Securing Your Terminal/Citrix Servers with The Security Configuration Wizard
Thursday, 16 March 2006 by Michel Roth

Terminal/Citrix environments by their very nature allow interactive access to their servers. Interactive access to a server also happens to be the Valhalla in hackerland. Seems like you're stuck between a rock and a hard place, right? There's only one thing to do: secure those servers! One of the tools you should use to secure your servers is the Security Configuration Wizard.

Introduction

First up, you need to know that the Security Configuration Wizard requires Windows Server 2003 Service Pack 1. The Security Configuration Wizard is a free tool from Microsoft which you can use to secure your servers. The Security Configuration Wizard (SCW) is a so called the "attack surface reduction tool". It works by scanning your server to see what role (or roles) it has. Then it determines what the minimal software requirements for that role (or roles) are and allows you to disable everything else. This results in a Security Policy that you can easily apply to other servers which perform the same role(s). Since Terminal / Citrix server environments usually consist of many of the exact same servers, the Security Configuration Wizard is an excellent tool to secure these servers.

 

What does the Security Configuration Wizard Do?

Before you can use the Security Configuration Wizard you have to install it first: the Security Configuration Wizard is not installed by default. You have to add it via add/remove programs by adding the Security Configuration Wizard Windows Component.


Figure 1: Adding the Security Configuration Wizard Role

Once you've installed the Security Configuration Wizard you'll find it under Administrative Tools > Security Configuration Wizard.

Alternatively you can just execute "scw.exe" and that will also start the Security Configuration Wizard.

The Security Configuration Wizard then takes you trough a multitude of steps where you have to input information about your server. Let's take a look at what the Security Configuration Wizard configures:

First, it will ask you whether you want to create a new policy, edit an existing one, apply an existing one or roll-back an applied policy. The latter is particularly neat when you're developing your specific policy and it turns out that you've been a tad bit too restrictive...

Next you will have to select a server which will serve as a template/baseline for this specific configuration. In our case, when using the Security Configuration Wizard to configure a Terminal/Citrix server make absolutely sure that the server you are using is indeed representative for all the other Terminal/Citrix servers you want to apply this policy to.


Figure 2: Selecting the template / baseline server

After the Security Configuration Wizard loads its configuration database, you'll get to the actual configuring. Let's take a look at what the Security Configuration Wizard configures:

Server Roles
Here the Security Configuration Wizard scans your server to see what role(s) are installed on the server. You can then select which roles you actually want to enable in the policy.

Client Features
The Security Configuration Wizard shows you what client roles are installed on your server. Here you can select which client features you want enabled.

Administration and Other Options
In this section, you can choose administration options such as error reporting and Terminal Server printer redirection, as well as other application options and Windows features that use services and ports. Note that all the options listed here are derived from the choices you made in the Server Roles section earlier.

Additional Services
Some services installed on your computer might not be in the Security Configuration Wizard database. These are the services that are shown in this section. Typically, Non-Microsoft services show up here. So this is where you'll get to configure Citrix services.

Handling Unspecified Services
This is a really important one. In this section you'll configure what the Security Configuration Wizard does with services that aren't installed on this current server, when you are applying a Security Configuration Wizard policy to other servers. You can select one of two choices:

  • Disable every service that isn't in the current policy
  • Do nothing to services that aren't in the current policy


Figure 3: Disabling unspecified services

This is why it is so important that your template / baseline server is exactly the same as the servers you want to apply the Security Configuration Wizard policy to. If you do this correctly then you can easily select "Disable the service".  This setting is the recommended one if you want to thoroughly secure your Terminal / Citrix servers.

In the next Window you'll get a summary of the configuration you specified. It shows you the current state of a service and the state of the service after your configuration has been applied. Note that your configuration is not applied yet.

Network Security
In this section of the Security Configuration Wizard you can configure Windows Firewall and IPsec. You can choose to skip this section completely, but it is recommended that you configure Windows Firewall and IPsec to facilitate optimal security.

Open Ports and Approved Applications
In this first section the Security Configuration Wizard shows you what ports were listening for the roles and components you selected in the previous sections of the Security Configuration Wizard. If an application uses more than one port, this can only determined by "hovering" over the description or by clicking on the triangle.

All the ports that you select can accept incoming connections, all other connections are dropped.


Figure 4: Selecting inbound ports and associated applications

In the next screen you will be asked to confirm the choices you made in the screen depicted above. Double-check to be sure that you have selected all inbound connections you need on your server because all other inbound traffic will be blocked.

Registry Settings
This is where you configure a number of settings of your server related to authentication protocols and LDAP and SMB signing. It's imperative that you have a thorough understanding of what these sections mean. Like the wizard says, if you are not sure what to configure here, just skip this section. Not configuring these settings correctly will either result in problems ranging from the inability of clients authenticating to this server to opening up your network for hash-cracking attack attempts.

The settings that are covered are:

  • Require SMB Security Signatures
  • Require LDAP Signing
  • Outbound Authentication Methods
  • Outbound Authentication Methods Using Domain Accounts
  • Outbound Authentication using Local Accounts
  • Inbound Authentication Methods
  • Registry Settings Summary

Audit Policy
In this final section the Security Configuration Wizard allows you to configure the audit settings for your server. The Security Configuration Wizard presents you with three choices:

  • Do not audit
  • Audit successful activities
  • Audit successful and unsuccessful activities

What you select depends on your auditing needs. Know that the first choice naturally is the least demanding on your server and the latter the most demanding. It's important to know that proper auditing can only be successful if you periodically review your (security) audit logs. Even better, use an automated system to review your (security) audit logs.

Another thing to know is that the Security Configuration Wizard also enables you to audit access to the file system. To this end the Security Configuration Wizard comes with the SCWAudit.inf, which configures system access control lists (SACLS). This ensures that your server records write access by any user to any executable or configuration files in the Windows directory structure, and changes to the state or configuration of Windows services. Outside of these objects there's no additional SACLS configured.  Remember that events that write to the Windows directory structure, such a Service Packs, create massive logs.

The settings made by the SCWAudit.inf are the only settings that can not be reverted by rolling back the Security Configuration Wizard settings. To roll back these settings (to the default SACLS) you have to import "DefaultSACLs.inf" from C:\WINDOWS\Security\Msscw\Kbs. Consult the Security Configuration Wizard for more information.
 

Terminal/Citrix Server Specific Configurations

When utilizing the Security Configuration Wizard to configure your Terminal/Citrix servers, it's important to pay extra attention to the (additional) services section and to the ports section in network security.

For example when running the Security Configuration Wizard on a Citrix Presentation Server 4.0 Enterprise Edition server, you could encounter the following additional services:


Figure 5: Additional Terminal / Citrix Server specific additional services

Be sure to double check if all the services are shown in this window. Depending on your setup your server could have the following additional services running:

  • ADF Installer Service
  • Citrix CPU Utilization Mgmt/Resource Mgmt
  • Citrix CPU Utilization Mgmt/User-Session Sync
  • Citrix Licensing WMI
  • Citrix Print Manager Service
  • Citrix SMA Service
  • Citrix Virtual Memory Optimization
  • Citrix WMI Service
  • Citrix XTE Server
  • CitrixLicensing
  • Client Network
  • Independent Management Architecture
  • License Management Console for Citrix Licensing
  • MetaFrame COM Server

Again remember that this is your template server. If this, for example, is not the Citrix licensing server then the licensing components won't show up here. Applying the resulting security policy to a server that is the Citrix licensing server could severely mess things up.

For strictly Terminal Server deployments, keep an eye out for services like Terminal Services Session Directory.

You also need to pay extra attention to the ports section of the Network Security component of the Security Configuration Wizard:


Figure 6: Configuring incoming ports for a Citrix Server

This is where you will be able to open up your system for incoming ports required by the software on your server. Citrix specific ports could be any of the following:

Name

TCP/UDP

Portnumber

ICA

TCP

1494

IMA

TCP

2512

CMC

TCP

2513

SSL

TCP

443

STA (IIS)

TCP

80

TCP Browsing

UDP

1604

XML (integrated with IIS)

TCP

80

Citrix License Management Console

TCP

8082

Presentation Server Licensing

TCP

27000

Session Reliability

TCP

2598

Double-check if the incoming port for 1494 is detected; I've seen examples of when the Security Configuration Wizard does not detect the need for this incoming port. Citrix has a support article up on this. Read it here.

Also, don't forget to think about other third party software, like agents for backup programs or other tools that add functionality to your Terminal Servers (Softgrid, WISDOM).

 

Advanced Configurations

Of course, like any good tool, the Security Configuration Wizard comes with a command-line version as well: scwcmd.exe. You can use Scwcmd for the following tasks:

  • Configure one or many servers with an SCW-generated policy
  • Analyze one or many servers with an SCW-generated policy
  • View analysis results in HTML format
  • Roll back SCW policies
  • Register a Security Configuration Database extension with SCW
  • Transform an SCW-generated policy into native files that are supported by Group Policy

That's right, scwcmd allows you to transform a Security Configuration Wizard policy (.xml file) into a GPO. This is one of the powerful features of this tool. Remember that any Internet Information Services (IIS) settings that are defined in the SCW policy will be lost during the scwcmd transform operation because Group Policy does not support configuration of IIS settings.

Just link this GPO to the OU which holds the servers that you created this policy for and you're done!

You can also customize the Security Configuration Wizard to include role definitions beyond the default set provided in Windows Server 2003 Service Pack 1. Microsoft has put up a detailed whitepaper on this.

 

Conclusion

There's more than one way to skin a cat. You can for example use just Group Policy to control the state of the service. The real value of the Security Configuration Wizard lies in its name. In its last name actually: wizard. It walks you through every step needed to create a detailed security policy consisting of previously separate components of Windows security. The ability to export Security Configuration Wizard policies to a GPO makes for excellent integration with existing Active Directory infrastructures.

So as long you pay proper attention to selecting a appropriate template /baseline server, the Security Configuration Wizard is an excellent tool in helping you secure your servers.

 

This article was previously published at MSTerminalServices.org. 


Related Items:

Security Configuration Wizard Walkthrough (30 January 2006)
Security Configuration Wizard Documentation (27 January 2006)
Security Configuration Wizard Documentation (13 May 2005)
TechNet Webcast: Security Configuration Wizard in Windows Server 2003 Service Pack 1 (Level 300) (25 May 2005)
Securing Your Terminal/Citrix Servers with The Security Configuration Wizard (16 March 2006)
Security Configuration Wizard 80 Minute Hands On Lab (1 May 2005)
Windows 2003 SP1 Security Configuration Wizard Webcast (15 February 2005)
Windows Server 2003 Service Pack 1 Downloads (31 March 2005)
Locking Down Windows Terminal Services (30 May 2007)
Windows 2003 Service Pack 1 Release Candidate 2 Available (9 February 2005)
Comments (0)