SYN 321: Securing the Published Browser


Transcript of SYN 321: Securing the Published Browser

1 © 2016 Citrix

Session Number/Session Title:

SYN321: Securing the published browser

Session Description:

Browsers are the most common published application in virtualized environments—and also the most exposed to security issues, as they’ve historically been one of the most vulnerable pieces of software on any end point. The security concerns with browsers are legendary and involve complex settings, third-party plugins, active content, Flash, JAVA and other components that must be kept under strict control. XenApp and XenDesktop provide unique methods to fine-tune browser security and protect sensitive data across web applications, compliance environments, administrative portals, email and the cloud. Join this session for a discussion of “when bad things happen to good browsers” including demos of common security problems and their solutions.

In this session, you will learn:

• How to lock down browsers at the end point for accessing both virtualized and web environments

• Guidance for hardening published browsers, including group policy and PowerShell configuration of security policies

• How to tune browser components to be application-specific and further minimize the attack surface

2 © 2016 Citrix

Session Date-Time/Location:

5/24/2016, 2:00 p.m. – 3:30 p.m. / Murano 3304

Session Track: Desktop & App Delivery, Security

Session Level: Technical - Advanced

Session Owner: Calvin Hsu

(Contact with any questions regarding session content and direction)

Image source:

http://www.bing.com/images/search?q=browser&view=detailv2&qft=+filterui%3alicense-L2_L3&id=E6F8E72F843D7D4187ED4FDBB88C61EB4DDF034A&selectedIndex=1&ccid=b%2bjOseF4&simid=608051161184536293&thid=OIP.M6fe8ceb1e178b94805643ce78575472do0&ajaxhist=0

(License selected: Free to modify, share and use commercially)

3 © 2016 Citrix

@JHNord @CitrixSecurity @atofunk

4 © 2016 Citrix

5 © 2016 Citrix

Source: https://cis.citrix.com/insights/#/product-insights/xenapp-and-xendesktop

6 © 2016 Citrix

[Kurt]

7 © 2016 Citrix

[Kurt]

• We’re addressing local browsers for access to virtualization resources, as well as datacenter and cloud-hosted browsers. Reverse seamless???

• The guidance provided is appropriate for corporate, home and third parties

• Plugins include Flash player, Silverlight, JAVA, Acrobat, etc.

• The goal is a “browser enclave”, where a problem with the browser/content is contained

• Throughout this conversation, we will be discussing the tradeoffs between security and functionality, along with those between anonymity and auditing.

• Introducing the Securing the Published Browser Whitepaper

8 © 2016 Citrix

Eric Beiers is a solution architect that works with the largest enterprises of Canada to help develop and realize their virtualization, cloud and networking strategies and vision. Eric was the previous technical lead of Citrix Consulting Canada, as the Enterprise Architect for the country where he architected many large global deployments of Citrix, with high security kept at top of mind.

Joseph Nord is Security Product Manager for Citrix where he authors the XenApp and XenDesktop product requirements for security and authentication features and manages the completion of certifications and compliance including Common Criteria, FIPS, PCI and HIPAA. Joe works with customers, partners and Citrix sales teams to help customers achieve their security goals.

As Chief Security Strategist for Citrix, Kurt Roemer leads security, compliance, risk and privacy strategies for Citrix products. As a member of the Citrix CTO and Strategy Office, Roemer drives ideation, innovation and technical direction for products and solutions that advance business productivity while ensuring information governance.

An information services veteran with more than 30 years' experience, his credentials include the Certified Information Systems Security Professional (CISSP) designation. He also served as Commissioner for the US public-sector CLOUD2 initiative and led efforts to develop the PCI Security Standards Council Virtualization Guidance Information Supplement while serving on the Board of Advisors.

9 © 2016 Citrix

[Kurt, Joe, Eric]

Image Source:

http://atom.smasher.org/vegas/?l1=Tonight+Only%21&l2=Eric%2C+Joe+and+Kurt&l3=&l4=Just+Browsing

10 © 2016 Citrix

[Eric]

DEMO

(1) Corporate site, going to the bad place on the network + secure browser - Why should we care?

Show an example of launching a webpage from a local computer

No restrictions, all wide open, user can go to the bad places on the Internet and accept the warnings

Not centrally managed, and no technical policy to enforce corporate policy

Launch a secure browser site, show the idea that if you have a current generation browser, you can launch a browser, from within another browser


14 © 2016 Citrix

[Joe, Kurt]

Image Source:

http://www.bing.com/images/search?q=scared&view=detailv2&qft=+filterui%3alicense-L2_L3&id=5EDE5975BAE94FA5D3220CE607E8E2A89B00108B&selectedIndex=15&ccid=%2b4zu3HEl&simid=608021049168429905&thid=OIP.Mfb8ceedc7125e5beeb3003b20b442c4fo0&ajaxhist=0

(License selected: Free to modify, share and use commercially)

15 © 2016 Citrix

• Integrated browsers, installable browsers, browser appliances

• Local browser access with URL redirection. Remote PC.

• Persistent and non-persistent

Image Source:

http://www.amazon.com/HP-Chromebook-14-Celeron-14-inch/dp/B0172GUW4I/ref=sr_1_7?s=pc&ie=UTF8&qid=1463513119&sr=1-7&keywords=hp+chromebook

16 © 2016 Citrix

[Joe, Kurt]

Value of running hosted, things to lock down, ability to restrict clipboard (one-way) and format limiting, turn off client drive mapping, printing…everything you don’t need

Trash Can – disposable browser

Goal is a desired state that's reproducible through configuration

Can use PowerShell to validate

chrome://policy/

Chromebook

TLS 1.2
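The "desired state, validated with PowerShell" idea from the notes above, as an added example that is not the session's or Citrix's own script: it reads the registry-backed Chrome and IE policy values that chrome://policy and the IE group-policy UI reflect and reports drift from an assumed baseline (forced incognito for the disposable browser, plugins blocked, no saved passwords, TLS 1.2 only). The policy names are real; the expected values are the assumed hardening profile.

```powershell
# Added example (not the session's or Citrix's script): check a published-browser image
# against a desired-state baseline of registry-backed browser policies.
# Policy names are real Chrome and Internet Explorer policy values; the expected
# values are an assumed hardening profile for a disposable, TLS 1.2-only browser.
$ChromePolicy  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$WinInetPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$Baseline = @(
    @{ Path = $ChromePolicy;  Name = 'IncognitoModeAvailability'; Expected = 2 }       # 2 = forced incognito: the "trash can" browser keeps nothing
    @{ Path = $ChromePolicy;  Name = 'DefaultPluginsSetting';     Expected = 2 }       # 2 = block plugins (Flash etc.) unless a site policy allows them
    @{ Path = $ChromePolicy;  Name = 'PasswordManagerEnabled';    Expected = 0 }       # no saved credentials on a shared, non-persistent image
    @{ Path = $ChromePolicy;  Name = 'SSLVersionMin';             Expected = 'tls1.2' }
    @{ Path = $WinInetPolicy; Name = 'SecureProtocols';           Expected = 2048 }    # 0x800 = TLS 1.2 only for IE and other WinINet clients
)

function Test-BrowserPolicyBaseline {
    param([array]$Items = $Baseline)
    foreach ($item in $Items) {
        $actual = $null
        if (Test-Path -LiteralPath $item.Path) {
            $props = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties[$item.Name]) {
                $actual = $props.($item.Name)
            }
        }
        [pscustomobject]@{
            Path      = $item.Path
            Name      = $item.Name
            Expected  = $item.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual -and "$actual" -eq "$($item.Expected)")
        }
    }
}

# Run this as the last step of the image build: any drift fails the step, so the
# gold image is never sealed for MCS/PVS in a non-compliant state.
# (chrome://policy on the running image shows what Chrome actually loaded.)
$results = Test-BrowserPolicyBaseline
$results | Format-Table Name, Expected, Actual, Compliant -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} policy value(s) differ from the baseline" -f $drift.Count)
    exit 1
}
```

A missing value is reported as non-compliant on purpose: an absent policy means the browser falls back to its default, which is the relaxed setting.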

17 © 2016 Citrix

Image Source:

http://www.bing.com/images/search?q=browser+security&view=detailv2&qft=+filterui%3alicense-L2_L3&id=BE5DEFEF0C048783BA227F05923AD344BDDD79E2&selectedIndex=41&ccid=AuIvjmdB&simid=608044065901576378&thid=OIP.M02e22f8e6741ea58c447277ba237d4eco0&ajaxhist=0

(License selected: Free to modify, share and use commercially)

18 © 2016 Citrix

[MZ] This is a big deal. Do you want to force all your users to use legacy version of browser just because you have one application that requires it? Wouldn’t it be nice if you could choose which browser you want to use with each of the critical applications?


20 © 2016 Citrix

Level 1, 2

Green, Yellow, Red [high-level data sensitivity classification]

Sensitive apps

Options

PCI

Enterprise mode – compatibility setting in IE11 (configure for IE8 compatibility)

Lockdown vs. relaxation

21 © 2016 Citrix

Tradeoffs?

Forbes

Turn off address bar

Enterprise mode – compatibility setting in IE11 (configure for IE8 compatibility)

Be aware of site-specific policies, such as preference for HTML5 over Flash

Persistence

Redirects

Whitelisting and blacklisting? (domains, plugins, active content)

22 © 2016 Citrix

DEMO - Build and harden the OS

(2) Building the OS image (PowerShell creation) + how to add applications (PowerShell/VBS/MCS) - We need to build and harden the OS

Explain the idea of consistency of images, and you need some way to automate, since if you do this a few times by hand, it will never be the same

Want to build the system by installing certain services, disabling some services,

Demonstrate installing applications using PowerShell

Explain the idea of converting the image to a gold image for use in MCS or PVS, and having a non-persistent image allows us to reboot, and go back to a known clean state (no demo, just console?)


25 © 2016 Citrix

Image source: http://www.bing.com/images/search?q=under+construction&view=detailv2&qft=+filterui%3alicense-L2_L3&id=05B56A181A55837CEDFD8E8E4F905E62CC877603&selectedIndex=9&ccid=3e6v8Zqr&simid=608034458058622883&thid=OIP.Mddeeaff19aab382d52bbea2fb0ac844bo0&ajaxhist=0

(License selected: Free to modify, share and use commercially)


27 © 2016 Citrix

(3) How to configure/lock down browser (GPO/GUI) - We need to configure and harden the browser (part 1)

Review of the GUI of the browser, talk through some of the key settings

Show how to configure IE11, using group policy

Show how to install an ADMX template (or skip but explain), and then use that template to configure Chrome and Firefox

(4 or merge with 3) Enterprise Mode/trusted sites configuration/proxy configuration - We need to configure and harden the browser (part 2)

When configuring a browser, certain sites might require compatibility viewing, or a lessened security posture.

Demonstrate using GPOs to configure the trusted sites configuration

Demonstrate configuration of the proxy (several ways to do this: GUI/GPO/PowerShell/WPAD; choose one)

Demonstrate creating an enterprise mode list in XML (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool, https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list)
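The Enterprise Mode site list and trusted-sites steps of demo 3/4, as one added example (not the session's or Citrix's own script): it writes a version-1 schema site list so that only the named legacy hosts get IE8 rendering, points IE11 at it through the Enterprise Mode policy value, and assigns Trusted Sites through the "Site to Zone Assignment List" policy location. The host names and the share path are assumed placeholders.

```powershell
# Added example (not the session's or Citrix's own script): build a version-1
# Enterprise Mode site list, point IE11 at it by policy, and assign Trusted Sites
# by policy, so only the legacy apps that need IE8 rendering get it while the
# rest of the browser stays locked down. Host names and the share path are assumed.
$EmieSites    = @('legacyportal.example.internal')           # render in Enterprise Mode (IE8 emulation)
$DocModeSites = @{ 'timesheets.example.internal' = '9' }    # pin an explicit document mode instead
$TrustedSites = @('https://sso.example.internal', 'https://hr.example.internal')
$SiteListPath = '\\fileserver\ieconfig\EnterpriseModeSiteList.xml'

function New-EnterpriseModeSiteList {
    param([string[]]$EmieDomains, [hashtable]$DocModes, [string]$OutFile)
    $xml   = New-Object System.Xml.XmlDocument
    $rules = $xml.AppendChild($xml.CreateElement('rules'))
    # "version" is the list revision, not the schema: raise it whenever the list
    # changes so IE11 re-downloads it on its next check.
    $rules.SetAttribute('version', '1')
    $emie = $rules.AppendChild($xml.CreateElement('emie'))
    foreach ($d in $EmieDomains) {
        $n = $emie.AppendChild($xml.CreateElement('domain'))
        $n.SetAttribute('exclude', 'false')
        $n.InnerText = $d
    }
    $docMode = $rules.AppendChild($xml.CreateElement('docMode'))
    foreach ($d in $DocModes.Keys) {
        $n = $docMode.AppendChild($xml.CreateElement('domain'))
        $n.SetAttribute('docMode', $DocModes[$d])
        $n.InnerText = $d
    }
    $xml.Save($OutFile)
}

function Set-IEZonePolicies {
    param([string]$SiteListUrl, [string[]]$Trusted)
    # Registry location behind the "Use the Enterprise Mode IE website list" policy
    $em = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
    New-Item -Path $em -Force | Out-Null
    Set-ItemProperty -Path $em -Name 'SiteList' -Value $SiteListUrl
    # "Site to Zone Assignment List" policy: 1 = Intranet, 2 = Trusted, 3 = Internet,
    # 4 = Restricted. Once set by policy, users can no longer edit the zone lists.
    $inet = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Item -Path "$inet\ZoneMapKey" -Force | Out-Null
    foreach ($site in $Trusted) { Set-ItemProperty -Path "$inet\ZoneMapKey" -Name $site -Value '2' }
    Set-ItemProperty -Path $inet -Name 'ListBox_Support_ZoneMapKey' -Value 1 -Type DWord
}

New-EnterpriseModeSiteList -EmieDomains $EmieSites -DocModes $DocModeSites -OutFile $SiteListPath
Set-IEZonePolicies -SiteListUrl $SiteListPath -Trusted $TrustedSites
```

Keep the Trusted Sites list short and explicit: every host placed in zone 2 gets the relaxed posture for that zone, so it is exactly the "lockdown vs. relaxation" tradeoff from the earlier slide, made per site.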

28 © 2016 Citrix

[Joe, Kurt]


43 © 2016 Citrix

Storefront, workflow, tab for each browser…

Colors

3 different Chrome, 3 different background colors

Use cases – protection of cloud-based apps

DEMO

(5) Launch and customize applications (Colours, switches, vbs wrapper) IE8/9/10/Chrome - We need to tailor the requirements for the usage scenario

Customize a launch of a browser by providing a URL

Customize a launch of a browser by providing additional parameters (kiosk mode, incognito, disable features)

Customize the appearance of a browser (Red/Blue/Green)

Customize the browser using a .vbs script wrapper, to disable specific controls
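The launch-customization steps above, as an added example that replaces the demo's .vbs wrapper with a PowerShell one (this is not the session's or Citrix's code): the published application invokes the wrapper with a URL, the wrapper admits only https URLs whose host is on an assumed allowlist, picks the browser that site needs, and adds the lockdown switches for that scenario (Chrome kiosk/incognito with extensions disabled, or IE kiosk plus InPrivate). The hosts and install paths are assumed; the colour cue for the Red/Blue/Green browsers is left to the image's themes.

```powershell
# Added example, not the session's .vbs wrapper: a PowerShell launch wrapper for a
# published browser. It accepts only https URLs on an assumed allowlist, picks the
# browser the target app needs, and adds the lockdown switches for that scenario.
param([Parameter(Mandatory)][string]$Url)

$Targets = @{
    # host (assumed)            browser    extra switches for this scenario
    'pay.example.internal'    = @{ Exe = 'chrome'; Args = @('--incognito', '--disable-extensions') }
    'legacy.example.internal' = @{ Exe = 'ie';     Args = @('-k') }   # -k = IE kiosk mode; site renders via Enterprise Mode
}

function Get-LaunchCommand {
    param([string]$Url, [hashtable]$Targets)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        throw "Refusing to launch: only absolute https URLs are published"
    }
    if (-not $Targets.ContainsKey($uri.Host)) {
        throw "Refusing to launch: $($uri.Host) is not a published site"
    }
    $t = $Targets[$uri.Host]
    switch ($t.Exe) {
        'chrome' {
            $exe     = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"   # assumed install path
            # --kiosk hides the address bar so the user cannot navigate away by hand
            $argList = @('--kiosk', '--no-first-run', '--disable-background-networking') + $t.Args + @($uri.AbsoluteUri)
        }
        'ie' {
            $exe     = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
            $argList = $t.Args + @('-private', $uri.AbsoluteUri)   # -private = InPrivate, nothing cached in the profile
        }
    }
    return @{ FilePath = $exe; ArgumentList = $argList }
}

$cmd = Get-LaunchCommand -Url $Url -Targets $Targets
# -Wait keeps the published-app session alive exactly as long as the browser runs
Start-Process -FilePath $cmd.FilePath -ArgumentList $cmd.ArgumentList -Wait
```

Because the host check runs before any browser starts, a mistyped or tampered URL in a StoreFront shortcut fails closed rather than opening a full-featured browser in the enclave.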

(6) Secure Enclave (proxy/av/ids/ips) - We control the placement now! We need to harden the Network

Demonstrate a restricted browser, getting blocked going to a site (current lab has NS/IDS/IPS/Firewall/AntiVirus/Proxy/DNS&IP reputation lists)

--- I'm not really sure if showing these other components helps, but I like this demo, since you can put an ad blocker at the network level, instead of the application level (defence in depth)

44 © 2016 Citrix

Q&A

45 © 2016 Citrix

References:

Citrix Security and Compliance

• http://www.citrix.com/security

Citrix Common Criteria Resources

• http://www.citrix.com/about/legal/security-compliance/common-criteria.html

NetScaler Security Best Practices: Secure Deployment Guide for NetScaler MPX, VPX, and SDX Appliances

• http://support.citrix.com/article/CTX129514

Payment Card Industry (PCI) and Citrix XenApp and XenDesktop Deployment Scenarios

• http://www.citrix.com/content/dam/citrix/en_us/documents/support/payment-card-industry-and-citrix-xenapp-and-xendesktop-deployment-scenarios.pdf

Citrix solutions for Healthcare and Compliance

• https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-solutions-for-healthcare-and-hipaa-compliance.pdf

Citrix XenApp and XenDesktop FIPS 140-2 Sample Deployments

• https://www.citrix.com/content/dam/citrix/en_us/documents/about/citrix-xenapp-and-xendesktop-76-fips-140-2-sample-deployments.pdf


47 © 2016 Citrix

You might be wondering how much we know about your experience with our products, and what we’re doing to improve product quality and make your experience better.

Our product supportability efforts are the result of paying attention to the issues and concerns you raise when engaging with our Support teams as well as the feedback you provide to our Sales and Consulting groups.

The details you see here speak to some of the work we’ve done already, and where we’re currently focused.

For more details on supportability efforts, visit: www.citrix.com/supportability
