STIGQter: STIG Summary: Citrix Virtual Apps and Desktop 7.x Windows Virtual Delivery Agent Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Jan 2021:

Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.

DISA Rule

SV-234253r628798_rule

Vulnerability Number

V-234253

Group Title

SRG-APP-000014

Rule Version

CVAD-VD-000030

Severity

CAT I

CCI(s)

• CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
• CCI-001184 - The information system protects the authenticity of communications sessions.
• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
• CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
• CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
• CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
• CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
• CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.

Weight

10

Fix Recommendation

Implement a DoD-approved VPN or gateway/proxy that will authenticate user access and tunnel/proxy traffic to the Windows VDA. Ensure the VPN or gateway/proxy is configured to authenticate the user before accessing the environment, and meets the DoD encryption requirements, such as FIPS 140-2, for the environment.

Check Contents

A DoD approved VPN, or gateway/proxy, must be leveraged to access the Windows VDA from a remote network. This VPN, or gateway, must handle user authentication and tunneling of Citrix traffic. The VPN, or gateway, must meet the DoD encryption requirements, such as FIPS 140-2, for the environment.

If no VPN, or gateway/proxy, is used for remote access to the VDA, this is a finding.
If the VPN, or gateway/proxy, does not authenticate the remote user before providing access to the VDA, this is a finding.
If the VPN, or gateway/proxy, fails to meet the DoD encryption requirements for the environment, this is a finding.

Vulnerability Number

V-234253

Documentable

False

Rule Version

CVAD-VD-000030

Severity Override Guidance

A DoD approved VPN, or gateway/proxy, must be leveraged to access the Windows VDA from a remote network. This VPN, or gateway, must handle user authentication and tunneling of Citrix traffic. The VPN, or gateway, must meet the DoD encryption requirements, such as FIPS 140-2, for the environment.

If no VPN, or gateway/proxy, is used for remote access to the VDA, this is a finding.
If the VPN, or gateway/proxy, does not authenticate the remote user before providing access to the VDA, this is a finding.
If the VPN, or gateway/proxy, fails to meet the DoD encryption requirements for the environment, this is a finding.

Check Content Reference

M

Target Key

5265

Comments