Setting Up System Security

Citrix Systems and most Web professionals recommend that you either disassociate your Web site from your production system or rigorously restrict external access to your system. Any system accessible over the Internet is by definition a security risk. Because you don’t want to permit unauthorized access to your production site through the Web, unless you have very robust security and plan to use this with an intranet, you should keep your Web server on a separate network loop outside your firewall. Citrix strongly recommends that you read the security information that comes with your software to assist you in formulating a security plan for your installation.

Place Web servers outside the firewall.

In addition to the standard Windows NT and WinFrame security features, access to the WinFrame server can be restricted in several ways:

• WinFrame supports Internet firewalls that can be used to restrict Internet access to the WinFrame server.
  
  
• You can require that a username and a password be entered before a user can execute an application (explicit user access only).
  
  
• You can restrict an application to specific users or groups of users via the Application Configuration utility.
  
  
• You can use the AUDITLOG utility to generate reports of logon and logoff activity for a WinFrame server based on the security event log. To use AUDITLOG, logon/logoff accounting must be enabled.
  
  
• For added security, you can use the Restricted Application List (APPSEC) utility to restrict user program access to a list of authorized applications.
  
  
• The ACLCHECK utility examines the security ACLs associated with your hard disk directories and reports on any potential security exposures.
  
  
• The Application Execution Shell (APP) lets you write execution scripts that you can use to set up an application before executing it and to perform cleanup after the application terminates.
  
  
• The C2 Security Manager helps you configure the level of system security you want.