If you are talking about the setting that disables the redirection of network drives entirely, that is a policy in the CMC under client drives. If you are talking about specific drive letters, use DisableDrives= and then a comma-separated list of drives to disable.

-----Original Message-----
From: Pedigo Michael-G17060 [mailto:Michael.Pedigo@xxxxxxxxxxxx]
Sent: Tuesday, August 24, 2004 6:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?

Frank,

Can you please elaborate on this information....if the ability to restrict is already there...then great.....it just isn't documented well. I could really use this info. It would be better if it was GUI based....a lot easier to configure. I don't mind modifying files...just need to know what to do.

The point of security risk is in a highly sensitive data instance....if somebody is able to shadow a user's session and gain control....and had an idea of where to look, they could view data on another company's network....It is amazing what some security groups can think up as scenarios...huh. I do agree with them that it would be better if this was mitigated....it would put a lot of security people at ease and perhaps allow Citrix all the more penetration into data-sensitive applications.

I appreciate everyone's input on this.

Sincerely,
Mike Pedigo

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Frank Monroe
Sent: Saturday, August 21, 2004 12:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?

I don't see the security issue here. The drives that are mapped on the client desktop were mapped by some authenticated user. And any application running on that desktop can access those drives. The Citrix client is simply another desktop application. Why does it pose any more risk than any of the other applications that can also access those drives?

At any rate, as long as you are running at least FR2, you can disable the redirection of network drives. You can also turn off specific drive letters by using the DisableDrives option in the [ClientDrives] section of the MODULE.INI.

-----Original Message-----
From: Steve Greenberg [mailto:steveg@xxxxxxxxxxxxxx]
Sent: Saturday, August 21, 2004 12:33 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?

I think your point is valid in the sense that default configurations can potentially allow security risks. However, there are ways to limit and control access which are perfectly acceptable. However, the point about being able to allow/deny each individual drive is a really good one; this feature should be added to the policy section of the CMC, it makes perfect sense.

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Pedigo Michael-G17060
Sent: Friday, August 20, 2004 11:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] How widespread is the knowledge of this security loop-hole?

Hi All,

I was recently enlightened on what I consider a fairly major security loop-hole in Metaframe... Maybe the rest already know.... The wonderful feature of mapping your local hard drives.....you can also map the network drives of the client via hidden shares...this could be really bad...right???

I personally don't like security by obscurity. I raised the issue to Citrix....but they didn't say much. I suggested they modify the client and Management console to allow/deny each drive separately to tighten up this security risk.

Am I crazy or do you see where I am coming from? Perhaps you might want to let Citrix know too...
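
The DisableDrives setting described in the replies above, as an added example that is not part of the original thread and is not Citrix tooling: a Python check that reads a MODULE.INI, extracts the drive letters listed under [ClientDrives], and reports which letters a site wants blocked but are still open to redirection. The sample file content, the policy letters, and the tolerance for lower case or a trailing colon are assumptions.

```python
import re

# Constructed sample; key names other than DisableDrives are placeholders.
SAMPLE_MODULE_INI = """\
; constructed MODULE.INI fragment for illustration
[ClientDrives]
SomeOtherKey = value
DisableDrives = F, g:,H

[SomeOtherSection]
DisableDrives = Z
"""

def disabled_drives(ini_text):
    """Return the drive letters listed in [ClientDrives] DisableDrives."""
    section, letters = None, set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        # Only the [ClientDrives] section counts; same key elsewhere is ignored.
        if section != "clientdrives" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() != "disabledrives":
            continue
        for item in value.split(","):
            item = item.strip().rstrip(":").upper()  # assumed: "g:" means G
            if re.fullmatch(r"[A-Z]", item):
                letters.add(item)
            elif item:
                # A typo such as "FG" would silently leave drives redirected.
                raise ValueError(f"unrecognised drive entry: {item!r}")
    return letters

def unblocked(ini_text, must_block):
    """Letters the site wants blocked that DisableDrives does not cover."""
    return sorted({d.upper() for d in must_block} - disabled_drives(ini_text))

if __name__ == "__main__":
    # Hypothetical policy: the client's network drives are F: through I:.
    print("disabled:", sorted(disabled_drives(SAMPLE_MODULE_INI)))
    print("still redirected:", unblocked(SAMPLE_MODULE_INI, "FGHI"))
```
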