Block Windows XP using selective Ciphers on Citrix NetScaler

As you probably know, Windows XP is no longer supported by Microsoft. No (security) updates will be made available for Windows XP, leaving it potentially vulnerable to future exploits.

As an organization you will have to decide what to do about these (probably unmanaged) Windows XP workplaces. There will still be a lot of home workers who use Windows XP and see no reason to upgrade since "it works fine"; from an organization perspective these workplaces could potentially form a threat to the business, especially when all sorts of direct connections are being made, such as SSL VPN, but let's not forget the still very popular Citrix client drive mappings.

From a technical standpoint we can easily block incoming Windows XP connections to our Citrix NetScaler Gateway virtual server or AAA virtual server (or any other SSL publication) using a selective group of ciphers.

Quoted from Wikipedia: “a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure”.

The very first thing to do is to reach an agreement (or a baseline) within the organization (security officer, management, administration, anyone who has an opinion, etc.) on which operating systems (platforms) and which browsers the organization will support.
Once the operating systems (platforms) and browsers have been identified, we can establish a selection of ciphers to configure on the various publications within Citrix NetScaler.

In the example below (which seems to work in most cases) the DEFAULT cipher group (which is bound by default) has been removed and only TLS1-AES-256-CBC-SHA is added to the cipher configuration. As a result only IE9+ and/or Windows Vista+ are still able to connect (Windows XP and/or IE8 do not have the AES cipher). From a NetScaler perspective we have the advantage that Microsoft's SSL cipher suites depend on the combination of operating system and browser, whereas other browsers have their cipher suites built in. This means Firefox on Windows XP will still not work, but on a higher operating system it will, using its own (AES) cipher.

TLS1-AES-256-CBC-SHA

Use caution when configuring ciphers on, for instance, Citrix NetScaler Gateway. The Citrix NetScaler Gateway virtual server is frequently also used for the authentication callback from Citrix StoreFront or Citrix Web Interface. If the server(s) running StoreFront/Web Interface also use older browsers (for instance IE8, which is the default browser on Windows Server 2008), the callback connection will fail because the required cipher is absent.

Remember that if a user tries to connect from a workplace that does not have the desired cipher, they will not even see the page (since the initial handshake does not succeed); the browser will just tell the user that the page cannot be displayed (no fancy error message).
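To reason in advance about which clients a reduced cipher group shuts out (the Windows XP/IE8 case and the StoreFront callback caveat above) and to test the result rather than wait for a "page cannot be displayed", here is an added Python example; it is not code from the original post or from Citrix. The client cipher offers in it are constructed samples that follow the post's claims, not captured handshakes, and the NetScaler-to-OpenSSL name mapping is my assumption for the few suites shown (TLS1-AES-256-CBC-SHA is TLS_RSA_WITH_AES_256_CBC_SHA, AES256-SHA in OpenSSL terms). The gateway host and port passed on the command line are placeholders.

```python
"""Added example (not from the original post): model which clients a
NetScaler virtual server still accepts once its cipher group is reduced to
TLS1-AES-256-CBC-SHA, and probe a live endpoint offering only that suite.

Assumptions (not from the post): the client offers below are CONSTRUCTED
samples following the post's claims (XP/IE8 has no AES suite; Vista+/IE9+
and Firefox's own NSS stack do); the NetScaler to OpenSSL name mapping
covers only the suites used here.
"""
import socket
import ssl

# NetScaler cipher names mapped to OpenSSL names. Assumed mapping for the
# handful of suites used here; verify against `show ssl cipher` on the box.
NS_TO_OPENSSL = {
    "TLS1-AES-256-CBC-SHA": "AES256-SHA",
    "TLS1-AES-128-CBC-SHA": "AES128-SHA",
    "SSL3-DES-CBC3-SHA": "DES-CBC3-SHA",
    "SSL3-RC4-SHA": "RC4-SHA",
    "SSL3-RC4-MD5": "RC4-MD5",
}

# Constructed sample client offers (client preference order), one per client
# type the post discusses. These are not real captured ClientHellos.
CLIENT_OFFERS = {
    "Windows XP / IE8": ["SSL3-RC4-MD5", "SSL3-RC4-SHA", "SSL3-DES-CBC3-SHA"],
    "Windows Vista+ / IE9+": ["TLS1-AES-128-CBC-SHA", "TLS1-AES-256-CBC-SHA", "SSL3-RC4-SHA"],
    "Firefox on Windows 7 (own NSS ciphers)": ["TLS1-AES-256-CBC-SHA", "TLS1-AES-128-CBC-SHA"],
    "StoreFront server callback (old Schannel, no AES)": ["SSL3-RC4-SHA", "SSL3-DES-CBC3-SHA"],
}

# The cipher group from the post: DEFAULT unbound, a single suite bound.
NETSCALER_GROUP = ["TLS1-AES-256-CBC-SHA"]


def negotiate(server_prefs, client_offer):
    """Pick the first suite in the server's preference order that the client
    also offers. None means the handshake fails, which the browser reports
    only as 'page cannot be displayed', as the post describes."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def evaluate(server_prefs, offers):
    """Map every client name to the suite it would negotiate, or None."""
    return {name: negotiate(server_prefs, offer) for name, offer in offers.items()}


def blocked_clients(server_prefs, offers):
    """Names of the clients the cipher group shuts out, in the order given."""
    return [name for name, suite in evaluate(server_prefs, offers).items() if suite is None]


def openssl_cipher_string(server_prefs):
    """Translate a NetScaler cipher list into an OpenSSL cipher string."""
    return ":".join(NS_TO_OPENSSL[suite] for suite in server_prefs)


def probe(host, port, ns_cipher, timeout=5.0):
    """Attempt one TLS handshake offering only `ns_cipher`.
    Returns (True, negotiated_openssl_name) or (False, reason). Certificate
    verification is off on purpose: the question is cipher support, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # these are pre-TLS 1.3 suites
    try:
        ctx.set_ciphers(openssl_cipher_string([ns_cipher]))
    except (KeyError, ssl.SSLError) as exc:
        return False, f"local OpenSSL cannot offer {ns_cipher}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except ssl.SSLError as exc:
        return False, f"handshake failed (server does not accept the suite): {exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    for name, suite in evaluate(NETSCALER_GROUP, CLIENT_OFFERS).items():
        print(f"{name:50} -> {suite or 'BLOCKED (handshake fails)'}")
    if len(sys.argv) == 3:  # python this.py gateway.example.com 443  (placeholder host)
        print(probe(sys.argv[1], int(sys.argv[2]), NETSCALER_GROUP[0]))
```

Run it without arguments for the client table; pass a host and port to attempt one handshake against a real gateway with only that suite offered. Note that the probe uses Python's OpenSSL rather than the Windows Schannel stack, so it tests what the NetScaler side accepts, not what a particular Windows browser can offer; the model table covers that second question.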

As a warning: this has not yet been thoroughly tested, so no guarantees, and use at your own risk. I welcome any feedback on the subject.

Keep in mind that this probably will not be a solution for everyone; if it works for some, we'll be happy. As mentioned before, be cautious when configuring ciphers: test, test, test.

Sources used (and more info on the subject):
https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites  (Good info, must read)
http://en.wikipedia.org/wiki/Cipher
http://support.citrix.com/article/CTX127002
http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html

About Henny Louwers
I work as a Consultant specialized in Application Delivery, Virtualization of Servers, Desktops and Apps.
