StoreFront 1912

Secure your StoreFront deployment

This article highlights areas that may have an impact on system security when deploying and configuring StoreFront.

End user authentication

Normally end users must authenticate either to StoreFront directly, or to a Citrix Gateway in front of StoreFront. For more information on available authentication methods, see Authentication.

Communication with end-users

Citrix recommends securing communications between users’ devices and StoreFront using HTTPS. This ensures that passwords and other data sent between the client and StoreFront are encrypted. Furthermore, plain HTTP connections can be compromised by various attacks, such as man-in-the-middle attacks, particularly when connections are made from insecure locations such as public Wi-Fi hotspots. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.

Depending on your configuration, users may access StoreFront via a gateway or load balancer. You can terminate the HTTPS connection at the gateway or load balancer. However in this case Citrix still recommends that you secure connections between the gateway or load-balancer and StoreFront using HTTPS.

To enable HTTPS, disable HTTP and enable HSTS, see Securing StoreFront with HTTPS.

Communication with Delivery Controllers

Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Citrix Virtual Apps and Desktops delivery controllers. See For more information, see enable HTTPS on Delivery Controllers. To configure StoreFront to use HTTPS, see Add resource feeds for Citrix Virtual Apps and Desktops and Add Citrix Gateway appliance. In case the certificates are compromised, you can use Certificate Revocation List (CRL) checking. Alternatively you can configure Windows to secure communication between the servers using IPSec.

You can configure the delivery controller and StoreFront to ensure that only trusted StoreFront servers can communicate with the delivery controller, see Manage security keys.

Communication with Cloud Connectors

Citrix recommends using the HTTPS protocol to secure data passing between StoreFront and your Cloud Connectors. See HTTPS Configuration. To configure StoreFront, see Add resource feeds for Citrix Desktops as a Service and Add Citrix Gateway appliance. In case the certificates are compromised, you can use Certificate Revocation List (CRL) checking. Alternatively you can configure Windows to secure communication between the servers using IPSec.

You can configure the delivery controller and StoreFront 1912 CU2 or higher to ensure that only trusted StoreFront servers can communicate with the delivery controller, see Manage security keys.

TLS versions

For TLS support for each version of Windows, see Microsoft Learn. You can disable TLS 1.0 and 1.1 both as a server and a client using Group Policy or Windows registry settings, see Microsoft documentation. Older versions of Citrix Receiver do not support TLS 1.2, see CTX232266 for more details.

Remote access

Citrix does not recommend exposing your StoreFront server directly to the internet. Citrix recommends using a Citrix Gateway to provide authentication and access for remote users.

Microsoft Internet Information Services (IIS) hardening

You can configure StoreFront with a restricted IIS configuration. Note that this is not the default IIS configuration.

Filename extensions

You can use request filtering to configure a lists of allowed file extensions and disallow unlisted file name extensions. See IIS documentation.

StoreFront requires the following file name extensions:

  • . (blank extension)
  • .appcache
  • .aspx
  • .cr
  • .css
  • .dtd
  • .gif
  • .htm
  • .html
  • .ica
  • .ico
  • .jpg
  • .js
  • .png
  • .svg
  • .txt
  • .xml

If download or upgrade of Citrix Workspace app is enabled for a store website, StoreFront also requires these file name extensions:

  • .dmg
  • .exe

If Citrix Workspace app for HTML5 is enabled, StoreFront also requires these file name extensions:

  • .eot
  • .ttf
  • .woff
  • .wasm

Verbs

You can use request filtering to configure a list of allowed verbs and disallow unlisted verbs. See IIS documentation.

  • GET
  • POST
  • HEAD

Non-Ascii characters in URLs

If you ensure that the store name and website name only use ascii characters then StoreFront URLs do not contain ascii characters. You can use request filtering to disallow non-ascii characters. See IIS documentation.

MIME Types

You can remove OS shell MIME Types corresponding to the following file extensions:

  • .exe
  • .dll
  • .com
  • .bat
  • .csh

See IIS documentation.

