This is why triCerat has a lockdown feature. It allows you to specific users and apps and prevent them from running anything else - no matter what back door they find. From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Bernd Harzog Sent: Sunday, June 24, 2007 7:34 AM To: Thin List Subject: [THIN] A Great Citrix Feature or a Massive Security Hole? Folks, I have not been posting much since I left RTO a couple of years ago. I am now with ProactiveWatch, a vendor that makes a Managed Services platform that allows VARs to monitor and manage applications, systems and networks at their customer sites. We are working on putting remote control integration into a forthcoming version of the product, and the first thing we did was RDP. The interesting case is the case of our Console installed on a Citrix Server at the customer site. If the Admin is using the Console (published as a Citrix app), let's say from home (just public Internet from home to the office), and then he right-clicks and invokes and RDP session (this assumes an RDP file on the Citrix Server with the correct parameters), the Citrix Presentation Server turns around and publishes that Admin an RDP session. In other words, if you have published application A, and you launch application B from within A, Citrix goes ahead and just publishes B to you in your existing session. All of this without any work on the back end to "enable" RDP as a Citrix application. Now this is tremendously convenient for an Admin because you can basically right-click and have a desktop to any server you want to see without actually have to publish MSTSC as an application. But if (and I am not sure this is true), you are a user running published Word, and then go run a script to launch Notepad, then you can write things to the file system that will eventually turn the server over to you. So, is this working the way it is supposed to, and if so, is this a good thing or a really big security hole. I look forward to comments from all of my old friends (Rick, Jim, are you listening). Cheers, Bernd Harzog Vice President and General Manager ProactiveWatch www.proactivewatch.com bharzog@xxxxxxxxxxxxxxxxxx 770-475-4249