ICA Client File Security: WEB Client Drive Access and the Webica.ini File Explained

Document ID: CTX568194
This solution pertains to: ICA Client
Last modified: Wed May 09 10:34:19 2001

This document discusses the use of the Webica.ini file that is created on WinFrame- and MetaFrame-based clients using our Citrix ALE client plugin to connect to a server, load balanced server farm, or published application. In particular, the nuances of the security setup for drive access and the ways to modify the Webica.ini file to override or preset certain types of access for your ICA-based clients are discussed.

By default a WinFrame or MetaFrame server maps client drives and printers from ICA-based clients that support that function. One of these is the Web Client that users download from a Web page when they want to start an ICA-enabled application from their Web site. Because the ICA protocol is trying to establish a connection between client hosts, some people have concerns over the type of client mapping and access being given to the client's local hard drive.

In response to these security concerns, we enhanced the original Web Client to have a more dynamic and configurable client drive capability. With these new modifications, you can set the type of client access you want to have at the actual client OS in which you have the browser and ICA Web Client installed. This is done through a Windows pop-up that is generated the first time that client accesses that particular server for that application. Users have a choice of Full Access, Read Access, or No Access, as well as a "Don't notify me again" check box.

Below is a sample INI file of what gets written to the client, and the definitions of the type of access that has been set per the INI file and the user's selection on the Windows menu. This file is called a Webica.ini file. When it is created and modified, it is placed in the %windir% path of the client's Windows operating system.
Webica.ini:

    [Access]
    CurrentConnection=SQL DATABASE10.4.3.245
    GlobalSecurityAccess=-1
    SQL DATABASE10.4.3.245=405
    179.103.132.77=-1

CurrentConnection= is the last server connection that was made. Notice it consists of the published application name and the server address. If SQL DATABASE is load balanced between 10.4.3.245 and 10.4.3.145, when this user connects to 10.4.3.145, he or she gets the pop-up. The entry SQL DATABASE10.4.3.145=405 needs to be added. The user will not see a pop-up for SQL DATABASE10.4.3.245 because an entry is already defined. This is done on a per IP address basis.

You can choose not to see the pop-up each time by selecting Do not notify me again. It sets GlobalSecurityAccess to the selected value. In this case it is (-1), which means it is not set and is ignored. If GlobalSecurityAccess is set, it takes precedence over specific entries.

For instance, assume you have a published application SQL DATABASE being load balanced by servers A and B. If the client is directed to server A five times in a row and selects the "Do not notify me again" button, the pop-up appears only at the first of the five connections. Now assume the sixth connection is routed to server B due to server load rerouting the connection. The pop-up appears again, because the user is attaching to a different server.

This behavior is intentional. Trusting a remote server (or application) is based on its IP address. Giving permission to a remote machine to access your local drives should only be done on a per-address basis. This ability to "remember" given permission was added as an enhancement from the original release version and was related to some very real security concerns. We wanted to be sure that malicious users could not get Read/Write access to the client drives of Web-based users on the Internet. If only the published application name is used, there is very little security.
If I were trying to hack into systems, I could make a published application on the Internet and call it MSWORD. Any users who trust a published application called MSWORD would automatically trust mine. But mine really isn't Word. In order to be sure we only trust the people we really want to, the client uses the published application's name and server address together.

Types of access based on the settings in the INI file are as follows:

    [Access]
    CurrentConnection=SQL DATABASE10.4.3.245

This is just a way of keeping track of the current connection. It is not a security setting.

    MSACCESS 10.4.3.228=405

405 means give the server Full Access. 404 is Read Access. 403 is No Access. -1 means no security setting is configured.

    MSACCESS 10.4.3.227=405

This is a second server entry if MSACCESS is load balanced to more than one server by its published application name.

    NOTEPAD10.4.1.26=405

This is a second published application the client has accessed and set the appropriate security on.

    GlobalSecurityAccess=-1

This could be set to 405 and the user would never get prompted for security on any connection.

The example below provides two ways to set this manually for a preconfigured scenario.

Example: SQL DATABASE is the published application. It is published on 10.4.3.245 and 10.4.3.246. You do not want your users to get prompted for the security access but you want the server to have full access to the client machines. There are two possible solutions.

Solution 1: Your Webica.ini file gets these two entries:

    SQL DATABASE10.4.3.245=405
    SQL DATABASE10.4.3.246=405

If you have these two entries in your Webica.ini file, you will not get a pop-up when connecting to the published application SQL DATABASE regardless of the server to which you connect.

Solution 2: Your Webica.ini file gets this entry:

    GlobalSecurityAccess=405

You will not get the pop-up for SQL DATABASE or any other published application to which you connect.
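As an added example (not code from the Citrix article), here is a small Python reader for the [Access] section that applies the precedence rule described above and lists which entries already grant a server Full Access. It assumes each per-server key is the published application name immediately followed by the server address, as in the sample file, and the INI text it parses is a constructed sample.

```python
# Added example: read Webica.ini and reproduce the client's access decision.
FULL_ACCESS, READ_ACCESS, NO_ACCESS, NOT_SET = 405, 404, 403, -1

# Constructed sample modelled on the article's file (10.4.3.246=404 is added
# to show a Read Access entry). Not a real client's Webica.ini.
SAMPLE_WEBICA_INI = """\
[Access]
CurrentConnection=SQL DATABASE10.4.3.245
GlobalSecurityAccess=-1
SQL DATABASE10.4.3.245=405
SQL DATABASE10.4.3.246=404
179.103.132.77=-1
"""


def parse_webica(text):
    """Return the [Access] section as {key: value}, keys kept verbatim.

    Apart from CurrentConnection and GlobalSecurityAccess, each key is the
    published application name directly followed by the server address.
    """
    access, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Access" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "CurrentConnection":
            access[key] = value  # bookkeeping only, not a security setting
        else:
            access[key] = int(value) if value.lstrip("-").isdigit() else NOT_SET
    return access


def decide(access, app, server):
    """Return (level, prompt_shown, source) for a connection to app on server.

    GlobalSecurityAccess wins when set; otherwise the app+address entry;
    otherwise the client shows the pop-up (prompt_shown=True, level NOT_SET).
    """
    glob = access.get("GlobalSecurityAccess", NOT_SET)
    if glob != NOT_SET:
        return glob, False, "GlobalSecurityAccess"
    key = app + server
    level = access.get(key, NOT_SET)
    return level, level == NOT_SET, key


def full_access_keys(access):
    """Entries that already hand a server Full Access; worth reviewing."""
    return sorted(k for k, v in access.items() if v == FULL_ACCESS)
```

Running decide() for MSWORD against 10.4.3.245 still prompts, which is the point the article makes: the address alone is not enough, the application name and address must both match.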
-----Original Message-----
From: Woodward, Michael [mailto:Michael.Woodward@xxxxxxxxxxxxxx]
Sent: 17 December 2003 15:17
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Client Settings - the 'never ask again for any application' setting

OK, I have looked and looked. On the standard Program Neighborhood setup, when the client first connects to a server they get the message for client security where they can select options including:
- Full Access,
- Never ask again for any application.

Once a user has selected these options, where can they go to change them?

Client is 6.20.985.

Thanks
-----
C. Michael Woodward
Mid-Tier Support
Sun Chemical
Cincinnati, Ohio 45232
* 513.681.5950 x 576
* Michael.Woodward@xxxxxxxxxxxxxx