SYN 321: Securing the Published Browser

1 © 2016 Citrix
Session Number/Session Title:
SYN321: Securing the published browser
Session Description:
Browsers are the most common published application in virtualized environments—and also
the most exposed to security issues, as they’ve historically been one of the most vulnerable
pieces of software on any end point. The security concerns with browsers are legendary and
involve complex settings, third-party plugins, active content, Flash, JAVA and other
components that must be kept under strict control. XenApp and XenDesktop provide unique
methods to fine-tune browser security and protect sensitive data across web applications,
compliance environments, administrative portals, email and the cloud. Join this session for a
discussion of “when bad things happen to good browsers” including demos of common
security problems and their solutions.
In this session, you will learn:
• How to lock down browsers at the end point for accessing both virtualized and web
environments
• Guidance for hardening published browsers, including group policy and PowerShell
configuration of security policies
• How to tune browser components to be application-specific and further minimize the
attack surface

2 © 2016 Citrix
Session Date-Time/Location:
5/24/2016, 2:00 p.m. – 3:30 p.m. / Murano 3304
Session Track: Desktop & App Delivery, Security
Session Level: Technical - Advanced
Session Owner: Calvin Hsu
(Contact with any questions regarding session content and direction)
Image source:
http://www.bing.com/images/search?q=browser&view=detailv2&qft=+filterui%3alicense-
L2_L3&id=E6F8E72F843D7D4187ED4FDBB88C61EB4DDF034A&selectedIndex=1&ccid=b%2bj
OseF4&simid=608051161184536293&thid=OIP.M6fe8ceb1e178b94805643ce78575472do0&
ajaxhist=0
(License selected: Free to modify, share and use commercially)

3 © 2016 Citrix
@JHNord @CitrixSecurity @atofunk

5 © 2016 Citrix
Source: https://cis.citrix.com/insights/#/product-insights/xenapp-and-xendesktop

7 © 2016 Citrix
[Kurt]
• We’re addressing local browsers for access to virtualization resources, as well as
datacenter and cloud-hosted browsers. Reverse seamless???
• The guidance provided is appropriate for corporate, home and third-parties
• Plugins include Flash player, Silverlight, JAVA, Acrobat, etc.
• The goal is a “browser enclave”, where a problem with the browser/content is contained
• Througout this conversation, we will be discussing the tradeoffs between security and
functionality, along with those between anonymity and auditing.
• Introducing the Securing the Published Browser Whitepaper

8 © 2016 Citrix
Eric Beiers is a solution architect that works with the largest enterprises of Canada
to help develop and realize their virtualization, cloud and networking strategies and vision.
Eric was the previous technical lead of Citrix Consulting Canada, as the Enterprise Architect
for the country where he architected many large global deployments of Citrix, with high
security kept at top of mind.
Joseph Nord is Security Product Manager for Citrix where he authors the XenApp and
XenDesktop product requirements for security and authentication features and manages the
completion of certifications and compliance including Common Criteria, FIPS, PCI and HIPAA.
Joe works with customers, partners and Citrix sales teams to help customers achieve their
security goals.
As Chief Security Strategist for Citrix, Kurt Roemer leads security, compliance, risk and privacy
strategies for Citrix products. As a member of the Citrix CTO and Strategy Office, Roemer
drives ideation, innovation and technical direction for products and solutions that advance
business productivity while ensuring information governance.
An information services veteran with more than 30 years experience, his credentials include
the Certified Information Systems Security Professional (CISSP) designation. He also served
as Commissioner for the US public-sector CLOUD2 initiative and led efforts to develop the PCI
Security Standards Council Virtualization Guidance Information Supplement while serving on
the Board of Advisors.

