XenApp and XenDesktop added new capabilities in version 7.6 for one-way clipboard functions including for the first time, one-way, either-way, clipboard data transfer as well as the ability to limit the clipboard formats that are permitted to flow across the connection. These capabilities were added to address a growing demand for flipping the classic server based computing security model upside-down, a term described as “browsing down.”
One-way client to server clipboard support has existed since XenApp 5 Feature Pack 2. Here is a link to a year 2009 blog describing how it works, a support article and even an officially produced support team video showing how to enable this function.
Flipping The Security Model
What is new is that customers are starting to flip the security model upside down. In classic server based computing, the XenApp or XenDesktop servers are “in the data center”, close to the beloved data. With the assistance of NetScaler Gateway performing ICA Proxy, end user computers have no network connection to the protected spaces. Screen, Keyboard and other user interaction travels to and fro, but the endpoint computer has no network connection itself to the protected spaces. This model of execution has been very successful and does an excellent job protecting enterprise data.
In this model of ICA Proxy, it is also true that the host computers have no network visibility to the endpoint computers, a feature many customers are utilizing to separate “high risk” applications from vetted and trusted endpoint computers.
Browse The Web In Peace
Consider that if you have a validated endpoint configuration, well locked down and approved for the purpose that it has, then how do you add to that environment an application that doesn’t match the security requirements of the endpoint? The problem application is almost always “web browser” and today, customers are setting up XenApp and XenDesktop farms adjacent to their other farms and endpoints for the sole purpose of running web browsers.
Payment Card Industry
For credit card processing companies, “PCI Compliance” is a bank requirement. A QSA (Auditor) reviews and ultimately approves the data processing environment; the security requirements normally grow over time and also more directly security expectations grow as the PCI Tier changes. The more credit card data processed, the higher the “risk” and the higher the bar for compliance.
For some customers, the configuration requires essentially no network connection from the protected spaces to the Internet, but they still have a requirement that users are able to browse the web. Customer has two choices, double the number of endpoint computers and double the networking infrastructure, or deliver the web browser application via ICA Proxy from hosted XenApp/XenDesktop machines. Option B is popular.
Customers were happily using this configuration well before 7.6, but they had a request, … their users want clipboard to work and in their locked configurations, data is not permitted to flow from the less trusted server environment to the endpoint.
Request For Enhancement
Request for enhancement arrives on my desk. One way clipboard support, server to client and also please filter the clipboard formats to prevent things other than text and BMP from going into the protected world. Some other customers submitted the same with a different set of clipboard formats requested, ultimately a configurable solution is the right answer.
The requirement was accepted and implemented for XenApp and XenDesktop 7.6. The developers exceeded all expectations by getting this added to the Desktop Studio UI, to make it easier for administrators to enable the function and manage the clipboard formats. Compare to the XenApp 5 FP2 function one way support which was registry configuration. Gold star to our Citrix HDX development team!
Here’s A Picture
By default, clipboard is not restricted, but if the restrict feature is enabled, the immediate effect is that the clipboard data transfer is restricted for all clipboard formats. This is effectively the same as turning off clipboard in that direction.
The administrator can individually enable server to client, client to server and they can separately configure the clipboard formats that are permitted to transfer. This is described in detail in the official product eDocs.
Server Environment Is Yours Too
Turning the security model upside down is a neat use of server based computing. While the protected endpoint space is well controlled and trusted, it is also true that the non trusted space is not exactly a free for all. It is also managed, often by the same administrators that define the endpoint configuration. So when configuring, it is really separating the spaces, moving higher risk applications onto a XenApp or XenDesktop hosted space where you still work to restrict what is allowed to happen.
For web browsing functions, it is common to lock the machine down server side as well as client. Users should be USERS even if it is a hosted Desktop. Any capability that exposes the endpoint should be turned off and this includes client drive mapping, USB redirection and Flash remoting. Following the full lock down guidance of your organization is correct even though the host environments are thrown away.
Throw Everything Away
I recently tweeted
Dedicated Citrix farm, pooled with no persistent storage, no user profile, one-way clipboard and no admin rights; browse the web in peace.
With this guidance in 160 characters, your endpoint high value systems can be insulated from evil on the Internet, winner! I have since received feedback that it is not possible to throw everything away, logs for example are required to be maintained. Okay, you should throw away everything you possibly can. Browse the web, do your work, go get the information you need and when done, throw it all away except for that really tiny part that you allow to traverse into your protected space via the clipboard, or other well controlled means.
This is a neat function and I am interested in hearing about your success in using this model, please add comments below.