by Lyndon-Jon Martin, Citrix
In 2019, I wrote “Suggested Leading Practises for the Secure Browsing Service” in light of the recent sharp rise in cyber incidents and attacks against organisations of all sizes in the City of & Greater London (and worldwide). Here, I’ve written about some suggested field leading practises on securing access for IT administration while also taking the opportunity to review the previously published field leading practises shared from 2019.
What is the Secure Browsing Service (SBS) from a Field perspective?
It’s a turn-key SaaS remote browser isolation service that layers onto any endpoint with a traditional OR modern internet browser powered by a Google Chrome based web browser for isolated (sandboxed) access to SaaS and Web apps. The power of the remote isolation is that the app is streamed in a controlled sandbox to any employee’s endpoint and isolated from the underlying network irrespective of the network interface (Ethernet v Wi-Fi), its earned vs. zero trust IP network status. The streamed sessions can also be isolated from the employee’s installed apps and data, reducing and de-risking IP/Pii exfiltration attempts by improving security hygiene through controlled isolation (sandboxed) ICA/HDX channels avoiding potential insider lateral movements or from advisories / bad actors that have either compromised the employees endpoint or the network that the employee is connected to (e.g. @home Wi-Fi). You can further reduce lateral movements by using the SBS in conjunction with the Citrix’s Secure Internet Access service part of Citrix’s SASE solution – https://www.citrix.com/solutions/sase/.
The diagram below represents the streamed flow of delivered SBS apps (Web/SaaS) to any endpoint and how you can control and enforce greater or more relaxed security which affects the employees affordance interactivity e.g cut/copy/paste or even printing.
SBS Employee Affordance and Security Policies
The following is a current list of available configuration policies as of October 2021 that can be defined per published SBS app. These apps can be integrated into Citrix Workspace, published as stand alone SBS apps to internal or 3rd parties to obtain access to secure remote access to Line of Business (LOB) apps and associated systems of record (SoRs). Examples include providing a SBS app to a marketing agency or a HR consultant to derisk Pii exfiltration, whilst adhering and meeting strict GDPR or ICO Pii compliance and governance requirements when interacting with and the processing of Personally Identifiable Information (Pii).
Publish Secure Browser
Select a type of secure browser to publish.
| Shared Passcode | Authenticated | Unauthenticated |
| External: default | External | External |
SBS Points of Presence (POP)
The SBS in Citrix Cloud can automatically set the best POP for the connection or you can pin the published SBS app to a specific POP (e.g. “West Europe” region) but be aware to DENY the “Region Failover” setting which has a configured default of ALLOW.
Timeouts
Idle Timeout: default 10 minutes
The number of minutes to wait before logging a session off due to inactivity.
Idle Warning Time: default 2 minutes
The number of minutes before logoff to show the idle timeout warning.
Policies
Clipboard: default is DENY
Enabling clipboard allows copy and paste operations to and from the remote session.
Printing: default is DENY
Enabling printing saves the remote webpage as a PDF and transfers it to the user’s device.
Non-kiosk: default is ALLOW
Enabling non-kiosk mode restores the interface to the remote browser, allowing the user to access the address bar and create multiple tabs and windows.
Region Failover: default is ALLOW
Enabling region failover automatically transfers the secure browser to a different region if the selected region is reporting an issue.
Client Drive Mapping: default is DENY
Enabling client drive mapping allows the user to upload and download files to and from the remote session when using all versions of Citrix Workspace app except for HTML5. Only available to paid customers.
URL Parameters: default is DENY
Enabling URL parameters allows a new session’s starting URL to be replaced by a different URL provided as a query parameter.
Hostname Tracking: default is DENY
Use host name tracking to enable Secure Browser to log host names during a user’s session. This policy is disabled by default. This information is shared with Citrix Analytics. For more information, see Citrix Analytics – https://docs.citrix.com/en-us/citrix-analytics.html.
