June 29, 2017 - Nick
Potential Files Leaving Your Environment: Citrix XenDesktop 7.6 FP3 & Google Chrome OS
My team came across an interesting discovery (credit to Connor Gorman). He noticed that he was able to take files off of his virtual desktop and into his Google Chrome device by simply using the ‘Upload’ & ‘Download’ features present in Receiver for Chrome:
This was strange to us because we went through an extensive Citrix policy review when we implemented 7.6 in our environment to make sure we had the most secure settings and that everything was locked down in such a way that prevented unauthorized data from coming in/out of our environment. Of course we have other measures in place to prevent such data leakage, but to see these buttons exist and almost work was a big concern.
First step, we took to Google. After a little bit of searching, I found this article: https://www.citrix.com/blogs/2016/03/09/receiver-for-html5-and-chrome-file-transfer-explained/
The article explains that “File upload and download can be enabled or disabled using Citrix Studio Policy giving the required control to the admin. Admin has to install the Group Policy Management Hotfix 7.6.300 to set these policies.” It also went on to explain that “By default, File transfer is enabled; to disable it, we need to use the Group Policy, as mentioned above.” Really Citrix???
So in summary, by default, Citrix opened up an avenue of file transfer that required an additional group policy hotfix to do the actual configuration to prevent said file transfer. Would love to hear anyone’s thoughts on this one. For me, I’d love to advise Citrix to start taking a more conservative stance on these types of decisions and always change the default setting to ‘Disabled’ when it comes to anything that could be considered a security risk. One could probably say, “well then you should have read all the release notes”, but c’mon now we all know that can be missed!
Anyway, after installing the group policy management hotfix that is part of Feature Pack 3 and available here: https://support.citrix.com/article/CTX142464 – you can configure the following policies as disabled. I would recommend putting them as your baseline policy:
Hopefully this helps someone else!