This post is primarily related to a small oversight on Citrix ADC (formerly NetScaler), which continues to persist through more current 12.x firmwares.
By default, the nsroot account is set to allow external authentication. That is to say, if a global authentication policy, commonly LDAP(S), is bound to the NetScaler, when logging in via nsroot it will first check the external authentication source for a match before trying locally.
We commonly see external auth bound globally to follow good security practices of minimizing reliance on shared logins by employing LDAP(S) to manage user access via the organization’s directory service. The moment that policy is bound globally however, one can create an nsroot account in the directory and log into the appliance with that account. Now, the argument can be made that one with such elevated rights to create users could simply add themselves or another unauthorized user to the group the manages access to administer the appliance. Proper security permission on said group, proper RBAC controls, and auditing should mitigate that, which I won’t get into here. The point is minimizing potential vectors for exposure.
So whether or not you plan on enabling external authentication globally for administrative logins or not, I recommend as part of your routing security audits of your appliances and as part of baseline hardening when spinning up new appliances, to disable external authentication on the nsroot user account.
And while you’re at it, why not head over to the System > Configure Global System Settings Parameters section of the appliance and enable strong passwords for local users with an 8+ character minimum? This is necessary to meet various security compliance protocols, many of which are covered in our eBook.
And lastly, on the topic of securing nsroot, not only is it essential to change the default nsroot password when standing up your appliance but also changing the lights-out-management (LOM) port aka out-of-band (OOB) management port of the NetScaler if it is equipped with one (higher-end MPX and SDX appliances which use IPMI cards).
By default, the IPMI configuration much like the base ADC config uses nsroot \ nsroot as a login. From the shell of the appliance (both MPX and SDX) the following command should allow one to change the default nsroot password for the LOM port:
ipmitool user set password 2 <hit enter, you'll be prompted for new password twice, be sure to test login afterward>
Note: Password has to be 8 chars or more. It won’t error out if it isn’t but it won’t commit it otherwise. It also does not seem to like some special characters such as $ so watch out for that.
While you’re in there, you can configure the LOM networking with these commands:
ipmitool lan set 1 ipsrc static ipmitool lan set 1 ipaddr (LOM IP address) ipmitool lan set 1 netmask (netmask IP address) ipmitool lan set 1 defgw ipaddr (default gateway IP address)
On some SDX versions, these commands might need to be run first:
modprobe ipmi_devintf modprobe ipmi_msghandler modprobe ipmi_si