Citrix Virtual Apps and Desktops (VAD) 7.x STIG Version 1, Release 1 Checklist Details

Target:

Target CPE Name
Citrix StoreFront cpe:/a:citrix:storefront_server:-

Checklist Highlights

Checklist Name:
Citrix Virtual Apps and Desktops (VAD) 7.x STIG
Checklist ID:
991
Version:
Version 1, Release 1
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
01/28/2021

Checklist Summary:

The Citrix Virtual Apps and Desktops (VAD) 7.x Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with other STIGs such as the Enclave, Network Infrastructure, Microsoft IIS, SQL, Active Directory, and appropriate Windows Operating System STIGs.

The Citrix VAD 7.x STIG is composed of five subcomponent STIGs. The following is a brief description of each. All component STIGs must be applied to the Citrix VAD 7.x environment:

  • StoreFront – Installed on a Windows server in the data center, StoreFront gives users access to the virtual desktops and applications that they are authorized to use. Users log on to StoreFront through Citrix Receiver. StoreFront retrieves an Independent Computing Architecture (ICA) file containing the information required for a user to connect to the Virtual Delivery Agent (VDA) for access to an authorized virtual desktop or application.
  • Workspace App – Runs on a client endpoint to securely display the application or desktop running in the data center or cloud, including optimized multimedia.
  • License Server – Installed on a Windows server in the data center, this maintains the licenses for Citrix products through an administration interface to license services.
  • Delivery Controller – Installed on servers in the data center, the Delivery Controller authenticates users and administrators, manages the assembly of desktop users’ virtual desktop environments, and brokers connections between users and their virtual desktops and applications.
  • Windows Virtual Delivery Agent – VDAs are installed on the machines inside the data center that host virtual desktops and applications that are available to users. VDAs enable direct ICA connections between a user device and these virtual desktops and applications.
  • Linux Virtual Delivery Agent – VDAs are installed on the machines inside the data center that host virtual desktops and applications that are available to users. VDAs enable direct ICA connections between a user device and these virtual desktops and applications.

Checklist Role:

  • Application Server
  • Virtualization Server

Known Issues:

Not provided.

Target Audience:

Security guidance is provided for the Department of Defense. While other agencies and organizations are free to use it, care must be taken to ensure that all applicable security guidance is applied at both the device hardening level and the architectural level, because some of the settings may not be configurable in environments outside the DoD architecture.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01

Comments/Warnings/Miscellaneous:

Although the use of the principles and guidelines in these SRGs/STIGs provides an environment that contributes to the security requirements of DoD systems, applicable NIST SP 800-53 cybersecurity controls need to be applied to all systems and architectures based on the Committee on National Security Systems (CNSS) Instruction (CNSSI) 1253.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Change status to FINAL - 5/4/21
updated URLs - 1/26/2022

NIST checklist record last modified on 01/26/2022