That is why view source is the first menu item I disable via GPO : ) The simple fix is to only allow Admins access to the MSTSC app via Security and rename notepad to something else (or remove completely if you don't need it) I remember how we learned of this hole back in the Winframe 1.7 days over 10 years ago now I guess.. we were publishing Netscape on Wyse Winterms (one of the first to do so) and we had an enterprising patron run up the Citrix Admin console and start messaging nasty messages to other library users via the console. When security tracked the offender down we learned how the little 13 year old punk did it (just as you describe below) and the quick fix was to just delete Notepad and through the years GPO and other options have come along to fix but the hole remains glaring. Bernd I don't think it should be a problem but maybe you could build a tick box into the program to disable it if people do not want the functionality. And also a notice to those that that do enable it that they may need to provide additional security precautions if they do. We all know managing a Citrix/TS environment is mostly about security issues after the task of just getting an app to work. Jim On 6/24/07, Dobry, Wes <Wes.Dobry@xxxxxxxx> wrote:
Citrix won't prevent you from running other applications that can be launched from within an application etc. You're still running a full desktop session. Citrix just only "shows" you the seamless application until you launch another application from within that one. This is why you should still practice proper user lockdowns to non-administrative users. You can also cause a session to break out of a seamless session... (Hint... Publish an IE page, right-click on page, view source, when notepad opens goto file/open, right click on a folder that you create on your desktop and click explore...) -Wes -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx on behalf of Bernd Harzog Sent: Sun 6/24/2007 7:33 AM To: Thin List Subject: [THIN] A Great Citrix Feature or a Massive Security Hole? Folks, I have not been posting much since I left RTO a couple of years ago. I am now with ProactiveWatch, a vendor that makes a Managed Services platform that allows VARs to monitor and manage applications, systems and networks at their customer sites. We are working on putting remote control integration into a forthcoming version of the product, and the first thing we did was RDP. The interesting case is the case of our Console installed on a Citrix Server at the customer site. If the Admin is using the Console (published as a Citrix app), let's say from home (just public Internet from home to the office), and then he right-clicks and invokes and RDP session (this assumes an RDP file on the Citrix Server with the correct parameters), the Citrix Presentation Server turns around and publishes that Admin an RDP session. In other words, if you have published application A, and you launch application B from within A, Citrix goes ahead and just publishes B to you in your existing session. All of this without any work on the back end to "enable" RDP as a Citrix application. Now this is tremendously convenient for an Admin because you can basically right-click and have a desktop to any server you want to see without actually have to publish MSTSC as an application. But if (and I am not sure this is true), you are a user running published Word, and then go run a script to launch Notepad, then you can write things to the file system that will eventually turn the server over to you. So, is this working the way it is supposed to, and if so, is this a good thing or a really big security hole. I look forward to comments from all of my old friends (Rick, Jim, are you listening). Cheers, Bernd Harzog Vice President and General Manager ProactiveWatch www.proactivewatch.com bharzog@xxxxxxxxxxxxxxxxxx 770-475-4249 This e-mail message and any attached files are confidential and are intended solely for the use of the addressee(s) named above. If you are not the intended recipient, any review, use, or distribution of this e-mail message and any attached files is strictly prohibited. This communication may contain material protected by Federal privacy regulations, attorney-client work product, or other privileges. If you have received this confidential communication in error, please notify the sender immediately by reply e-mail message and permanently delete the original message. To reply to our email administrator directly, send an email to: postmaster@xxxxxxxxxxxxxxxxxxx . If this e-mail message concerns a contract matter, be advised that no employee or agent is authorized to conclude any binding agreement on behalf of Orlando Regional Healthcare by e-mail without express written confirmation by an officer of the corporation. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Orlando Regional Healthcare.
-- Jim Kenzig Microsoft MVP - Terminal Services http://www.thinhelp.com Citrix Technology Professional Provision Networks VIP CEO The Kenzig Group http://www.kenzig.com Blog: http://www.techblink.com