STIGQter: STIG Summary: Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021: STIGQter: STIG Summary: Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:SV-234254r628798_rule
V-234254
SRG-APP-000142
CVAD-VD-000275
CAT II
10
Some organizations consider port 80 to be a non-secure port regardless of the protocol. It is necessary to set the Delivery Controller and VDAs to use an approved port for registration traffic.
To set the registration port on the broker to an approved port (e.g., 8080) perform the following:
1. On each the Delivery Controller, open a command prompt.
2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service.
3. Run the command "BrokerService.exe -VDAPort 8080" to set the registration port to 8080. Replace 8080 with an approved port in the organization.
4. Run the command "BrokerService.exe /Show" to verify the VDA Port is changed.
To configure the Windows VDA to use the approved port set on the Delivery Controller, perform the following:
1. In Active Directory, open the Group Policy object used to apply VDA settings to the Windows VDA. If this GPO does not yet exist, create it.
2. Navigate to Computer Configuration >> Policies >> Citrix Policies.
3. Edit the "Unfiltered Policyā€¯ or create a custom Citrix policy to apply Delivery Controller settings in the GPO.
4. Under the "Settings" tab, find the Virtual Delivery Agent Setting called "Controller registration port".
5. Click "Add" to enable the setting and specify the approved port set on the Delivery Controller.
6. Ensure this GPO is linked to the OUs with the relevant Windows VDAs.
Some organizations consider port 80 to be a non-secure port regardless of the protocol. Ensure VDA registration traffic to the Delivery Controller is occurring on an approved port.
To verify the Delivery Controller is using an approved port, perform the following:
1. On each the Delivery Controller, open a command prompt.
2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service.
3. Run the command "BrokerService.exe /Show" to display the currently used "VDA Port".
4. Ensure the port in use on each Delivery Controller matches and is approved by the DoD organization.
To verify the Windows VDA is using the approved port for registration, perform the following:
1. In Active Directory, open the Group Policy object used to apply VDA settings to the Windows VDA.
2. Navigate to Computer Configuration >> Policies >> Citrix Policies.
3. Edit the "Unfiltered Policy", or the custom policy used to apply Delivery Controller settings in the GPO.
4. Under the "Settings" tab, find the Virtual Delivery Agent Setting called "Controller registration port".
5. Ensure the port number matches the approved port set on the Delivery Controller.
If an unapproved port is used, this is a finding.
V-234254
False
CVAD-VD-000275
Some organizations consider port 80 to be a non-secure port regardless of the protocol. Ensure VDA registration traffic to the Delivery Controller is occurring on an approved port.
To verify the Delivery Controller is using an approved port, perform the following:
1. On each the Delivery Controller, open a command prompt.
2. Navigate to the Citrix install directory Program Files\Citrix\Broker\Service.
3. Run the command "BrokerService.exe /Show" to display the currently used "VDA Port".
4. Ensure the port in use on each Delivery Controller matches and is approved by the DoD organization.
To verify the Windows VDA is using the approved port for registration, perform the following:
1. In Active Directory, open the Group Policy object used to apply VDA settings to the Windows VDA.
2. Navigate to Computer Configuration >> Policies >> Citrix Policies.
3. Edit the "Unfiltered Policy", or the custom policy used to apply Delivery Controller settings in the GPO.
4. Under the "Settings" tab, find the Virtual Delivery Agent Setting called "Controller registration port".
5. Ensure the port number matches the approved port set on the Delivery Controller.
If an unapproved port is used, this is a finding.
M
5265