
Thread: W2K Terminal Servers / Citrix

  1. #1
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Third planet from the Sun

    W2K Terminal Servers / Citrix

    Of late I have been working on an enterprise with Citrix XPe installed on W2K servers. As the majority of security focus has been on Citrix, the underlying Terminal services were ignored. For anyone implementing Citrix or just using Terminal services, here is a basic / minimum script for reducing unauthorised access to system files on the W2K terminal server.

    I can offer more details as to Terminal and Citrix Security if anyone is interested.


    REM ** The following commands should not be run in one script **
    REM ** Break each command after the Echo Statement **
    REM ** Terminal Server W2K Security settings **

    REM ** Grant local administrators and SYSTEM full control **
    REM ** Grant local users read access to entire volume. **

    XCacls c:\ /T /c /g administrators:F System:F Users:r
    XCacls D:\ /T /c /g administrators:F System:F Users:r

    Echo y|xcacls c:\* /T /c /g Administrators:F System:F Users:r

    REM ** deny user access to system boot files **

    XCacls c:\boot.ini /e /c /r Users
    XCacls c:\ntdetect.com /e /c /T /r Users
    XCacls c:\ntldr /e /c /T /r Users

    REM ** Revoke user access as required **

    XCacls c:\winnt\config /e /c /T /r Users

    XCacls c:\winnt\Ctxundo /e /c /T /r Users

    XCacls c:\winnt\ICA /e /c /T /r Users

    XCacls c:\winnt\INF /e /c /T /r Users

    XCacls c:\winnt\profiles\administrator /e /c /T /r Users

    XCacls c:\winnt\repair /e /c /T /r Users

    XCacls c:\winnt\system32\clients /e /c /T /r Users

    XCacls c:\winnt\system32\drivers /e /c /T /r Users

    XCacls "c:\winnt\system32\ICA Passthrough" /e /c /T /r Users

    XCacls c:\winnt\system32\lserver /e /c /T /r Users

    XCacls c:\winnt\system32\ras /e /c /T /r Users


  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    An approach that you may want to take (which I always do) is to use the tool from MS called everyone2user. This little app removes all "everyone" perms and allows you to build ACLs without having to worry if you missed something.

    Anyway, for what it is worth....

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Third planet from the Sun

    Absolutely correct! I should have been more specific. My issue is that I came onboard with the project years after implementation. I tried everyone2user in the lab and legacy software quit working - whole other issue (no documentation - no noticeable naming convention). Anyway, the ACL changes only affect TS and system files. This approach is for environments where Security is an afterthought.
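
A read-only check for the ACL changes discussed in this thread, added here as an example and not written by any of the posters: it lists which of the paths from the script in post #1 still carry an entry for the local Users group or for Everyone (the group raised in post #2). It assumes English group names, the default c:\winnt layout, and the stock cacls and find commands.

```batch
@echo off
REM Added example, not from the original thread.
REM Reports whether BUILTIN\Users or Everyone still holds an ACE on each
REM path the script in post #1 revokes. Read-only: it changes no ACLs.
REM Assumption: English group names and the default c:\winnt layout.
setlocal
set FAIL=0
for %%P in (
  "c:\boot.ini"
  "c:\ntdetect.com"
  "c:\ntldr"
  "c:\winnt\config"
  "c:\winnt\Ctxundo"
  "c:\winnt\ICA"
  "c:\winnt\INF"
  "c:\winnt\profiles\administrator"
  "c:\winnt\repair"
  "c:\winnt\system32\clients"
  "c:\winnt\system32\drivers"
  "c:\winnt\system32\ICA Passthrough"
  "c:\winnt\system32\lserver"
  "c:\winnt\system32\ras"
) do call :check %%P
if "%FAIL%"=="0" echo RESULT: no Users or Everyone entries found.
if "%FAIL%"=="1" echo RESULT: at least one path needs review.
endlocal
goto :eof

:check
REM %1 is the quoted path; %~1 is the same path without quotes.
if not exist %1 echo SKIP  %~1 is not present& goto :eof
REM cacls with only a path prints the ACL; find sets errorlevel 0 on a match.
cacls %1 | find /i "BUILTIN\Users" >nul
if not errorlevel 1 echo FAIL  %~1 still lists BUILTIN\Users& set FAIL=1
cacls %1 | find /i "Everyone" >nul
if not errorlevel 1 echo FAIL  %~1 still lists Everyone& set FAIL=1
goto :eof
```

The check inspects only the ACL on each listed file or directory itself, so entries on child objects that were skipped by /c during the revoke are not reported.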
