[THIN] Re: How widespread is the knowledge of this security l oop-hole?
- From: Pedigo Michael-G17060 <Michael.Pedigo@xxxxxxxxxxxx>
- To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
- Date: Tue, 24 Aug 2004 17:03:17 -0500
Frank,
Can you please elaborate on this information....if the ability to restrict is
already there...then great.....it just isn't documented well. I could really
use this info. It would be better if it was GUI based....a lot easier to
configure. I don't mind modifying files...just need to know what to do.
The point of security risk is in a highly sensitive data instance....if
somebody is able to shadow a users session and gain control....and had an idea
of where to look, they could view data on another companies network....It is
amazing what some security groups can think up as scenarios...huh. I do agree
with them that it would be better if this was mitigated....it would put a lot
of security people at ease and perhaps allow Citrix all the more penetration
into Data sensitive applications.
I appreciate everyone's input on this.
Sincerely,
Mike Pedigo
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
Frank Monroe
Sent: Saturday, August 21, 2004 12:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security l oop-hole?
I don't see the security issue here. The drives that are mapped on the client
desktop were mapped by some authenticated user. And any application running on
that desktop can access those drives. The Citrix client is simply another
desktop application. Why does it pose any more risk than any of the other
applications that can also access those drives?
At any rate, as long as you are running at least FR2, you can disable the
redirection of network drives. You can also turn off specific drive letters by
using the DisableDrives option in the [ClientDrives] section of the MODULE.INI.
-----Original Message-----
From: Steve Greenberg [mailto:steveg@xxxxxxxxxxxxxx]
Sent: Saturday, August 21, 2004 12:33 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?
I think your point is valid in the sense that default configurations can
potentially allow security risks. However, there are ways to limit and control
access which are perfectly acceptable. However, the point about being able to
allow/deny each individual drive is a really good one, this feature should be
added to the policy section of the CMC, it makes perfect sense.
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of
Pedigo Michael-G17060
Sent: Friday, August 20, 2004 11:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] How widespread is the knowledge of this security loop-hole?
Hi All,
I was recently enlightened on what I consider a fairly major security loop-hole
in Metaframe...
Maybe the rest already know....
The wonderful feature of mapping your local hard drives.....you can also map
the network drives of the client via hidden shares...this could be really
bad...right???
I personally don't like security by obscurity.
I raised the issue to Citrix....but they didn't say much.
I suggested they modify the client and Management console to allow to
allow/deny each drive separately to tighten up this security risk.
Am I crazy or do you see where I am coming from?
Perhaps you might want to let Citrix know too...
Other related posts:
