There is a general misunderstanding with regards a few of the End-Point Analysis (EPA) scans provided with the Citrix Access Gateway Advanced Edition, and I find that the implementation of these scans is often not thought out correctly. There are three (3) specific scans that need to be explained.
- Domain Name Scan
- Registry “Watermark” Scan
- Antivirus Scan
Domain Name Scan: The Domain name (membership) scan will use the Domain’s NetBIOS name, often referred to as the “down-level” Domain name, and not the FQDN (Fully Qualified Domain Name). This is important to note because from my experience many companies tend to use similar NetBIOS Domain names as their main NetBIOS domain name, such as CORP. Therefore, if you are scanning a contractor’s end point device, or that of a 3rd party, you may get false results. So this scan does not actually prove that the machine is a member of your internal Domain; it only proves that it is a member of a Domain that matches the NetBIOS name of your Domain. This proves that this scan should only be used to assist in confirming the configuration of an end-point device, and that it should be used in conjunction with other scans to determine the final access privileges for the device.
The best type of scan to compliment the Domain name scan is to look for a registry key specific to the customers SOE. So that now leads us onto the next section about the Registry “Watermark” Scan.
Registry “Watermark” Scan: See here for the original article from Ecki. I have enhanced the article and used a different registry key that I believe is easier to manage.
Unfortunately Citrix do not provide a standard registry scan that allows you to specify a key, value and data that matches something specific within the customer’s SOE environment. To achieve this, you need to write your own scan package. Citrix introduced a change into AAC version 4.5 that requires that every EPA Scan package be digitally signed. This makes it difficult to deploy your own scan, as you freely could with earlier versions. The EPA Scan package delivered with AAC 4.5 is now already signed by Citrix, so if you would like to create your own scans, you have to sign them with a digital certificate. Citrix do, however, provide an excellent SDK that plugs into Visual Studio 2005. It assists you with building the package and creates the CAB file for you. The instructions for signing it and then packaging it up into an executable are very thorough. However, this process takes time and effort, as well as the cost of a digital certificate from a reputable certification body. A limitation here, and one that becomes a real headache to manage, is that this will need updating each time Citrix releases updates to their scans, as your new scan package not only contains your own scans, but all the Citrix scans too.
An alternative is to purchase a commercial EPA Scan package from a 3rd party, such as EPAFactory, Extentrix, etc. This can also be expensive, so at the end of the day you are more or less stuck with the scans provided by Citrix.
However, there is a way to achieve a registry “watermark” scan with a little understanding of how the existing scans work. Some of the EPA Scans do nothing other than read predefined registry keys from the end point device. To take this one step further, there is one particular scan that enumerates multiple keys for comparison against a “Data Set” (list) configured in the AAC. The particular scan in question is “Citrix Scans for Windows Update”, which is part of the default EPA scan package. This scan enumerates all keys under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix
It essentially reports back a list of KB numbers found, which relates to the Security Updates and Hotfixes installed.
There is nothing stopping us from adding our own key to this location. Therefore, by deploying the following registry key and creating a Data Set that contains one string called “CompanyABC_Asset” as a value, you can create a “Citrix Scans for Windows Update” scan to assist you with determining if the device is indeed a Corporate asset or not.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\CompanyABC_Asset]
"Comments"="CompanyABC Asset Tag for use with the Citrix Advanced Access Control Windows Update EPA Scan"
"Fix Description"="CompanyABC Asset Tag for SOE machines"
Note that the “Comments” and “Fix Description” values are not required, but are added as a form of documentation.
You could also get home users and/or business partners to add a similar key to their registry containing a string such as “NON_CompanyABC_Asset” as per the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\NON_CompanyABC_Asset]
"Comments"="CompanyABC Asset Tag for use with the Citrix Advanced Access Control Windows Update EPA Scan"
"Fix Description"="CompanyABC Asset Tag for Home and 3rd Party Devices"
This allows such machines to be “partially” trusted, providing an extra dimension to what can be achieved with the SmartAccess Policies.
Antivirus Scan: There are some people that believe that the Citrix antivirus scans can use the Windows API to query for the presence of antivirus software just like the Windows Security Centre does. This is not the case.
Citrix currently supports the following antivirus scans.
- McAfee VirusScan
- McAfee VirusScan Enterprise
- Norton Antivirus Personal
- Symantec Antivirus
- Symantec Antivirus Enterprise
- Trend OfficeScan
- Windows Security Center Antivirus
These scans require constant testing against the new program versions. For Example: the McAfee VirusScan Enterprise scan does not support version 8.5. In this case Citrix need to update their software and release a hotfix to address this.
Furthermore, these AV scans require regular updating as the rules we setup set the minimum Program, Engine and Pattern versions allowed to enable the end point device to pass the scan.
A greater range of antivirus scans can be covered by looking at a 3rd party product from EPAFactory called EPdetect. “This scan is the definitive AV scan for Citrix Access Gateway. It will check for the presence of 250+ AV products and derivatives, see if they are running and when they were last updated. The scan is updated around every 3 weeks with new information and customers are informed by email of available updates.”
More information I received from EPAFactory…”Our scan checks for around 300 products in the one scan; it can detect the product, whether it is running, and when it was last updated. It therefore allows you to specify the period in days that the antivirus product has to have been updated in. Based on these criteria the admin can set filters according to their policy. So we abstract ourselves from the need to check and maintain specific pattern file versions.”
I have recently been made aware of the Extentrix EPA scans, but have not had time to research them to assess their relevance.