300258@hushmail.com]
> Sent: Friday, October 18, 2002 10:22 AM
> To: focus-ms@securityfocus.com
> Subject: Securing Citrix NFuse and IIS 5
>
>
>
> I'm working on a pilot deployment of Citrix with its NFuse
> component on Win2000 to allows remote users to access our LAN
> via web browser. NFuse uses IIS 5 installed on the same
> machine to deliver all of our applications to the remote user.
>
> Is there anything special to know about hardening IIS 5 in
> conjunction with NFuse that anyone here has any experience
> with? What about a good white paper on hardening IIS 5,
> besides what Microsoft has on their web site?
>
> Has anyone used EEye's SecureIIS product with NFuse/IIS5?
> I've heard very good things about it and hope it might be useful here.
>
> Thanks for any information you might be able to provide.
>
> Regards.
>
>
>
> Get your free encrypted email at https://www.hushmail.com
>