Restricting Internet Explorer access to local drives and executables on XenApp

In a XenApp Published Desktop environment there is typically a whole range of considerations regarding restricting the functionality available to users through Windows Explorer. These are not always put in place when the system is used only to publish applications, as users are not expected to have access outside of the published applications.

Problem

A Citrix XenApp farm is used to publish Dynamics AX ERP applications only – no published desktops or other directly published apps. The application uses embedded IE windows to pull content from SharePoint and SSRS for dashboards and metrics as “Role Centres” but also has the ability to spawn a stand-alone Internet Explorer window, which includes the address bar. This, in itself, is not an issue; however, IE can access file systems and files (which could include exes) via the file:// URI or even by just typing locations in the form of c:\ or \\server\share. IE will also endeavour to make life easy by displaying inline auto-complete and, if that does not make it easy enough to execute other unintended applications, just typing a location can open a Windows Explorer window to browse the filesystem.

In order to protect our servers and restrict user access we need to achieve a number of things:

1. Prevent access to the local drives via Windows Explorer and the standard Open file dialog

This prevents users from viewing and accessing the local drives of the server on which the application is published via the file dialogs (3rd party applications with Windows 2000 or later certification must honour these GPO settings), and also applies in the instance that you wish to publish Windows Explorer for file management. This is easily achievable and there are 2 GPO settings available in Windows to achieve this:

User Configuration\Administrative Templates\Windows Components\Windows Explorer\

Hide these specified drives in My Computer

This setting removes the drive icons from My Computer and Windows Explorer and also from the standard Open dialog box. Even though users can no longer see the restricted drives, they can still gain access to drive contents via other routes such as the Run dialog box, a command window, or even just by typing into IE as stated above. This setting DOES NOT prevent programs from accessing these locations or curtail the use of the Disk Management snap-in for managing drives.

Prevent access to drives from My Computer

With this setting enabled, users cannot open folders or access the contents of the relevant drives. This includes using the Run dialog box. If used without the Hide these specified drives in My Computer setting, above, the drives still appear in the relevant dialogs; however, users attempting to access the drives will receive a message explaining that a setting has prevented the action. As with the above setting, user programs are NOT PREVENTED from accessing the locations on the drives and will continue to work normally.

Each of the above settings enables you to restrict the A, B, C and D drives in various combinations as well as ALL DRIVES. The latter will remove access to any drives even if they are mapped network drives. By setting both of the above to restrict A, B, C and D drives only, access to MAPPED NETWORK DRIVES from E onwards is retained.

2. Prevent Internet Explorer being able to access file:// and c:\ type locations on local machine

This is a little less intuitive to solve but there is a GPO based method that enables this restriction:

User Configuration\Administrative Templates\Start Menu and Taskbar

Remove Run menu from Start Menu

This is specifically to disallow the RUN command from the Start menu and Task Manager, but it has the additional effect of preventing users from entering UNC paths and accessing local drives and local folders from Internet Explorer.

Don’t forget:

Typically you will want to apply these GPO settings to users only when they log on to a specific set of computers (terminal servers), so they will be set on an OU containing the servers. As these are User Configuration items, loopback processing will be needed.
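
To confirm that the three settings and loopback processing actually landed in a user's session, the following PowerShell check (an added example, not part of the original post) reads the registry values behind these policies and decodes the drive bitmask. The value names NoDrives, NoViewOnDrive, NoRun and UserPolicyMode do not appear in the post and are assumed here as the standard values these policies write; the function names are hypothetical.

```powershell
# Added example: run inside a test user's session on the XenApp server.
# Assumption: these are the registry values written by the three GPO settings
# and by loopback processing; confirm against the templates for your OS version.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$required = 'A', 'B', 'C', 'D'       # the drives the article restricts

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy did not apply.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function ConvertFrom-DriveMask([long]$Mask) {
    # Both drive policies are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    foreach ($i in 0..25) {
        if ($Mask -band [long][math]::Pow(2, $i)) { [string][char](65 + $i) }
    }
}

function New-Result([string]$Setting, $Value, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Setting = $Setting; Value = $Value; OK = $Ok; Detail = $Detail }
}

$report = @()
foreach ($name in 'NoDrives', 'NoViewOnDrive') {
    $mask    = Get-PolicyValue $explorer $name
    $letters = @(if ($null -ne $mask) { ConvertFrom-DriveMask $mask })
    $missing = @($required | Where-Object { $letters -notcontains $_ })
    if ($missing.Count) { $detail = "not restricted: $($missing -join ',')" }
    else                { $detail = "restricted: $($letters -join ',')" }
    $report += New-Result $name $mask ($missing.Count -eq 0) $detail
}

# "Remove Run menu from Start Menu" is a simple on/off value.
$noRun = Get-PolicyValue $explorer 'NoRun'
$report += New-Result 'NoRun' $noRun ($noRun -eq 1) 'Remove Run menu from Start Menu'

# Loopback: 1 = merge, 2 = replace. Absent means the User Configuration settings
# linked to the servers' OU are not being applied to users who log on there.
$loop = Get-PolicyValue $system 'UserPolicyMode'
$report += New-Result 'UserPolicyMode' $loop ($loop -eq 1 -or $loop -eq 2) 'loopback processing mode'

$report | Select-Object Setting, Value, OK, Detail | Format-Table -AutoSize
```

A drive mask of 15 corresponds to A, B, C and D only, which leaves mapped network drives from E onwards visible, matching the configuration described above.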