Category: Workspace Manager

4 new registry tweaks for Workspace Manager

From the Nuts & Bolts Dept. As the RES Workspace Manager Updatepack 6 has been finished, we took the time to trawl through the release notes to see what’s been fixed. As always, please remember: The RES update packs are not available for direct download and have not been fully regression tested like a Service Release is. You can request these from RES Support if you believe you are affected by one or more of the issues, or if Support recommends you to apply an updatepack. Updatepack 6 contains some rather nifty registry settings, which you can check out here in the one and only WM Registry Guide:

<<< Click here to view the latest registry tweaks in the guide.

Note: if you want to get an earlier heads-up on updates and new articles on this site, consider following @RESguru on Twitter.

New utility: Printer Migration Wizard

From the Technote Dept. One of the RES developers has been kind enough to share a utility, which may help you import existing printers into Workspace Manager via a BuildingBlock. You can import printers directly from Active Directory or from a CSV file. The tool also supports hooking up printers to zones via the CSV file. This article may be updated with further info, so stay tuned for updates.

<<< Click here to read the article

From humble origins comes True Greatness

By Max Ranzau

 

From the Blast-from-the-Past Dept. A while back I was sorting some old CD media and I came across one which made me pause for a bit: It was none other than one of the very first publicly available versions of a RES product, the PowerMenu 2000 product. Yeah, so this was back in the late nineties, where everything sold better if you put the number 2000 after it :-) Anyway, PowerMenu 2000 was the ancient forerunner of the product of 14 years later, known today as the RES Workspace Manager. The grand purpose of this article is to show you how ahead of its time PowerMenu 2000 really was. Second, here’s a chance for a trip down memory lane to visit the humble roots of what is today in my opinion one of the most stellar enterprise management software suites on the market today.

My inspiration for this article came from the well known Chain of Fools video, where the author goes through upgrading from MSDOS 5.0 all the way up to Win7. Knowing the easy upgrade methodology employed by RES from day one, I’m willing to wager the usual bottle of Danish Akvavit (known stateside as battery acid :) that you can do the same with PowerMenu 2000 all the way up to Workspace Manager 2012 in a similar fashion. The only major hurdle to pass here is migrating from PowerFuse 7.03 to PowerFuse 2008 as you had to do a complete datastore migration. In case you’re wondering about that, read this article from the archives. Other than that it’s just upgrading one RES PowerPack or Servicepack to the next.

The PowerMenu 2000 product was launched during the 32bit Winframe/NT 4.0 TSE days, so in order to give the software a compatible fighting chance to actually work, I installed it on an x86 Windows 2003 server and it still ran without a hitch. Fun fact: Now you know the reason why the default name for the RES created folder in the user’s homedrive pre WM SR1 was “PWRMENU”. For the record this folder in current versions of WM is now called Personal Settings.

When installing PowerMenu 2000, it’s noteworthy that the entire ISO with presentations, docs and everything is about the same size as the MSI installer of today: Around 35 MB. Back then we still used InstallShield though. The entire thing was pretty much a next, next finish job, as it still is today:

During installation, we prompted for a fileshare. For those of you unfamiliar with RES history, this share was home of the original FoxPro based configuration settings database. This was the same deal up to and including PowerFuse 7.03, until we went 100% SQL back in PowerFuse 2008. Today RES Workspace Manager supports every MS SQL version from version 2000 and up including SQL Azure, Oracle, MySQL and IBM DB2.

After installation the product could launch straight into the managed desktop executable, which today still is available in Workspace Manager 2012, known here as the RES Shell. There is a still relevant article available here, which shows you how to make use of it to get your Start Menu back on Windows 8. Back in 1999 PowerMenu did not have any support for the native Explorer. This was due to the fact that many customers had up until then been using it on top of Citrix Winframe, which had no Explorer. The user shell with PowerMenu 2000 looked like this:

[Screenshot: the PowerMenu 2000 user shell]

During launch you’d see these two splash screens. On the left was the original PowerMenu 2000 splash screen, which back then was mandatory. Today’s Workspace Manager obviously allows you to turn it off. On the right you see the original restrictions of running trial mode on the product. Also note the old triangle RES logo – that’s what we looked like back then! :)

[Screenshots: the two PowerMenu 2000 splash screens]

At this point you’re probably wondering; okay then, what could this old WM precursor do then? What was its operational scope? Well, back then it actually covered several of the main areas that the Workspace Manager of today does, including configuration, performance and a bit of security. One thing that definitely wasn’t in the product then, was any kind of profile management like the User Settings of today. Managing user settings from the profile was however still a pretty new concept then as CCS had barely thought up Hybrid Profiles at that time. Let’s have a look at what the management console (known then as the Enterprise Manager) looked like:

[Screenshot: the Enterprise Manager console]

Granted, there weren’t a whole lot of options back then, however the basic premise of editing a Managed Application within an application tree or list, is a solid concept that lives on today. Even the Audit log was there to begin with. If you notice the blue fields in the upper right they indicate who created and changed the current object and when.

Presuming you know your way around the current version of the Workspace Manager product, you are likely to recognize some features in PowerMenu’s managed applications, which are present in the current releases. Access Control was pretty much the same, although AD and OU’s weren’t supported as an Access Principal back then. This is probably due to the fact that Windows 2000 was barely out of the box at that time…

[Screenshot: a managed application in PowerMenu 2000]

In the lower left corner above, you’ll recognize the license management and enforcement, which still looks pretty much the same in WM, although it now lives on its own separate tab in the console. Funny thing here is that the Cost field still to this day isn’t being used for anything just yet. Of interest here as well is the PowerHours/Opening Hours feature. You will find this exact feature (with the same dialog) is still in the WM product under the properties of a managed app, below Access Control | Time Restrictions | Basic tab. Already back then RES did ODBC Datasources. Today it still works in pretty much the same way.

Now, let’s have a look at the PowerLaunch options. The term PowerLaunch is still to this day occasionally being used by yours truly and some of our other oldschoolers, when referencing as a whole things that happen during user logon in Workspace Manager:

[Screenshot: the PowerLaunch options]

Specifically these are things like printer/drive mappings, drive substitutions, registry hacks, environment variables, files and folders created in the user’s homedrive, and external tasks, all of which were already there. One thing I’d like to emphasize is the registry editor. It still looks like its former self without many changes. Due to the lack of kernel drivers back then, we did not have the Registry Tracing feature, which came later in PowerFuse 2010.

On the same note here is the security option of lore, known as PowerSense. Today the Workspace Manager security model includes subsystems for Process security, Read-Only Blanketing, File and Folders, Removable Devices, Session, URL and layer 3 Network security. The beginnings were somewhat more humble:

[Screenshot: the PowerSense settings]

Back in PowerMenu 2000, the way that PowerSense worked was that unauthorized processes were simply killed upon detection, rather than preemptively blocked at the kernel layer. I believe we already started introducing the original AppGuard kernel driver somewhere in early PowerFuse series 7 in the early 00s.

Another item of interest is a personal all-time favorite feature of mine, Access Balancing, which has been largely unmodified for 14 years:

[Screenshot: the Access Balancing settings]

While it was originally designed as a login-throttle for Winframe/Terminal Servers, there is a separate article here on how to use it even today to obtain valuable statistics about user logon time. On the topic of statistics, it’s also worth mentioning that PowerMenu 2000 included already then the first pieces of Usage Tracking, known back then as PowerWatch.

There are many interesting little tidbits and mental morsels to savor in this piece of old software. I hope however, with this little trip down memory lane, to have shown you both how far ahead of the curve RES technology was already back in 1999 and at the same time indirectly how amazingly far we have come since then. Not only has Workspace Manager evolved over the years into a fullblown enterprise class management software suite, but let’s not forget about the 5 other product lines which have rolled off the block since then: Automation Manager, IT Service Store, VDX, Hyperdrive and BDA.

I for one can’t wait to see what the next 14 years will bring!

All about the Workspace Manager SR2

By Max Ranzau

From the There-We-Fixed-It Dept. Once again it’s that time of year where we get the extra presents that didn’t quite make it under the tree. Today RES Software released the long awaited Service Release 2 for RES Workspace Manager. As always, because I’m on Pacific time, I’m more or less the last RES guy on the planet to know – but hey – at least I can share the nitty-gritty details with you. This time around you’re in for a treat, as the update contains a massive overhaul on the Citrix publishing subsystems, among other things. As per usual the Service Release is available to our subscribed customers and partners at the RES Support portal. Now, let’s have a quick look at the most interesting things in SR2:

  • Ability to remote publish XenApp published apps! Yay – this was a personal thorn in my side, as up to now the only way to publish was to run the RES WM console on top of one of the XenApp boxes, as we previously could only communicate with the old MFCOM objects directly underneath. You still need a WM Agent installed on the target publishing XenApp server, as it’s the one doing the handiwork. The difference is that now you can publish even from an admin workstation running the WM console.
  • Support for XenApp 6.5 WorkerGroups: Another big enhancement on my wishlist. Even though Workspace Manager has had servergroups for many years providing this functionality back from the early Citrix Presentation Server days, when Citrix finally added a group object in XAS6.5, we of course had to support it, so customers do not have to do double work.
  • Cross-Farm publishing: RES Workspace Manager SR2 allows you to publish an XA app across multiple farms. Note that if you’re using Relay Servers, they must be upgraded to SR2 as well for this to work.

There are a few other items that relate to Citrix, which you can read more about in the release notes. Other than that, some other noteworthy items:

  • A slew of new registry tweaks to Workspace Manager. The Registry Guide to Workspace Manager has been updated accordingly. See fixes 073 to 066
  • Various performance enhancements on Database Connectivity, User Settings and Logon time. Note: There is a specific reghack to boost logon time when offline. 
  • A new setting under Setup|Advanced Settings: The option is, to quote the release notes, “set delay for network refreshes when network connectivity changes”. This works well where a laptop may change network connectivity within a short period of time, possibly causing unnecessary Workspace Composer refreshes. Also, by configuring a delay, you can ensure that the ‘new’ network connection is fully established before the refresh takes place, preventing long refresh actions. Default value is 0 (zero) seconds, meaning it’s business as usual unless you change it.
  • Hiding apps in the startmenu when using merge-mode is now possible when managing the startmenu. Something I’m personally quite happy about, as I got egg on my face during my last training class due to just that :-)
  • Several labels and default views have changed as part of decluttering the console. Nothing crucial, but you might just want to glance over the releasenotes for a heads-up on all items.
  • New Zone rule for computer’s AD group membership. This has been a long standing wish of mine since we could check on the site and OU of the computer, so now this part of the big picture is complete.
  • New commandline option to export the Network Security log as XML. See this section of the updated WM CommandLine reference for further info.
  • Exception tab on Agents: I believe this is a very important piece to understand for designers and architects (which is why it probably deserves its own article at some point): The short story about SR2, quoting from the releasenotes, is that Agent-related zone rules set on the Workspace Container are now taken into account when determining the applicability of an exception tab for the node Administration | Agents. This makes it possible, for example, to define different Datastore or Relay Server connections on exception tabs based on Agent-specific properties such as IP address. Note that the following zone rules are not Agent-specific and are therefore not evaluated when defining the Workspace Containers on which to base an exception tab for the Agents node:
    • Citrix Receiver client type
    • Session Type
    • (Partial) terminal server listener name
    • User property
    • VDX / Workspace Extender

    The Workspace Container’s Access Control/Identity is still ignored for exception tabs on the node Administration > Agents; and the evaluation of Workspace Container applicability for an exception tab remains unchanged for all other features and nodes.

  • Last but not least is the question on everybody’s lips: Does SR2 support Windows 8? The answer is yes and no. Yes, the software is supported running on Windows 8. Yes, it can now recognize Windows 8 as there’s now OS Zone rules for Win8 and Server 2012. This makes the temporary hack I created in article RG04C obsolete. However SR2 does NOT include management of the Metro/Modern tiles. Apparently there are some things we are working on together with Microsoft in order to make that a reality. Hopefully we’ll see this in the next Service Release.

For now, here are the releasenotes for you to download.

Enjoy!

 

New Reference Architecture doc for WM

From the Document Division. Those following me on twitter (@RESguru) saw yesterday the release of the Reference Architecture document for RES Workspace Manager. This document is interesting as it covers many of the questions our partners and customers have had in regards to best practices, the Relay Server, diskspace consumption and bandwidth usage. The document also covers the complete solution scope, making it easier to understand where RES Workspace Manager fits in.

The document can be downloaded here.

 

New Technote: WM and XA prelaunched apps

From the Community Hero Dept. A new technote has been added to the RESguru Library. This time we are joined by guestwriter Mr. Lasse T. Hohmann, who besides being a former colleague of mine in the past, is a Citrix Systems Engineer at JN Data in Denmark. JN has been running RES for quite a long time and it’s great to be able to share some of their experiences with our products.

The article at hand explains how to use the PreLaunch feature of XenApp 6.5 together with RES Workspace Manager.

<<< Click here to read the article

 

How NOT to use Workspace Containers

From the You’re-doing-it-wrong Dept. This is a little quick and dirty techpost to hopefully help some of you folks who are learning the ropes with Workspace Manager. One of the very powerful features in WM is the Workspace Container object. You can think of these types of container objects as being to Workspace Manager, what OU’s are for Active Directory, but they can do so much more. For your convenience, I’ve listed no less than 6 different real-world examples in article RG037 – Workspace Containers Inside-out.

<<< Click here to read the rest of the article
 

Technote: Workspace life on Windows 8

From the Flux Capacitor Dept. I don’t know about you, but it seems to me that once every now and then, time loops in on itself in this line of work. While you don’t need a Delorean to experience it, this is the story of how an almost antiquated piece of code within the RES Workspace Manager suddenly saw itself repurposed by some of our customers to deal with Windows 8’s Metro interface.

My good friends in product management would probably whack me over the head, but hey – there’s nothing preventing anyone from obtaining a trial Workspace Manager 2012, slapping it on a Win8 and writing about it. So, rather the devil you know I guess. Anyway, this is not a comprehensive wall-to-wall test to see what floats and sinks, as RES Workspace Manager 2012 at the time of writing DOES NOT officially support Win8, but that’s expected in January 2013. Note: Automation Manager actually does support Win8 with 2012 SR3 at this time. Update per March 2013: With the release of Workspace Manager 2012 SR2 Windows 8 is supported... somewhat. See this article for more info.

<<< Read the full article here

Could RES Workspace Manager have prevented the spread of the xDocCrypt Virus?

Written by Patrick Kaak

Translation & editing, Max Ranzau.

Editor's note: This article is an English translation of Patrick's original Dutch article, available here. If my translation leaves room for improvement (80% Google, 20% guesswork :), feel free to comment.

Recently, the Netherlands and the rest of the world have been under the spell of a nasty piece of viral code, spreading quickly, causing damage to office documents. This virus is called xDocCrypt / Dorifel. Most virus scanners did not have the signature of the virus in time, hence there's already quite an outbreak on the loose. Most are however updated at this point.

The xDocCrypt virus does not infect a computer in the usual manner. Normally, a virus enters a system via infected external drives, via downloaded files or arrives by mail. In the case of xDocCrypt, the virus is downloaded and installed by existing malware (Citadel / Zeus) which already is on the computer. This software is already sitting dormant on the machine, routinely connecting to a server hosted by its creator, waiting for orders. The order in this case is downloading a virus, which once active will start infecting documents. It appears the malware payload now includes a new virus (Hermes), which can cause even more damage as it focusses on obtaining bank details.

As virus scanners may be slow to learn and intercept the virus, the question must be asked: Is there a way to prevent this from happening preemptively? Our answer to this is that you can never prevent 100% of all attacks but you can sure make it very difficult by means of a good Workspace Management security solution.

If we look at Microsoft Windows itself, we already have an option to block the virus from starting by using the AppLocker feature in Windows Vista, 2008 or higher to protect against the execution of unknown binaries. RES Workspace Manager provides a similar yet much more flexible feature, which blocks the launch of executables that the user has no rights to, or that are unknown in the system. Configuring things like this usually would take a lot of time as you specify exceptions on a whitelist of allowed executables. Fortunately RES Workspace Manager has the ability to quickly learn what the user should be allowed to execute. In addition to these learned authorizations, the executables for the managed apps assigned to a given user are automatically authorized by WM for only that user. Another advantage of the Workspace Manager is that a user can launch applications which normally require administrative privileges.

Additionally the RES Workspace Manager can log any executables being blocked. These logs can be forwarded to any administrator or security officer via email or SNMP through the Workspace Manager Alerting feature (available in the Advanced Administration module, Ed.). This is a great way to detect the initialization of the Citadel / Zeus malware, as these will be unknown executables.

Besides Application Security, RES Workspace Manager also has a Network Security feature. This feature makes it possible to white- or blacklist individual executable's TCP/UDP access to given IP ranges. If you chose a whitelist approach and the virus was already present on your network, it would never get any access to the outside world, being blocked by the Workspace Manager. Alternatively, knowing the servers where the virus downloads from, one could also employ a blacklisting scheme to block any traffic to/from those sites.

Finally, the Read-Only Blanketing security feature in RES Workspace Manager provides a good protection against writing to the local disks. This ensures that unauthorized processes/applications can't deposit any kind of data payload on for example the system drive. Read-Only Blanketing will per design not protect the following paths:

  • The Recycle Bin on each local drive (so users actually can delete files)
  • %allusersprofile% and %userprofile% (where %appdata% resides per default)
  • Tmp and temp locations (user processes may write data here)
  • Spool directory (if write permissions were removed here, users couldn't print)
  • Debug\usermode in Windows folder
  • The server console

However, in the case of the malware discussed here, this feature will not be able to protect you as the malware stores its payload under %appdata%. Since the virus lives in the user's profile, there is something to be said about how you handle your profile. If you use the combination of a Mandatory Profile with RES Workspace Manager's User Settings feature, you can explicitly specify what is to be retained when the session is ended and the profile and its contents (including the virus) are henceforth destroyed. That would not be the case with default configured roaming profiles.

The above features of RES Workspace Manager are suggested to work with the advice given by the Dutch National Cyber Security Center of the Ministry of Security and Justice. The configuration of any Workspace solution, however, is not just something you do in a few minutes without knowing what you're doing. For more information, please visit my company at Centric.eu. There you can also read more about how to resolve the damage caused by the virus, specifically what ports and hosts to block.
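To make the gap concrete, here is an added example (not from the original article and not RES code) that models only the exclusion list above and reports which candidate paths remain writable and therefore depend on another control such as application whitelisting. The environment values, the file names, the Recycle Bin folder names and the Windows default locations used for the spool and Debug\usermode folders are assumptions.

```python
import ntpath
import re
from typing import Optional

# Constructed sample environment for one user session (assumption, not from the article).
SAMPLE_ENV = {
    "systemroot": r"C:\Windows",
    "allusersprofile": r"C:\ProgramData",
    "userprofile": r"C:\Users\jdoe",
    "appdata": r"C:\Users\jdoe\AppData\Roaming",
    "temp": r"C:\Users\jdoe\AppData\Local\Temp",
    "tmp": r"C:\Users\jdoe\AppData\Local\Temp",
}

# Directory exclusions from the list above. The spool and Debug\UserMode
# locations are the Windows defaults (assumption). "The server console" is
# not a file system path and is left out.
EXCLUDED_DIRS = [
    ("temp location", "%temp%"),
    ("temp location", "%tmp%"),
    ("%allusersprofile%", "%allusersprofile%"),
    ("%userprofile%", "%userprofile%"),
    ("spool directory", r"%systemroot%\System32\spool"),
    (r"Debug\usermode", r"%systemroot%\Debug\UserMode"),
]
# Recycle Bin folder names used by different Windows versions and file systems.
RECYCLE_BIN_NAMES = {"$recycle.bin", "recycler", "recycled"}


def normalize(path: str, env: dict) -> str:
    """Expand %VAR% references, collapse '..' and fold case the way Windows does."""
    expanded = re.sub(r"%([^%\\]+)%",
                      lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(expanded)).rstrip("\\")


def blanketing_exclusion(path: str, env: dict = SAMPLE_ENV) -> Optional[str]:
    """Return the exclusion that leaves `path` writable, or None if it is covered."""
    target = normalize(path, env)
    # Recycle Bin: first folder below the root of any local drive.
    _, tail = ntpath.splitdrive(target)
    if tail.lstrip("\\").split("\\")[0] in RECYCLE_BIN_NAMES:
        return "Recycle Bin"
    for label, root in EXCLUDED_DIRS:
        root = normalize(root, env)
        # Compare whole path components so C:\Users\jdoe2 does not match C:\Users\jdoe.
        if target == root or target.startswith(root + "\\"):
            return label
    return None


def writable_locations(paths, env: dict = SAMPLE_ENV) -> dict:
    """Map each path that still needs another control to the exclusion it falls under."""
    hits = {}
    for p in paths:
        label = blanketing_exclusion(p, env)
        if label:
            hits[p] = label
    return hits


if __name__ == "__main__":
    # Constructed file locations to audit.
    for p, why in writable_locations([
        r"%appdata%\example\sample.exe",
        r"C:\Windows\System32\sample.exe",
        r"C:\Users\jdoe\..\..\Windows\sample.exe",
    ]).items():
        print(f"{p}: writable ({why})")
```

Only the %appdata% entry is reported: it resolves to a folder below %userprofile%, while the other two normalize to locations under the Windows folder that the list does not exclude.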

Sources:

Closing note: While RES Software has never intended nor marketed the Workspace Manager product as an antivirus solution, it is self-evident from the examples above that the 6 current security subsystems may be employed to take a huge bite out of the looming threats of malware, spyware and vira floating around out there. As they say; an ounce of prevention is worth two pounds of cure. While we're at it, you might also want to have a look at the RESguru article here, which discusses working with the RES Workspace Manager's security model.

 

The RES Relay Server

From the Skunkworks Dept. As we are approaching the release of Workspace Manager 2012 later this year, here's a sneakpeek into the goodiebag of good things to come. Specifically I've taken the RES Relay Server for a spin and kicked the tires in the lab, in order to give you a better understanding of what this thing is. This technote article should hopefully help you gain a better understanding of what new options we will have at our disposal for designing tomorrow's workspace solutions.

<<< Click here to read the article

While we're at it, I've updated an old article RG004 – Workspace Manager commandline parameters, so it reflects the new parameters to configure a Relay Server connection for a Workspace Manager 2012 agent unattended. Click here to see the updates.