9 © 2016 Citrix
[Kurt, Joe, Eric]
Image Source:
http://atom.smasher.org/vegas/?l1=Tonight+Only%21&l2=Eric%2C+Joe+and+Kurt&l3=&l4=Ju
st+Browsing

10 © 2016 Citrix
[Eric]
DEMO
(1) Corporate site, going to the bad place on the network + secure browser - Why should we
care?
Show an example of launching a webpage from a local computer
No restrictions, all wide open, user can go to the bad places on the Internet and accept the
warnings
Not centrally managed, and no technical policy to enforce corporate policy
Launch a secure browser site, show the idea that if you have a current generation browser,
you can launch a browser, from within another browser

14 © 2016 Citrix
[Joe, Kurt]
Image Source:
http://www.bing.com/images/search?q=scared&view=detailv2&qft=+filterui%3alicense-
L2_L3&id=5EDE5975BAE94FA5D3220CE607E8E2A89B00108B&selectedIndex=15&ccid=%2b4
zu3HEl&simid=608021049168429905&thid=OIP.Mfb8ceedc7125e5beeb3003b20b442c4fo0&
ajaxhist=0

15 © 2016 Citrix
• Integrated browsers, installable browsers, browser appliances
• Local browser access with URL redirection. Remote PC.
• Persistent and non-persistent
Image Source:
http://www.amazon.com/HP-Chromebook-14-Celeron-14-
inch/dp/B0172GUW4I/ref=sr_1_7?s=pc&ie=UTF8&qid=1463513119&sr=1-
7&keywords=hp+chromebook

16 © 2016 Citrix
[Joe, Kurt]
Value of running hosted, things to lock down, ability to restrict clipboard (one-way) and
format limiting, turn off client drive mapping, printing…everything you don’t need
Trash Can – disposable browser
Goal is a desired state that’s reproducable through configuration
Can use PowerShell to validate
chrome://policy/
Chromebook
TLS 1.2

17 © 2016 Citrix
Image Source:
http://www.bing.com/images/search?q=browser+security&view=detailv2&qft=+filterui%3alic
ense-
L2_L3&id=BE5DEFEF0C048783BA227F05923AD344BDDD79E2&selectedIndex=41&ccid=AuIvj
mdB&simid=608044065901576378&thid=OIP.M02e22f8e6741ea58c447277ba237d4eco0&aj
axhist=0

18 © 2016 Citrix
[MZ] This is a big deal. Do you want to force all your users to use legacy version of browser
just because you have one application that requires it? Wouldn’t it be nice if you could
choose which browser you want to use with each of the critical applications?

19 © 2016 Citrix
[MZ] This is a big deal. Do you want to force all your users to use legacy version of browser
just because you have one application that requires it? Wouldn’t it be nice if you could
choose which browser you want to use with each of the critical applications?

20 © 2016 Citrix
Level 1, 2
Green, Yellow, Red [high-level data sensitivity classification]
Sensitive apps
Options
PCI
Enterprise mode – compatibility setting in IE11 (configure for IE8 compatibility)
Lockdown vs. relaxation

21 © 2016 Citrix
Tradeoffs?
Forbes
Turn off address bar
Enterprise mode – compatibility setting in IE11 (configure for IE8 compatibility)
Be aware of site-specific policies, such as preference for HTML5 over Flash
Persistence
Redirects
Whitelisting and blacklisting? (domains, plugins, active content)

22 © 2016 Citrix
DEMO - Build and harden the OS
(2) Building the OS image (powershell creation) + How to add applications
(powershell/vbs/mcs) - We need to build and harden the OS
Explain the idea of consistency of images, and you need some way to automate, since if you
do this a few times by hand, it will never be the same
Want to build the system by installing certain services, disabling some services,
Demonstrate installing applications using powershell
Explain the idea of converting the image to a gold image for use in MCS or PVS, and having a
non-persistent image allows us to reboot, and go back to a known clean state (no demo, just
console?)