Remove X-Powered-By Header

By default IIS reports that it is using ASP.NET by adding a X-Powered-By header with value ASP.NET. You can configure IIS to remove this header. See IIS Custom Headers documentation.

Remove Server header with IIS version

By default IIS reports the IIS version by adding a Server header. You can configure IIS to remove this header. See IIS request filtering documentation.

Move the StoreFront website to a separate partition

You can host the StoreFront web sites on a separate partition from the system files. Within IIS you must move the Default Web Site, or create a separate site, on the appropriate partition prior to creating your StoreFront deployment.

IIS features

For the list of IIS features installed and used by StoreFront, see System Requirements. You can remove other IIS features.

Although StoreFront does not use ISAPI filters directly, the feature is required by ASP.NET so cannot be uninstalled.

Handler Mappings

StoreFront requires the following Handler Mappings. You can remove other handler mappings.

  • ExtensionlessUrlHandler-Integrated-4.0
  • PageHandlerFactory-Integrated-4.0
  • StaticFile

See IIS Handlers Documentation.

ISAPI filters

StoreFront does not require any ISAPI filters. You can remove all ISAPI filters. However, ASP.NET requires the ISAPI Windows feature. See IIS ISAPI Filters documentation.

.NET Authorization Rules

By default IIS servers have the “.NET Authorization Rule” set to Allow All Users. By default, the web site used by StoreFront inherits this configuration.

If you remove or change the .NET Authorization rule at the server level then you must override the rules on the web site used by StoreFront to add an allow rule for “All Users” and remove any other rules.

Retail mode

You can enable Retail mode, see IIS documentation.

Application Pools

StoreFront creates the following application pools:

  • Citrix Configuration Api
  • Citrix Delivery Services Authentication
  • Citrix Delivery Services Resources
  • and Citrix Receiver for Web

Do not change the application pools used by each IIS application or the identity of each pool. If you are using multiple sites, it is not possible to configure each site to use separate application pools.

Under the Recycling settings, you can set the application pool idle time-out and Virtual Memory Limit. Note that when the “Citrix Receiver for Web” application pool recycles it causes users logged in through a web browser to be logged out, therefore it is set by default to recycle at 02:00 each day to minimize disruption. If you change any of the recycling settings this may result in users being logged off at other times of the day.

Default IIS landing page

You can delete files iisstart.htm, welcome.png from c:\inetpub\wwwroot.

Required settings

  • Do not change the IIS Authentication settings. StoreFront manages authentication and configures directories of the StoreFront site with the appropriate authentication settings.
  • For the StoreFront server under SSL Settings, do not select Client certificates: Require. StoreFront installation configures the appropriate pages of the StoreFront site with this setting.
  • StoreFront requires cookies for session state and other functionality. On certain directories, under Session State, Cookie Settings, Mode must be set to Use Cookies.
  • StoreFront requires .NET Trust Level to be set to Full Trust. Do not set the .NET trust level to any other value.

Services

StoreFront installation creates the following Windows services:

  • Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
  • Citrix Cluster Join (NT SERVICE\CitrixClusterService)
  • Citrix Peer Resolution (NT SERVICE\Citrix Peer Resolution Service)
  • Citrix Credential Wallet (NT SERVICE\CitrixCredentialWallet)
  • Citrix Subscriptions Store (NT SERVICE\CitrixSubscriptionsStore)
  • Citrix Default Domain Services (NT SERVICE\CitrixDefaultDomainService)

These accounts log on as Network Service. Do not change this configuration.

If you configure StoreFront Kerberos constrained delegation for XenApp 6.5, this in addition creates the Citrix StoreFront Protocol Transition service (NT SERVICE\CitrixStoreFrontProtocolTransition). This service runs as NT AUTHORITY\SYSTEM. Do not change this configuration.

User rights assignment

Modifying User Rights Assignment from the defaults may cause issues with StoreFront. In particular:

  • Microsoft IIS is enabled as part of StoreFront installation. Microsoft IIS grants the logon right Log on as a batch job, and the privilege Impersonate a client after authentication to the built-in group IIS_IUSRS. This is normal Microsoft IIS installation behavior. Do not change these user rights. Refer to Microsoft documentation for details.

