Windows services are a popular topic for the inquisitive security auditor.  Those services are easily visible, and there’s a simple checklist to apply (“#1 – Disable services you do not need”).  To satisfy that auditor, here’s a detailed explanation.

To get the job done, some XenDesktop services require Windows privilege.  Built-in Windows accounts are typically used, following the general principle of least privilege. The pattern of usage is:

  • Local Service - for services that do not require powerful privilege, and do not need to authenticate themselves to other computers.  You might be surprised to see the Citrix USB Service here; in fact, all the privileged logic is in a device driver.
  • Network Service - for services that do not require powerful privilege, but do need to authenticate themselves to other computers. The Citrix Desktop Service appears here, as you’d expect; it needs to authenticate itself to the delivery controller.
  • System - for services that need several powerful privileges, possibly including the notorious “Act as part of the operating system”.  For these, the service can automatically remove from itself the other powerful privileges that System has, but which this service doesn’t need.  Beyond that, further privilege reduction isn’t practical.
  • A Citrix-specific account - for services that need one or two powerful privileges, but no more.  This is the tricky case.
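To see where your own machine's services fall in this pattern, here is an added PowerShell inventory script (it is not Citrix code and not from the original post). It classifies every service by the account it runs as and, for System and custom accounts, lists the privileges the service declares it requires via `sc.exe qprivs`, which is the mechanism behind the automatic privilege removal described above. The class labels and the "review" flag are this example's own naming; it assumes PowerShell 3 or later for `Get-CimInstance`.

```powershell
# Added example (not Citrix code): inventory Windows services by the account
# class described in the post. Everything is read live from the local machine;
# the class names and the "(review)" label are this example's own.
function Get-ServiceAccountClass {
    param([string]$StartName)
    switch -Regex ($StartName) {
        '^(NT AUTHORITY\\)?Local ?Service$'    { return 'Local Service' }
        '^(NT AUTHORITY\\)?Network ?Service$'  { return 'Network Service' }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$' { return 'System' }
        '^NT SERVICE\\'                        { return 'Virtual service account' }
        default                                { return 'Custom account (review)' }
    }
}

# sc.exe qprivs prints the privileges a service declares it requires; on Vista
# and later the Service Control Manager strips every other privilege from the
# service's token at start-up. Output lines look like
#   "        PRIVILEGES         : SeChangeNotifyPrivilege"
#   "                           : SeCreateGlobalPrivilege"
function Get-ServiceRequiredPrivileges {
    param([string]$ServiceName)
    $out = & sc.exe qprivs $ServiceName 2>$null
    $privs = @()
    foreach ($line in $out) {
        if ($line -match ':\s*(Se\w+Privilege)\s*$') { $privs += $Matches[1] }
    }
    return $privs
}

$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartName, State, StartMode

$report = foreach ($svc in $services) {
    $class = Get-ServiceAccountClass -StartName $svc.StartName
    # Declared privileges only matter where the account actually has powerful ones.
    $privs = if ($class -in 'System', 'Custom account (review)') {
        (Get-ServiceRequiredPrivileges -ServiceName $svc.Name) -join ','
    } else { '' }
    [pscustomobject]@{
        Service            = $svc.Name
        DisplayName        = $svc.DisplayName
        Account            = $svc.StartName
        Class              = $class
        State              = $svc.State
        StartMode          = $svc.StartMode
        DeclaredPrivileges = $privs
    }
}

# Summary per account class, then the entries an auditor will ask about:
# custom accounts and the Citrix services themselves.
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Class -eq 'Custom account (review)' -or $_.DisplayName -like 'Citrix*' } |
    Sort-Object Class, DisplayName | Format-Table -AutoSize
```

Run it in an elevated prompt so `sc.exe qprivs` can query every service. An empty `DeclaredPrivileges` column for a System service means it has not opted into privilege removal and runs with everything System has, which is exactly the case the post says cannot be reduced further.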

That last one is a tricky case, because your security auditor now spots a Citrix-specific account being used, and digs deeper.  Explain it like this:

  • Local Service (or Network Service) isn’t enough - the service needs a privilege that these accounts don’t have, and won’t work without it.
  • System is too much - it adds unnecessary risk.
  • A Citrix-specific local account is created with just the privileges needed.  The initial password is a strong password, compatible with all Group Policy settings for password policy.

In fact, for XenDesktop there is usually only one service like this – the Citrix Print Manager Service. (XenApp has more.)  And it requires just one powerful privilege: “Load and unload device drivers”.  By default it uses the Ctx_CpsvcUser account. Here are your choices for the Citrix Print Manager Service:

  • Disable the service.  Do this if all printing is direct to a Windows network printer, rather than via the Citrix Print Manager service. Some regulated environments require this.
  • Use the Ctx_CpsvcUser account.  This is recommended for most environments.
  • Use another account of your choice.  Commonly, this is a specially created domain account.  Some regulated environments forbid the use of local accounts by services, because their passwords can’t be managed centrally; this is then the best option.
  • Use System. This is only recommended during troubleshooting.

One more thing – for Windows Vista and Windows 7, the Ctx_CpsvcUser account does not need to be a member of the Power Users group.  Here’s why.

When Windows checks whether a process is allowed to do something, three mechanisms come into play. First, privileges (like “Act as part of the operating system” and “Load and unload device drivers” mentioned above).  Second, access control to securable objects (like files and registry keys).  The third mechanism is so rarely described that it doesn’t even have an official name; let’s call it built-in capabilities.  These capabilities are checked by the membership of well-known groups such as Administrators and Power Users (for example, the capability to create a local account).  These built-in capabilities are effectively hardwired, and can’t be granted to other groups – so you can’t create another group that behaves the same way as Administrators (should you ever think of doing this).

Anyway, it turns out that in Vista and later the Citrix Print Manager Service doesn’t need a built-in capability that used to be conferred by Power Users.  So it doesn’t need that group membership. A final tip, then. You may already be using the Active Directory restricted groups mechanism to force Power Users to be empty – a good security practice.  But be careful to exclude Windows XP virtual desktops from any such GPO, as that will affect the Citrix Print Manager Service.
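To check a desktop against both of the points above (the Print Manager account should hold “Load and unload device drivers” and nothing more powerful, and it need not be in Power Users), here is an added PowerShell check; it is not Citrix code and not from the original post. It finds the service by the display name the post gives, exports the local User Rights Assignment with `secedit`, and compares the SIDs. The list of “powerful” privileges it looks for is this example's own choice, and it only sees rights granted directly to the account, not rights inherited through group membership.

```powershell
# Added example (not Citrix code): verify the least-privilege configuration of
# the account behind the Citrix Print Manager Service. Assumptions: the service
# is located by display name; the "powerful" privilege list below is ours; the
# export file under $env:TEMP is ours. Run from an elevated prompt.
$DisplayName = 'Citrix Print Manager Service'
$PowerfulPrivileges = @(
    'SeTcbPrivilege',            # "Act as part of the operating system"
    'SeLoadDriverPrivilege',     # "Load and unload device drivers" - the one it needs
    'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege'
)

function Get-UserRightsAssignment {
    # Export the [Privilege Rights] section of the local security policy into a
    # hashtable of privilege name -> list of SIDs (secedit prefixes SIDs with '*').
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-LocalGroupMemberNames {
    # Works on Vista/7 too, where Get-LocalGroupMember does not exist.
    param([string]$Group)
    $adsi = [ADSI]"WinNT://./$Group,group"
    @($adsi.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) { throw "'$DisplayName' is not installed on this machine" }
"$($svc.Name) runs as $($svc.StartName)"

if ($svc.StartName -eq 'LocalSystem') {
    'Running as System: the post recommends this only during troubleshooting.'
    return
}

# A local account is reported as ".\Name"; qualify it so it resolves to a SID.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$rights = Get-UserRightsAssignment

$held = @($PowerfulPrivileges | Where-Object { $rights[$_] -contains $sid })
$result = [pscustomobject]@{
    Account             = $account
    HasLoadDriver       = ($held -contains 'SeLoadDriverPrivilege')
    ExtraPowerfulRights = @($held | Where-Object { $_ -ne 'SeLoadDriverPrivilege' })
    InPowerUsers        = ((Get-LocalGroupMemberNames 'Power Users') -contains $account.Split('\')[-1])
}
$result | Format-List

if (-not $result.HasLoadDriver) { 'WARNING: no direct SeLoadDriverPrivilege grant; the service will not work unless a group confers it.' }
if ($result.ExtraPowerfulRights) { "WARNING: extra powerful rights held: $($result.ExtraPowerfulRights -join ', ')" }
if ($result.InPowerUsers) { 'NOTE: Power Users membership is unnecessary on Vista and later.' }
```

The `InPowerUsers` line is the one to watch when you apply a restricted-groups GPO: on Vista and Windows 7 it can be true or false without affecting printing, but on Windows XP virtual desktops emptying Power Users will break the service, so scope the GPO accordingly.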