Allow Lists
External Allow List: default is ALLOW any to any e.g *:*
Entries are in the format “hostname:port number”, with one entry per line. Asterisks are supported as wildcards. Browser requests must match at least one entry in the allow list to be allowed.
Examples:
Citrix.com:* the wild card denominates that ANY port can be used with this URL
Citrix.com:443 instructs that only port 443 can be used with this URL
*.* denominates an ANY to ANY policy e.g mycugc.org:80 hyperlink can freely access a URL on citrix.com:443 or citrix.com:80 e.t.c
URL Filtering
None: default is ALLOW
Allows all categories.
| Lenient | Moderate | Strict |
| Maximizes access while still controlling risk from illegal and malicious websites. | Minimizes risk while allowing additional categories with low probability of exposure from unsecure or malicious sites. Includes most business travel, leisure, and social media websites. | Minimizes the risk of accessing unsecured or malicious websites. End users can still access websites with very low risk. Includes most business travel and social media websites. |
Secure Browser Service (SBS) Apps field leading practises for Policies, App Mgmt. and Employee Affordance
The following are revisions and updates to the original 2019 post.
Suggested Naming Convention Styles
My initial and suggested naming conventions for SBS apps I have amended due to net new platform features and advantages of field feedback and new ways of thinking through experience.
WEB_SAAS_NAME-REGION-DEPT-SSO_TYPE-SECURITYPOSTURE example WhatsApp-westeu-ins-cwa-0 translates to this web/SaaS app is called “WhatsApp”; westeu indicates this SBS app is pinned to operating in the “Western Europe” region of available pooled one-time use Secure Browser VMs; ins indicates its assigned and consumed by the InfoSec team; cwa identifies that this SBS app is integrated into “Citrix Workspace app” as an available resource; 0 translates to the strongest security policy set by your IT/InfoSec/Security teams ensuring a strict hygiene strategy.
WEB_SAAS_NAME-REGION-DEPT example WhatsApp-auto-salesservices translates to this web/SaaS app is called “WhatsApp”; auto indicates that this SBS app operates and is accessible anywhere world wide; salesservices represent’s organisational department(s) that this SBS app is intended for; the security applied can be categorised like in the above example or you can use an all-in rule when published SBS apps by department(s).
WEB_SAAS_NAME-REGION-DESCRIPTION example google-auto-personalshopping translates to in simple terms to a remote isolation internet browser to allow employees to do personal online activities, completely separating life from work on an enrolled work owned endpoints.
Policies
Example of a policy framework that meets both security and employee affordance aligned to the following suggested name convention standard “WEB_SAAS_NAME-REGION-DEPT-SSO_TYPE-SECURITYPOSTURE”, lets now evaluate some potential examples in the below table.
- Policy #0 is securing access to your favourite IaaS web console
- Policy #1 allows for personal online activities e.g online shopping to be made available on enrolled work owned endpoints
- Policy #2 is for an external marketing agency based in Europe.
| Policy (Security) #0 | Policy (Affordance)#1 | Policy (Affordance) #2 |
| Clipboard – DENY | Clipboard – DENY | Clipboard – ALLOW |
| PRINT – DENY | PRINT – ALLOW | PRINT – ALOW |
| Non-Kiosk – DENY | Non-Kiosk – ALLOW | Non-Kiosk – DENY |
| Region Failover – DENY | Region Failover – ALLOW | Region Failover – DENY and specify pinned Secure Browser VMs region |
| Client Drive Mapping – DENY | Client Drive Mapping – DENY | Client Drive Mapping – ALLOW |
| Allow Lists – Enter in each required “hostname:port number” and remove the wild card *.* | Allow Lists – ALLOW wild card *.* | Allow Lists – Enter in each required “hostname:port number” and remove the wild card *.* |
| URL Filtering – Strict | URL Filtering – Lenient | URL Filtering – Strict |
| Idle Timeouts – 2 minute | Idle Timeouts – 5 minute | Idle Timeouts – 3 minute |
| Idle Warning – 1 minute | Idle Warning – 3 minute | Idle Warning – 1 minute |
Securing Console Access to AWS EC3, Azure, Citrix Cloud, GCP for IT (3rd Parties and Sensitive Apps e.g Marketing ) Administration mandated by InfoSec and Security Teams
This is likely to prove unpopular within IT and EUC Professionals, but safe guarding any/all administration consoles in 2021 is now crucial and de-risks lateral movements of any type for IT personnel irrespective of role, function, leadership vs. IC status. For customers concerned with lateral movements due to advisories / bad actors you can weaponise SBS apps to securely stream and deliver access to IT administration web and SaaS consoles by delivering them back to IT as SBS apps.
