This post will cover the installation and configuration steps required for the Citrix StoreFront 3.12 Long Term Service Release on Windows Server 2012 R2 to comply with the applicable DISA STIGs as of early 2018.

This includes guidance for StoreFront compatibility with the following DISA STIGs:

• Windows Server 2012 R2 Member Server R2V11
• Windows Firewall STIG V1R6
• Internet Information Systems Server 8.5 V1R2
• Internet Information Systems Site 8.5 V1R2
• Microsoft Dot Net Framework 4.0 V1R4

These configurations are for StoreFront only and do not take into account other services that may be co-located on the same IIS server. These configurations may break those other services, so be mindful when utilizing the information below.

If you want some quicker reference information, see the Cheat Sheet section at the bottom of the post. If you are looking for more context around this blog series, please refer to my How to Deploy XenDesktop LTSR with DISA STIGs Overview.

Internet Information Systems and StoreFront Installation

Starting from a clean Windows Server 2012 R2 image, here are the steps to install Internet Information Systems (IIS) and StoreFront LTSR.

• Go ahead and apply the base OS, .NET, and Firewall STIGs detailed above prior to StoreFront and IIS installation. Many customers use Local or Group Policy to apply this.
• Install the Web Server (IIS) Role from Server Manager. Add the ASP.NET 4.5 feature under .NET Framework 4.5.
• Change the IIS root directory (IIS Site STIG V-76815) to a non-system drive. This MUST be done prior to StoreFront installation or you will run into upgrade issues due to improper directory pointers. There are many resources out there that show how to modify the IIS installation directory, but in general the following items need to be moved (ensure this is done using Administrator privileges): Log Files, History, ASP.NET Cache, Physical Path, Error Codes, wwwroot and ftproot folders, and the httpcompression directory.
• Rename the IIS Default Web Site now if necessary. This is not a DISA STIG but may be an internal security control. If you are not required to change the Default Web Site name, I recommend leaving it as is.
• Install StoreFront from the XenDesktop 7.15 LTSR installation ISO, ensuring you perform a checksum on the disc image prior (the hash value is available on our public download page). Only select StoreFront as the installation component and do not enable Call Home.

StoreFront Master Server Configuration

At this point you should have a single StoreFront server with a vanilla installation on a non-system drive. However, you’ll notice in IIS Manager that there is very little to perform STIGs on. For this reason, I now recommend that you make your base production StoreFront configurations. If this is not possible, at least create a base StoreFront Store with blank configurations. If your environment is disconnected from the Internet, I recommend disabling “Check for the publisher’s certificate revocation” in Internet Explorer under Settings > Advanced, or in Control Panel > Internet Options,to drastically improve the StoreFront console response time.

Perform the following base configurations from the StoreFront console:

• Open the StoreFront Console and select New Deployment
• Do not check Allow only unauthenticated (Anonymous) users to access this store.
• The Base URL should be the HTTPS load balanced web address of your StoreFront servers and not the individual server name. For example: https://desktops.customer.com instead of https://StoreFront01.customer.com
• Make your initial production StoreFront Store configurations. For example, adding XenDesktop sites and NetScaler Gateways, configuring authentication mechanisms, etc.
• Go to Manage Receiver for Web Sites, select your Store(s), select Configure > Advanced Settings and set Loopback Communication to Off (this is due to IIS Site STIG V-76807).
• On each StoreFront server using an elevated Notepad instance, open the Windows hosts files located at C:\Windows\system32\drivers\etc\hosts and add an entry for the Local IP of the StoreFront Server and the Load Balanced FQDN (the same FQDN that was used as the base URL earlier). For example, “192.168.1.120 desktops.customer.com”. Each StoreFront server will use its own unique IP, but the same FQDN in the hosts file. This is critical for the StoreFront callback to work along with IIS Site STIG V-76807.

StoreFront Server Groups and Propagation

At this point I recommend that you complete your other StoreFront server builds, add them to the same StoreFront Server Group, and then propagate your configurations prior to performing the STIG configurations in the rest of this post. You may run into issues here where you are able to join a Server Group, but not propagate changes. To fix this:

• Stop the Citrix Configuration Replication Service on all StoreFront servers if it is running.
• Temporarily add NT SERVICE\CitrixClusterService and NT SERVICE\CitrixConfigurationReplication to the local Administrators Group on all StoreFront servers (these may not appear until you attempt to propagate changes).
• Start the Citrix Configuration Replication Service on all StoreFront servers.
• Propagate changes from the master StoreFront Server.

IIS 8.5 Server STIG and Configurations

Once you have your base StoreFront configurations complete, I recommend you now complete the IIS Server 8.5 STIG configurations. For the most part you can apply the STIG controls per DISA instructions. Below are the most critical STIG steps to perform in IIS Manager along with additional guidance for specific vulnerabilities. If a vulnerability is not listed, then it is safe to apply according to DISA instructions.

