[THIN] Re: How widespread is the knowledge of this security loop-hole?

  • From: Frank Monroe <Frank.Monroe@xxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 24 Aug 2004 18:04:33 -0500

If you are talking about the setting that disables the redirection of
network drives entirely, that is a policy in the CMC under client drives.
If you are talking about specific drive letters, use DisableDrives= and then
a comma separated list of drives to disable.

-----Original Message-----
From: Pedigo Michael-G17060 [mailto:Michael.Pedigo@xxxxxxxxxxxx] 
Sent: Tuesday, August 24, 2004 6:03 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?


Frank,
 
Can you please elaborate on this information....if the ability to restrict
is already there...then great.....it just isn't documented well.  I could
really use this info.  It would be better if it was GUI based....a lot
easier to configure.  I don't mind modifying files...just need to know what
to do.
 
The point of security risk is in a highly sensitive data instance....if
somebody is able to shadow a user's session and gain control....and had an
idea of where to look, they could view data on another company's
network....It is amazing what some security groups can think up as
scenarios...huh.   I do agree with them that it would be better if this was
mitigated....it would put a lot of security people at ease and perhaps allow
Citrix all the more penetration into data-sensitive applications.
 
I appreciate everyone's input on this.
 
Sincerely,
 
Mike Pedigo

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Frank Monroe
Sent: Saturday, August 21, 2004 12:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security loop-hole?


I don't see the security issue here.  The drives that are mapped on the
client desktop were mapped by some authenticated user.  And any application
running on that desktop can access those drives.  The Citrix client is
simply another desktop application.  Why does it pose any more risk than any
of the other applications that can also access those drives?
 
At any rate, as long as you are running at least FR2, you can disable the
redirection of network drives.  You can also turn off specific drive letters
by using the DisableDrives option in the [ClientDrives] section of the
MODULE.INI.

-----Original Message-----
From: Steve Greenberg [mailto:steveg@xxxxxxxxxxxxxx] 
Sent: Saturday, August 21, 2004 12:33 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How widespread is the knowledge of this security
loop-hole?


 
I think your point is valid in the sense that default configurations can
potentially allow security risks. However, there are ways to limit and
control access which are perfectly acceptable. However, the point about
being able to allow/deny each individual drive is a really good one; this
feature should be added to the policy section of the CMC, it makes perfect
sense. 
 

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx



 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Pedigo Michael-G17060
Sent: Friday, August 20, 2004 11:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] How widespread is the knowledge of this security loop-hole?


Hi All,
 
I was recently enlightened on what I consider a fairly major security
loop-hole in Metaframe...
 
Maybe the rest already know....
 
The wonderful feature of mapping your local hard drives.....you can also map
the network drives of the client via hidden shares...this could be really
bad...right???
 
I personally don't like security by obscurity.
 
I raised the issue to Citrix....but they didn't say much.  
 
I suggested they modify the client and Management console to allow
allow/deny of each drive separately to tighten up this security risk.
 
Am I crazy or do you see where I am coming from?
 
Perhaps you might want to let Citrix know too...

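The thread points at two knobs: the CMC policy that turns off client drive redirection entirely, and the DisableDrives= list in the [ClientDrives] section of the ICA client's MODULE.INI. The Python below is an added example, not code from the thread or from Citrix. It parses a constructed MODULE.INI fragment, reports which of a constructed set of client mappings (including network drives on hidden $ shares, the case Mike raises) would still be redirected into the session, and builds a DisableDrives= line that emulates the per-drive allow list Steve and Mike ask for by naming every letter except the allowed ones. Only the section and key names come from Frank's replies; the sample file contents, the drive table, and the assumption that the client accepts all 26 letters in the list are mine.

```python
import configparser
import string

# Constructed sample of the [ClientDrives] section of an ICA client MODULE.INI.
# The section and key names come from the thread; the drive letters are made up.
SAMPLE_MODULE_INI = """\
[ClientDrives]
DisableDrives=C,D
"""

# Constructed snapshot of what the client desktop has mapped, letter -> target.
# The network mappings to hidden ($) shares are the case the thread is about.
CLIENT_DRIVES = {
    "C": "local disk",
    "D": "local CD-ROM",
    "H": r"\\fileserver\home$",
    "P": r"\\fileserver\finance$",
}

ALL_LETTERS = set(string.ascii_uppercase)


def _read_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse MODULE.INI text leniently: no value interpolation, duplicate keys
    tolerated, keys without '=' tolerated (client INI files are not strict)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    return cp


def parse_disabled_drives(ini_text: str) -> set[str]:
    """Return the drive letters named in [ClientDrives] DisableDrives=.
    Letters are normalised to upper case and a trailing ':' is tolerated."""
    cp = _read_ini(ini_text)
    raw = cp.get("ClientDrives", "DisableDrives", fallback="") or ""
    return {d.strip().rstrip(":").upper() for d in raw.split(",") if d.strip()}


def exposed_drives(ini_text: str, client_drives: dict[str, str]) -> dict[str, str]:
    """Client mappings that DisableDrives= does NOT block, i.e. what the user
    (or whoever shadows the session) can reach through client drive redirection.
    Note this is a deny list: any letter not named stays exposed."""
    disabled = parse_disabled_drives(ini_text)
    return {letter: target for letter, target in client_drives.items()
            if letter.upper() not in disabled}


def allow_only(allowed: set[str]) -> str:
    """Emulate the per-drive allow/deny the thread asks for with the deny-list
    knob that exists: disable every letter except the ones explicitly allowed.
    Assumption (not verified here): the client accepts all 26 letters."""
    allowed = {a.upper() for a in allowed}
    unknown = allowed - ALL_LETTERS
    if unknown:
        raise ValueError(f"not drive letters: {sorted(unknown)}")
    return "DisableDrives=" + ",".join(sorted(ALL_LETTERS - allowed))


if __name__ == "__main__":
    print("blocked:", sorted(parse_disabled_drives(SAMPLE_MODULE_INI)))
    for letter, target in exposed_drives(SAMPLE_MODULE_INI, CLIENT_DRIVES).items():
        print(f"still redirected: {letter}: -> {target}")
    print(allow_only({"C"}))
```

With the sample file, C: and D: are blocked but the two network mappings to hidden shares are still redirected, which is the exposure the thread describes. The allow_only() helper turns the deny list into a default-deny configuration; whether the CMC policy or the MODULE.INI line is the right control depends on whether you want to cut off redirection entirely or leave a few local letters available.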