Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Security Framework of Citrix MetaFrame Password Manager Validated by Independent Experts

  • 11 August, 2004 15:38

<p>Sydney, Australia — 11 August, 2004 — Citrix Systems, Inc. (Nasdaq:CTXS), the global leader in access infrastructure solutions, today announced the results of an independent security assessment of Citrix® MetaFrame® Password Manager conducted by Foundstone Inc., recognised industry experts in strategic security. The results verify that MetaFrame Password Manager is well designed from a security perspective and conforms to best practices in the software industry. Strong encryption, buffer overflow prevention, appropriate use of operating system and registry permissions, and the presence of anti-tampering techniques are elements of a robust, multi-layered security framework built into the product.</p>
<p>Designed to work seamlessly with all products in the Citrix MetaFrame Access Suite, MetaFrame Password Manager provides password security and single sign-on access to a wide range of Windows®, Web and host-based applications running in Citrix and non-Citrix environments. Users authenticate once with a single password, and MetaFrame Password Manager does the rest by automatically logging into password-protected information systems, enforcing password policies, monitoring password-related events and even automating end-user tasks, including password changes. MetaFrame Password Manager makes connecting to secure applications faster and safer and can lower the costs of support for IT organisations by as much as 25 per cent.</p>
<p>Citrix commissioned the external security review to determine MetaFrame Password Manager’s exposure to a variety of threat conditions considered most likely avenues for a potential security breach. Foundstone’s assessment of MetaFrame Password Manager was performed as a “black box” review: Foundstone had access to the software and associated documents supplied with MetaFrame Password Manager but did not have access to additional information about the source code or architecture of the product. To assess how well passwords were protected from inappropriate exposure Foundstone established a test environment that allowed three product configurations, two operating system scenarios and two synchronisation deployments to be evaluated. After monitoring the installations of MetaFrame Password Manager in the test environment to gain intelligence about the product and its architecture, Foundstone conducted the following tests:</p>
<p>· Verifying that one user cannot view other users’ information;</p>
<p>· Assessing whether malicious administrators can access or change another user’s or administrator’s information;</p>
<p>· Determining if the application is susceptible to a brute force attack against the credential store;</p>
<p>· Verifying that sensitive data is encrypted whether at rest within the application or being transmitted between the central credential store and the MetaFrame Password Manager agent.</p>
<p>Foundstone concluded that a robust security framework was designed into MetaFrame Password Manager in the following ways:</p>
<p>· Strong encryption is used to protect sensitive information in the central credential store, limiting users’ and administrators’ access to sensitive information;</p>
<p>· Debugging tools cannot be used effectively to obtain additional information about the way the application processes data;</p>
<p>· Operating system and registry permissions restrict a user from writing to another user’s settings;</p>
<p>· Users must answer a secret question in order to change a password, protecting against an administrator changing a user’s password to gain access to the credential store;</p>
<p>· Only three attempts to guess authentication credentials are permitted, guarding against brute force attacks;</p>
<p>· Anti-data tampering techniques and checksums have been utilised to prevent alterations to user registry information, the central password store data and password synchronisation data;</p>
<p>· Secure coding practices or some form of consistent checksums appear to be in effect given that no buffer overflow conditions were identified in the application.</p>
<p>“Foundstone’s third-party validation of the security features built into Citrix MetaFrame Password Manager provides an important credential that instills even greater confidence in our customers,” said Rick Braddy, vice president of product management at Citrix. “The assessment further proves that our access infrastructure solutions are the safest, most secure way to remotely access applications and information anywhere, anytime, from any device and over any connection."</p>
<p>“Citrix MetaFrame Password Manager was well designed from a security perspective,” said Stephen L. Surdu, director of consulting, Foundstone, Inc. “Foundstone believes that the Citrix MetaFrame Password Manager product demonstrates a solid approach to security and conforms with best practices Foundstone has seen in the software industry.”</p>
<p>Through its award-winning security products and services, Foundstone gives business executives and IT professionals the peace of mind they demand, with proactive, asset-based security risk solutions that address the entire vulnerability management lifecycle from policy through compliance. Foundstone helps simplify security, direct resources where they’ll have the most impact, and fortify the enterprise with measurable returns.</p>
<p>About Citrix
Citrix Systems, Inc. (Nasdaq:CTXS) is the global leader in access infrastructure solutions and the most trusted name in secure access for enterprises and individuals. Nearly 50 million people in more than 120,000 organisations around the world use Citrix every day. Our software gives people secure and well-managed access to business information wherever it lives-on demand. Citrix customers include 100% of the Fortune 100 companies, 99% of the Fortune 500, and 92% of the Fortune Global 500. Based in Fort Lauderdale, Florida, Citrix has offices in 22 countries, and more than 7,000 channel and alliance partners in more than 100 countries. For more information visit</p>
<p>For Citrix Investors</p>
<p>This release contains forward-looking statements which are made pursuant to the safe harbor provisions of Section 21E of the Securities Exchange Act of 1934. The forward-looking statements in this release do not constitute guarantees of future performance. Those statements involve a number of factors that could cause actual results to differ materially, including risks associated with the company’s business involving the company’s products, their development and distribution, economic and competitive factors and the company’s key strategic relationships and other risks detailed in the company’s filings with the Securities and Exchange Commission. Citrix assumes no obligation to update any forward-looking information contained in this press release or with respect to the announcements described herein.</p>
<p>- # # # -</p>
<p>Citrix® and MetaFrame® are registered trademarks or trademarks of Citrix Systems, Inc. in the U.S. and other countries. Windows® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.</p>

Most Popular