Poor Citrix set-ups leave firms vulnerable

by Robert Jaques

09 Jan 2008

Many companies "incorrectly" deploying Citrix technology are leaving internal systems and sensitive data open to attack, a security testing firm warned today.

Global Secure Systems (GSS) acknowledged that the issues it claims to have discovered are not the fault of Citrix itself.

However, the company warned that poor installations can have "potentially devastating" security implications.

Too many companies install Citrix without comprehensive knowledge of the design and management of the environment, and do not sufficiently consider how to mitigate risk, according to GSS.

The security testing company claimed that its recent assessments of Citrix environments found that every deployment tested had been vulnerable to arbitrary code execution.

In addition, more than 80 per cent of deployments exposed commercially sensitive data, while many were found to breach the Data Protection Act.

"The fastest breach was carried out within 15 seconds of logging on to the service. Even in the most locked-down environment, five high-risk vulnerabilities were discovered," said GSS.

"These were the result of small errors made in configuration, but typically many more such errors are found, any of which could lead to the network being compromised."

Robin Hollington, director of consulting at GSS, said: "Imagine how your board would feel if they discovered that a junior clerk had subverted controls to gain access to board members' restricted network drives.

"They would have the freedom to browse through payroll, trading and research data, and the facility to export this and other sensitive information such as business plans and customer databases without being detected."

Hollington added that, although hardening guides are useful, simply working from these is not sufficient to secure Citrix/Windows environments, because even a single, small overlooked opening can be exploited to give high-risk access.

Do you agree?

 