25 © 2016 Citrix
Image source:
http://www.bing.com/images/search?q=under+construction&view=detailv2&qft=+filterui%3
alicense-
L2_L3&id=05B56A181A55837CEDFD8E8E4F905E62CC877603&selectedIndex=9&ccid=3e6v8Z
qr&simid=608034458058622883&thid=OIP.Mddeeaff19aab382d52bbea2fb0ac844bo0&ajaxh
ist=0

27 © 2016 Citrix
(3) How to configure/lock down browser (GPO/GUI) - We need to configure and harden the
browser (part 1)
Review of the GUI of the browser, talk through some of the key settings
Show how to configure IE11, using group policy
Show how to install an ADMX template (or skip but explain), and then use that template to
configure Chrome and Firefox
(4 or merge with 3) Enterprise Mode/trusted sites configuraiton/proxy configuration - We
need to configure and harden the browser (part 2)
When configuring a browser, certain sites might require compatibility viewing, or a lessened
security posture.
Demonstrate using GPOs to configure the trusted sites configuration
Demonstrate configuration of the proxy (several ways to do this, GUI/GPO/PowerShell/WPAD
(choose one)
Demonstrate creating an enterprise mode list in XML (https://technet.microsoft.com/en-
us/itpro/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-
using-the-version-1-schema-and-enterprise-mode-tool,
https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/turn-on-
enterprise-mode-and-use-a-site-list)

43 © 2016 Citrix
Storefront, workflow, tab for each browser…
Colors
3 different Chrome, 3 different background colors
Use cases – protection of cloud-based apps
DEMO
(5) Launch and customize applications (Colours, switches, vbs wrapper) IE8/9/10/Chrome -
We need to tailor the requirements for the usage scenario
Customize a launch of a browser by providing a URL
Customize a launch of a browser by providing additional parameters (kiosk mode, incognito,
disable features)
Customize the appearance of a browser (Red/Blue/Green)
Customize the browser using a .vbs script wrapper, to disable specific controls
(6) Secure Enclave (proxy/av/ids/ips) - We control the placement now! We need to harden
the Network
Demonstrate a restricted browser, getting blocked going to a site (current lab has
NS/IDS/IPS/Firewall/AntiVirus/Proxy/DNS&IP reputation lists)
--- I'm not really sure if showing these other components helps, but I like this demo, since you
can put an ad blocker at the network level, instead of the application level (defence in depth)

45 © 2016 Citrix
References:
Citrix Security and Compliance
• http://www.citrix.com/security
Citrix Common Criteria Resources
• http://www.citrix.com/about/legal/security-compliance/common-criteria.html
NetScaler Security Best Practices: Secure Deployment Guide for NetScaler MPX, VPX, and
SDX Appliances
• http://support.citrix.com/article/CTX129514
Payment Card Industry (PCI) and Citrix XenApp and XenDesktop Deployment Scenarios
• http://www.citrix.com/content/dam/citrix/en_us/documents/support/payment-card-industry-
and-citrix-xenapp-and-xendesktop-deployment-scenarios.pdf
Citrix solutions for Healthcare and Compliance
• https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-solutions-
for-healthcare-and-hipaa-compliance.pdf
Citrix XenApp and XenDesktop FIPS 140-2 Sample Deployments
• https://www.citrix.com/content/dam/citrix/en_us/documents/about/citrix-xenapp-and-
xendesktop-76-fips-140-2-sample-deployments.pdf

47 © 2016 Citrix
You might be wondering how much we know about your experience with our products, and
what we’re doing to improve product quality and make your experience better.
Our product supportability efforts are the result of paying attention to the issues and
concerns you raise when engaging with our Support teams as well as the feedback you
provide to our Sales and Consulting groups.
The details you see here speak to some of the work we’ve done already, and where we’re
currently focused.
For more details on supportability efforts, visit: www.citrix.com/supportability

SYN 321: Securing the Published Browser

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (17)

Similaire à SYN 321: Securing the Published Browser

Similaire à SYN 321: Securing the Published Browser (20)

Plus de Citrix

Plus de Citrix (20)

Dernier

Dernier (20)

SYN 321: Securing the Published Browser