Tighten Up Your Citrix and RDP Security

Both Citrix and Microsoft's RDP have been in widespread use for quite a long time. The technologies allow people to connect to remote systems to use desktop applications and administration tools. If you use these technologies every day, it might be a good idea to ask yourself whether your remote computing environment is as secure as it could be.

A couple weeks ago, Petko Petkov posted some very interesting information at his GNUCITIZEN Web site. Using Google, Petkov discovered numerous Citrix configuration (.ica) files that are located on .gov, .mil, and other domains. If you're familiar with Citrix configuration files, you know that they contain information that clients use to connect to servers. Along with server IP addresses, the information sometimes includes usernames and passwords.

Having .ica files indexed by Google and other search engines is obviously problematic, to say the least. Monday, I did a quick search on Google and found more than 600 .ica files, some of which did contain complete connection information. RDP connection files are also being exposed to the Internet and thus picked up by search engines. A quick search at Google revealed more than 300 RDP connection files. Searching Yahoo! for the same two file types revealed more exposed connection files.

In the blog post "CITRIX: Owning the Legitimate Backdoor," (at the URL below), Petkov outlines how easy it is to modify Citrix connection files to launch various programs, including command shells, after connecting to a remote server. It's also possible to enumerate available server farms, servers, and applications by using scripts. That sort of information can give an intruder a big head start in finding chinks in network armor. http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/

Citrix and RDP connection files should not be listed in search engines, which means that you need to protect access to those types of files. Furthermore, you need to make sure your Citrix and Windows Terminal Services installations are locked down tight. Otherwise an intruder will eventually come along and try to break in.

You also need to defend against email- and Web-based attacks that deliver specially modified Citrix and RDP connection files that could trick people into exposing sensitive data, trick them into uploading and downloading files, and so on.

For more information about the Citrix and RDP risks, be sure to read Petkov's blog post "Remote Desktop Command Fixation Attacks," at the first URL below, and his "Clear" post at the second URL below. In these posts, he elaborates on some of his concerns and provides links to lots of other related material.



Whenever someone brings to light risks such as these, related intruder activity increases. To get a rough idea of how such information stimulates activity, head over to The SANS Institute's Internet Storm Center and take a look at the traffic patterns for Citrix port 1484 (at the first URL below) and RDP port 3389 (at the second URL below). You'll notice spikes in traffic that coincide with Petkov's blog posts.



Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.