Citrix XenApp 7.x Windows Server Lockdown Policy Via GPO


Tom Swift

Question

There are some wonderful documents online about creating a group policy object to lock down a Windows server that's running XenApp.
 
One example:
 
***Summary of settings required to lock down a Windows Server
---START----
User Configuration | Policies | Administrative Templates | Control Panel
o Always open All Control Panel Items when opening Control Panel = enabled
o Show only specified Control Panel items = enabled, canonical names =
Microsoft.RegionAndLanguage
Microsoft.NotificationAreaIcons
MLCFG32.CPL
Microsoft.Personalization
Microsoft.Mouse
Microsoft.DevicesAndPrinters
Microsoft.System (lets users see the computer name)
 
User Configuration | Policies | Administrative Templates | Control Panel | Add or Remove Programs
o Remove Add or Remove Programs = enabled
 
User Configuration | Policies | Administrative Templates | Control Panel | Programs
o Hide the Programs Control Panel = enabled
 
Desktop GPO Settings
User Configuration | Policies | Administrative Templates | Desktop
o Hide Network Locations icon on desktop = enabled
o Prohibit user from manually redirecting Profile Folders = enabled
o Remove Properties from the Computer icon context menu = enabled
o Remove Properties from the Recycle Bin icon context menu = enabled
 
Start Menu & Taskbar GPO Settings
User Configuration | Policies | Administrative Templates | Start Menu & Taskbar
o Clear the recent programs list for new users = enabled
o Do not allow pinning Store app to the taskbar = enabled
o Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
o Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user’s Start Menu/Desktop. Also, enabling this setting might prevent Outlook 2013 desktop alerts. Microsoft 3014833)
o Remove Help menu from Start menu = enabled
o Remove links and access to Windows Update = enabled
o Remove Network Connections from Start menu = enabled
o Remove Network icon from Start menu = enabled
o Remove Run menu from Start menu = enabled
o Remove the Action Center icon = enabled (not in Windows 10)
o Remove the networking icon = enabled
o Remove the Security and Maintenance icon = enabled (Windows 10) 
o Remove user folder link from Start menu = enabled
 
System GPO Settings
User Configuration | Policies | Administrative Templates | System
o Prevent access to registry editing tools = enabled, disable regedit from running silently = No
o Prevent access to the command prompt = enabled, disable command prompt script processing = No
Disabling registry editing tools also disables reg.exe. This is true even if silently is set to No.
 
Explorer GPO Settings
User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
o Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
o Hides the Manage item on the File Explorer context menu = enabled
o Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can’t use Start Menu’s search to find programs.
o Prevent users from adding files to the root of their Users Files folder = enabled
o Remove “Map Network Drive” and “Disconnect Network Drive” = enabled 
o Remove Hardware tab = enabled
o Remove Security Tab = enabled
 
Hiding Disk Drives
To hide specific drive letters:
1. User Configuration | Preferences | Windows Settings | Drive Maps | New | Mapped Drive
2. Action = Update; Drive Letter = Existing: C; tick "Hide this drive"
3. Common tab: Run in logged-on user's security context
----END----
 
Searching online I can't locate a PowerShell script that automates this process and does it for you flawlessly.  Instead, it seems you need to start up GPMC.MSC and go and create all these settings by hand.  I guess the good news is that once you've done it, you can back up the GPO and restore it to a different domain if you wanted to.  
 
Process:
Source Server...
Start PowerShell by right-clicking on it in the Taskbar and running it as Administrator
Import-Module GroupPolicy
Backup-GPO -Name CitrixSecurity -Path C:\backups
# Backs up the GPO named CitrixSecurity into a {GUID} folder under C:\backups
Create a ZIP file of C:\backups and transfer it to the other domain
*For my example I created it on local hardware and emailed the ZIP file to myself and extracted the contents on an Amazon AWS Domain Controller I'm testing with
 
Destination Server...
Import-Module GroupPolicy
$gpo = New-GPO -Name "TestGPO"
# Above command creates a GPO named TestGPO
Import-GPO -BackupGpoName CitrixSecurity -TargetName TestGPO -Path C:\backups
# Above command imports the GPO originally named CitrixSecurity into the destination domain and names it TestGPO
 
I've attached a file named CitrixSecurity.zip which contains the exported GPO, but it's not for all the settings to do a server lockdown -- just a sample testing one for single sign-on with StoreFront and the Citrix Receiver ICA client.  This was more to document the process and ask if someone actually has a legit backup of the GPO settings mentioned above and if not, I'll spend an hour and go and create them and post back here with an updated GPO backup file that actually does the server lockdown.  I guess you're able to review the backup info before applying it to your domain, but this almost feels like an advanced REGEDIT import of HKLC keys and you have to trust the source.
 
Thanks,
Tom
CitrixSecurity.zip
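The post asks for a script that builds the lockdown GPO instead of clicking through GPMC, and notes that an imported backup has to be trusted. The following is an added example (not from the original post or from Citrix): it creates the GPO with the GroupPolicy module, writes the registry-backed policies for a representative subset of the settings listed above with Set-GPRegistryValue, reads them back, backs the GPO up, and shows how to list the policies inside any backup folder from its gpreport.xml before importing it. The GPO name and backup path are placeholders, and the registry key/value mappings are the ones the Administrative Template (ADMX) files write for each named setting; they are assumptions to confirm against gpedit.msc on your own Windows Server build.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (RSAT / domain controller) and rights to create GPOs in the domain.
Import-Module GroupPolicy

$GpoName    = 'CitrixSecurity'   # placeholder name
$BackupPath = 'C:\backups'       # placeholder path

# Registry locations the User Configuration Administrative Templates write to
# (assumed from the ADMX definitions; verify on your build).
$Explorer  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Uninstall = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$Programs  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs'
$CmdPolicy = 'HKCU\Software\Policies\Microsoft\Windows\System'

# NoDrives / NoViewOnDrive are bitmasks: A=1, B=2, C=4, D=8, so "A, B, C and D only" = 15.
# DisableRegistryTools: 1 = disabled with a prompt ("silently = No"), 2 = silently.
# DisableCMD: 1 = block the prompt but still allow script processing ("No"), 2 = block both.
$Settings = @(
    @{ Key = $Explorer;  Name = 'NoRun';                  Value = 1  }  # Remove Run menu from Start menu
    @{ Key = $Explorer;  Name = 'NoSMHelp';               Value = 1  }  # Remove Help menu from Start menu
    @{ Key = $Explorer;  Name = 'NoClose';                Value = 1  }  # Remove Shut Down/Restart/Sleep/Hibernate
    @{ Key = $Explorer;  Name = 'NoNetworkConnections';   Value = 1  }  # Remove Network Connections
    @{ Key = $Explorer;  Name = 'NoWindowsUpdate';        Value = 1  }  # Remove links to Windows Update
    @{ Key = $Explorer;  Name = 'NoNetHood';              Value = 1  }  # Hide Network Locations icon
    @{ Key = $Explorer;  Name = 'NoPropertiesMyComputer'; Value = 1  }  # Remove Properties from Computer icon
    @{ Key = $Explorer;  Name = 'NoPropertiesRecycleBin'; Value = 1  }  # Remove Properties from Recycle Bin
    @{ Key = $Explorer;  Name = 'NoManageMyComputerVerb'; Value = 1  }  # Hide the Manage context-menu item
    @{ Key = $Explorer;  Name = 'NoNetConnectDisconnect'; Value = 1  }  # Remove Map/Disconnect Network Drive
    @{ Key = $Explorer;  Name = 'NoHardwareTab';          Value = 1  }  # Remove Hardware tab
    @{ Key = $Explorer;  Name = 'NoSecurityTab';          Value = 1  }  # Remove Security tab
    @{ Key = $Explorer;  Name = 'NoDrives';               Value = 15 }  # Hide drives A-D in My Computer
    @{ Key = $Explorer;  Name = 'NoViewOnDrive';          Value = 15 }  # Prevent access to drives A-D
    @{ Key = $System;    Name = 'DisableRegistryTools';   Value = 1  }  # Prevent access to registry tools
    @{ Key = $CmdPolicy; Name = 'DisableCMD';             Value = 1  }  # Prevent access to the command prompt
    @{ Key = $Uninstall; Name = 'NoAddRemovePrograms';    Value = 1  }  # Remove Add or Remove Programs
    @{ Key = $Programs;  Name = 'NoProgramsCPL';          Value = 1  }  # Hide the Programs Control Panel
)

# "Show only specified Control Panel items": RestrictCpl = 1 plus a RestrictCpl
# subkey whose string values "1", "2", ... hold the allowed canonical names.
$AllowedCpl = @('Microsoft.RegionAndLanguage', 'Microsoft.NotificationAreaIcons', 'MLCFG32.CPL',
                'Microsoft.Personalization', 'Microsoft.Mouse', 'Microsoft.DevicesAndPrinters',
                'Microsoft.System')

function New-LockdownGpo {
    # Create the GPO if it does not exist, then write every policy value into it.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'XenApp session host user lockdown' }

    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'RestrictCpl' -Type DWord -Value 1 | Out-Null
    for ($i = 0; $i -lt $AllowedCpl.Count; $i++) {
        Set-GPRegistryValue -Name $GpoName -Key "$Explorer\RestrictCpl" -ValueName ($i + 1).ToString() `
                            -Type String -Value $AllowedCpl[$i] | Out-Null
    }
    return $gpo
}

function Test-LockdownGpo {
    # Read each value back out of the GPO and report anything missing or different.
    $missing = foreach ($s in $Settings) {
        $entry = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -ErrorAction SilentlyContinue
        if (-not $entry -or [int]$entry.Value -ne $s.Value) { "$($s.Key)\$($s.Name)" }
    }
    if ($missing) { Write-Warning "Not applied: $($missing -join ', ')" }
    return (-not $missing)
}

function Show-BackupPolicies {
    # Every backup folder ({GUID}) carries a gpreport.xml. List the policy names and
    # states from it so a backup received from elsewhere can be reviewed before Import-GPO.
    param([string]$Path = $BackupPath)
    Get-ChildItem -Path $Path -Filter gpreport.xml -Recurse | ForEach-Object {
        Select-Xml -Path $_.FullName -XPath "//*[local-name()='Policy']" | ForEach-Object {
            $node = $_.Node
            [pscustomobject]@{
                Report  = $_.Path
                Setting = $node.SelectSingleNode("*[local-name()='Name']").InnerText
                State   = $node.SelectSingleNode("*[local-name()='State']").InnerText
            }
        }
    }
}

New-LockdownGpo | Out-Null
if (Test-LockdownGpo) {
    Backup-GPO -Name $GpoName -Path $BackupPath | Out-Null   # produces the folder the post zips up
    Show-BackupPolicies | Format-Table -AutoSize
}
```

On the destination domain, Import-GPO with the -CreateIfNeeded switch replaces the separate New-GPO step, and running Show-BackupPolicies against the extracted backup folder first answers the "you have to trust the source" concern: the policy list you see is exactly what will be written, so any setting not in the summary above stands out before it reaches the domain. Link the resulting GPO to the OU holding the XenApp session hosts with loopback processing, as the Citrix guidance for these settings assumes.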