  • When you install StoreFront, it creates Application Pools which IIS grants user rights Log on as a service, Adjust memory quotas for a process, Generate security audits, and Replace a process level token.

  • To create or change a deployment, the admin must have rights Restore files and directories.

  • For a server to join a server group, the Administrators group must have rights Restore files and directories, Access this computer from the network and Manage auditing and security log.

  • For users to log on with a username and password authentication (directly or via a gateway), they must have rights to “Allow log on locally”, unless you have configured StoreFront to validate passwords via the delivery controller.

This is not a comprehensive list and other user access rights may be required.

Configure group memberships

When you configure a StoreFront server group, the following services are added to the Administrators security group:

  • Citrix Configuration Replication (NT SERVICE\CitrixConfigurationReplication)
  • Citrix Cluster Join (NT SERVICE\CitrixClusterService). This service is only seen on servers which are part of a group, and only runs while the join is in progress.

These group memberships are required for StoreFront to operate correctly, to:

  • Create, export, import and delete certificates, and set access permissions on them
  • Read and write the Windows registry
  • Add and remove Microsoft .NET Framework assemblies in the Global Assembly Cache (GAC)
  • Access the folder Program Files\Citrix\<StoreFrontLocation>
  • Add, modify, and remove IIS app pool identities and IIS web applications
  • Add, modify, and remove local security groups and firewall rules
  • Add and remove Windows services and PowerShell snap-ins
  • Register Microsoft Windows Communication Framework (WCF) endpoints

In updates to StoreFront, this list of operations might change without notice.

StoreFront installation also creates the following local security groups:

  • CitrixClusterMembers
  • CitrixCWServiceReadUsers
  • CitrixCWServiceWriteUsers
  • CitrixDelegatedAuthenticatorUsers
  • CitrixDelegatedDirectoryClaimFactoryUsers
  • CitrixPNRSReplicators
  • CitrixPNRSUsers
  • CitrixStoreFrontAdministrators
  • CitrixSubscriptionServerUsers
  • CitrixSubscriptionsStoreServiceUsers
  • CitrixSubscriptionsSyncUsers

StoreFront maintains the membership of these security groups. They are used for access control within StoreFront, and are not applied to Windows resources such as files and folders. Do not modify these group memberships.

NTLM

StoreFront uses NTLM to authenticate between servers in a server group. If you disable NTLM then StoreFront is unable to synchronize data between StoreFront servers in a server group.

You can configure the server to only use NTLMv2 and reject NTLMv1, see Microsoft documentation.

Certificates in StoreFront

Server certificates

Server certificates are used for machine identification and Transport Layer Security (TLS) transport security in StoreFront. If you decide to enable ICA file signing, StoreFront can also use certificates to digitally sign ICA files.

For more information see Communication between end users and StoreFront and Ica file signing.

Token management certificates

Authentication services and stores each require certificates for token management. StoreFront generates a self-signed certificate when an authentication service or store is created. Self-signed certificates generated by StoreFront should not be used for any other purpose.

Citrix Delivery Services certificates

StoreFront holds a number of certificates in a custom Windows certificate store (Citrix Delivery Services). The Citrix Configuration Replication service, Citrix Credential Wallet service, and Citrix Subscriptions Store service use these certificates. Each StoreFront server in a cluster has a copy of these certificates. These services do not rely on TLS for secure communications, and these certificates are not used as TLS server certificates. These certificates are created when a StoreFront store is created or StoreFront is installed. Do not modify the contents of this Windows certificate store.

Code signing certificates

StoreFront includes a number of PowerShell scripts (.ps1) in the folder in <InstallDirectory>\Scripts. The default StoreFront installation does not use these scripts. They simplify the configuration steps for specific and infrequent tasks. These scripts are signed, allowing StoreFront to support PowerShell execution policy. We recommend the AllSigned policy. (The Restricted policy is not supported, as this prevents PowerShell scripts from executing.) StoreFront does not alter the PowerShell execution policy.

