[THIN] Re: A Great Citrix Feature or a Massive Security Hole?

  • From: "Jim Kenzig ThinHelp.com" <jkenzig@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 24 Jun 2007 12:10:56 -0400

That is why view source is the first menu item I disable via GPO : )  The
simple fix is to only allow Admins access to the MSTSC app via Security and
rename notepad to something else (or remove it completely if you don't need it).


I remember how we learned of this hole back in the WinFrame 1.7 days, over 10
years ago now, I guess. We were publishing Netscape on Wyse Winterms (one of
the first to do so) and we had an enterprising patron run up the Citrix
Admin console and start sending nasty messages to other library users via
the console.  When security tracked the offender down we learned how the
little 13-year-old punk did it (just as you describe below), and the quick
fix was to just delete Notepad. Through the years GPO and other options
have come along to fix it, but the hole remains glaring.

Bernd, I don't think it should be a problem, but maybe you could build a tick
box into the program to disable it if people do not want the functionality,
and also a notice to those that do enable it that they may need to
provide additional security precautions if they do.
We all know managing a Citrix/TS environment is mostly about security issues
after the task of just getting an app to work.

Jim


On 6/24/07, Dobry, Wes <Wes.Dobry@xxxxxxxx> wrote:

Citrix won't prevent you from running other applications that can be
launched from within an application etc.

You're still running a full desktop session.  Citrix just only "shows" you
the seamless application until you launch another application from within
that one.  This is why you should still practice proper user lockdowns to
non-administrative users.

You can also cause a session to break out of a seamless session...
(Hint...  Publish an IE page, right-click on page, view source, when
notepad opens goto file/open, right click on a folder that you create on
your desktop and click explore...)

-Wes


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx on behalf of Bernd Harzog
Sent: Sun 6/24/2007 7:33 AM
To: Thin List
Subject: [THIN] A Great Citrix Feature or a Massive Security Hole?

Folks,

I have not been posting much since I left RTO a couple of years ago. I am
now with ProactiveWatch, a vendor that makes a Managed Services platform
that allows VARs to monitor and manage applications, systems and networks at
their customer sites.

We are working on putting remote control integration into a forthcoming
version of the product, and the first thing we did was RDP. The interesting
case is the case of our Console installed on a Citrix Server at the customer
site. If the Admin is using the Console (published as a Citrix app), let's
say from home (just public Internet from home to the office), and then he
right-clicks and invokes an RDP session (this assumes an RDP file on the
Citrix Server with the correct parameters), the Citrix Presentation Server
turns around and publishes that Admin an RDP session. In other words, if you
have published application A, and you launch application B from within A,
Citrix goes ahead and just publishes B to you in your existing session. All
of this without any work on the back end to "enable" RDP as a Citrix
application.

Now this is tremendously convenient for an Admin because you can basically
right-click and have a desktop to any server you want to see without
actually having to publish MSTSC as an application. But if (and I am not sure
this is true) you are a user running published Word, and then go run a
script to launch Notepad, then you can write things to the file system that
will eventually turn the server over to you.

So, is this working the way it is supposed to, and if so, is this a good
thing or a really big security hole?

I look forward to comments from all of my old friends (Rick, Jim, are you
listening?).

Cheers,

Bernd Harzog

Vice President and General Manager

ProactiveWatch

www.proactivewatch.com

bharzog@xxxxxxxxxxxxxxxxxx

770-475-4249




--
Jim Kenzig
Microsoft MVP - Terminal Services
http://www.thinhelp.com
Citrix Technology Professional
Provision Networks VIP
CEO The Kenzig Group
http://www.kenzig.com
Blog: http://www.techblink.com
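The thread's mitigations (disable View Source by GPO, restrict MSTSC to Admins via NTFS security, rename or remove Notepad) can be checked from the server side. The following PowerShell audit script is an added example, not code from this thread or from any of the posters; it assumes the executables live under System32, that the IE "View Source" restriction is stored as the NoViewSource value under the Internet Explorer Restrictions policy key (an assumed path; check it against your GPO template), and that the built-in group names are the English-localized ones.

```powershell
# Added audit script (not from the thread): reports whether a Terminal Services /
# Citrix host has the lockdowns discussed above in place.
#   1. IE "View Source" disabled by policy (NoViewSource restriction, assumed path)
#   2. mstsc.exe not executable by non-admin principals (NTFS "Security" tab)
#   3. notepad.exe removed, renamed, or not executable by non-admin principals
# Run as a local administrator on the host.

# Assumption: English built-in group names; adjust for localized systems.
$nonAdminPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-ExecutableLockedDown {
    # Returns an object describing whether any non-admin principal holds an
    # Allow ACE that includes ExecuteFile on the given file.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Missing (deleted or renamed) counts as locked down, per the thread's "just delete Notepad".
        return [pscustomobject]@{ Path = $Path; Present = $false; NonAdminExecute = @(); LockedDown = $true }
    }

    $acl = Get-Acl -LiteralPath $Path
    $executeBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $offenders = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $canExecute = (([int]$ace.FileSystemRights) -band ([int]$executeBit)) -ne 0
        if ($canExecute -and ($nonAdminPrincipals -contains $identity)) { $identity }
    }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        NonAdminExecute = @($offenders)
        LockedDown      = (@($offenders).Count -eq 0)
    }
}

function Test-ViewSourceDisabled {
    # Assumed policy location for the "Disable View Source" restriction. User
    # policy lands in HKCU for the logged-on user, machine policy in HKLM, so
    # either hive counts.
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
        'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name NoViewSource -ErrorAction SilentlyContinue).NoViewSource
        if ($value -eq 1) { return $true }
    }
    return $false
}

function Get-BreakoutLockdownReport {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $executables = foreach ($exe in 'mstsc.exe', 'notepad.exe') {
        Test-ExecutableLockedDown -Path (Join-Path $system32 $exe)
    }
    $viewSourceDisabled = Test-ViewSourceDisabled
    $exeGaps = @($executables | Where-Object { -not $_.LockedDown })

    [pscustomobject]@{
        ViewSourceDisabled = $viewSourceDisabled
        Executables        = @($executables)
        AllLockedDown      = $viewSourceDisabled -and ($exeGaps.Count -eq 0)
    }
}

$report = Get-BreakoutLockdownReport
$report.Executables |
    Format-Table Path, Present, LockedDown, @{ n = 'NonAdminExecute'; e = { $_.NonAdminExecute -join ', ' } } -AutoSize
"View Source disabled by policy : $($report.ViewSourceDisabled)"
"All lockdowns in place         : $($report.AllLockedDown)"
```

On a stock server this reports both executables as not locked down, because BUILTIN\Users normally holds Read & Execute on everything in System32; that is exactly the gap Jim's NTFS-security change closes. Because HKCU reflects only the account running the script, run it under a representative locked-down user (or rely on the HKLM check) to see what a published-application user actually gets.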