Suggested Use Cases from the Field in The City of & Greater London
- Pin console access to POP’s by GEO – why IT can still access the console it’s pinned to a GEO (e.g. EMEA due to GDPR or ICO compliance in the U.K.) when accessing information, for example in Canada which is outside of Europe.
- Allow multi-dimensional media and clipboard redirection from enrolled endpoints by publishing the SBS apps as authenticated apps via Citrix Workspace assigned to the IT Administration personas enforced by IAM (modern) or security groups in AD (traditional).
- Allow unrestricted console access for IT employees in high security environments in any part of the network inclusive of guest or dirty networks – NOT recommended but written demonstrates purposes indicating the the art of the possible.
- Monitor – https://docs.citrix.com/en-us/citrix-cloud/secure-browser-service.html#monitor-usage, remediate and terminate access to sanctioned SBS apps in use directly from within the SBS console for insiders threats e.g resignation offloading; any disgruntled IT employees. See below demonstration video.
- Reduce inbound ACL access* – https://support.citrix.com/article/CTX286379 rules and strength IP flow controls and monitoring usage by forcing IT employees to only access administrative consoles using a SBS apps.
- SBS App “Duress” scenario’s monitor authorised authentication access where it is not originating from SBS app ACL IP addr range* inclusive of Citrix Workspace (e.g. https://<tenant>.cloud.com/), should indicate to security teams of possible advisories attacking systems through human duress measures (e.g. kidnapping – yes it’s real and yes it happens!). This thinking stems from growing up in a country where this type of security threat and attack is often used by advisories to gain access to systems through physical harm to friends and family. While this strategy is far from perfect it’s a logical trip wire to amplify to security that an employee is potentially compromised and under duress. If you are operating a network re-direction technology like Citrix‘s Secure Internet Access – https://docs.citrix.com/en-us/citrix-secure-internet-access to control the network traffic (de)centralised access to apps and data, you can operate a traffic light system for duress so if attempted authorised access is outside of an SBS app and not from an enrolled and managed endpoint that is a proper red light or if it’s from a managed endpoint but outside of Citrix Workspace is should be an amber light – you can get well creative.
- Avoid any and all administration console exfiltration cut/copy/paste between two or more consoles (e.g. copying of [network] security groups IP networking and routing info between the AWS/Azure v Citrix SD-WAN Orchestrator consoles).
Demonstration
Example demonstration revoking access to an SBS app used by an IT Administrator that is potentially under “duress.”
Hygiene of Administration Access to Citrix Cloud
- Carefully evaluate and select a preferred authentication platform + method for IT and Security Teams – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/identity-access-management/add-admins.html.
- Enforce delegated administration by available Citrix Cloud service(s) where supported.
- InfoSec and Security teams should begin familiarising themselves with the Citrix Cloud System Log (Tech Preview as of publishing this article Oct 2021) – https://docs.citrix.com/en-us/citrix-cloud/citrix-cloud-management/system-log.html and understand the data retention periods for events stored in Citrix Cloud. Suggested to integrate Citrix Analytics with all supported Citrix Cloud Service(s), if you are a “Splunk” consumer I would suggest forwarding events to your “Splunk” tenant(s) from Citrix Cloud to continue to meet your organisation’s security leading practises for remediation and response action(s) to any type of cyber attacks / security events.
The views expressed here are my own and do not necessarily reflect the views of Citrix.