Although StoreFront does not install a code signing certificate in the Trusted Publishers store, Windows can automatically add the code signing certificate there. This happens when the PowerShell script is executed with the Always run option. (If you select the Never run option, the certificate is added to the Untrusted Certificates store, and StoreFront PowerShell scripts will not execute.) Once the code signing certificate has been added to the Trusted Publishers store, its expiration is no longer checked by Windows. You can remove this certificate from the Trusted Publishers store after the StoreFront tasks have been completed.

StoreFront security separation

If you deploy any web applications on your StoreFront server in the same web domain (domain name and port) as StoreFront, then any security risks in those web applications could potentially reduce the security of your StoreFront deployment. Where a greater degree of security separation is required, Citrix recommends that you deploy StoreFront in a separate web domain.

ICA downloads

ICA files contain the information to connect to VDAs and often to single sign onto them without further authentication. Therefore ensure that ICA files are protected. For hybrid launches, depending on configuration, ICA files may be downloaded to the user’s device. It is recommended that you disable ICA downloads. For more information, see Workspace app deployment.

ICA file signing

StoreFront provides the option to digitally sign ICA files using a specified certificate on the server so that versions of Citrix Workspace app that support this feature can verify that the file originates from a trusted source. ICA files can be signed using any hash algorithm supported by the operating system running on the StoreFront server, including SHA-1 and SHA-256. For more information, see Enable ICA file signing.

User change password

You can enable users logging on through a web browser with Active Directory domain credentials to change their passwords, either at any time or only when they have expired. However, this exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network. When you create the authentication service, the default configuration prevents users from changing their passwords, even if they have expired. For more information, see Enable users to change their passwords.

Customizations

To strengthen security, do not write customizations that load content or scripts from servers not under your control. Copy the content or script into the website custom folder where you are making the customizations. If StoreFront is configured for HTTPS connections, ensure that any links to custom content or scripts also use HTTPS.

Security Headers

When viewing a store website through a web browser, StoreFront returns the following security related headers that place restrictions on the web browser.

Header name Value Description
content-security-policy frame-ancestors 'none' This prevents other sites from embedding a StoreFront websites within a frame which avoids click-jacking attacks. StoreFront uses inline scripts and styles so it is not possible to use a content-security-policy that blocks these. StoreFront websites only display content configured by administrators and do not display any user-entered content, therefore there is no need to block inline scripts.
X-Content-Type-Options nosniff This avoid MIME type sniffing.
X-Frame-Options deny This prevents other sites from embedding StoreFront websites within a frame which avoids click-jacking attacks. It is obsoleted by content-security-policy to frame-ancestors 'none' but is understood by some older browsers that do not support content-security-policy
X-XSS-Protection 1; mode=block Used by some browsers to mitigate against XSS (cross-site-scripting) attacks

Cookies

StoreFront uses several cookies. Some of the cookies used in the operation of the website are as follows:

Cookie Description
ASP.NET_SessionId Tracks the user’s session including authentication status. Has HttpOnly set.
CtxsAuthId To prevent session fixation attacks, StoreFront in addition tracks whether the user is authenticated using this cookie. It has HttpOnly set.
CsrfToken Used to prevent cross-site request forgery via the standard Cookie-to-header token pattern. The server sets a token in the cookie. The client reads the token from the cookie and includes the token in the query string or a header in subsequent requests. This cookie is required to have HttpOnly not set so the client JavaScript can read it.
CtxsDeviceId Identifies the device. Has HttpOnly set.

StoreFront sets a number of other cookies to track user state, some of which need to be read by JavaScript so do not have HttpOnly set. These cookies do not contain any information relating to authentication or other confidential information.

If the client connects over HTTPS then it sets the secure attribute when creating or updating cookies.

Additional security information

Note:

This information may change at any time, without notice.

Your organization may want to perform security scans of StoreFront for regulatory reasons. The preceding configuration options can help to eliminate some findings in security scan reports.

If there is a gateway between the security scanner and StoreFront, particular findings may relate to the gateway rather than to StoreFront itself. Security scan reports usually do not distinguish these findings (for example, TLS configuration). Because of this, technical descriptions in security scan reports can be misleading.