• V-76761: Install the SSL certificate that will be used for the Base URL FQDN on all StoreFront servers. Remove SSLv3 and TLSv1 protocols from the Windows server through the registry per DISA instructions.
• V-76771: Select the IIS Server Name and ASP.NET Authorization. Remove All Users from this list and add Administrators with Allow permissions. Then select the Default Web Site and ASP.NET Authorization. Add All Users to this list with Allow permissions. This will allow StoreFront to function properly, but still adhere to V-76771.
• V-76725: If you have issues setting Regenerate expired session ID, change the Mode to Auto-Detect, enable it, then switch back to Use Cookies. It should be noted that older versions of the IIS 8.5 Server STIG had you set Use URI instead of cookies. This will break StoreFront but is not necessary for this revised STIG version.
• V-76685: If you are using a load balancer in front of StoreFront, you must set it to pass client IP addresses through to StoreFront. There are a few caveats to this regarding smart card authentication which requires SSL Bridge type load balancing, which not be able to natively insert the client IP address. See my article on using NetScaler to load balance STIGed StoreFront to accomplish this.
• V-76699: There are no configurations needed to satisfy this control as StoreFront uses Active Directory for all user management and not any other internal mechanisms.
• V-76711 (Mime types) and V-76731 (Machine Key set to HMAC256) can be set safely.

IIS 8.5 Site STIG Configurations

You are now ready to perform the IIS 8.5 Site STIG. This one is a little more involved and requires a bit more guidance than the Server STIG:

• V-76787: A duplicate from the IIS Server STIG. If you are using a load balancing server, you must set it to pass along the originating client IP address.
• V-76797: MIME types should be inherited already from the Server STIG V-76711. These are safe to set.
• V-76805: This cannot be done as StoreFront requires Full .NET trust to operate properly. It can be downgraded to a CAT III with supporting documentation.
• V-76807: The server Bindings should use the Base URL FQDN that was previously configured for StoreFront (for example, desktops.customer.com). If this is not done correctly, in addition to disabling Loopback Communication and the local Hosts file additions, it will break StoreFront services entirely!
• V-76809: SSL Client Certificates are required, but only the top-level Site. Click the Default Web Site and select SSL Settings and enable Client Certificates Required. Now click on the Citrix folder underneath the Default Web Site. Select SSL Settings and disable Client Certificates Required. For reference, this setting must stay off for all StoreFront Stores except for the StoreAuth\Certificates folder which is responsible for smart card authentication to StoreFront (per Store). This is a common issue, so double-check this setting if you are having authentication problems with StoreFront.
• V-76815: This was taken care of previously by moving the Default Web Site to a non-system drive. This is critical prior to StoreFront installation due to paths being written on install. Upgrades may fail if this was not done prior to installation!
• V-76817, V-76819, V-76821, V-76823, V-76825, V-76827: configurations can all be done safely under RequestFiltering. However, if you are going to disable Allow Unlisted Verbs, then you must explicitly enable the GET, POST, and HEAD verbs.
• V-76827: You can disable Allow unlisted file extensions per DISA instructions, but must add the following file extensions to the list for StoreFront:
  • . (blank extension)
  • .appcache
  • .aspx
  • .cr
  • .css
  • .dtd
  • .gif
  • .htm
  • .html
  • .ica
  • .ico
  • .jpg
  • .js
  • .png
  • .svg
  • .txt
  • .xml
• If allowing Receiver download from StoreFront:
  • .dmg
  • .exe
• If the HTML 5 client is utilized:
  • .eot
  • .ttf
  • .woff

• V-76839: Several of the StoreFront applications pools (Citrix Configuration API, Citrix Delivery Services Authentication, Citrix Delivery Services Resources, Citrix Receiver for Web) require unlimited (0) timeouts. Setting these timeouts to anything but 0 may break StoreFront functionality or produce unintended behavior for users, making this a security finding. Actual user timeouts are set in the StoreFront console.
• V-76841: This timeout setting should be compliant already, but ensure you review this and set an appropriate timeout, as you may want to set it lower.
• V-76865: The StoreFront Citrix Delivery Services Resources Application Pool has 4 applications that runs under its context instead of the maximum of 1. An exception will be needed as this is a finding and cannot be modified without breaking StoreFront.
• V-76867, V-76869, V-76871: All StoreFront Application Pools have a Recycling, Request Limit, Virtual Memory, and Private Memory settings of unlimited (0). It is not recommended to modify these configurations. They may be downgraded to a CAT III with supporting documentation.
• V-76883: An alternateHostname may safely be defined. I would recommend setting this to the Base URL FQDN for consistency.
• V-76885: StoreFront utilizes ASPX scripts that are not isolated in their own folders. This is a finding that will require risk acceptance.
• V-76891: This requires that a DoD security banner is put in place prior to logon to any system. To accomplish this, we can modify StoreFront with some custom JavaScript. Note that this is only recommended for logons directly to StoreFront and not through NetScaler Gateway. I will publish another article on how to accomplish this on NetScaler. Under inetpub\wwwroot\Citrix\StoreWeb\custom (where Store is your Store name) open the script.js file. You will see a number of commented out lines of code which can be safely removed and replaced with something similar to the following:

var doneClickThrough = false;

CTXS.Extensions.beforeLogon = function (callback) {

doneClickThrough = true;

CTXS.ExtensionAPI.showMessage({

messageTitle: "DoD Logon Banner",

messageText:　　"<div class='logonBanner'>I've read & consent to terms in IS user agreem't.</div>",

okButtonText: "Accept",

okAction: callback });

};

In this example, I am using the approved shortened version of the DoD user agreement. If you wish to use the full agreement, I suggest that you also modify the banner GUI to auto scroll and be slightly larger. To accomplish this, add the following to style.css in the same folder (test the height setting that works best for your environment):

.logonBanner {

height: 400px;

text-align: left;

overflow-y: auto;

}

These customizations must be on each StoreFront server separately as these changes cannot be propagated through the StoreFront console.

