You can also choose to configure those firewall ports manually. If you use a different firewall, you must configure the firewall manually. Citrix recommends that you do not use these ports for anything else, to avoid the possibility of inadvertently leaving administrative interfaces open to attack.
All network communications should be appropriately secured and encrypted to match your security policy. You can secure all communication between Microsoft Windows computers using IPSec; refer to your operating system documentation for details about how to do this. In addition, communication between user devices and desktops is secured through Citrix SecureICA, which is configured by default to bit encryption.
You can also secure network communications between user devices and desktops using TLS.

Apply Windows best practice for account management. Do not create an account on a template or image before it is duplicated by Machine Creation Services or Provisioning Services.
Do not schedule tasks using stored privileged domain accounts. Do not manually create shared Active Directory machine accounts. To prevent non-admin users from performing malicious actions, we recommend that you configure Windows AppLocker rules for installers, applications, executables and scripts on the VDA host and on the local Windows client.
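One way to produce and check such a rule set, as an added example that is not Citrix's own code: the script uses the Windows AppLocker cmdlets to build publisher and hash rules from the software already present on a reference VDA, then tests the policy against sample files before it is enforced. The reference directories, the scratch path and the sample file paths are assumptions.

```powershell
# Added example, not from the Citrix documentation. Run elevated on a reference
# VDA; deploy the resulting XML through Group Policy rather than host by host.

# Directories that hold the software users are legitimately allowed to run (assumed).
$refDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')

# Gather signature/hash data for executables, installers and scripts found there
# (a recursive walk of C:\Windows takes a while on a full image).
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# Prefer publisher rules (they survive patching); unsigned files fall back to hash rules.
$policyPath = Join-Path $env:TEMP 'VDA-AppLocker.xml'   # assumed scratch path
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# Dry run: a system binary should come back Allowed; an installer dropped into a
# user-writable location should be Denied, since nothing in the reference set vouches for it.
$samples = @(
    "$env:SystemRoot\System32\notepad.exe",
    (Join-Path $env:USERPROFILE 'Downloads\setup.exe')   # constructed sample path
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Before merging, check the EnforcementMode attribute on each RuleCollection in the
# XML (AuditOnly first, then Enabled), then apply it:
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Enforcement also needs the Application Identity (AppIDSvc) service to be running.
```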
Grant users only the capabilities they require. Microsoft Windows privileges continue to be applied to desktops in the usual way: configure privileges through User Rights Assignment and group memberships through Group Policy. One advantage of this release is that it is possible to grant a user administrative rights to a desktop without also granting physical control over the computer on which the desktop is stored.
Some applications require desktop privileges, even though they are intended for users rather than for administrators. These users may not be as aware of security risks. Treat these applications as highly sensitive applications, even if their data is not sensitive. Consider these approaches to reduce security risk:
These approaches will not remove all security risk from applications that require desktop privileges.

Logon rights are required for both user accounts and computer accounts. As with Microsoft Windows privileges, logon rights continue to be applied to desktops in the usual way: configure logon rights through User Rights Assignment and group memberships through Group Policy.
The Windows logon rights are: log on locally, log on through Remote Desktop Services, log on over the network (access this computer from the network), log on as a batch job, and log on as a service. For computer accounts, grant computers only the logon rights they require. Consider the following approach: refer to Microsoft documentation for more information.
Delivery Controller installation also creates the following Windows services. These are also created when installed with other Citrix components:

Delivery Controller installation also creates the following Windows service. This is not currently used. If it has been enabled, disable it.

Delivery Controller installation also creates the following Windows services. These are not currently used, but must be enabled. Do not disable them.
Except for the Citrix StoreFront Privileged Administration Service, these services are granted the logon right Log on as a service and the privileges Adjust memory quotas for a process, Generate security audits, and Replace a process level token. You do not need to change these user rights. These privileges are not used by the Delivery Controller and are automatically disabled.
Do not alter the settings of these services. You can disable the Citrix Telemetry Service. Apart from this service, and services that are already disabled, do not disable any other of these Delivery Controller Windows services.
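As an added example (not Citrix's own code) of auditing the logon rights listed above and the three privileges granted to the Delivery Controller services: the script exports the local security policy with secedit, maps the policy constants to the names used in the text, resolves SIDs to account names, and then lists the Citrix services with the accounts they run under so the two can be compared. The export path is an assumption.

```powershell
# Added example, not from the Citrix documentation. Run elevated on the
# Delivery Controller; read-only apart from a temporary export file.

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed scratch path
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Policy constants -> the names the text and the Local Security Policy console use.
$rightNames = @{
    SeInteractiveLogonRight       = 'Log on locally'
    SeRemoteInteractiveLogonRight = 'Log on through Remote Desktop Services'
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeAuditPrivilege              = 'Generate security audits'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs with a leading '*' and plain account names as-is.
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $entry   # unresolvable (orphaned) SID: keep it visible rather than drop it
    }
}

$report = foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightNames.ContainsKey($Matches[1])) {
        $holders = $Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_.Trim() }
        [pscustomobject]@{
            Right   = $rightNames[$Matches[1]]
            Holders = ($holders -join '; ')
        }
    }
}
$report | Sort-Object Right | Format-Table -AutoSize -Wrap
Remove-Item $cfg -ErrorAction SilentlyContinue

# The accounts the Citrix services actually run under, for comparison with the rights above.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Citrix%'" |
    Sort-Object DisplayName |
    Format-Table DisplayName, StartName, StartMode, State -AutoSize
```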
It is no longer necessary to enable creation of 8. The registry key NtfsDisable8dot3NameCreation can be configured to disable creation of 8. You can also configure this using the fsutil.

Your user environment can contain either user devices that are unmanaged by your organization and completely under the control of the user, or user devices that are managed and administered by your organization.
The security considerations for these two environments are generally different. Managed user devices are under administrative control; they are either under your own control, or the control of another organization that you trust.
You may configure and supply user devices directly to users; alternatively, you may provide terminals on which a single desktop runs in full-screen-only mode. Follow the general security best practices described above for all managed user devices. This release has the advantage that minimal software is required on a user device. User devices that are not managed and administered by a trusted organization cannot be assumed to be under administrative control.
For example, you might permit users to obtain and configure their own devices, but users might not follow the general security best practices described above. This release has the advantage that it is possible to deliver desktops securely to unmanaged user devices. These devices should still have basic antivirus protection that will defeat keylogger and similar input attacks. When using this release, you can prevent users from storing data on user devices that are under their physical control.
However, you must still consider the implications of users storing data on desktops. It is not good practice for users to store data on desktops; data should be held on file servers, database servers, or other repositories where it can be appropriately protected.

Your desktop environment may consist of various types of desktops, such as pooled and dedicated desktops. Users should never store data on desktops that are shared amongst users, such as pooled desktops. If users store data on dedicated desktops, that data should be removed if the desktop is later made available to other users.

Mixed-version environments are inevitable during some upgrades.
Follow best-practice and minimize the time that Citrix components of different versions co-exist. In mixed-version environments, security policy, for example, may not be uniformly enforced. Note: This is typical of other software products; the use of an earlier version of Active Directory only partially enforces Group Policy with later versions of Windows.
The following scenario describes a security issue that can occur in a specific mixed-version Citrix environment. When Citrix Receiver 1. It does not recognize the policy setting, which was released in the later version of the product. This policy setting allows users to upload and download files to their virtual desktop, which is the security issue. To work around this, upgrade the Delivery Controller or a standalone instance of Studio to version 7.
Alternatively, use local policy on all affected virtual desktops. Note: Citrix recommends that you do not assign VDA administrator privileges to general session users.

In XenDesktop 5. This release uses a registry entry to allow or prohibit multiple automatic remote PC assignments; this setting applies to the entire Site.

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system.
Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it. If there are any existing user assignments, remove them using SDK commands for the VDA to subsequently be eligible for a single automatic assignment.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation. The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
This article is part of the XenApp and XenDesktop documentation. For additional security guidance from Microsoft, see Microsoft security documentation.

Actually I am going to be using Smart Deploy for the first time this round.
I started to look into MDT, and may still to some degree. I am looking more for specific configurations people think are key to Windows 7. I am trying to think of something off the top of my head as an example. Even though this isn't a good example, I mean things like "Make sure you enable remote desktop". I don't need as "low level" advice for imaging.

The best discovery I've made when it comes to imaging is the Microsoft Deployment Toolkit.
Basically, you give it the base OS files (it just copies everything from the DVD), the applications that you want installed (with the appropriate command line switches to make the installer silent), and the drivers for any systems you have that you will be deploying to. It makes imaging and updating said image much easier than something like Ghost. If you want to update an application (new version of Office, Java, etc.) you just update it on the deployment server - no need to image a computer, update the application, then recapture a new image. It also does all of the sysprep work and Windows updating for you during the deployment process.

Maybe simple, I know, but I like to add the Run option on the start menu. Going into the Start properties, choosing Customize, then scrolling to the Run command.

In that case, I would say that most of what you are looking for can probably be done (and should be, if possible) via Group Policy.
One that I have had to play with relates to UAC. As an example - I was using Windows Remote Assistance to install an application on a remote computer. When the UAC prompt came up asking for admin credentials, the screen on my side went black with a pause icon and I could no longer see the user's desktop.
The same functionality is built into the Windows 7 Start Search bar. Anything that you would have typed into the Run command dialogue box previously can be run in the Start Search bar as well.

The way I do it is: I do all the updates, install AV, install Adobe Reader, Flash, Shockwave, install Office, add to domain, add admins to the admin groups, and then I run sysprep and take the image with Ghost.

Guess I haven't seen the Start Search bar yet. Thank you.

Check it out, multiple software loads with all the boxes unchecked loaded right.

Here's one for you if you're not getting Windows updates via a WSUS server. Go into group policy and enable "No auto-restart with logged on users for scheduled automatic updates installations". Our CEO was in the middle of a company-wide presentation when I saw the balloon pop up saying Windows needed to restart after it installed updates.