5. RDP version history (features added per release):
- Windows NT 4.0 Server, Terminal Server Edition: Citrix MultiWin Technology
- Windows 2000 Server: TS is part of the core OS
- Windows XP Professional: 24-bit color
- Windows 2003: console redirect, session directory, local resource mapping, Transport Layer Security (TLS)
- Windows Vista: support for WPF, Network Level Authentication, multi-monitor
- Windows 2008: new console connect, seamless windows, easy print, RDP gateway
- Windows 2008 R2: media player redirect, bi-directional audio, better multi-monitor support, Aero glass layer, bitmap acceleration, language bar docking
- Windows 2008 R2 SP1: RemoteFX
- Push to the Cloud
8. Direct access: matching device trust to data sensitivity
- Clients (TRUST axis): Managed clients, Windows 7; Windows, MAC, Linux; Slates and tablets, smartphones, etc.
- Access paths: SSL gateway; TMG/UAG; RDGW; HTTP(S) / Remote Desktop APP publish; TMG
- Data: HIGH: Confidential, Business Intelligence (payroll, Finance) sensitivity; MEDIUM: Medium level Line of business; LOW: Low level Line of business, Email / files read only
9. TRUST: Who, Device, Where
- Managed clients, Windows 7
- Windows, MAC, Linux
- Slates and tablets, smartphones, etc.
10. Data sensitivity
- HIGH: Confidential, Business Intelligence (payroll, Finance) sensitivity
- MEDIUM: Medium level Line of business
- LOW: Low level Line of business; Email / files read only
11. Direct access: matching device trust to data sensitivity
- Clients (TRUST axis): Managed clients, Windows 7; Windows, MAC, Linux; Slates and tablets, smartphones, etc.
- Access paths: SSL / VPN gateway; TMG/UAG; RDGW; HTTP(S) / Remote Desktop APP publish; TMG
- Data: HIGH: Confidential, Business Intelligence (payroll, Finance) sensitivity; MEDIUM: Medium level Line of business; LOW: Low level Line of business, Email / files read only
12. Trust is a combination of Identity + Device and Health + Location + RBAC model
- Identity: how sure are you that the person telling you who they are is actually who they are? Increase by: complex password, multi account, multi factor auth, ...
- Device and Health: what device is being used, and how sure are we of the health of the user? Increase by: health inspection, device jump, call and enable, ...
- Location: how confident are we about the physical and logical location? Increase by: changing physical location, logical network, ...
- Clients on the TRUST axis: Managed clients, Windows 7; Windows, MAC, Linux; Slates and tablets, smartphones, etc.
14. Remote Desktop Gateway placement options:
- No DMZ: RDG in the LAN
- RDG in the DMZ, no Active Directory: dual auth. required
- RDG in the DMZ, with Active Directory
- Reverse Proxy in the DMZ (TMG / UAG), RDG in the LAN
27. Drivers for the new remoting stack:
- Wide range of network conditions: mobile devices, WAN
- New client devices and form factors: touch, slates
- Fast and fluid graphics: Windows Metro style user interface
28. RemoteFX building blocks:
- RemoteFX for WAN
- RemoteFX Adaptive Graphics
- RemoteFX Media Remoting
- RemoteFX Multi Touch
- RemoteFX USB Redirection
- Metro Style Remote Desktop App
- Choice of software or physical GPU, vGPU for VM
- Available for sessions, VMs and physical machines
- Broad range of clients supported
36. Windows Metro style UI and Applications (HTML, XAML, Native, etc.)
- RemoteFX Intelligent Caching
- Codecs: RemoteFX Media Remoting, RemoteFX Progressive Rendering, RemoteFX Optimized Text, RemoteFX Calista Codec
- RemoteFX Protocol Encoding
- RemoteFX for WAN Transports
- RIGHT TYPE OF CODEC FOR EACH TYPE OF CONTENT
38. • Text is sent as text and always sharp => think of pinch zoom blurring
RDP version history:
- V4.0 (1998) Windows NT 4.0 Server, Terminal Server Edition (required Citrix MultiWin Technology)
- V5.0 (2000) Windows 2000 Server => TS is part of the core OS
- V5.1 (2001) Windows XP Professional => added 24-bit color
- V5.2 (2003) Windows 2003 => console, session directory, local resource mapping, Transport Layer Security (TLS)
- V6.0 (2007) Windows Vista => support for WPF, NLA, multi-monitor
- V6.1 (2008) Windows 2008 => new console connect, seamless windows, easy print, RDP gateway
- V7.0 (2009) Windows 2008 R2 => media player redirect, bidirectional audio, better multi-monitor support, Aero glass support, bitmap acceleration, language bar docking
- V7.1 (2010) Windows 2008 R2 SP1 => RemoteFX
8 steps to protect Windows systems against pass-the-hash attacks:
1. Prevent dependency of higher-security systems on low-security systems, or even maximally isolate security systems (network segmentation as part of the security solution).
2. Enforce LUA (least user access): minimum rights to the user.
3. Avoid using LM and NTLM in your network:
   - via GP: Computer Configuration - Security Settings - Local Policies - Security Options - Network security: LAN Manager authentication level - set to "Send NTLMv2 responses only / refuse LM and NTLM"
   - via Regedit: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel - set to 3 on clients, 5 on servers.
4. Limit the logon credential cache. Until Win2k8 the default is 10; since W2k8 it is 25 by default. Change it over Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - add the REG_SZ value "CachedLogonsCount" (0-50).
5. Disable the "Debug programs" user right. By default it is part of local admin rights only. GP: Computer Configuration - Security Settings - Local Policies - User Rights Assignment - Debug programs - remove all users.
6. Use token-based auth (a money-consuming feature).
7. Use Kerberos with smart cards as the auth solution. This prevents password attacks (keylogging, capturing, etc.) but brings another set of attacks (card stealing, copying, etc.) and in practice does not prevent pass-the-hash attacks.
8. Implement regular monitoring of systems for newly created accounts, audit changes of privileges, etc.
Some trivial, some new steps, but for those who are interested: read the full article.
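As an added audit script (not part of the slide deck or the article it summarises), the following PowerShell reads the settings behind steps 3, 4 and 5 on the local machine and reports whether they match the recommendations above. It assumes an elevated session on Windows and uses secedit to export the user-rights assignment; the $MaxCachedLogons threshold is an assumption, since the deck only says to limit the cache.

```powershell
# Added audit script, not part of the slide deck: reports the settings behind
# steps 3, 4 and 5 of the pass-the-hash list on the local machine.
# Assumes an elevated PowerShell session on Windows; $MaxCachedLogons is an
# assumed threshold, the deck only says to limit the cache.
$MaxCachedLogons = 1
$findings = @()

# Step 3: LmCompatibilityLevel. 3 = send NTLMv2 only; 5 also refuses LM/NTLM.
$lm = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$findings += [pscustomobject]@{
    Check = 'LmCompatibilityLevel'; Current = $lm; Expected = '3 on clients, 5 on servers'
    Ok = ($null -ne $lm) -and ([int]$lm -ge 3)
}

# Step 4: CachedLogonsCount is a REG_SZ in the Winlogon key (0 disables caching).
$cached = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$findings += [pscustomobject]@{
    Check = 'CachedLogonsCount'; Current = $cached; Expected = "<= $MaxCachedLogons"
    Ok = ($null -ne $cached) -and ([int]$cached -le $MaxCachedLogons)
}

# Step 5: holders of "Debug programs" (SeDebugPrivilege). secedit writes the
# local policy to an .inf where the right is a comma-separated list of *SIDs.
$inf = Join-Path $env:TEMP 'pth-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = (Select-String -Path $inf -Pattern '^SeDebugPrivilege\s*=' | Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }   # not a SID (already a name) or untranslatable: keep the raw entry
    })
}
$findings += [pscustomobject]@{
    Check = 'SeDebugPrivilege holders'; Current = ($holders -join '; '); Expected = 'none'
    Ok = ($holders.Count -eq 0)
}

# An empty Current means the value is not set and the OS default applies.
$findings | Format-Table -AutoSize
```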
Get-WmiObject -Class Win32_ComputerSystem
RemoteFX building blocks:
- RemoteFX for WAN => full rich desktop over WAN networks
- RemoteFX Adaptive Graphics => rich content and features that take WAN and CPU into account
- RemoteFX Media Remoting => remote more types of content using standard codecs such as H.264 (a block-oriented, motion-compensation-based codec)
- RemoteFX Multi Touch => mouse + keyboard + multi touch
- RemoteFX USB Redirection
- Metro Style Remote Desktop App => easy to interface, end-user oriented
- Choice of software or physical GPU, vGPU for VM => no hardware required, but a physical GPU can still help
- Available for sessions, VMs and physical machines => all types of RDP servers have the same capabilities
- Broad range of clients supported => fat and thin clients all have the same possibilities
TCP is chosen because of policy / port blocking / ...; even this TCP-only setup in Windows 8 will be better than Windows 7.
Here is the improved RemoteFX for WAN. It isolates traffic to the optimal transport. Note the UDP / TCP split of the traffic: this segments text vs. audio (etc.). UDP => recovers from loss where needed, security, ...
Take the applications on the server => optimize delivery for the network to the client. Media remoting => application specific => Windows Media Player / RealPlayer. Calista codec => application generic. RIGHT TYPE OF CODEC FOR EACH TYPE OF CONTENT.
Has been used in browsers for a very long time; now also in RDP, and on pictures only.
Direct: TCP 3389 + UDP 3389. GW: TCP 433 + UDP 3391.
Remote actions: App bar, Charms, Snap
Last desktop preview can be turned off
Get out of the RDP screen and move in at the bottom left