by Patrick Coble, CTP, Nashville CUGC Leader
What an amazing year this was for the Citrix User Group Community, with so many members, meetings and new groups. This year added 4,500 new members, with 11 new groups started across the world! There were a total of 138 regular meetings and 8 XLs (Texas, Florida, Great Lakes, Great Plains, Midwest, Northeast, SoCal, Denmark).
I think the XLs are the best bang for anyone’s buck in the EUC and Citrix space to go to because they bring the best sessions, speakers and vendors\sponsors to a town close to you. It is worth a long drive or short flight and 1-2 nights in a hotel to come and learn more about the Citrix EUC ecosystem. If you cannot make Citrix Synergy because of the cost and/or timing, then making the trip to a CUGC XL event is well worth it. I have heard so many stories of post-XL attendees who learned how to improve their login times, fixed issues, heard about solutions that make their deployment better and learned how to secure their personal or corporate life.
It is amazing to be part of an organization that helps so many people all over the world every day and that really does make an impact in people’s lives. Impact on people’s lives might seem like a stretch for a User Group, but the number of Citrix Admins that participate in this community and learn things to help do their job better, along with sharing war stories of things that didn’t go so well, helps everyone learn from those experiences. I think about login times alone, and how much focus there is from the community along with many of the CUGC sponsors, and how many tips have been shared, and guides on how people have gotten to, say, under 20 or even 10 seconds. This type of feedback can help those users have a better day, see more patients, get more work done and hopefully have a better work balance because they are not waiting 60-100 seconds each day to get in and out of the system. There is so much great knowledge being shared by members, sponsors, Citrites, CTAs and CTPs through this worldwide group.
For me, this year was a wild one with 24 speeches to around 1,817 people, which is crazy. Because of the Citrix User Group and the community support, I was blessed to be able to go to Norway and Sweden for the Norway Citrix User Group and then E2EVC in Berlin and Tokyo too. I’m so thankful for all the support from the Citrix community to support me in getting so many “security” presentations out this year. I know that in all my travels I learned a ton more about lowering login times, layering Pros and Cons, Cloud Offerings, Citrix and Microsoft best practices, vGPU Options, MFA, FSLogix and Office and so much more.
What did I talk about?

I had a great time getting to talk about Citrix ADC Security to show people the power of this system to drastically reduce the attack surface of any VIP running through the appliance. I had lots of memes and ways to describe what each feature did that I hope resonated. So many deployments are just using 2-3 features of their existing Citrix ADC and they don’t know about all the security-related things it can do to further secure your deployment.
Citrix ADC Security 101 Big Things
1. GeoIP – Block countries that you don’t need (drops billions of IPs)
2. BadIP – Block potentially malicious IPs from getting to those applications (millions of IPs)
3. AppQoE\DoS Protection – Drastically limit the impact of Denial-of-Service attacks so they don’t overrun your network and/or your application
4. NSIP Best Practices – Make sure those networks are secure, and also check your SNIPs and MIPs to make sure they don’t have management on them.
5. TLS Best Practices – First off, you want to make sure you are managing the device using HTTPS all the time and that you replace that default certificate, so you don’t become a victim of an MiTM attack. Working on getting A+ is also important.
6. WAF – aka Wafinator (Web Application Firewall) because this is one of the biggest and baddest security tools you can use to layer on a VIP you’re already hosting. It blocks bad things in Negative mode or only allows “good” learned traffic in Positive mode. This can protect you from Zero Days because it won’t let random traffic be processed. When you configure this on a web application, you need to do consistent testing as the application gets updated because that fix may be seen as an attack.
7. Logging – Getting Syslog set up for the Citrix ADC is critical to ever being able to do any incident response, and to having enough information to track and troubleshoot issues if they come up. Are you getting password sprayed right now on your Citrix Gateway? If you’re not looking at your logs you will never know until it is too late, and they are in.
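One way to answer the password-spray question in item 7 from collected syslog, as an added example (not code from the presentation or from Citrix): it flags any source IP that fails logins against many distinct accounts inside a short window, which is what separates spraying from one user mistyping a password. The log lines are constructed and their field layout is an assumption; adapt the regex to what your syslog server actually receives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The field layout is an assumption for this example,
# not a capture from a real appliance; adapt LINE_RE to your own syslog format.
SAMPLE_LOG = """\
2019-11-04T09:00:01 adc01 AAA LOGIN_FAILED User alice - Client_ip 198.51.100.23
2019-11-04T09:00:40 adc01 AAA LOGIN_FAILED User bob - Client_ip 198.51.100.23
2019-11-04T09:01:15 adc01 AAA LOGIN_FAILED User carol - Client_ip 198.51.100.23
2019-11-04T09:02:02 adc01 AAA LOGIN_FAILED User dave - Client_ip 198.51.100.23
2019-11-04T09:03:30 adc01 AAA LOGIN_FAILED User erin - Client_ip 198.51.100.23
2019-11-04T09:05:00 adc01 AAA LOGIN_FAILED User alice - Client_ip 203.0.113.7
2019-11-04T09:05:20 adc01 AAA LOGIN_FAILED User Alice - Client_ip 203.0.113.7
2019-11-04T09:06:10 adc01 AAA LOGIN User alice - Client_ip 203.0.113.7
2019-11-04T08:00:00 adc01 AAA LOGIN_FAILED User frank - Client_ip 192.0.2.50
2019-11-04T10:00:00 adc01 AAA LOGIN_FAILED User grace - Client_ip 192.0.2.50
2019-11-04T12:00:00 adc01 AAA LOGIN_FAILED User heidi - Client_ip 192.0.2.50
2019-11-04T14:00:00 adc01 AAA LOGIN_FAILED User ivan - Client_ip 192.0.2.50
2019-11-04T16:00:00 adc01 AAA LOGIN_FAILED User judy - Client_ip 192.0.2.50
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ AAA LOGIN_FAILED User (?P<user>\S+) - Client_ip (?P<ip>\S+)")

def parse_failures(lines):
    """Yield (timestamp, client_ip, username) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"].lower()

def find_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Return {ip: [users]} for IPs failing against >= min_users accounts in a window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Calling `find_spray(SAMPLE_LOG)` flags only 198.51.100.23; the slow source at 192.0.2.50 shows why the window and threshold need tuning against your own traffic, since a patient sprayer stays under a short window.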
How to Survive a VDI PenTest
This topic is fun in that it goes over how I test VDI deployment security and how attackers can take advantage of common weaknesses. I was able to also turn this into a 2-4 hour Master Class at a couple conferences this year, which was awesome. Below are some of the main topics in this presentation.
1. Common Group Policies – Allowing the users access to do too much by default is a very common finding.
2. Multifactor – Most don’t have it deployed at all and then many forget to enable it on all their external portals to their company. A username and password are not enough these days, especially for anything externally exposed; with over 11.5 Billion credentials for attackers to search through, they are almost surely going to find a winner.
3. Patching – Did you patch it this month? Don’t let your VDI deployment be a huge bot network of unpatched systems that one exploit can spread through like wildfire.
4. AppLocker – Most deployments are not using it, so anything that the user can access can be executed, and that counts random things they downloaded from the internet. You know what you publish to your users so that should be the only thing that is allowed to launch for those users.
5. Antivirus – Most don’t have any deployed still in 2019, so please deploy something. There is an overhead from any of the solutions, but it is worth the protection layer it adds.
6. And many other topics related to Windows and basic Network security recommendations.
Security Stories
Then the last presentation, that started at Midwest XL in Cincinnati, was the “Security War Stories” presentation. This one is my favorite because it goes over the most common Red Team techniques that are used to break into any office in the world. I talked about some of my stories and a couple from @jaysonstreet, who is a legend in the hacker community for some epic jobs and stories. We also covered a little bit about some personal security best practices too, but I think you will hear more about this next year with a couple other sessions I have brewing.
Citrix Turned 30!
If you didn’t know, Citrix turned 30 years old this year, and there was a little shindig down in Ft. Lauderdale with Roger Roberts, the first CEO, Mark Templeton, the 2nd CEO, and David Henshall, the current CEO. It was awesome to hear some of the stories of how Citrix was started and how it evolved over the years. If you didn’t know, Ed Iacobucci founded Citrix (Citrus Systems) in 1989, before Windows had taken off, when there was an OS called OS/2 from IBM along with DOS and Unix too. It is so cool to think about how Citrix was started just to remote applications, and then it has been able to manage mobile devices, have its own hypervisor, have its own ADC, have a couple analytic engines, file sharing and now it offers an intelligent workspace to make time-consuming tasks happen quicker and simpler. I think even in the next 5 years the company will go through yet another era and I’m excited to see “what’s next.”
I think the most important thing for 2019 is that I had the honor to run around and talk about security, and I thank you all for making a field trip to see me and every other speaker at CUGC meetings all over the world. I hope you all have a great rest of your 2019 and you’re ready for 2020. If you haven’t signed up to be part of the Citrix User Group Community, please do. And, if you don’t have a local group, then you can start one; just reach out to HQ@mycugc.org and learn about how to get started. If you didn’t get to an XL event last year, I suggest giving one a try, and if you were at one last year, you know how awesome they were, so you don’t want to miss another. Then if you have some ideas or have figured out a couple things that helped you out, then I suggest starting a blog and writing about it and you will be able to help someone else out with that knowledge. Also remember that each Fall is the application period for the CTA and CTP programs, so you can get ready for next year!
And now a quick video of my year in more than 60 seconds! Thank you to every local leader and member at each destination for helping me find all the places to eat and things to do while on the road.