How to Deploy XenDesktop LTSR with DISA STIGs

Nicholas Czabaranek

6 years ago

If you’re a US Government DoD IT engineer or administrator, then you’re undoubtedly familiar with the Secure Technical Implementation Guides (STIGs) produced by the US Defense Information Systems Agency or DISA for short. These guidelines dictate security measures that must be applied to various IT systems in order to secure them in accordance with US Government standards. While this is great for security, it can often lead to frustrating situations as STIGs may break vendor software functionality… Citrix included!

No worries, Citrix Consulting is here to rescue you from the frustration of using the latest applicable DISA STIGs with the Citrix XenDesktop 7.15 Long Term Service Release!

This blog series will detail how to install and configure our XenDesktop 7.15 LTSR base software packages with the latest STIG revisions as of the date of each articles posting. I’ll be walking through various Server OS and Citrix XenDesktop components as our internal testing and validation is completed. Links will be posted in this overview article so you can bookmark this for later reference.

Who is this for?

Anyone who is responsible for running a Citrix environment in accordance with DISA STIGs. Whether you are just beginning to deploy, going through a security audit, or have already broken something… this blog series is for you! It may also be useful for those who wish to apply additional security controls to their XenDesktop environment outside of US DoD.

How do I use it?

Each article will detail the following information:

Server OS and XenDesktop component versions tested.
Applicable DISA STIG versions applied to the component.
How to successfully install and configure the component with STIGs.
Which vulnerabilities exceptions must be addressed through a Plan of Action and Milestone (POA&M) with supporting information.
Additional best practices and suggestions based upon our Consulting teams experience in the field with US DoD environments.

Testing methodology:

The complete testing environment has been STIGed to ensure it reflects a vanilla US DoD Windows Enterprise environment as closely as possible.
Base environmental STIGs were applied and audited prior to each components installation, as well as after installation, and after production-style configurations were completed.
Basic component functionality will be unit and system tested to ensure full XenDesktop functionality in most use cases.
All OS installations off vanilla Microsoft or DISA Secure Host Baseline (SHB) ISOs with recent patches applied.
The environment has been completely disconnected from Internet access to simulate air-gapped networks.
McAfee HBSS was disabled for installation and testing. I may post more information regarding this topic and specific XenDesktop components (PVS anyone?) in the future. For now, I always recommend disabling antivirus, HIPS, DLP, etc. when installing XenDesktop software!
STIG audits were done on each component through a combination of SCAP scans and manual checks resulting in as close to 100% success as possible.

Caveats:

These blogs will not cover peripheral components like Active Directory or DNS directly.
While components of XenDesktop 7.15 LTSR were used for testing, many configurations, recommendations, and vulnerability exceptions may apply to other versions of our XenDesktop product.
Authentication to all components will be assumed to use Smart Card or Username and Password.
Every environment is different, and there is no guarantee that other security controls will not cause issues with our products.
Every use case has not be tested and validated. If you are running into specific issues feel free to post in the comments of this the relevant component article.
These configurations adhere as much as possible to full STIG compliance and do not take the user experience into consideration. In the real world, always think about the user impact before applying security configurations!

Blog Series Articles: