If an application has crashed within Citrix and will not close, it is possible to access task manager.
It is a legitimate request. At my workplace we use Citrix for our electronic medical records.
One of my co-workers found a security hole where a user could use task-manager to end-task the Citrix process. The next user could then re-launch the Citrix agent and re-connect to the already authenticated medical software - basically circumventing the authentication process by utilizing Citrix's re-connection feature. The timeframe for this is small (about 2 minutes) and I really think it is being nit-picky but figured I'd do my due diligence and explore some options for preventing the security hole.

Preventing killing the Citrix client's process is one of the options that was thrown about in a meeting.

Pskill would be fine with me... but I guarantee Support Desk wouldn't go for it. Right now the support desk has standing rules that a) if a call takes over 30 minutes it needs to go to level 2 support and b) if it isn't in an SOP you aren't really responsible for it. I don't think the 30-minute rule encourages the proper curiosity and patience required to fully think through some of the problems we have, but there isn't a lot I can do about it. They also use things like 'first-call resolution' metrics to determine how successful they are... Yea. I should have prefaced this posting with a disclaimer that the politics in my department are a nightmare. I manage to avoid them for the most part because I'm the evening shift engineer.

The application is not published as a desktop. The users are admins on all their machines and have access to task manager on their workstation to kill the Citrix client process.

> One of my co-workers found a security hole where a user could use task-manager to end-task the Citrix process. The next user could then re-launch the Citrix agent and re-connect to the already authenticated medical software - basically circumventing the authentication process by utilizing Citrix's re-connection feature. The timeframe for this is small (about 2 minutes) and I really think it is being nit-picky but figured I'd do my due diligence and explore some options for preventing the security hole.

For the longer term, though, this sounds like something that either the medical software (which I guess has its own authentication screens) or Citrix (or both) should address. The Citrix server ought to have a way of telling processes running under it (the authenticated medical software) 'session disconnected, you need to re-authenticate the next time you get input.' Maybe there's an option in Citrix to just disable the reconnection feature?

Finni - Exactly:

- User A is authenticated to MedicalApp.
- User A uses task manager to kill the Citrix client and leaves the terminal.
- User B acquires the terminal and re-launches the Citrix client.
- User B launches MedicalApp.
- User B is now in User A's authenticated MedicalApp.

Automatic reconnection is disabled. The reconnection isn't automatic in this case - it's manual when User B clicks on MedicalApp.

ACLs on the process seem promising. Most users wouldn't know how to change the ACL so that may be a feasible fix. Quick google didn't find anything that is meant for editing process ACLs via command line.
Any suggestions?

ICA Settings - Auto Client reconnect - Require user authentication, set this at the farm or server level and problem solved.

Except that we use generic accounts to ensure that a unique user is used per session. MedicalApp crashes if the same domain user hits the same presentation server twice because the temp files security crap invalidates the second session. The users don't know the Generic username/passwords - they're saved into the PNAgent so when Citrix asks for the username/password they won't know what to type.

The solution I'm going to propose is that the generic accounts have Task Manager disabled via group policy. That would solve the issue while still allowing normal users to use task manager.

Thanks again for all the ideas.

Real solutions:

1. Don't make users admins.
2. Don't use Citrix. RDS in Win 2008 R2 kicks ass.
3. Contact the medical app developers and have them integrate their security with Windows security, so the users don't have two sets of login credentials.

There.

1) 2000 desktops. I'm not in charge of them. Only thing I can do is encourage that going forward we don't give users admin access. I have been for a while now. So far not much changed.

2) Not gonna happen. And while I think RDP has improved greatly with Win7/2008... ICA still kicks the living crap out of it for most purposes.

3) They do have AD credential support.
We don't use it, and I guarantee that will never change. I bring up controversial issues constantly while trying to make our work environment less back-asswards... but I won't broach this subject.