[THIN] Re: A Great Citrix Feature or a Massive Security Hole?

• From: "Timothy R. Mangan" <tmangan@xxxxxxxxxxxx>
• To: <thin@xxxxxxxxxxxxx>
• Date: Mon, 25 Jun 2007 12:51:57 -0400

This is why triCerat has a lockdown feature.  It allows you to specific
users and apps and prevent them from running anything else - no matter what
back door they find.

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Bernd Harzog
Sent: Sunday, June 24, 2007 7:34 AM
To: Thin List
Subject: [THIN] A Great Citrix Feature or a Massive Security Hole?

 

Folks,

 

I have not been posting much since I left RTO a couple of years ago. I am
now with ProactiveWatch, a vendor that makes a Managed Services platform
that allows VARs to monitor and manage applications, systems and networks at
their customer sites.

 

We are working on putting remote control integration into a forthcoming
version of the product, and the first thing we did was RDP. The interesting
case is the case of our Console installed on a Citrix Server at the customer
site. If the Admin is using the Console (published as a Citrix app), let's
say from home (just public Internet from home to the office), and then he
right-clicks and invokes and RDP session (this assumes an RDP file on the
Citrix Server with the correct parameters), the Citrix Presentation Server
turns around and publishes that Admin an RDP session. In other words, if you
have published application A, and you launch application B from within A,
Citrix goes ahead and just publishes B to you in your existing session. All
of this without any work on the back end to "enable" RDP as a Citrix
application.

 

Now this is tremendously convenient for an Admin because you can basically
right-click and have a desktop to any server you want to see without
actually have to publish MSTSC as an application. But if (and I am not sure
this is true), you are a user running published Word, and then go run a
script to launch Notepad, then you can write things to the file system that
will eventually turn the server over to you.

 

So, is this working the way it is supposed to, and if so, is this a good
thing or a really big security hole.

 

I look forward to comments from all of my old friends (Rick, Jim, are you
listening).

 

Cheers,

 

Bernd Harzog

Vice President and General Manager

ProactiveWatch

www.proactivewatch.com

bharzog@xxxxxxxxxxxxxxxxxx

770-475-4249

 

• References:
  • [THIN] A Great Citrix Feature or a Massive Security Hole?
    • From: Bernd Harzog

Other related posts:

• » [THIN] A Great Citrix Feature or a Massive Security Hole?
• » [THIN] A Great Citrix Feature or a Massive Security Hole?
• » [THIN] Re: A Great Citrix Feature or a Massive Security Hole?
• » [THIN] Re: A Great Citrix Feature or a Massive Security Hole?
• » [THIN] Re: A Great Citrix Feature or a Massive Security Hole?
• » [THIN] Re: A Great Citrix Feature or a Massive Security Hole?

1. Home
2. thin
3. Archive
4. 06-2007

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---