
Running Explore from seamless app triggers server desktop

Status
Not open for further replies.

ruster

MIS
Jan 1, 2001
83
CA
Hello All,

Have an interesting case that Citrix was unable to offer much help on. I have two separate Citrix farms that are both exhibiting the same symptom. One farm is running MF1.8 on NT4TS SP6, the other is MFXPe on NT4TS SP6. The problem is as follows...

I have a number of apps published by each farm. As a user, if I were to start a published MS Word session that is set to start in seamless mode, then click on File --> Open, right click on one of the available directories that are listed, and select either the Explore or Find option, a Citrix session starts in the background displaying the server desktop!! I have tried this for several apps including Word, Excel, IE, and all exhibit this problem. Citrix was able to re-create the problem, but by using the Terminal Server client (using RDP) to connect to the apps. The problem is impacting all 8 servers, so I suspect it is a bug. I will be contacting microsoft on the issue tomorrow, however, I am hoping that some out there have encountered and resolved this issue.

Any help would be appreciated.

Regards,

DaRuster.
 
I've never seen that before - I just tried it, and you're right!

I'll log a call with Citrix on this as well. The more calls they get over an issue, the more likely they are to fix it. Let's hope others browsing this forum do the same ;-)

I can't test this today, as I'm in an MFU environment and cannot modify anything on the MFW servers, but I saw an issue once where a client wanted to publish explorer.exe as an app. If he did this, the user got an entire desktop. We found that by copying explorer.exe to explorer2.exe, we could publish the renamed executable without launching a desktop.

There must be something in the environment that sees explorer.exe start up and checks for the presence of a desktop. If there is not one, it creates it. If the program is not called explorer.exe, it ignores it. I'd guess there's a registry key somewhere that affects this. Just a hunch.

Well spotted :)
 
It's just struck me why I've never seen this - at every site that I've ever rolled out MetaFrame, I've always implemented a "no right-click" policy. This is easily done using the System policy editor, and disabling all context menus in explorer.

It upsets quite a lot of users, but most IT departments are more than happy to implement this, since it goes a long way to closing down a pile of security holes. There are other ways of doing things besides right-clicking...

Hope this helps
 
That is because the default user shell is set to explorer.exe. In a normal workstation, if you open the task manager and kill explorer.exe, the whole desktop disappears. It is the reverse effect: by starting explorer.exe (the user shell), Windows starts the desktop.
CitrixEngineer is right to the point where he says that by renaming explorer it works out, because by default the shell is set to explorer.exe. If you just want to publish explorer.exe, renaming is enough, but it does not resolve the shell launching from within applications.
You can create a group include the users in and modify the policy only for this group or apply it directly to the registry. I would do it using the first one. It is easier to revert the changes.
1. Copy explorer.exe and rename the copy to whatever. EX.EXE etc. Copy it out of the SYSTEMROOT (your WTSRV or WINNT).
2. Create a domain group and include the users.
3. Open Poledit and choose New Policy, and add the group created
4. Double click the added group and choose "Windows NT Shell", "Custom User Interface", Check the "Custom Shell"
5. In the "Shell name (eg. explorer.exe)", enter the complete path to your SYSTEMROOT and enter user.exe. (eg. D:\WTSRV\SYSTEM32\USER.EXE). You will notice that USER.EXE actually exists in the system32 directory.
6. Put the policies in the servers NETLOGON. Reboot.
Try out in a non-production server first. If the result is the one you are after, too good for you.
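As an added example (not from the thread or from any of the posters), here is a small Python audit script for the two settings the thread proposes as mitigations: a custom user shell that is not explorer.exe (masai's Poledit steps) and Explorer context menus disabled (CitrixEngineer's "no right-click" policy). It parses a `.reg` export of the user hive (as produced by `regedit /e`) rather than touching a live registry, so it runs offline. The key and value names are the standard Winlogon `Shell` value and the Explorer policy value `NoViewContextMenu` as I know them; the two `.reg` exports embedded below are constructed samples, one weak and one hardened, and the `USER.EXE` shell path is just masai's example copied in.

```python
"""Audit an exported NT4 user-hive policy (.reg) for the two hardening
settings discussed in the thread: a custom user shell that is not
explorer.exe, and Explorer context menus disabled.

Added example, not the thread's own. Key/value names are the standard
Winlogon "Shell" and Explorer policy "NoViewContextMenu" settings as I
know them; the .reg text below is constructed, not a real export."""

import re

WINLOGON_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
EXPLORER_POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample: shell left at the default, no Explorer restrictions.
WEAK_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

# Constructed sample: custom shell (masai's USER.EXE example) plus
# context menus disabled, as CitrixEngineer suggests.
HARDENED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="D:\\WTSRV\\SYSTEM32\\USER.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001
'''


def parse_reg(text):
    """Parse minimal .reg export text into {key_lowercase: {name: raw}}.
    Handles [key] headers, "name"=value and @=value lines; skips the
    header line, blank lines and ';' comments."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2)
    return keys


def decode_value(raw):
    """Turn a raw .reg value ("string" with \\ escapes, or dword:hex) into str/int."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def audit(keys):
    """Return {check: (passed, observed_value)} for the two settings.
    A missing Shell value means the default shell (explorer.exe) applies."""
    findings = {}
    shell = decode_value(keys.get(WINLOGON_KEY, {}).get("Shell", '"explorer.exe"'))
    shell_exe = shell.split("\\")[-1].lower()
    findings["custom_shell"] = (shell_exe != "explorer.exe", shell)
    raw = keys.get(EXPLORER_POLICY_KEY, {}).get("NoViewContextMenu")
    nocm = decode_value(raw) if raw is not None else 0
    findings["context_menus_disabled"] = (nocm == 1, nocm)
    return findings


def report(text):
    """Human-readable summary of audit() for one export."""
    lines = []
    for check, (ok, seen) in audit(parse_reg(text)).items():
        lines.append("%-24s %s (value: %r)" % (check, "PASS" if ok else "FAIL", seen))
    return "\n".join(lines)


if __name__ == "__main__":
    print("weak export:\n" + report(WEAK_EXPORT))
    print("\nhardened export:\n" + report(HARDENED_EXPORT))
```

Note that a passing audit only says the policy values are present in the export; whether the policy actually reached the user (NETLOGON placement, group membership, a reboot) still has to be checked on the server, and, as CitrixEngineer points out, changing the shell does not by itself close the right-click Explore path from File --> Open.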
 
That's a good tip, masai, but you then give users access to all the security holes in Explorer, such as drives becoming unhidden, and the ability to browse system directories.

The worst thing about Explorer is the File menu, which allows you to run just about anything - because you're running the program with system permissions. Users can edit sensitive files, such as wfcname.ini in the root of the Terminal Server. If this is deleted or edited, the Citrix Server will stop functioning.

I just tried this as a regular user on the production setup at this site - I have no admin access to the MFW servers because I'm building the MFU servers only.

I cannot browse other users' profiles directories, but I'm happily searching through %systemroot%\wtsrv, I've opened, modified and saved (under a different name) the wfcname.ini, and, after double-clicking cmd.exe I launched telnet and got a login to the MFU server I'm working on.

Just by running Word as a published application.

I'm going to use this as evidence that this company's security is not tight enough.


It really depends upon how "adventurous" your users are.

I'd disable it :)

Good Luck


CE
 
The one odd issue on this is that the Citrix rep I spoke to claimed to have tried to re-create this problem using the ICA client with his own lab server, and was unable to do so. He claimed that he did recreate it using the RDP TS client. I understand masai's point about explorer.exe, and when I had the discussion with the Citrix rep initially, I pointed this out to him as well. However, because of the inconsistencies between my environment and that of the Citrix support rep's lab, I am unable at this point to prove if it's a Citrix or TS issue.

Rui.
 
CitrixEngineer is right. NT is not an exponent in the security field. Security comes at the cost of losing versatility.
I think the security issue could be worked out by securing the file system better. On NT4 you can't hide only one disk, so you have to carefully secure them without cutting the user off from what he/she requires for running the applications.
But back to the case: it is a known issue that Citrix won't help much with. A few years in the market and amazingly they do not have a single list of applications certified on the platform. Leave them to their academic discussion on RDP vs. ICA. Also, you will be entertained with the security issues; in the meanwhile you (at least) duplicate / rename explorer.exe and run your published applications.

 
DAMN!!! I was able to duplicate your problem! It's not just Word... it's any of my published apps that allow me to do a 'file open' that gets me to the explorer option. I haven't heard from the trenches about this so I must figure that I do not have too many "adventurous" users. I'll see what I can do about posting an issue with Citrix. I agree with CitrixEngineer; disable all context menus in explorer.

-- Devil Dog --
 