[THIN] Re: Citrix security question

  • From: Durf <stygmata@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sat, 12 Feb 2005 08:03:26 -0500

It is also possible / desirable to harden more than just file
permissions, as well -- there are Registry permissions and user rights
to look at.

I am by no means an expert in this, but I know it is possible to use
the Security Configuration and Analysis tool (secedit) to apply a
higher-level security template to the operating system, which will
tighten down a number of options -- some of which to the point where
older applications may refuse to run, keep in mind.

I don't have any good pointers on using this with a terminal server,
unfortunately.  I myself attended a SANS class on the 'Windows 2000
Gold Standard' for security, which is well worth it if you get an
opportunity.  You bring your own box and walk through the process of
applying the various templates to the machine and observe the effects.
Very recommended.

It would be great if somebody could cook up an .inf template for the
SecEdit tool that incorporated all of the various registry and
permissions settings recommended by various folks...


On Fri, 11 Feb 2005 19:22:33 -0500, Walter, Chris
<christopher.walter@xxxxxxx> wrote:
> Users don't need anything more than "read" to your entire server with the
> exception of your Documents and Settings and Temp directories.  Although I
> have had applications where I have had to set one file to modify.  If you
> have Windows 2003 you should try installing it just to compare the security,
> they did a much better job with the "Out of the box" security.  They
> actually restricted access to directories within the Windows directory to
> the point where users don't have any access.
> 
> Chris
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
> Of Henry Sieff
> Sent: Friday, February 11, 2005 12:52 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Citrix security question
> 
> What about not?
> 
> Users should never need modify on program files. They need to read - the
> only modifications (barring poorly written apps which store temp data in
> their program dir) should be by an admin installing.
> 
> Ditto for Winnt\system32.
> 
> Track down the NSF guide on hardening Win2k, or Ms's own guidelines,
> then get ntfilemon from sysinternals to troubleshoot the things which
> don't work.
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Benway
> > Sent: Friday, February 11, 2005 9:30 AM
> > To: 'thin@xxxxxxxxxxxxx'
> > Subject: [THIN] Re: Citrix security question
> >
> > Ok I checked out
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;327522
> > But it doesn't really comment on the program files folder
> > only the root.
> >
> > What about leaving the terminal server user group with modify
> > on the program files folder?
> >
> > jb
> >
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Benway
> > Sent: Friday, February 11, 2005 9:01 AM
> > To: 'thin@xxxxxxxxxxxxx'
> > Subject: [THIN] Citrix security question
> >
> > I just installed Citrix XP onto a Windows 2000 SP4 server.
> > I was looking at the ntfs file permissions and realized that
> > the everyone group has full access to all the folders at the
> > root. And the terminal server users has modify access to the
> > program files folder.
> >
> > That just doesn't seem right. It seems like they could
> > delete/overwrite any files they wanted or install any program
> > that doesn't write to the registry.
> >
> > I've never looked at a fresh install before, I always assumed
> > that since all my users are standard users, not power users
> > or local admins, I'd be ok, but looking it this I'm not so sure.
> >
> > Do any of you change the default security settings?
> >
> > Thanks, jb
> > ********************************************************
> > This Weeks Sponsor: ThinPrint, GmbH
> > Now available: .print Remote Desktop Printing Engine for
> > Microsoft Terminal Services
> > http://www.thinprint.com/dotprint/index.php?s=682&lc=1
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ThinWiki community - Excellent SBC Search Capabilities!
> > http://www.thinwiki.com
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or
> > Vacation mode use the below link:
> > http://thin.net/citrixlist.cfm
> > ********************************************************
> >
> 


-- 
--------------
Give a man a match, and he'll be warm for a minute.
But set a man on fire, and he'll be warm for the rest of his life.
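As an added example (not code from anyone in this thread), the following PowerShell audit checks for the exact condition Jason describes: broad groups (Everyone, Users, Terminal Server/Remote Desktop Users) holding write, delete or full control on the drive root, Program Files and system32, so that findings can be reviewed before permissions are tightened. It assumes a current Windows server with PowerShell, default folder locations, and that it is run as an administrator; the group-name list is an assumption to adjust for your environment.

```powershell
# Added example, not from the thread. Reports ACEs on program directories that
# grant broad groups more than read access. Assumptions: default paths,
# administrator context, and the principal list below matches your naming.
Add-Type -AssemblyName System.Security   # no-op on most hosts; ensures the types load

$Targets = @(
    ($env:SystemDrive + '\'),
    $env:ProgramFiles,
    (Join-Path $env:SystemRoot 'system32')
)
# Principals that, per the thread, should have read-only on program directories.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'Authenticated Users',
                     'Remote Desktop Users', 'Terminal Server User', 'INTERACTIVE')

# Any of these rights lets a user alter, replace or re-ACL program files.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Get-OverlyPermissiveAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $isBroad = $BroadPrincipals | Where-Object { $who -like "*$_*" }
        if (-not $isBroad) { continue }
        # Generic rights show up as large/negative values; the int mask still works.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($t in $Targets) {
    Get-OverlyPermissiveAce -Path $t
    # One level down catches per-application folders someone "had to set to modify".
    Get-ChildItem -LiteralPath $t -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Get-OverlyPermissiveAce -Path $_.FullName }
}
$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

Entries where Inherited is False are explicit grants worth explaining before they are removed; the inherited ones usually trace back to a single ACE on the parent folder.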