Archive for the ‘Citrix’ Category

A Slick Way to Bypass Terminal Services Remote Apps/Citrix XenApp to Gain Access to the Command Line from Internet Explorer

January 20, 2014

Today, a friend of mine who works in our security team shared with me a slick way to bypass published applications (in our case IE) to gain command line and PowerShell access.

The user's access is still limited by his permissions, so a standard user won't be able to do much. Yet, in my opinion, this bypasses the whole point of Remote Apps/Citrix XenApp and gives the user execution capabilities on the server; if he is knowledgeable enough, he will be able to compromise the server.

Setup:

XenApp 6.5 server on Windows Server 2008 R2 with all patches installed; only IE is published.

How to:

Since only IE is published, we assume that the user has no execution capabilities on the server. To gain access to PowerShell or the command line, do the following:

  • From IE, open Help.
  • Within Help, search for notepad.
  • Click on "How can I use my devices and resources in a Remote Desktop session?"
  • Scroll down and click "open notepad".
  • Once Notepad has opened (note that we now have access to another application), type PowerShell in the file and save the file as filename.bat.
  • Once you have saved the file, choose File, Open from Internet Explorer and open the saved file, and voilaaaa, you have PowerShell and cmd access.

Although we could discuss for years whether this is a security issue or not, I believe it is for some organizations, and it sheds some light on an area where people can bypass a specific published application and gain an execution mechanism on servers. Any thoughts?!
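A defender-side check for the behaviour described above, as an added example that is not part of the original post: given process-creation records for published-application sessions, it flags every process that is not the published application and shows the parent chain that led to it. The record layout, the sample events and the process tree are constructed for illustration.

```python
import ntpath

# Assumption: Internet Explorer is the only published application. Extend the
# set with the session's own baseline processes before using it on real data.
PUBLISHED = {"iexplore.exe"}

# Constructed process-creation records (session id, pid, parent pid, image).
# The tree is simplified for illustration and is not taken from a real server.
SAMPLE_EVENTS = [
    (3, 4100, 900, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (3, 4188, 4100, r"C:\Windows\HelpPane.exe"),
    (3, 4260, 4188, r"C:\Windows\System32\notepad.exe"),
    (3, 4312, 4100, r"C:\Windows\System32\cmd.exe"),
    (3, 4340, 4312, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (5, 5200, 900, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (5, 5244, 5200, r"C:\Program Files\Internet Explorer\iexplore.exe"),
]


def find_breakouts(events, allowed=PUBLISHED):
    """Return (session, pid, parent chain) for each process not in `allowed`."""
    procs = {(s, pid): (ppid, ntpath.basename(image).lower())
             for s, pid, ppid, image in events}
    findings = []
    for (s, pid), (ppid, name) in procs.items():
        if name in allowed:
            continue
        # Walk parent links within the session to show how it was reached.
        chain, cur, seen = [name], (s, ppid), set()
        while cur in procs and cur not in seen:
            seen.add(cur)
            ppid, parent = procs[cur]
            chain.append(parent)
            cur = (s, ppid)
        findings.append((s, pid, " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for session, pid, chain in find_breakouts(SAMPLE_EVENTS):
        print(f"session {session} pid {pid}: {chain}")
```

Session 5, where IE only starts further IE processes, produces no findings; session 3 reports the help viewer, Notepad, cmd.exe and PowerShell with their chains.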

Configuring Citrix Web Interface with RSA SecurID, Notes from the Field

March 7, 2013

Configuring your Web Interface to work with RSA SecurID can be troublesome. I spent 2 days trying to figure out how to make it work; here are the configuration steps:

Follow the steps mentioned in this CTX article: http://support.citrix.com/article/CTX126843

BUT, as usual, there is a trick: completing the above configuration on its own will not work, and you will get the following error:

There was a problem with the RSA SecurID ACE/Agent. Check that the ACE/Agent is installed correctly and that the path to the file aceclnt.dll has been added to the PATH environment variable.

To solve this problem, first follow these steps:

– Make sure to install the RSA Web Agent. The Web Agent must be installed, as it adds some keys to applicationhost.config that IIS needs.

– Configure the Web Interface not to send the domain name: under Explicit authentication, Properties, Explicit/Two-Factor Authentication, uncheck (Send Domain and username to ACE/Server).

Some additional troubleshooting steps are here (like the PATH and secret key reset):

http://support.citrix.com/article/CTX125097

Microsoft Egypt Open Doors, what to expect, meet us there #Microsoft #Egypt #Cairo #opendoors

February 15, 2012

It has been a while since the last blog entry. I am so moved by this post and proud of it; we are so excited about the upcoming Microsoft Egypt Open Doors event that will be held next Monday, 20/2/2012.

I will not speak at the event; Microsoft has decided that this year's speakers should be MSFTs. But my team and I will have some very cool demos to show you in the demo area. We have 3 main demos to run:

  • I will be presenting Exchange/SQL workloads on Hyper-V and the benefits/challenges of running those workloads on top of Hyper-V.
  • Karim Hamdy and I will be presenting the DR site how-to with Windows Data Center 2008 R2 edition, Hyper-V and NetApp for Active Directory, SQL, Exchange and Hyper-V workloads, demystifying the building blocks for having a DR site for your main site on top of Hyper-V.
  • Mai Fawzi will be demoing a large VDI workload on top of Windows Data Center 2008 R2 with Citrix XenDesktop.

We will be waiting for you at the event, and will also be happy to speak with you regarding any specific technical workload you have an enquiry about.

You can register at this link: https://msevents.microsoft.com/CUI/InviteOnly.aspx?EventID=39-14-67-BB-B1-DE-12-3D-F4-CC-1B-89-E1-F2-07-4F&Culture=en-EG

See you there.

Speaking on Wednesday 28/9 at Microsoft about VDI building blocks with #Microsoft,#Citrix & #Netapp #mvpbuzz #xendesktop

September 11, 2011

Next Wednesday I will speak at the Microsoft hero event about VDI building blocks with Microsoft, Citrix and NetApp solutions.

The session will be level 300-350, going from design to implementation. No marketing stuff, it is all hot technical material, so drink a lot of coffee :). The session is for Arabic language speakers.

Book your calendar; you can confirm your registration and share it on LinkedIn or Facebook:

LinkedIn: http://events.linkedin.com/VDI-Building-Blocks-Microsoft-Citrix/pub/785942

Facebook: http://www.facebook.com/event.php?eid=215307091861783

The session content will be:

– Introduction to Desktop Virtualization and what it means.

– Benefits of VDI for corporates

– Building Blocks for VDI:

    • Understand Hypervisor Requirements, Hyper-v, SCVMM
    • Understand Connection Broker Requirements (XenDesktop)
    • Understand application delivery requirements (Terminal Services and Xenapp)
    • Understand VDI Type and OS Delivery Types.

– Get your VDI on the right track:

  • Sizing your Hypervisor correctly Including Memory, Processor and Storage.
  • Designing Operating System Delivery
  • Sizing your application delivery infrastructure
  • Sizing remote access and network
  • Storage optimization matrix for VDI deployments (De-duplication, Thin Provisioning and Snapshots)
  • Design backup and restore

– Lab for end to end solution implementation

See you there,

NetApp and VMware View 5,000-Seat Performance Report #Netapp #vmware #vdi

September 5, 2011

I got involved in the past few months in designing and implementing a large VDI solution. That will be weird for an Exchange MVP, but I love the virtualization technology and couldn't resist the temptation.

One of the ugliest parts of a VDI project is the storage design; in fact, every VDI architect knows that storage sizing is one of the painful aspects and one of the most critical parts for the VDI deployment's success.

I spent hours trying to figure out the best model for the IOPS and storage calculations for the best and optimum user experience, and through hundreds of documents from Citrix, NetApp and Microsoft I found my method.

To start, here is a nice link that will help you understand how things will go and spare the time of re-explaining the process:

http://blogs.citrix.com/?s=Finding+a+Better+Way+to+Estimate+IOPS+for+VDI&submit_button=Search

To better know Citrix's side of the story (watch out, the CTX holds a lot of NetApp's data, although it doesn't use or recommend NetApp): http://support.citrix.com/article/CTX130632

And finally, we take a closer look at storage performance from NetApp. I have to say that this is one of the most well-written documents concerning storage, storage performance and storage reporting. The document can be read here:

http://media.netapp.com/documents/tr-3949.pdf

What I really loved is that the report says that storage performance goes through several stages in its life cycle within the VDI project. The biggest IOPS hits are received during the first login attempts, as displayed in table 11 in the TR.

What made me excited is that I developed my own IOPS predictor that I used for my projects; gladly, my calculations were less than 1000 IOPS off from the actual testing. WOOOOOOOOOOHOOOOOOOOOO

I will put the calculator under further testing and it should be published later this month.

Have a nice VDI sizing.

#Lync Client #Virtualization the full story #ucoms #Citrix #xendesktop #xenapp

April 27, 2011

If you have been reading carefully, Citrix released a document; the article is published here: http://support.citrix.com/article/CTX128831

By that time, I knew internally that Microsoft didn't support client virtualization for OCS/Lync, although if you have been reading, or even attended Citrix XenApp 6 or XenDesktop training, you will have heard a lot about Lync/OCS client virtualization delivery with XenApp or XenDesktop.

Starting 14/4, Microsoft released a document that explains the supportability statement for XenApp and XenDesktop and the virtualization techniques that they do and do not support.

The document is available here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f865e66d-1163-46ef-ba9c-d585376dfbae

In summary, Microsoft now supports client virtualization through full desktop or application delivery/streaming, with some considerations (check the document for more details). It is so amazing to see that Microsoft finally released such a support statement and changed the fully rigid statement of the big NO before.
