Category: 2012

4 new registry tweaks for Workspace Manager

From the Nuts & Bolts Dept. As the RES Workspace Manager Updatepack 6 has been finished, we took the time to trawl through the release notes to see what’s been fixed. As always, please remember: the RES update packs are not available for direct download and have not been fully regression tested like a Service Release is. You can request these from RES Support if you believe you are affected by one or more of the issues, or if Support recommends that you apply an updatepack. Updatepack 6 contains some rather nifty registry settings, which you can check out here in the one and only WM Registry Guide:

<<< Click here to view the latest registry tweaks in the guide.

Note: if you want to get an earlier heads-up on updates and new articles on this site, consider following @RESguru on Twitter.

All about the Workspace Manager SR2

By Max Ranzau

From the There-We-Fixed-It Dept. Once again it’s that time of year where we get the extra presents that didn’t quite make it under the tree. Today RES Software released the long-awaited Service Release 2 for RES Workspace Manager. As always, since I’m on Pacific time, I’m more or less the last RES guy on the planet to know – but hey – at least I can share the nitty-gritty details with you. This time around you’re in for a treat, as the update contains a massive overhaul of the Citrix publishing subsystems, among other things. As per usual the Service Release is available to our subscribed customers and partners at the RES Support portal. Now, let’s have a quick look at the most interesting things in SR2:

  • Ability to remote publish XenApp published apps! Yay – this was a personal thorn in my side, as up to now the only way to publish was to run the RES WM console on top of one of the XenApp boxes, as we previously could only communicate with the old MFCOM objects directly underneath. You still need a WM Agent installed on the target publishing XenApp server, as it’s the one doing the handiwork. The difference is that now you can publish even from an admin workstation running the WM console.
  • Support for XenApp 6.5 WorkerGroups: Another big enhancement on my wishlist. Even though Workspace Manager has had servergroups for many years, providing this functionality back from the early Citrix Presentation Server days, when Citrix finally added a group object in XAS6.5, we of course had to support it, so customers do not have to do double work.
  • Cross-Farm publishing: RES Workspace Manager SR2 allows you to publish an XA app across multiple farms. Note that if you’re using Relay Servers, they must be upgraded to SR2 as well for this to work.

There are a few other items that relate to Citrix, which you can read more about in the release notes. Other than that, some other noteworthy items:

  • A slew of new registry tweaks to Workspace Manager. The Registry Guide to Workspace Manager has been updated accordingly. See fixes 073 to 066
  • Various performance enhancements on Database Connectivity, User Settings and Logon time. Note: There is a specific reghack to boost logon time when offline. 
  • A new setting under Setup|Advanced Settings: The option is, to quote the release notes, “set delay for network refreshes when network connectivity changes”. This works well where a laptop may change network connectivity within a short period of time, possibly causing unnecessary Workspace Composer refreshes. Also, by configuring a delay, you can ensure that the ‘new’ network connection is fully established before the refresh takes place, preventing long refresh actions. Default value is 0 (zero) seconds, meaning it’s business as usual unless you change it.
  • Hiding apps in the startmenu when using merge-mode is now possible when managing the startmenu. Something I’m personally quite happy about, as I got egg on my face during my last training class due to just that :-)
  • Several labels and default views have changed as part of decluttering the console. Nothing crucial, but you might just want to glance over the release notes for a heads-up on all items.
  • New Zone rule for computer’s AD group membership. This has been a long standing wish of mine since we could check on the site and OU of the computer, so now this part of the big picture is complete.
  • New commandline option to export the Network Security log as XML. See this section of the updated WM CommandLine reference for further info.
  • Exception tab on Agents: I believe this is a very important piece to understand for designers and architects (which is why it probably deserves its own article at some point): The short story about SR2, quoting from the release notes, is that Agent-related zone rules set on the Workspace Container are now taken into account when determining the applicability of an exception tab for the node Administration | Agents. This makes it possible, for example, to define different Datastore or Relay Server connections on exception tabs based on Agent-specific properties such as IP address. Note that the following zone rules are not Agent-specific and are therefore not evaluated when defining the Workspace Containers on which to base an exception tab for the Agents node:
    • Citrix Receiver client type
    • Session Type
    • (Partial) terminal server listener name
    • User property
    • VDX / Workspace Extender

    The Workspace Container’s Access Control/Identity is still ignored for exception tabs on the node Administration > Agents; and the evaluation of Workspace Container applicability for an exception tab remains unchanged for all other features and nodes.

  • Last but not least is the question on everybody’s lips: Does SR2 support Windows 8? The answer is yes and no. Yes, the software is supported running on Windows 8. Yes, it can now recognize Windows 8, as there are now OS Zone rules for Win8 and Server 2012. This makes the temporary hack I created in article RG04C obsolete. However, SR2 does NOT include management of the Metro/Modern tiles. Apparently there are some things we are working on together with Microsoft in order to make that a reality. Hopefully we’ll see this in the next Service Release.

For now, here are the release notes for you to download.

Enjoy!

 

Could RES Workspace Manager have prevented the spread of the xDocCrypt Virus?

Written by Patrick Kaak

Translation & editing, Max Ranzau.

Editor's note: This article is an English translation of Patrick's original Dutch article, available here. If my translation leaves room for improvement (80% Google, 20% guesswork :), feel free to comment.

Recently, the Netherlands and the rest of the world have been under the spell of a nasty piece of viral code, spreading quickly and causing damage to office documents. This virus is called xDocCrypt / Dorifel. Most virus scanners did not have the signature of the virus in time, hence there's already quite an outbreak on the loose. Most are, however, updated at this point.

The xDocCrypt virus does not infect a computer in the usual manner. Normally, a virus enters a system via infected external drives, via downloaded files, or arrives by mail. In the case of xDocCrypt, the virus is downloaded and installed by existing malware (Citadel / Zeus) which is already on the computer. This software sits dormant on the machine, routinely connecting to a server hosted by its creator, waiting for orders. The order in this case is to download a virus, which once active will start infecting documents. It appears the malware payload now includes a new virus (Hermes), which can cause even more damage as it focuses on obtaining bank details.

As virus scanners may be slow to learn and intercept the virus, the question must be asked: is there a way to prevent this from happening preemptively? Our answer is that you can never prevent 100% of all attacks, but you can certainly make them very difficult by means of a good Workspace Management security solution.

If we look at Microsoft Windows itself, we already have an option to block the virus from starting by using the AppLocker feature in Windows Vista, 2008 or higher to protect against the execution of unknown binaries. RES Workspace Manager provides a similar yet much more flexible feature, which blocks the launch of executables that the user has no rights to, or that are unknown in the system. Configuring things like this would usually take a lot of time, as you specify exceptions on a whitelist of allowed executables. Fortunately, RES Workspace Manager has the ability to quickly learn what the user should be allowed to execute. In addition to these learned authorizations, the executables for the managed apps assigned to a given user are automatically authorized by WM for only that user. Another advantage of the Workspace Manager is that a user can launch applications which normally require administrative privileges.

Additionally the RES Workspace Manager can log any executables being blocked. These logs can be forwarded to any administrator or security officer via email or SNMP through the Workspace Manager Alerting feature (available in the Advanced Administration module, Ed.). This is a great way to detect the initialization of the Citadel / Zeus malware, as these will be unknown executables.

Besides Application Security, RES Workspace Manager also has a Network Security feature. This feature makes it possible to white- or blacklist individual executable's TCP/UDP access to given IP ranges. If you chose a whitelist approach and the virus was already present on your network, it would never get any access to the outside world, being blocked by the Workspace Manager. Alternatively, knowing the servers where the virus downloads from, one could also employ a blacklisting scheme to block any traffic to/from those sites.

Finally, the Read-Only Blanketing security feature in RES Workspace Manager provides good protection against writing to the local disks. This ensures that unauthorized processes/applications can't deposit any kind of data payload on, for example, the system drive. By design, Read-Only Blanketing will not protect the following paths:

  • The Recycle Bin on each local drive (so users actually can delete files)
  • %allusersprofile% and %userprofile% (where %appdata% resides per default)
  • Tmp and temp locations (user processes may write data here)
  • Spool directory (if write permissions were removed here, users couldn't print)
  • Debug\usermode in Windows folder
  • The server console

However, in the case of the malware discussed here, this feature will not be able to protect you, as the malware stores its payload under %appdata%. Since the virus lives in the user's profile, there is something to be said about how you handle your profiles. If you use the combination of a Mandatory Profile with RES Workspace Manager's User Settings feature, you can explicitly specify what is to be retained when the session is ended, and the profile and its contents (including the virus) are then destroyed. That would not be the case with default configured roaming profiles.
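To make that gap concrete, the following added example (not part of the original article and not RES Workspace Manager code) checks launch records against the unprotected locations listed above and an authorized-executables list. The environment values, the concrete Windows paths chosen for the spool, temp and Recycle Bin entries, and the launch records are all constructed assumptions.

```python
import ntpath
import re

# Constructed session environment (assumed values, not taken from the article).
ENV = {
    "allusersprofile": r"C:\ProgramData",
    "userprofile": r"C:\Users\jdoe",
    "appdata": r"C:\Users\jdoe\AppData\Roaming",
    "temp": r"C:\Users\jdoe\AppData\Local\Temp",
    "windir": r"C:\Windows",
}

# Locations the article lists as not covered by Read-Only Blanketing.
# The concrete paths are an assumed mapping; most specific entries come first.
UNPROTECTED = [
    "%temp%", r"%windir%\Temp", r"%windir%\System32\spool", r"%windir%\Debug\UserMode",
    r"C:\$Recycle.Bin", "%allusersprofile%", "%userprofile%",
]

def expand(path, env=ENV):
    """Expand %var% case-insensitively and normalise case, slashes and '..'."""
    filled = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(filled))

def unprotected_root(exe_path):
    """Return the listed writable root that contains exe_path, or None."""
    target = expand(exe_path)
    for root in UNPROTECTED:
        base = expand(root)
        if target == base or target.startswith(base + "\\"):
            return root
    return None

def triage(launches, authorized):
    """Return (user, exe, root) for unauthorized launches from writable roots."""
    allowed = {expand(p) for p in authorized}
    return [(user, exe, unprotected_root(exe)) for user, exe in launches
            if unprotected_root(exe) and expand(exe) not in allowed]

# Constructed launch records and authorized list, for illustration only.
AUTHORIZED = [r"C:\Users\jdoe\AppData\Local\Vendor\updater.exe"]
LAUNCHES = [
    ("jdoe", r"C:\Program Files\Office\WINWORD.EXE"),
    ("jdoe", r"%APPDATA%\A1B2C3\unknown.exe"),
    ("jdoe", r"C:\Users\jdoe\AppData\Local\Vendor\updater.exe"),
    ("jdoe", r"C:\Windows\..\Users\jdoe\AppData\Local\Temp\setup.exe"),
]

for finding in triage(LAUNCHES, AUTHORIZED):
    print(finding)
```

The two flagged records are the ones that an application whitelist has to stop, because the read-only disk protection does not apply where they live.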

The RES Workspace Manager features above are suggested for use together with the advice given by the Dutch National Cyber Security Center of the Ministry of Security and Justice. The configuration of any Workspace solution, however, is not just something you do in a few minutes without knowing what you're doing. For more information, please visit my company at Centric.eu. There you can also read more about how to resolve the damage caused by the virus, specifically what ports and hosts to block.

Closing note: While RES Software has never intended nor marketed the Workspace Manager product as an antivirus solution, it is self-evident from the examples above that the 6 current security subsystems may be employed to take a huge bite out of the looming threats of malware, spyware and viruses floating around out there. As they say: an ounce of prevention is worth two pounds of cure. While we're at it, you might also want to have a look at the RESguru article here, which discusses working with the RES Workspace Manager's security model.

 

The RES Relay Server

From the Skunkworks Dept. As we are approaching the release of Workspace Manager 2012 later this year, here's a sneak peek into the goodiebag of good things to come. Specifically, I've taken the RES Relay Server for a spin and kicked the tires in the lab, in order to give you a better understanding of what this thing is. This technote article should hopefully help you gain a better understanding of what new options we will have at our disposal for designing tomorrow's workspace solutions.

<<< Click here to read the article

While we're at it, I've updated an old article, RG004 – Workspace Manager commandline parameters, so it reflects the new parameters for unattended configuration of a Relay Server connection for a Workspace Manager 2012 agent. Click here to see the updates.