[THIN] Re: Citrix security question

  • From: "Henry Sieff" <hsieff@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 11 Feb 2005 11:52:24 -0600

What about not?

Users should never need modify on program files. They need to read - the
only modifications (barring poorly written apps which store temp data in
their program dir) should be by an admin installing.

Ditto for Winnt\system32.

Track down the NSF guide on hardening Win2k, or MS's own guidelines,
then get ntfilemon from sysinternals to troubleshoot the things which
don't work. 

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Benway
> Sent: Friday, February 11, 2005 9:30 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: Citrix security question
> 
> Ok I checked out
> http://support.microsoft.com/default.aspx?scid=kb;en-us;327522
> But it doesn't really comment on the program files folder 
> only the root.
> 
> What about leaving the terminal server user group with modify 
> on the program files folder?
> 
> jb 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Benway
> Sent: Friday, February 11, 2005 9:01 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Citrix security question
> 
> I just installed Citrix XP onto a Windows 2000 SP4 server.
> I was looking at the ntfs file permissions and realized that 
> the everyone group has full access to all the folders at the 
> root. And the terminal server users has modify access to the 
> program files folder.
> 
> That just doesn't seem right. It seems like they could 
> delete/overwrite any files they wanted or install any program 
> that doesn't write to the registry.
> 
> I've never looked at a fresh install before, I always assumed 
> that since all my users are standard users, not power users 
> or local admins, I'd be ok, but looking at this I'm not so sure.
> 
> Do any of you change the default security settings?
> 
> Thanks,jb
> ********************************************************
> This Weeks Sponsor: ThinPrint, GmbH
> Now available: .print Remote Desktop Printing Engine for 
> Microsoft Terminal Services
> http://www.thinprint.com/dotprint/index.php?s=682&lc=1
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
> 
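An added example, not part of the original thread: one way to audit for the condition discussed above, where broad non-administrative groups hold write or modify rights on Program Files and system32. It assumes a Windows host with PowerShell 3.0 or later, which postdates the Windows 2000 server in the thread; the function name `Get-NonAdminWriteAce` and the list of SIDs to flag are choices made for this example.

```powershell
# Added example. Well-known SIDs for the broad, non-admin principals to flag
# (SIDs rather than names, so the check also works on localized systems).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-13'     = 'Terminal Server User'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Specific rights that allow creating, changing or deleting content, or re-ACLing it.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inherit-only ACEs.
$GenericBits = 0x50000000

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($item in $Path) {
        # Check the folder itself and its immediate subfolders (typically one per installed app).
        $dirs = @($item) + @(Get-ChildItem -LiteralPath $item -Directory -Force -ErrorAction SilentlyContinue |
                             ForEach-Object { $_.FullName })
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # unresolvable account: not one of the well-known groups
                if (-not $BroadSids.ContainsKey($sid)) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $WriteBits) -or ($rights -band $GenericBits)) {
                    [pscustomobject]@{
                        Path      = $dir
                        Principal = $BroadSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Folders named in the thread: Program Files and %SystemRoot%\system32.
Get-NonAdminWriteAce -Path $env:ProgramFiles, (Join-Path $env:SystemRoot 'System32') |
    Sort-Object Path, Principal | Format-Table -AutoSize
```

An empty result means none of the listed groups can write to the scanned folders. Rows with `Inherited` set to `False` mark the folder where the permissive entry was actually set, which is the place to correct it.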