Windows Server 2012 R2 STIG Configurations

The following configurations can be completed after StoreFront has been installed and configured to ensure compliance with the Server 2012 R2 STIG:

• V-3487: Stop and Disable the Citrix Telemetry Service under the Services MMC console. After this is done, remove the Citrix Telemetry Service account from the Performance Log Users local group and also remove the Citrix Telemetry Service profile folder from C:\Users.
• V-1127: Remove the NT SERVICE\CitrixClusterService and NT SERVICE\CitrixConfigurationReplication service accounts from the local Administrators group when not propagating StoreFront configurations. They can be added back in to each StoreFront server once you are ready to propagate changes from your master StoreFront server.
• V-26489, V-26503: The StoreFront IIS application pool accounts should be given Generate Security Audit and Replace a Process Level Token rights in OS security policy. This is a STIG finding.

Other Considerations and Recommendations

• When upgrading StoreFront or adding a new Store or Receiver Web Site, ensure that you double check the SSL Settings > Require Client Certificate setting to ensure it did not get inherited and enabled from the top-level site. The most likely symptom of this issue is users getting errors when attempting to authenticate at StoreFront.
• Always ensure your load balanced StoreFront URL is part of Trusted Sites for not only client devices but for your StoreFront servers themselves.
• Always use a single StoreFront server as your “master” configuration propagation server.
• Utilize SSL Bridge load balancing instead of just SSL when using smart card authentication directly to StoreFront. This is not required if authenticating at NetScaler.

Cheat Sheet

Here’s the abbreviated reference for the most important information from this post.

STIG exceptions needed:

• V-76805: This cannot be done as StoreFront requires Full .NET trust. This can be downgraded to a CAT III with supporting documentation.
• V-76839: Several of the StoreFront applications pools (Citrix Configuration API, Citrix Delivery Services Authentication, Citrix Delivery Services Resources, Citrix Receiver for Web) require unlimited (0) timeouts. Setting these timeouts to anything but 0 may break StoreFront functionality or produce unintended behavior for users.
• V-76865: The StoreFront “Citrix Delivery Services Resources” Application Pool has 4 applications that runs under its context instead of the maximum of 1.
• V-76867, V-76869, V-76871: All StoreFront Application Pools have a Recycling, Request Limit, Virtual Memory, and Private Memory settings of unlimited (0). It is not recommended to modify these configurations. They may be downgraded to a CAT III with supporting documentation.
• V-76885: StoreFront utilizes ASPX scripts that are not isolated in their own folders. This is a finding that will require acceptance of risk in the accreditation package.
• V-26489, V-26503: The StoreFront IIS application pool accounts should be given Generate Security Audit and Replace a Process Level Token rights in OS security policy.
• V-76685, V-76787: These can be addressed if you have NetScaler available for authentication, but not if you are simply using an SSL Bridge to load balance (required for smart card authentication when using a load balancer). See my article on load balancing STIGed StoreFront with NetScaler for more information.

Important Installation and Configuration Changes:

• Move IIS to a non-system drive prior to installation of StoreFront.
• Ensure Loopback Communication is Off for all StoreFront Stores.
• Ensure that the StoreFront Base URL matches the Host entry made for V-76807 in the server bindings.
• Ensure that the Base URL that is configured for StoreFront is added as a Hosts file entry on each StoreFront server to point to itself.

Potential issues:

• Slow StoreFront MMC Console access can generally be fixed by removing “Check for the publisher’s certificate revocation” in Internet Explorer under Settings > Advanced or in Control Panel > Internet Options.
• If you are having problems authenticating at StoreFront, ensure that Client Certificates Required under SSL Settings has not accidentally been enabled for your StoreFront Stores. Only the Default Web Site and the StoreAuth\Certificates folder under each Store should have this enabled.
• Always ensure your StoreFront URL is configured as a Trusted Site for both clients and servers (most notably itself). Otherwise you may receive authentication issues.
• If you are load balancing StoreFront and require smart card authentication directly, ensure that you are using SSL Bridge as the load balancing type. In general, SSL connections must go directly to any service requesting a user certificate without being broken in the middle.

I hope this was helpful. For those of you with NetScalers, I’ll publish a separate article on how to load balance a STIGed StoreFront Server Group properly. I also want to thank the VDI team out in Stuttgart for their help in validating some of these settings!

Let me know if you have any questions or suggestions in the comments section.

Nick Czabaranek
Lead Architect for US Public Sector Consulting Services