Terminal Server Desktop, Explorer.exe, Launches from a Published Application

Citrix states in their article: CTX991230

Document ID: CTX991230, Created on: Aug 5, 2002, Updated: May 17, 2006

Products: Citrix MetaFrame XP 1.0 for Microsoft Windows 2000, Citrix MetaFrame XP 1.0 for Microsoft NT 4.0 Server Terminal Server Edition, Citrix MetaFrame XP 1.0 for Microsoft Windows 2003, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2000, Citrix MetaFrame Presentation Server 3.0 for Microsoft Windows 2003, Citrix Presentation Server 4.0 for Microsoft Windows 2000, Citrix Presentation Server 4.0 for Microsoft Windows 2003

Problem Description

When connecting to an ICA published application either in a fixed or seamless window mode, or an RDP session configured for an Initial Program, it may be possible to launch the Explorer desktop.

Invoking the desktop from a published application session is perceived as a security issue.

CTX101664 – User Can Launch Desktop Instead Of Published Application

CTX108784 – Preventing the Explorer.exe from Launching in Shell Mode

CTX103376 – How to disable the Windows explorer functions in a published Internet Explorer

CTX112134 – ICA Seamless Host Agent Dialog box Displayed when Connecting to a Seamless Application

Examples

1. Winword.exe. If a Word document contains a hyperlink to a UNC folder such as \\Server\Share and the hyperlink is clicked, an instance of Explorer.exe is started and the desktop is displayed.

2. Accessing the Microsoft Outlook Web Toolbar. This allows a user to simply type file://x:/winnt/explorer.exe in the Text control.

Below is a documented workaround for examples 1 and 2 that can be used until Microsoft implements new code to address this issue.

WARNING! Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To launch Internet Explorer instead of Explorer to view files in the UNC folder, modify the keys below. (Please note that @ means the Default string value). Open the registry on the server hosting MetaFrame and change the following keys.

HKCR\Folder\shell\explore\command

@ = "c:\progra~1\intern~1\iexplore.exe" -nohome %L (or the path where Internet Explorer is installed on your machines)

HKCR\Folder\shell\explore\ddeexec

@ = "" (empty string)

HKCR\Folder\shell\explore\ddeexec\application

@ = "IExplore"

3. Pressing Ctrl+F1 inside an ICA session brings up the Windows Security dialog box. Set a policy that prevents Task Manager from being executed; otherwise users can choose File, New Task and type explorer.exe.

4. Restrict user access to a command prompt. This prevents users from launching a process from a command line.

5. Configure the Citrix ICA listener to "run only published applications" and publish the desktop for only the users or groups allowed to access the server desktop.

6. Lock down Explorer with policies to prevent access to the desktop.

By default, in some applications, the user has access to Explorer when opening or saving a file. For example, in Notepad, File/Save As brings up the file selector. If you choose a file and right-click it, you can access Explorer. In a published application, this may bring up a Citrix error message about CTXUNDO not being able to find a file. After the error, you end up with the desktop of the MetaFrame server.

In another scenario, the user may receive the desktop from published Internet Explorer.

Through an ICA session on a client device:

• Run Internet Explorer as a published application.

• Select File and click Open.

• When opened, type explorer in the blank field. The server desktop opens.

You cannot apply the Disable Windows Explorer's default context menu policy after you install Internet Explorer 6 SP1

Resolution

Windows 2000

Create the following registry entries to prevent Explorer from being executed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (DWORD) = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileUrl (DWORD) = 1

You can also use Group Policies to lock down the server.

You cannot apply the Disable Windows Explorer's default context menu policy after you install Internet Explorer 6 SP1

Terminal Server 4.0

Explorer Context Menu:
Category: Windows NT Shell
Subcategory: Restrictions
Selection: Disable Explorers default context menu
Description: Removes the context menu that would normally appear when the user right clicks on the desktop or in the Explorer right results pane. (This option was added in Service Pack 2.)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value: NoViewContextMenu
Registry Data: REG_DWORD
Value Description: Off = 0 or value is removed; On = 1
See Q185590 for additional information.
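
As an added example (not part of the Citrix article), the Python sketch below audits a regedit export for the registry values this page documents and lists the ones that are missing or not set as described. Working from an exported .reg file, the function names and the sample export are assumptions made for illustration.

```python
import re

HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCR = r"HKEY_CLASSES_ROOT\Folder\shell\explore\command"
# Settings documented on this page: (key, value name, test on the exported data)
CHECKS = [
    (HKLM, "NoRun", lambda d: d == 1),
    (HKLM, "NoFileUrl", lambda d: d == 1),
    (HKCU, "NoViewContextMenu", lambda d: d == 1),
    (HKCR, "@", lambda d: isinstance(d, str) and "iexplore.exe" in d.lower()),
]

VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Parse regedit export text into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None and m:  # skips header, blanks, hex continuation lines
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            values[(key, name.lower())] = data  # other types stay as raw text
    return values

def audit(text):
    """Return the (key, value name) pairs from CHECKS that are missing or wrong."""
    values = parse_reg(text)
    return [(k, n) for k, n, ok in CHECKS if not ok(values.get((k.lower(), n.lower())))]

# Constructed sample export: NoFileUrl is absent and NoViewContextMenu is off
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@="\"c:\\progra~1\\intern~1\\iexplore.exe\" -nohome %L"
'''
```

Calling audit(SAMPLE) returns the NoFileUrl and NoViewContextMenu entries. A default Explorer command exported as hex data is reported too, because it does not contain iexplore.exe.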

7. For additional information on locking down a Terminal Services environment, see: CTX9333 - Tricerate Desktop Management, Locking Down Windows Server 2003 Terminal Server Sessions, and Securing Windows 2000 Terminal Services.

8. Back Door to RUN Command in Microsoft Office97 Applications.

In all Office97 applications, there is a back door to the RUN command.

a. Launch one of the Office applications; for example, Word97.

b. Click Help, About Microsoft Word, and then System Info.

c. From the File pull-down menu, select Run. The Run Application dialog box appears, where you can select an application to run and provide a command line to execute applications.

NOTE: This applies to all the applications in the Office Suite.

To prevent this from occurring, you must deny users the ability to execute Msinfo32.exe.
Use NTFS permissions to restrict access to this file.

9. You may experience problems in Windows Explorer or in the Windows shell after you install security update MS06-015


