From Citrix XenDesktop 7.x Delivery Controller Security Technical Implementation Guide
Part of SRG-APP-000514
Associated with: CCI-002450
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the Federal Government since this provides assurance they have been tested and validated.
Enforcement is via FIPs encryption. To verify, open the Registry Editor on the XenDesktop Controller and find the following key name: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer 1. Verify the XmlServicesSslPort registry key exists with the correct value for SSL port. By default, it is set to "443". 2. Verify XmlServicesEnableNonSsl is set to "0". 3. Verify the corresponding registry value to ignore HTTPS traffic, XmlServicesEnableSsl, is not set to "0". If "XmlServicesSslPort" is not set to the desired port, this is a finding. If "XmlServicesEnableNonSsl" is not set to "0", this is a finding. If XmlServicesEnableSsl is set to "0", this is a finding. To verify FIPS Cipher Suites used: 1. From the Group Policy Management Console, go to Computer Configuration >> Administrative Templates >> Networks >> SSL Configuration Settings. 2. Double-click SSL Cipher Suite Order and verify the "Enabled" option is checked. 3. Verify the correct Cipher Suites are listed in the correct order per current DoD guidelines. If the "Enabled" option is not checked or the correct Cipher Suites are not listed in the correct order per current DoD guidelines, this is a finding.
Obtain and install root certificate(s) for server certificates installed on Desktop/Server VDAs, SQL Server(s), Storefront, and VM Host (VMware VCenter, Hyper-V, XenServer).
To install a TLS server certificate on the Delivery Controller and to configure a port with TLS 1.x:
1. Log on to the Delivery Controller server with a domain account that has Administrator rights.
2. Obtain a TLS server certificate and install it on the Delivery Controller using Microsoft server instructions.
3. Configure the Delivery Controller with the certificate.
When the Server Certificate is installed on IIS, set the Bindings to enable HTTPS on IIS by completing the following procedure:
1. Select the IIS site that you want to enable HTTPS and select "Bindings" under "Edit Site".
2. Click "Add" and select "Type" as "https" and port number as "443". Select the SSL Certificate that was installed and click "OK".
3. Open the Registry Editor on the XenDesktop Controller and find the following key name:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer
4. Verify that XmlServicesSslPort registry key exists with the correct value for the SSL port. By default, it is set to "443".
5. Change the XML service port using PowerShell by running the following command:
BrokerService –WiSslPort
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer