Management best practices for security
Before configuring NetScaler for any type of service, we should always ensure that NetScaler is locked down in a way that management access cannot be brute-forced, that logging is not open to MitM attacks, and so on. As a best practice, we should:
- Disable interfaces that are not used.
- Do not start any features that we do not use.
- Define an SNMP manager we can send alerts to. Prefer using SNMPv3, which allows for encrypted authentication and traffic.
- Disable heartbeat monitoring on disabled interfaces in HA setup.
- Change the nsroot password.
- Set up external authentication access to NetScaler, which allows for AD group authentication to NetScaler and makes it easier to audit and control changes; it also restricts access. To set up this feature, we can follow this Citrix article: http://support.citrix.com/article/CTX123782. It is important to make sure that this feature is bound at the global level and that the nsroot account is marked as non-external authentication access...
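
As an added example (not from the original text or from Citrix), the following Python check runs a configuration listing against four items of the checklist above: the nsroot external-authentication setting, the global binding of the authentication policy, the SNMP manager, and HA monitoring on disabled interfaces. The sample lines are constructed in NetScaler CLI form, and treating `-externalAuth DISABLED` and `-haMonitor OFF` as the settings behind the nsroot and heartbeat-monitoring items is an assumption.

```python
import re

# Constructed sample in NetScaler CLI form; not taken from a real appliance.
SAMPLE_CONFIG = """\
set system user nsroot REDACTED -encrypted -externalAuth DISABLED
add authentication ldapAction ldap_ad -serverIP 192.0.2.10
add authentication ldapPolicy ldap_pol ns_true ldap_ad
bind system global ldap_pol -priority 100
add snmp manager 192.0.2.20
disable interface 1/3
disable interface 1/4
set interface 1/3 -haMonitor OFF
"""

def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # nsroot should be marked as non-external authentication (assumed option).
    nsroot = [ln for ln in lines if re.match(r"set system user nsroot\b", ln)]
    if not any(re.search(r"-externalAuth\s+DISABLED\b", ln) for ln in nsroot):
        findings.append("nsroot: external authentication not disabled")

    # An authentication policy has to exist and be bound at the global level.
    policies = {m.group(1) for ln in lines
                if (m := re.match(r"add authentication \w*[Pp]olicy (\S+)", ln))}
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"bind system global (\S+)", ln))}
    if not policies & bound:
        findings.append("no authentication policy bound to system global")

    # At least one SNMP manager should be defined to receive alerts.
    if not any(ln.startswith("add snmp manager ") for ln in lines):
        findings.append("no SNMP manager defined")

    # Every disabled interface should also have HA monitoring switched off
    # (-haMonitor is the option assumed here for the checklist item).
    disabled = {m.group(1) for ln in lines
                if (m := re.match(r"disable interface (\S+)", ln))}
    ha_off = {m.group(1) for ln in lines
              if (m := re.match(r"set interface (\S+) .*-haMonitor\s+OFF\b", ln))}
    for ifc in sorted(disabled - ha_off):
        findings.append(f"interface {ifc}: disabled but HA monitoring still on")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "all checks passed")
```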