Endpoint Protection

  • 1.  Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 14, 2014 03:24 PM

    Hello,

    We had a penetration test for our Citrix infrastructure.
    On the Citrix servers SEP 12.1.3 is installed (AV / AS only), and the auditors have commented that it might be possible for normal users to read the Exclusions from the registry and exploit them. (For Citrix you NEED some Exclusions for sure.)

    We had the same problem on thousands of PCs and notebooks. There I created an Application and Device Control Policy that blocks access for normal users. Works fine.

    For several years I have installed only AV / AS on the Citrix servers, and now I'm careful and would be interested whether anyone has experience with ADC on Citrix servers (NOT Citrix Provisioning Server)?


    Symantec Endpoint Protection (SEPM and SEP Client) 12.1.3 ==> on the way to 12.1.4 in the next weeks.

    Citrix Presentation Server 4.5 on Windows Server 2003 R2 fully patched

    Citrix XenApp Server 6.5 on Windows Server 2008 R2 fully patched


    Thank you in advance.
    Thedo



  • 2.  RE: Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 14, 2014 03:30 PM

    Deploying ADC for Citrix or just servers in general should be carefully planned out. It's not much different than deploying to clients except there is a lot more noise being generated. The good part with ADC is you can create all the rules you see fit and put them in Log mode and let it run so you can monitor it. That would be my first suggestion, figure out what you want to do, create the rule(s), and leave in log mode for a bit so you can monitor. I've had good success deploying to servers in the past. Same goes for our Citrix environment.

    This article may be of use as well:

    Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies

    Pay special attention to the limitations and recommended limits of ADC.

    Hope that helps.

    -Brian



  • 3.  RE: Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 18, 2014 04:49 AM

    Thank you Brian for the quick reply.


    However, the basic operation of the ADC is known to me. A detailed test with a Citrix Server 6.5 and 4.5 is planned.

    Has anyone already gained experience in production (in real life) with Citrix and ADC?



  • 4.  RE: Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 18, 2014 07:29 AM

    As I said I use it in my Citrix environment. What exactly do you want to know? Rules used? Performance? Issues?



  • 5.  RE: Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 22, 2014 06:22 PM

    The pen-tester wants us to secure access on our Citrix servers to the registry, where you can read the exclusion paths from SEP...

    How would you implement such a request?

    What do you control with ADC policies in a Citrix environment?

    How many fewer users per server do you have with ADC installed on Citrix servers?

    Are there any problems with the Memory Optimization?

    Any other issues like BSOD with special Software?

    Thanks in advance.



  • 6.  RE: Symantec Endpoint Protection ADC on Citrix Presentation Server 4.5 and Citrix XenApp Server 6.5

    Posted Jan 23, 2014 11:54 AM

    Does he have access to the client or is this remotely? You can obviously block regedit.exe as well as stop the remote registry service.

    Some things we stop are:

    • Modifications to the HOSTS file
    • Changes to Internet Explorer
    • Changes to system files
    • Do Not Allow Browser Helper Objects
    • Do Not Allow Toolbars

    We typically have 20-25 users active at any point. We did follow the best practices for SEP on Terminal Servers.

    The server is heavily spec'd out so no issues with resources.

    We have not seen issues with BSOD. We run AV/IPS/ADC components. Add exceptions as needed.
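    The core of the auditors' finding, and of the advice above about the Remote Registry service, is a question a Citrix admin can check for themselves before and after rolling out an ADC rule: can an unprivileged user read the registry key that holds the AV exclusions, locally or remotely? The following PowerShell audit script is an added example and is not part of this thread or of Symantec's own tooling. The registry path in `$ExclusionKey` is a placeholder to be replaced with the key your SEP version documents; `BUILTIN\Users` is the default principal checked, and the script only inspects Allow entries, so an explicit Deny that ADC or a GPO adds would need to be read separately from the ACL it prints.

```powershell
# Added audit example (not from the thread): report whether broad principals can read
# the AV exclusions registry key, and whether Remote Registry is reachable.
# $ExclusionKey is a PLACEHOLDER path; replace it with the key your SEP version documents.
param(
    [string]$ExclusionKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_EXCLUSIONS_KEY',
    [string]$Principal    = 'BUILTIN\Users'
)

# Principals that effectively mean "any interactive or network user" on a session host.
$BroadPrincipals = @($Principal, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-BroadReadAces {
    # Returns the Allow ACEs on $Path that grant at least ReadKey to a broad principal.
    # ReadKey = QueryValues | EnumerateSubKeys | Notify | ReadPermissions; FullControl contains it.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path (placeholder path not replaced?)"
        return @()
    }
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        # Generic rights (negative values) are not expanded here; they are reported separately below.
        ([int]$_.RegistryRights -ge 0) -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    } | ForEach-Object {
        [pscustomobject]@{
            Key       = $Path
            Identity  = $_.IdentityReference.Value
            Rights    = $_.RegistryRights
            Inherited = $_.IsInherited
        }
    }
}

function Get-GenericRightAces {
    # Generic access masks (GENERIC_READ etc.) show up as negative RegistryRights values;
    # list them so the reviewer can judge them by hand instead of silently ignoring them.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }
    (Get-Acl -Path $Path).Access | Where-Object { [int]$_.RegistryRights -lt 0 } |
        Select-Object @{n='Key';e={$Path}}, IdentityReference, RegistryRights, AccessControlType
}

function Get-RemoteRegistryState {
    # Remote Registry is what lets a user read the key from another host; it should be
    # stopped and disabled on session hosts unless something needs it.
    $svc = Get-Service -Name 'RemoteRegistry' -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false } }
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status
        StartMode = $cim.StartMode
    }
}

# --- Report ---------------------------------------------------------------
$readable = @(Get-BroadReadAces -Path $ExclusionKey)
if ($readable.Count -gt 0) {
    Write-Host "FINDING: broad principals can read $ExclusionKey" -ForegroundColor Yellow
    $readable | Format-Table -AutoSize
} else {
    Write-Host "OK: no Allow ACE grants ReadKey to a broad principal on $ExclusionKey"
}

$generic = @(Get-GenericRightAces -Path $ExclusionKey)
if ($generic.Count -gt 0) {
    Write-Host "REVIEW: ACEs with generic access masks (not evaluated automatically):"
    $generic | Format-Table -AutoSize
}

$rr = Get-RemoteRegistryState
if ($rr.Present -and ($rr.Status -eq 'Running' -or $rr.StartMode -ne 'Disabled')) {
    Write-Host "FINDING: Remote Registry is $($rr.Status), start mode $($rr.StartMode)" -ForegroundColor Yellow
} else {
    Write-Host "OK: Remote Registry is absent, stopped and disabled"
}
```

    Run it once as an administrator before creating the ADC rule to confirm the finding, and again after the rule has left log mode; the inherited-ACE column tells you whether a permissive entry comes from the key itself or from a parent hive, which decides whether an ADC registry rule or an ACL change is the right fix. On a session host the check is also worth repeating in an ordinary user's session, since ADC rules apply per process and the audit above only reads the static ACL.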