Citrix server security guidelines?

soyer

Active Member
Hi all,

Another Citrix question for you:
I would like to tighten down security on the Citrix servers. We have already disabled ICA desktop access and RDP protocols. OneWorld/XE is only accessed as a published application via NFuse. But, when in OW one can launch Excel and then see the local drives. Is there a JDE guideline as to what folders to secure and what permissions are required for the end user? (i.e., they need write access to printqueue.)
I have seen such documentation for the Deployment server but not for a Citrix server. Can you help?
Thanks for everyone's input.
 
Hi Soyer,

Have a look at this script. You will need to rename it into a .CMD file and amend it to suit your drive letters etc.

It works very well and I have variations of it to many sites.

Profiles are a bit more complex, with Windows 2000 Active Directory you have to create a Group Policy that applies to a set of machines that 'Loops back' to the user profile.

Search on 'Group Policy Loopback' on MS or Google to get more info.

Regards
 

Attachments

  • 50835-WTSFileSecurity.txt (2 KB)

No. There is no JDE guideline. To secure the Citrix server first change the
location of PDF storage to a network drive. This way users will not NEED
access to the local hard drive of the Citrix Server.

Next download and install Microsoft's TweakUI. It's free and allows you to
secure the local hard drives. It also allows for many other useful things.


Colin



Colin Dawes, Sr. Technical Consultant
Syntax.net
B733.1 to ERP 8.0
Oracle 8i/9i/SQL Server 2K, DB2
 
Thanks Paul, that is exactly what I was looking for (where did you find these settings, is there a JDE doc?)

I do have a follow up question regarding:
"REM Change to F:\ to allow enterprise printing"
If you have only one drive partition (and C:\B7 resides there) do you need to give Change access to the root "C:\" for printing instead of Read like in your example?

Also, I am familiar with the loopback policy implementation but I didn't quite understand what you intended to do with it. You don't mean to run the above script on Startup, do you?

Thanks.
 
I set this up mostly via experimentation.

On printing I have noticed that temporary files are created on the root of the drive that OneWorld is installed to, but I can't remember the specifics. If you only have one drive then permissions are needed on this drive so that the files can be created. I would test it.

The loopback stuff was just a mention that the system can also be secured via a policy. I mentioned it 'cos it took me ages to find out how... The script only has to be run when changes are made to the system, but the inherited permissions should make this redundant, you don't need to run it from a startup script.

Rgds
 