STIGQter: STIG Summary: Citrix XenDesktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 26 Apr 2019:

Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.

DISA Rule

SV-96149r1_rule

Vulnerability Number

V-81435

Group Title

SRG-APP-000142

Rule Version

CXEN-VD-000275

Severity

CAT II

CCI(s)

• CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.

Weight

10

Fix Recommendation

To change the VDA registration port from the default "80", create the Citrix Machine Policy and update the DDCs, as explained below:
1. Create a new Citrix Machine policy or edit an existing one.
2. Navigate to the Settings tab and select "Control Registration Port".
3. Update the Value to reflect the new port.
4. Select "OK".
5. Restart all desktops and wait until all the desktops report as Unregistered.
6. Update the DDCs' VDA registration Port.
7. Restart all desktops and verify that all VDAs register successfully.

Check Contents

On Delivery Controllers, verify that only approved ports are used.

1. Open a command prompt.
2. Navigate to the XenDesktop install directory Program Files\Citrix\Broker\Service
3. Enter BrokerService.exe /Show to display the currently used ports.

If an unapproved port is used, this is a finding.

Vulnerability Number

V-81435

Documentable

False

Rule Version

CXEN-VD-000275

Severity Override Guidance

On Delivery Controllers, verify that only approved ports are used.

1. Open a command prompt.
2. Navigate to the XenDesktop install directory Program Files\Citrix\Broker\Service
3. Enter BrokerService.exe /Show to display the currently used ports.

If an unapproved port is used, this is a finding.

Check Content Reference

M

Target Key

3297

Comments