In working with the Federal Government, there are often strict security policies. The United States Government Configuration Baseline (USGCB) defines security configuration standards for Information Technology products widely deployed across federal agencies. For those familiar with government security practices, the USGCB evolved from the Federal Desktop Core Configuration (FDCC) mandate.

How does USGCB affect XenDesktop? After examining the USGCB settings, several of them can prevent virtual desktops deployed through XenDesktop from functioning correctly. This blog article examines some of the modifications that may be needed for XenDesktop to function with the USGCB settings for Windows 7.

With XenDesktop there is a local computer account named Ctx_CpsvcUser, which is used to start the Citrix Print Manager Service. If the XenApp Offline Plugin is used, a second local account, Ctx_StreamingSvc, is also created. These accounts need exceptions in the user-rights security policies, as well as additional file and registry permission modifications.

The following table describes the modifications that may be needed for XenDesktop and Citrix Receiver:


Policy Path | Policy Name | XenDesktop Modification | Justification
--- | --- | --- | ---
Computer Configuration\Administrative Templates\System\Remote Assistance | Offer Remote Assistance | Enabled | From Desktop Director, an administrator can request control of or offer remote assistance to a XenDesktop session. If this is required, this policy will need to be a deviation. (http://support.citrix.com/article/CTX127388)
Computer Configuration\Administrative Templates\Windows Components\Windows Update | Configure Automatic Updates | Disabled | When running in Standard Image mode, automatic updates will cause the operating system to download the same updates each time the image is booted. Citrix recommends turning this feature off to avoid downloading the same updates repeatedly, since the vDisk image is configured as read-only. (http://support.citrix.com/article/CTX119849)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Devices: Prevent users from installing printer drivers | (no change listed) | Use caution if this setting is disabled: if a driver is not available, the OS may prompt the end user for a print driver.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Domain member: Maximum machine account password age | (no change listed) | As a Citrix best practice when using Citrix Provisioning Services (PVS) and having PVS control the machine account password, the PVS password reset interval should be set to less than this setting; in this case, less than 30 days.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Access this computer from the network | Administrators, <All XenDesktop Desktop Delivery Controllers (DDCs)> | The XenDesktop Desktop Delivery Controllers require this right to communicate with the XenDesktop Virtual Desktop Agent. (http://support.citrix.com/article/CTX119736)
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Impersonate a client after authentication | Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE, Ctx_CpsvcUser, Ctx_StreamingSvc | The Citrix service accounts require this right in order to perform functions on behalf of the logged-on user.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Log on as a batch job | Ctx_CpsvcUser | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Log on as a service | Ctx_CpsvcUser, Ctx_StreamingSvc | The Citrix service accounts require this right in order to function properly.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Load and unload device drivers | Administrators, Ctx_CpsvcUser | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Create global objects | Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE, Ctx_StreamingSvc | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Replace a process level token | NETWORK SERVICE, LOCAL SERVICE, Ctx_StreamingSvc | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Restore files and directories | Administrators, Ctx_StreamingSvc | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Take ownership of files or other objects | Administrators, Ctx_StreamingSvc | The Citrix service account requires this right in order to function.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Deny log on locally | Guests, Ctx_StreamingSvc | This deny rule is added in order to enhance security.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Deny log on through Remote Desktop Services | Guests, Ctx_StreamingSvc | This deny rule is added in order to enhance security.


In a XenDesktop with XenApp deployment, Citrix Receiver will often be part of the virtual desktop image as well as installed on standalone physical desktops.  Therefore, the above recommendations for the Ctx_StreamingSvc may need to be applied to both physical desktops as well as virtual desktops with Citrix Receiver.
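As an added example (not code from the original article or from Citrix), the following PowerShell script audits the effective User Rights Assignment of a Windows 7 virtual desktop against the Citrix exceptions in the table above: it exports the local policy with secedit, resolves the SIDs it writes, and reports for each right which required account is missing and which extra holders are present. It assumes an elevated session on the VDA, and uses a hypothetical DDC computer account, CORP\DDC01$, in place of "<All XenDesktop Desktop Delivery Controllers (DDCs)>"; replace it with the real DDC accounts or a group containing them.

```powershell
# Added example, not code from the original article or from Citrix.
# Audits the local User Rights Assignment of a Windows 7 VDA against the Citrix
# exceptions in the table above. Assumptions: elevated PowerShell on the VDA;
# secedit.exe present (it ships with Windows 7); "CORP\DDC01$" is a hypothetical
# DDC computer account standing in for "<All XenDesktop DDCs>".

# Privilege constant (as secedit names it) -> accounts the table says must hold it.
$expected = @{
    'SeNetworkLogonRight'               = @('Administrators', 'CORP\DDC01$')              # Access this computer from the network
    'SeImpersonatePrivilege'            = @('Administrators', 'SERVICE', 'LOCAL SERVICE',
                                           'NETWORK SERVICE', 'Ctx_CpsvcUser', 'Ctx_StreamingSvc')  # Impersonate a client after authentication
    'SeBatchLogonRight'                 = @('Ctx_CpsvcUser')                               # Log on as a batch job
    'SeServiceLogonRight'               = @('Ctx_CpsvcUser', 'Ctx_StreamingSvc')           # Log on as a service
    'SeLoadDriverPrivilege'             = @('Administrators', 'Ctx_CpsvcUser')             # Load and unload device drivers
    'SeCreateGlobalPrivilege'           = @('Administrators', 'LOCAL SERVICE', 'NETWORK SERVICE',
                                           'SERVICE', 'Ctx_StreamingSvc')                  # Create global objects
    'SeAssignPrimaryTokenPrivilege'     = @('NETWORK SERVICE', 'LOCAL SERVICE', 'Ctx_StreamingSvc')  # Replace a process level token
    'SeRestorePrivilege'                = @('Administrators', 'Ctx_StreamingSvc')          # Restore files and directories
    'SeTakeOwnershipPrivilege'          = @('Administrators', 'Ctx_StreamingSvc')          # Take ownership of files or other objects
    'SeDenyInteractiveLogonRight'       = @('Guests', 'Ctx_StreamingSvc')                  # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight' = @('Guests', 'Ctx_StreamingSvc')                  # Deny log on through Remote Desktop Services
}

function Resolve-Principal([string]$entry) {
    # secedit writes well-known principals as "*S-1-5-32-544"; translate those to names
    # and strip the BUILTIN\, NT AUTHORITY\ and local-machine prefixes so they compare
    # with the short names used in the table. Domain accounts keep their DOMAIN\ prefix.
    $name = $entry
    if ($entry.StartsWith('*')) {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # orphaned SID: report it as-is
    }
    return ($name -replace "^(BUILTIN|NT AUTHORITY|$env:COMPUTERNAME)\\", '')
}

# Export only the user-rights area of the effective local policy to an INF file.
$inf = Join-Path $env:TEMP 'usgcb-user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse the [Privilege Rights] section; each line looks like
#   SeServiceLogonRight = *S-1-5-80-0,Ctx_CpsvcUser
$actual = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $actual[$Matches[1]] = @($Matches[2].Split(',') | Where-Object { $_.Trim() } |
                                ForEach-Object { Resolve-Principal $_.Trim() })
    }
}
Remove-Item $inf -Force

# Missing = will break the Citrix service; Extra = a holder the table does not list,
# to be judged against the agency's USGCB baseline rather than removed blindly.
# New-Object PSObject is used instead of [pscustomobject] so this runs on PowerShell 2.0.
$report = foreach ($right in ($expected.Keys | Sort-Object)) {
    $have = @($actual[$right] | Where-Object { $_ })
    $want = $expected[$right]
    New-Object PSObject -Property @{
        Right   = $right
        Missing = ($want | Where-Object { $have -notcontains $_ }) -join ', '
        Extra   = ($have | Where-Object { $want -notcontains $_ }) -join ', '
    }
}
$report | Select-Object Right, Missing, Extra | Format-Table -AutoSize
```

Anything in the Missing column is what will stop the Citrix Print Manager Service or the streaming service from starting. Fix it in the Group Policy object that delivers the USGCB settings (as a documented deviation), not with a local edit, because a local change is overwritten at the next policy refresh; the script can then be re-run after gpupdate to confirm the deviation landed.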

In a couple of scenarios I have seen the following security options cause communication issues between the VDA and the DDC, or between the virtual desktop and domain and member servers:

  • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing – (Enabled)
  • Network security: LAN Manager Authentication level – Send NTLMv2 Response only. Refuse LM and NTLM – Ensure that domain and member servers accept NTLMv2 responses; otherwise, this setting will need to be changed to match the domain and member servers.

As part of the USGCB settings, there are also firewall configurations. The following CTX articles describe the additional inbound firewall rules and group policy settings required for VDA to DDC communication to work properly, along with Desktop Shadowing and Windows Remote Management (WinRM) for Desktop Director.

When you add the firewall rules, you may need to apply them to all network profiles (Domain, Private, and Public). If the network category for the NIC is not identified, Windows treats the network as Public, so a rule scoped only to the Domain profile will not match and the traffic is blocked.
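As an added example (not code from the original article or from Citrix), this PowerShell script checks that caveat on a Windows 7 desktop: it parses netsh's rule listing (the NetSecurity cmdlets do not exist on Windows 7) and lists enabled inbound allow rules that are not scoped to all three profiles, with an opt-in switch to re-scope them. It assumes the rule names you created contain "Citrix"; $namePattern is a placeholder to adjust, and the netsh labels it matches are the English ones.

```powershell
# Added example, not code from the original article or from Citrix.
# Lists enabled inbound allow rules that are NOT scoped to all three profiles, so the
# "apply to all networks" caveat above can be verified. Uses netsh because the
# NetSecurity cmdlets are not available on Windows 7. Assumption: the rule names of
# interest contain "Citrix"; change $namePattern to match the names you created.
$namePattern = '*Citrix*'
$fix = $false   # set to $true (in an elevated session) to widen the listed rules to every profile

# netsh prints one "Key:   Value" line per property and starts each rule with "Rule Name:".
# New-Object PSObject is used instead of [pscustomobject] so this runs on PowerShell 2.0.
$rules = New-Object System.Collections.ArrayList
$props = $null
foreach ($line in (netsh advfirewall firewall show rule name=all)) {
    if ($line -match '^Rule Name:\s+(.+)$') {
        if ($props) { [void]$rules.Add((New-Object PSObject -Property $props)) }
        $props = @{ Name = $Matches[1].Trim() }
    } elseif ($props -and $line -match '^([A-Za-z ]+):\s+(.+)$') {
        $props[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}
if ($props) { [void]$rules.Add((New-Object PSObject -Property $props)) }

# A rule that covers every profile shows "Profiles: Domain,Private,Public".
$partial = @($rules | Where-Object {
    $_.Name -like $namePattern -and $_.Direction -eq 'In' -and $_.Enabled -eq 'Yes' -and
    $_.Action -eq 'Allow' -and $_.Profiles -ne 'Domain,Private,Public'
})
$partial | Select-Object Name, Profiles, Protocol, LocalPort | Format-Table -AutoSize

if ($fix) {
    foreach ($r in $partial) {
        # Same rule, re-scoped to all profiles; its other properties are left untouched.
        netsh advfirewall firewall set rule name="$($r.Name)" dir=in new profile=any
    }
}
```

If the rules are delivered by Group Policy, make the profile change in the GPO rather than with the $fix switch, since a locally modified rule is replaced at the next policy refresh; the listing half of the script is still useful to confirm what the desktop actually received.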

As always, thorough testing is recommended as each agency’s settings or requirements may differ.