Citrix Workspace app lets customers deliver virtual apps to their users from servers instead of from apps installed and managed locally on client machines. This lets IT teams manage the apps and their images centrally on the servers, minimizing the requirements on, and the impact to, the client machines.

Generally, risks to servers come from end users and their actions. For example, a harmless app is published, but from within it the user starts another, risky application, jeopardizing the server or causing a data breach. A number of Citrix technologies help mitigate this risk, and I’ll talk about one new key feature in this blog post.

Recently, in Workspace Environment Management (WEM), we introduced the Process Hierarchy Control feature, which limits the new processes that can be started from a specific parent process. For example, in a Citrix Virtual Apps and Desktops environment, Process Hierarchy Control can restrict the processes started from an app or desktop published to clients, reducing the overall attack surface: the server is protected from unexpected applications, and the data on it is protected from breaches.

This feature is currently available only in the WEM service (cloud). To configure it, open the Security tab in the WEM management console and choose Enable Process Hierarchy Control, as shown below.

New tab for the Process Hierarchy Control feature

The tab has two options: one toggles the feature on for the configuration set, and one hides the “Open with” entry from the Windows context menu. Hiding “Open with” closes off another common way for a user to launch an arbitrary process from inside a published app, providing an extra layer of protection against unexpected applications.

Creating a process hierarchy control rule is similar to creating an elevation control rule. First, give the rule a name and choose how the target (parent) process is identified: by Path, Hash, or Publisher. Then choose whether the rule uses an allow list (the child processes the target may start) or a block list (the child processes the target may not start).

GUI to provision a process hierarchy control rule

You define the target process and the list of allowed or prohibited child processes in the same way as for the Elevation Control and AppLocker features in WEM: enter the path, hash, or publisher for each process and complete the rule definition.

Provisioning a process hierarchy control rule for the target process, with a Path condition
Provisioning a process hierarchy control rule for the allowed/denied child processes
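Before deploying a rule, it helps to see which child processes a published app actually spawns in a real session, so that an allow list does not break the app (a print helper, an updater, a browser opened from a hyperlink) and a block list covers what you intend. The PowerShell script below is an added example and is not Citrix code or a WEM API: run as an administrator on the session host, it finds every running instance of a named parent process and lists its direct children together with the three attributes a WEM rule can match on: executable path, a file hash, and the Authenticode signer. The SHA256 algorithm and the `$AllowedChildren` parameter are illustrative assumptions; confirm the hash type the WEM console expects when you enter a Hash condition.

```powershell
# Added example, not part of WEM. Enumerates the direct child processes of a
# running parent process and reports path, SHA256 (assumed algorithm) and signer,
# then marks each child against an assumed allow list of executable names.
function Get-ChildProcessReport {
    param(
        [Parameter(Mandatory)] [string]   $ParentName,          # e.g. 'WINWORD.EXE'
        [string[]]                        $AllowedChildren = @() # names you intend to allow
    )

    # One snapshot of all processes; elevated sessions see other users' processes too.
    $procs   = Get-CimInstance -ClassName Win32_Process
    $parents = $procs | Where-Object {
        $_.Name -ieq $ParentName -or $_.Name -ieq "$ParentName.exe"
    }
    if (-not $parents) {
        Write-Warning "No running process named '$ParentName' found."
        return
    }

    foreach ($p in $parents) {
        $children = $procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId }
        foreach ($c in $children) {
            $path      = $c.ExecutablePath
            $hash      = $null
            $publisher = 'unsigned/unknown'

            if ($path -and (Test-Path -LiteralPath $path)) {
                $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
                $sig  = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
                    $publisher = $sig.SignerCertificate.Subject
                }
            }

            # Verdict under an assumed allow-list rule: anything not listed would be blocked.
            $verdict = if ($AllowedChildren -icontains $c.Name) { 'allowed' } else { 'would be blocked' }

            [pscustomobject]@{
                Parent    = $p.Name
                ParentPid = $p.ProcessId
                Child     = $c.Name
                ChildPid  = $c.ProcessId
                Path      = $path
                SHA256    = $hash
                Publisher = $publisher
                Verdict   = $verdict
            }
        }
    }
}

# Usage (assumed parent and allow list): run while users are working in the app.
Get-ChildProcessReport -ParentName 'WINWORD.EXE' -AllowedChildren 'splwow64.exe' |
    Format-Table -AutoSize
```

Run this over a typical working day, collect the distinct Child/Publisher pairs, and the result is a realistic starting allow list; any child marked “would be blocked” is either a legitimate helper to add to the rule or exactly the kind of unexpected process the feature is there to stop.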

Once the rules are defined and the feature is enabled, the WEM agent monitors process creation in the user’s session and enforces the configured rules: a protected parent process cannot start child processes that fall outside its rule. This reduces the chance that a published app is used as a springboard to run malicious or unauthorized software on the server, and with it the risk of outages and data leakage from your virtual app and desktop environment.

Let us know in the comments below if you have questions about applying this feature. If you haven’t tried Workspace Environment Management (WEM), please check it out in the Citrix Virtual Apps and Desktops service or as an on-premises offering.