[THIN] Re: A Great Citrix Feature or a Massive Security Hole?
- From: "Dobry, Wes" <Wes.Dobry@xxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Sun, 24 Jun 2007 11:06:44 -0400
Citrix won't prevent you from running other applications that can be launched
from within an application, etc.
You're still running a full desktop session. Citrix just "shows" you the
seamless application until you launch another application from within that one.
This is why you should still practice proper user lockdowns to
non-administrative users.
You can also cause a session to break out of a seamless session...
(Hint... Publish an IE page, right-click on the page, View Source, and when Notepad
opens go to File/Open, right-click on a folder that you created on your desktop
and click Explore...)
-Wes
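Added example, not part of Wes's or Bernd's posts and not Citrix's own tooling: a PowerShell function that flags processes a seamless published application has spawned inside its session, which is the situation both messages describe. It is run here over a constructed process table (the process names, PIDs and session numbers are made up); on a live host you would feed it Get-CimInstance Win32_Process, and it assumes only the ProcessId, ParentProcessId, SessionId and Name properties that class exposes.

```powershell
# Report processes descended from a published application, skipping an allowlist
# of children the application is expected to spawn (e.g. a print helper).
function Get-UnexpectedChildProcess {
    param(
        [Parameter(Mandatory)] [object[]] $Processes,    # objects with ProcessId, ParentProcessId, SessionId, Name
        [Parameter(Mandatory)] [string]   $PublishedApp, # image name of the published app, e.g. 'winword.exe'
        [string[]] $AllowedChildren = @()                # children the published app legitimately launches
    )
    $byId = @{}
    foreach ($p in $Processes) { $byId[[int]$p.ProcessId] = $p }

    $findings = foreach ($p in $Processes) {
        # Walk up the parent chain until we reach the published app (same session) or leave the table.
        $cur = $p; $descendant = $false; $depth = 0
        while ($cur -and $depth -lt 64) {
            $parent = $byId[[int]$cur.ParentProcessId]
            if (-not $parent -or $parent.ProcessId -eq $cur.ProcessId) { break }
            if ($parent.Name -ieq $PublishedApp -and $parent.SessionId -eq $p.SessionId) { $descendant = $true; break }
            $cur = $parent; $depth++
        }
        if ($descendant -and ($AllowedChildren -notcontains $p.Name)) {
            [pscustomobject]@{
                SessionId = $p.SessionId
                ProcessId = $p.ProcessId
                Name      = $p.Name
                Parent    = $byId[[int]$p.ParentProcessId].Name
            }
        }
    }
    $findings
}

# Constructed sample standing in for:
#   Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, SessionId, Name
# Session 3 runs a published Word; the user has launched cmd.exe and, from it, Notepad.
$sample = @(
    [pscustomobject]@{ ProcessId = 400; ParentProcessId = 1;   SessionId = 3; Name = 'wfshell.exe' },
    [pscustomobject]@{ ProcessId = 500; ParentProcessId = 400; SessionId = 3; Name = 'winword.exe' },
    [pscustomobject]@{ ProcessId = 510; ParentProcessId = 500; SessionId = 3; Name = 'splwow64.exe' },
    [pscustomobject]@{ ProcessId = 520; ParentProcessId = 500; SessionId = 3; Name = 'cmd.exe' },
    [pscustomobject]@{ ProcessId = 530; ParentProcessId = 520; SessionId = 3; Name = 'notepad.exe' },
    [pscustomobject]@{ ProcessId = 600; ParentProcessId = 1;   SessionId = 0; Name = 'cmd.exe' }
)

# Expected: cmd.exe (parent winword.exe) and notepad.exe (parent cmd.exe) in session 3;
# splwow64.exe is allowlisted and the session-0 cmd.exe is not a descendant.
Get-UnexpectedChildProcess -Processes $sample -PublishedApp 'winword.exe' -AllowedChildren 'splwow64.exe' |
    Format-Table -AutoSize
```

On a live server the same call with `-Processes (Get-CimInstance Win32_Process)` gives a per-session view of what users are actually launching from inside a seamless app, which is a useful check on how well the lockdown is holding.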
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx on behalf of Bernd Harzog
Sent: Sun 6/24/2007 7:33 AM
To: Thin List
Subject: [THIN] A Great Citrix Feature or a Massive Security Hole?
Folks,
I have not been posting much since I left RTO a couple of years ago. I am now
with ProactiveWatch, a vendor that makes a Managed Services platform that
allows VARs to monitor and manage applications, systems and networks at their
customer sites.
We are working on putting remote control integration into a forthcoming version
of the product, and the first thing we did was RDP. The interesting case is the
case of our Console installed on a Citrix Server at the customer site. If the
Admin is using the Console (published as a Citrix app), let's say from home
(just public Internet from home to the office), and then he right-clicks and
invokes an RDP session (this assumes an RDP file on the Citrix Server with the
correct parameters), the Citrix Presentation Server turns around and publishes
that Admin an RDP session. In other words, if you have published application A,
and you launch application B from within A, Citrix goes ahead and just
publishes B to you in your existing session. All of this without any work on
the back end to "enable" RDP as a Citrix application.
Now this is tremendously convenient for an Admin because you can basically
right-click and have a desktop to any server you want to see without actually
having to publish MSTSC as an application. But if (and I am not sure this is
true) you are a user running published Word, and then go run a script to
launch Notepad, then you can write things to the file system that will
eventually turn the server over to you.
So, is this working the way it is supposed to, and if so, is this a good thing
or a really big security hole?
I look forward to comments from all of my old friends (Rick, Jim, are you
listening?).
Cheers,
Bernd Harzog
Vice President and General Manager
ProactiveWatch
www.proactivewatch.com
bharzog@xxxxxxxxxxxxxxxxxx
770-475-4249
- Follow-Ups:
- [THIN] Re: A Great Citrix Feature or a Massive Security Hole?
- From: Jim Kenzig ThinHelp.com
- References:
- [THIN] A Great Citrix Feature or a Massive Security Hole?
- From: Bernd Harzog