Windows Live Alerts
EnglishDeutsch
|
Contact
|  
   
 
Start access
Article
Support Forum
SBC FAQ
XenApp/XenDesktop
Remote Desktop Services
Terminal Services
Web Interface
Tips & Tools
Sponsors 
 
Lassen Sie sich von einem Experten Beraten

Security questions Print E-mail



FAQHow can I prevent the full desktop to users?
FAQHow to use a MS ISA server to publish a Citrix server?
FAQCSG / Web Interface security advice!
FAQHow can I hide the Terminal Server local Drives?
FAQHow can I lock down Program Neighborhood?

Questions and Answers
ok, go up!
How can I prevent the full desktop to users?

Open the Citrix Conenction Configuration
Start | run | mfcfg.exe | tcp-ica | advanced |enable "Only launch Published Applications"

and publish the desktop as an application to administrators. Set tcp-rdp on admins only so you can connect to desktop with TS Client.



 WebLinks

  • Terminal Server Desktop, Explorer.exe, Launches from a Published Application
    CTX991230

ok, go up!
How to use a MS ISA server to publish a Citrix server?

First of all when you want to have access to your MetaFrame server from the Internet I advice you to use the FREE Citrix Secure Gateway (CSG). With CSG you only need one external IP and you have only to open port 443.
Next you should consider using the CSG 1.1/3.0 in "relay mode" or the Citrix SSL relay.
With NAT you need for every Citrix server one external IP and you have to run "altaddr" on every Citrix server.


 WebLinks

  • Secure Gateway for MetaFrame Administrator's Guide
    CTX101848
  • Using the Citrix SSL Relay
    CTX16830
  • How to Publish a Citrix Server Behind an ISA Server
    CTX482629
  • IMA and ICA Browsing With Firewall Address Translation (NAT)
    CTX039746
  • Configuring NFuse/Web Interface for Use with Network Address Translation (NAT)
    CTX584485
  • Using One Public IP Address for Multiple MetaFrame Servers with NFuse / Web Interface
    CTX325481
  • Configuring Microsoft ISA Server to Allow Outbound ICA Connections
    CTX104998
  • How to Publish a Citrix Server Behind ISA Server
    Q300177
  • How to publish a Citrix MetaFrame version 1.8 server by using Internet Security and Acceleration Server 2004
    Q837739

ok, go up!
CSG / Web Interface security advice!

If you don't want youre CSG/WI/NFuse Login side in a public search engine do the following:
  • In the Web root place a file named robots.txt with the following content:

            User-agent: *
            Disallow: /

     
      This file will block every search engine robots/spider.
  • Rename the Administrator account and use "good" passwords.
  • Disable the WIAdmin page for access from the Internet, allow only the localhost. If you sill want access from outside, rename or move the WIAdmin side
  • If you're side is listed in a search engine and you  don't want that, remove the side from the engine, visit the search side to find out how to remove sides
  • At least rename the default login title.



 
 WebLinks


ok, go up!
How can I hide the Terminal Server local Drives?

To hide Server drives a Group Policy Object (GPO) for Active Directory or for a Windows NT Domain a system policy has to be set. It's also possible to prevent access to local Server drives.


 WebLinks

  • HideCalc - A Tool for Hiding Drive and creates ADM, KIX and Registry files.
    hidecalc.zip
  • Using GPO to Hide Specified Drives in My Computer for Windows 2000
    Q231289
  • How to: Use System Policies to Hide Specific Drives
    Q242092
  • How to Create a New System Policy 
    CTX134171
  • How to apply System Policy settings to Terminal Server
    Q192794
  • Writing Custom ADM Files for System Policy Editor
    Q225087
  • Administer GPO Properties in Windows 2000
    Q322176
  • Policies and Profiles Standards
    CTX19327
  • How do I prevent users from using My Computer to access the content of selected drives
    JSI Tip 3636
  • How to Lock Down a Windows 2000 Terminal Server Session
    Q278295
  • Locking Down Windows Server 2003 Terminal Server Sessions
    Techinfo
  • All in One Package for NT Domains, ADM Files and Utilities.
    ALLinONEv1.02.zip

ok, go up!
How can I lock down Program Neighborhood?

Restrict PN by using APPSRV.INI


ApplicationSetManagerIconOff=Off
Change this setting to On to remove the Application Set Manager icon from the client.

CustomConnectionsIconOff=Off
Change this setting to On to remove the Custom ICA Connections icon from the client.

FindNewApplicationSetIconOff=Off
Change this setting to On to remove the Find New Application Set icon from the client.

AddICAIconOff=Off
Change this setting to On to remove the Add ICA Connection icon from the client.




 WebLinks

  • Appsrv.ini Parameters Deciphered
    CTX331178
  • How to Create a Preconfigured Program Neighborhood Client
    CTX466058
  • Use Resource Hacker to secure the PN hardcoded but on your own risk.
    Resource Hacker

Last Updated ( Wednesday, 22 February 2006 )

 
find or follow me @