Citrix Security
April 29th, 2007 by Jordan Del-Grande
Read any of last quarter's Financial Review and/or BRW magazines and they will tell you about the hot stocks to invest in for 2007. Some of the obvious ones are the minerals boom, exporting commodities to China and outsourcing IT. This post will focus on the latter, "outsourcing IT". No, I am not going to give you stock advice and ask you to invest in funds such as the CommSec India share fund. Nor am I going to talk about buying into remote connectivity software companies in case the outsourcing boom takes off again like it did about five years ago (that is, before most of it was brought back in-house). What this post is about is the increased importance that will be placed on remote connectivity software (e.g. Citrix) as businesses focus on outsourcing to cut costs.
Most network people I speak to about Citrix say two things: it is better for network bandwidth, and it is better for security. Both statements are true if Citrix is implemented correctly. A common mistake is that the networking team spends all its time fine-tuning Citrix to get the most out of the link but assumes it is already secure. The problem is not that Citrix is inherently insecure; it is that the applications placed within the Citrix session can lead to Citrix's undoing.
One of the most common and oldest attacks performed on Citrix is launching a command shell. It requires no skill and is simple to execute. To perform it within a Citrix session the attacker needs a published application with a file dialog, for example Windows Explorer. The attacker launches Explorer, selects File -> Open from the menu, and a dialog box appears. They then browse to C:\Windows\system32\cmd.exe, right-click it and select Open. That's it: the attacker now has a command prompt on your Citrix server, inside your network. Note that it runs with the same privileges as the account they logged in with, so the damage it can do depends on how tightly that account and the server are locked down. Now think about all the other applications the end user requires and try to lock each of them down. In addition, applications such as the Microsoft SQL tools let you launch other programs from their Tools menu without having to perform the above at all.
There is so much to talk about when it comes to Citrix security, and this is just one example of many. If you are a Citrix administrator you should be aware of such avenues of attack and should probably have already removed the File menu from Explorer and/or restricted browsing to certain file types (e.g. .txt, .pdf, etc.). But remember that any other published application with a file dialog may be susceptible to the same avenue of attack, and factor in the time to test for this problem, both against the team's baseline standard and with a security professional. Bear in mind too that hiding a menu only removes one path to the shell, not the capability: if the logged-in account is permitted to execute cmd.exe, some other dialog will expose it, so denying the interpreters to the user (for example with a software restriction policy) is the more durable fix.
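One way to catch the escape described above after the fact, as an added example that is not part of the original post: the script below scans process-creation records and flags cmd.exe, PowerShell and the script hosts whenever their parent is an ordinary published application (Explorer, a SQL tool, Word) rather than one of the launchers expected to start a shell on a terminal server. The records are constructed for this example and use the fields a Windows process-creation audit event carries (time, user, session ID, image, parent image, command line); the field layout, the interpreter list and the allowed-parent list (which assumes the Citrix shell wfshell.exe is the published-application launcher) are assumptions to tune for a real farm.

```python
"""Added example (not from the original post): flag shell escapes from
published applications in process-creation records.

Each record is a constructed, pipe-delimited line with the fields a
Windows process-creation audit event carries: time, user, session ID,
image path, parent image path and command line. The field layout and
the two lists below are assumptions to tune for a real farm.
"""
import ntpath
from typing import Dict, Iterable, List

# Anything that hands the user a command line once it is running.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Parents expected to start an interpreter on a terminal server: the
# service control manager, the logon process (logon scripts) and the
# Citrix published-application shell. Assumption: adjust per farm.
ALLOWED_PARENTS = {"services.exe", "userinit.exe", "winlogon.exe", "wfshell.exe"}

FIELDS = ("time", "user", "session", "image", "parent_image", "command_line")

# Constructed sample records; the second, third and fifth are escapes.
SAMPLE_EVENTS = [
    # Logon script started by userinit.exe: expected, not flagged.
    r"2007-04-29T09:58:03|CORP\jsmith|2|C:\Windows\system32\cmd.exe|C:\Windows\system32\userinit.exe|cmd.exe /c \\fs01\netlogon\logon.bat",
    # Published Explorer: user browsed to cmd.exe in File -> Open and ran it.
    r"2007-04-29T10:02:11|CORP\jsmith|2|C:\Windows\system32\cmd.exe|C:\Windows\explorer.exe|cmd.exe",
    # Published SQL Query Analyzer launching a shell from its Tools menu.
    r"2007-04-29T10:05:40|CORP\jsmith|2|C:\Windows\system32\cmd.exe|C:\Program Files\Microsoft SQL Server\80\Tools\Binn\isqlw.exe|cmd.exe",
    # Ordinary document work under Explorer: not flagged.
    r"2007-04-29T10:07:19|CORP\jsmith|2|C:\Program Files\Adobe\Reader\AcroRd32.exe|C:\Windows\explorer.exe|AcroRd32.exe report.pdf",
    # Script host spawned by a published Word: flagged.
    r"2007-04-29T10:09:02|CORP\mlee|3|C:\Windows\system32\wscript.exe|C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|wscript.exe payload.vbs",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict; the command line may itself contain '|'."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, parts))


def basename(path: str) -> str:
    """Case-folded file name of a Windows path; works on any host OS."""
    return ntpath.basename(path).lower()


def is_shell_escape(event: Dict[str, str]) -> bool:
    """True when an interpreter starts under a parent that should never spawn one."""
    return (basename(event["image"]) in INTERPRETERS
            and basename(event["parent_image"]) not in ALLOWED_PARENTS)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the records that look like shell escapes, in log order."""
    return [event for event in map(parse_event, lines) if is_shell_escape(event)]


def describe(event: Dict[str, str]) -> str:
    """One-line alert text: who, which session, which parent spawned which shell."""
    return (f"{event['time']} session {event['session']} {event['user']}: "
            f"{basename(event['parent_image'])} -> {basename(event['image'])} "
            f"[{event['command_line']}]")


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(describe(hit))
```

The rule keys on the parent rather than on the shell alone because cmd.exe is legitimately started by logon scripts on every session; what is never legitimate on a locked-down farm is a document viewer, Explorer or a database tool spawning an interpreter. Feed it real 4688 or Sysmon process-creation events and it becomes a cheap test of whether the menu and file-type restrictions in the paragraph above actually hold.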