Disabled Command Prompt
The Command Prompt has been disabled in Group Policy in response to the many XenApp 6.5 security reviews and pen tests that various LOBs have engaged the Ethical Hacking team for. While the CMD functionality is not deemed a risk in itself, the concern from the EHT/Risk teams is the potential for a user to launch processes outside of the immediate published application.
The Command Prompt is disabled only for standard users, not for administrative users; as such, the teams supporting the XenApp 6.5 infrastructure can still access and run CMD as needed.
Where CMD is needed for debugging purposes to investigate production issues, the appropriate fire account access can be used in accordance with standard change (ITIL) procedures, and this will not be affected by the CMD restriction.
With regard to your application JVM launch script, I have tested both .CMD and .BAT scripts, which are allowed to execute for a standard user with no issues, despite an interactive CMD session being disallowed. You could possibly engage the Citrix Implementation team to assist with the problematic script.
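The behaviour described above (interactive cmd.exe blocked, .CMD/.BAT scripts still running) corresponds to the "Prevent access to the command prompt" user policy, which cmd.exe itself honours by reading the DisableCMD value at start-up. The script below is an added example, not part of the original post or of any Citrix tooling: it reports the effective policy state for the logged-on user and probes script execution with a temporary .cmd file. The value-to-behaviour mapping in the comments is the policy's standard definition; the function names and the probe file are this example's own.

```powershell
# Added example (not from the original post). Reports the state of the
# "Prevent access to the command prompt" user policy on a XenApp server.
# The policy writes HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD:
#   absent / 0  - command prompt allowed
#   1           - cmd.exe blocked AND .cmd/.bat script processing blocked
#   2           - cmd.exe blocked, but .cmd/.bat scripts still run
# Only cmd.exe consults this value, so it says nothing about other shells.
function Get-CmdPolicyState {
    $key  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $item = Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.DisableCMD }

    switch ($value) {
        0       { $interactive = $true;  $scripts = $true  }
        1       { $interactive = $false; $scripts = $false }
        2       { $interactive = $false; $scripts = $true  }
        default { $interactive = $false; $scripts = $false }   # unknown value: assume strict
    }

    [pscustomobject]@{
        User               = "$env:USERDOMAIN\$env:USERNAME"
        DisableCMD         = $value
        InteractiveAllowed = $interactive
        ScriptsAllowed     = $scripts
    }
}

# Confirms script processing empirically: writes a throw-away .cmd file that
# echoes a marker, runs it, and checks whether the marker came back.
function Test-CmdScriptProcessing {
    $state  = Get-CmdPolicyState
    $marker = 'cmd-script-probe-ok'
    $probe  = Join-Path $env:TEMP ('probe-{0}.cmd' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value "@echo off`r`necho $marker" -Encoding ASCII

    try {
        # Batch files are still handed to cmd.exe; with DisableCMD=2 it runs them,
        # with DisableCMD=1 it refuses and prints the "disabled by your administrator" text.
        $output = & $probe 2>&1 | Out-String
    } catch {
        $output = $_.Exception.Message
    } finally {
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        PolicyValue      = $state.DisableCMD
        PolicySaysScripts = $state.ScriptsAllowed
        ScriptActuallyRan = $output -match $marker
        Consistent        = ($output -match $marker) -eq $state.ScriptsAllowed
    }
}

# Usage: run as the standard user whose published application is misbehaving.
Get-CmdPolicyState
Test-CmdScriptProcessing
```

If `PolicyValue` is 2 and `ScriptActuallyRan` is true, the launch script is not being stopped by this policy and the problem lies elsewhere in the script itself; if `Consistent` comes back false, the policy in the registry and the observed behaviour disagree, which usually means a different GPO is winning for that user.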
Policy-driven Session Timeout Values
The default idle session timeout value for XenApp is 2 hours, and this is enforced by Group Policy.
If there is a need to extend this value, 8 hour and 24 hour values are available as exceptions, which must be agreed with your business contact. Bear in mind that most Citrix XenApp applications can be accessed from outside the business, so a session left active and idle for an extended period poses a substantial security risk.
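A quick way to audit what a given XenApp server is actually enforcing, as an added example that is not part of the original post: the check below assumes the idle limit is pushed through the Remote Desktop Services policy "Set time limit for active but idle Remote Desktop Services sessions", which writes `MaxIdleTime` (in milliseconds) under the Terminal Services policy key, and it classifies the value against the 2 hour default and the 8/24 hour exception values described above. The function and parameter names are this example's own.

```powershell
# Added example (not from the original post). Reads the GPO-delivered idle
# session limit on this server and flags anything outside the agreed values.
# Assumption: the limit is set via the RDS policy
# "Set time limit for active but idle Remote Desktop Services sessions",
# stored as MaxIdleTime (REG_DWORD, milliseconds) under the key below.
function Get-IdleTimeoutPolicy {
    param(
        # Hours the business has agreed may be used: 2 h default, 8 h / 24 h exceptions.
        [int[]]$AllowedHours = @(2, 8, 24),
        [int]$DefaultHours   = 2
    )
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $item = Get-ItemProperty -Path $key -Name MaxIdleTime -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Configured = $false
            IdleHours  = $null
            Status     = 'NoPolicy: MaxIdleTime not set by GPO on this server'
        }
    }

    $ms    = [int64]$item.MaxIdleTime
    $hours = $ms / 3600000          # milliseconds -> hours

    # 0 means "never disconnect", the weakest possible setting.
    if ($ms -eq 0) {
        $status = 'Never: idle sessions are never disconnected'
    }
    elseif ($hours -eq $DefaultHours) {
        $status = 'Default'
    }
    elseif ($AllowedHours -contains $hours) {
        $status = "Exception ($hours h): requires business sign-off"
    }
    else {
        $status = "NonStandard ($hours h): not an approved value"
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $true
        IdleHours  = $hours
        Status     = $status
    }
}

# Usage: run on each XenApp server, or remotely via Invoke-Command across the farm.
Get-IdleTimeoutPolicy
```

Anything reported as `NonStandard` or `Never` should be traced back to the GPO that set it; a `NoPolicy` result does not mean no limit applies, only that this particular GPO is not delivering one, so the Citrix policy side should be checked separately.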