(Yes, I know it’s supposed to sign them in automatically. It doesn’t always. We’ve got tickets in. What does work every time is signing into Office when prompted.)
(Yes, I know it’s supposed to sign them in automatically. It doesn’t always. We’ve got tickets in. What does work every time is signing into Office when prompted.)
Why is the user allowed to install programs? That should be controlled by the administrator. Plus i don’t think citrix lets users install anything period. It’s been a few years since i used it but i seem to recall citrix images being immutable.
Users in general are too dumb to do the simplest things they are supposed to do even when you’re holding their hand while they are trying. But when it comes to doing things they aren’t supposed to do, and that are explicitly disabled, they will turn into geniuses and find a way.
That hasn’t been my experience in systems administration. If you set stuff up ptoperly the users can’t do anything you don’t want them to. If they do then they should get a job in penetration testing.
Yea, if a business let’s users install shit, it’s on them.
Though I get SMB’s have a challenging dance to do as they require more flexibility.
A lot of heavy lifting going on in those words…
Also, the malware which gets bundled with “free” versions of products usually doesn’t care if the install fails or succeeds, just that the user downloaded the package, unzipped it, and double-clicked on the ever-so-helpful “install.lnk”. Most of the current ransomware and infostealer malware doesn’t need local admin to do it’s damage. Plenty of Remote Access Toolkits (RATs) will run quite happily in user space. Users can edit their local RUN registry key and/or create scheduled tasks. And there are doubtless Privilege Escalation vulnerabilities sprinkled around the system like fairy dust when it gets to be time to dump the SAM hive or lsass memory space.
Yes, locking down local admin gets you a lot, in terms of security. It’s far from a trump card though. Lots and lots of damage can happen in user land.
The VDI images don’t have to be immutable, but they often are. In our case, we’re not exposing virtual desktops, just apps. But if they did have a mutable VDI, they still wouldn’t be allowed to install software.
The actual install isn’t really important for an attacker, just the user making the attempt. The payload will exists beside the software installer and will be launched by the user running some sort of “install” batch file or executable. It won’t install anything, it’ll dump files in places like %TEMP% and add something to the user’s RUN registry entry. It’s also why I mentioned a “laptop”. What the attacker is really after isn’t the Citrix server (that would be nice to pop, but it’s not necessary) it’s the user’s local system. That’s going to provide a beachhead on the network for the attacker to work out from. It will also provide a treasure trove of credentials the attacker can sell or use elsewhere to attack the environment (infostealers don’t need, or even ask for, local admin). Even just being able to sell access to one compromised laptop is a win for the attacker. Access brokers can sell that off to more advanced groups who will come back and try to move out from there.
But wait, we have MFA everywhere! Are you sure, are you really, really sure you don’t have a dev team somewhere who decided to hang something out on a poorly documented corner of the network and they disabled MFA on the device for a test, and then forgot to shutdown the test equipment? Because ya, I’ve worked incidents where exactly that happened.