Management best practices for security
Before configuring NetScaler for any type of service, we should always ensure that NetScaler is locked down in such a way that management access cannot be brute-forced, logins cannot be intercepted by man-in-the-middle attacks, and so on. So as a best practice we should:
Disable interfaces that are not used.
Do not enable any features that we do not use.
Define an SNMP manager we can send alerts to. Prefer SNMPv3, which allows for encrypted authentication and traffic.
Disable heartbeat monitoring on disabled interfaces in an HA setup.
Change the nsroot password.
Set up external authentication access to NetScaler, which allows AD group-based authentication to NetScaler and makes it easier to audit and control changes; it also restricts access. To set up this feature we can follow this Citrix article: http://support.citrix.com/article/CTX123782. It is important to make sure that this feature is bound at the global level and that the nsroot account is marked as non-external authentication access...
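As an added example (not part of the original text, and not a Citrix tool), the following bash script generates a NetScaler CLI batch file that applies the steps above and then audits a saved running-config dump (the output of `show ns runningConfig` redirected to a file) for the same points. The IP addresses, interface names, AD group name, object names such as HARDEN_GROUP and ldap_admins, the feature list and the `<PLACEHOLDER>` secrets are assumptions to replace with your own values; the running-config excerpt it audits is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the original text: build a NetScaler CLI batch file
# for the hardening steps above and audit a saved running config for them.
# All IPs, interface names, group/object names and <PLACEHOLDER> secrets are
# assumptions; replace them with your own values before use.
set -eu

# Emit NetScaler CLI commands for the steps above. Secrets stay as
# <PLACEHOLDERS> so the batch file never carries real passwords; fill them in
# at apply time (e.g. "batch -fileName /nsconfig/harden.txt" on the appliance).
gen_hardening_batch() {
  local snmp_manager="$1" ldap_server="$2" ldap_base="$3" admin_group="$4"
  shift 4
  local iface f
  # Interfaces not in use: stop HA heartbeat on them first, then disable them.
  for iface in "$@"; do
    printf 'set interface %s -haMonitor OFF\n' "$iface"
    printf 'disable interface %s\n' "$iface"
  done
  # Features that are not used (placeholder list; compare with "show ns feature").
  for f in CS CR SSLVPN AAA; do printf 'disable ns feature %s\n' "$f"; done
  # SNMPv3 manager: the authPriv group means authenticated and encrypted traffic.
  printf 'add snmp manager %s\n' "$snmp_manager"
  printf 'add snmp view HARDEN_VIEW 1 -type included\n'
  printf 'add snmp group HARDEN_GROUP authPriv -readViewName HARDEN_VIEW\n'
  printf 'add snmp user nsmon -group HARDEN_GROUP -authType SHA -authpasswd <SNMP_AUTH_PW> -privType AES -privpasswd <SNMP_PRIV_PW>\n'
  printf 'add snmp trap generic %s -version V3\n' "$snmp_manager"
  printf 'bind snmp trap generic %s -userName nsmon -securityLevel authPriv\n' "$snmp_manager"
  # nsroot: new password, and keep the account on local authentication only.
  printf 'set system user nsroot <NEW_NSROOT_PW> -externalAuth DISABLED\n'
  # LDAP-over-SSL authentication bound at the global level, with the AD admin
  # group mapped to the built-in superuser command policy.
  printf 'add authentication ldapAction ldap_admins -serverIP %s -serverPort 636 -secType SSL -ldapBase "%s" -ldapBindDn "<BIND_DN>" -ldapBindDnPassword <BIND_PW> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn\n' "$ldap_server" "$ldap_base"
  printf 'add authentication ldapPolicy ldap_admins_pol ns_true ldap_admins\n'
  printf 'bind system global ldap_admins_pol -priority 100\n'
  printf 'add system group "%s" -timeout 900\n' "$admin_group"
  printf 'bind system group "%s" -policyName superuser 100\n' "$admin_group"
}

# Audit a saved running config for the same points. Findings go to stderr,
# one per line; the number of findings is printed on stdout.
audit_running_config() {
  local cfg="$1" n=0
  finding() { echo "FINDING: $1" >&2; n=$((n + 1)); }
  grep -q '^add snmp manager ' "$cfg"      || finding 'no SNMP manager defined'
  grep -q '^bind system global ' "$cfg"    || finding 'no external authentication policy bound globally'
  grep -q '^set system user nsroot .*-externalAuth DISABLED' "$cfg" \
    || finding 'nsroot not restricted to local authentication'
  if grep -q '^add snmp community ' "$cfg"; then
    finding 'SNMPv1/v2c community string configured'
  fi
  if grep -Eq '^add snmp trap .*-version V[12]' "$cfg"; then
    finding 'SNMP trap destination not using SNMPv3'
  fi
  if grep -Eq '^add snmp group .*noAuthNoPriv' "$cfg"; then
    finding 'SNMP group allows unauthenticated, unencrypted access'
  fi
  echo "$n"
}

# Constructed sample running-config excerpt (not a real appliance dump).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
set ns config -IPAddress 10.0.0.2 -netmask 255.255.255.0
add snmp community public ALL
add snmp trap generic 10.0.0.50 -version V2
set system user nsroot -externalAuth DISABLED
EOF

# Demo: print the generated batch, then audit the sample config.
gen_hardening_batch 10.0.0.50 10.0.0.10 "dc=example,dc=local" "NS-Admins" 1/3 1/4
echo "findings in sample config: $(audit_running_config "$SAMPLE_CFG")"
```

The generator keeps secrets as placeholders on purpose: a batch file that sits in `/nsconfig` with a real nsroot or LDAP bind password in it defeats the point of the exercise. The audit is a string match on the saved config, so it is a quick sanity check after applying the batch, not a substitute for reviewing `show ns runningConfig` and `show snmp trap` on the appliance itself.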