Weakness in Citrix XenDesktop could result in inconsistent propagation of USB redirection policy changes

The USB redirection feature of Citrix XenDesktop allows a user to redirect USB devices on the client to their XenDesktop Virtual Desktop Agent (VDA).

A weakness has been identified in the Citrix XenDesktop VDA implementation of USB redirection that could result in changes to the server-side policy controlling USB redirection not being propagated to the VDA. This could allow an authenticated user to gain access to their USB devices in contravention of the updated administrator-defined policy.

This issue affects all versions of Citrix XenDesktop Virtual Desktop Agent 5.x, up to and including version 5.6.

This vulnerability has been assigned the following CVE number:

• CVE-2012-6314

Mitigating Factors

Only customers that have modified server-side policy to disable USB redirection are affected by this weakness.

What Customers Should Do

A new version of the VDA has been released to address this issue. Citrix recommends that affected customers upgrade to this version of the VDA, which can be downloaded from the following locations.

Dedicated VM shuts down and remains powered off, even though logoff behavior “ShutdownDesktopsAfterUse” is set to false

Dedicated Virtual Machine shuts down and remains powered off, even though Logoff behavior ShutdownDesktopsAfterUse is set to false.

Cause

The problem occurs after updating the master image of a Dedicated type catalog using the PowerShell SDK commands listed under CTX129205 – How to Update the Master Image for Dedicated and Pooled Machine Types using PowerShell SDK Console.

Changes applied to the master image of a Dedicated catalog should only affect new machines created from the image; those changes do not apply to the existing machines in that catalog.

The problem occurs because the update process assigns the new image to all the Virtual Machines in the catalog, marking the existing ones with the ImageOutOfDate flag. Once the flag is set on a Virtual Machine, it shuts down after the user logs off in an attempt to restart from the newly assigned image. From that point the flag remains set, because Dedicated machines cannot switch to a different image.

Resolution

Database Access and Permission Model for XenDesktop 5

This article describes the SQL Server database access and permission model used by XenDesktop 5.

Background

All runtime access to the central XenDesktop site database is performed by the services running on each controller. These services gain access to the database through their Active Directory machine accounts. This database access is sufficient to allow full day-to-day operation of the site including use of Desktop Studio, Desktop Director, and the service-specific SDKs.

The controller machine accounts and users in the database are granted only the minimum access to the XenDesktop database required for the services to operate.

The use of machine accounts for database access removes the need to securely store SQL logon (SQL authentication) passwords on the controller. It also ensures that only machines that have been configured with appropriate database access at the database server can act as XenDesktop controllers for a particular site.

Use of machine accounts provides a simple and secure model for protecting the critical data in the XenDesktop database. However, the creation and manipulation of the machine account logons at the database server is an inherently privileged operation that falls outside the scope of the permissions granted within the XenDesktop database itself. For this reason, certain key actions on the site are considered privileged administrative operations that require additional database server level permissions not granted to the XenDesktop services themselves; these operations cannot be performed except by a database user with elevated privileges.

The database access performed is summarized in the diagram below.

Virtual Desktop Agent (VDA) installation is partially successful in XenDesktop 5.6

Symptoms

Virtual Desktop Agent (VDA) installation is partially successful in XenDesktop 5.6.

When you install the VDA agent software on a Windows 7 client machine while the Windows Firewall service is disabled, the following Installation Successful message is displayed:

XenApp / XenDesktop best practices guide

Citrix has released a new best practices guide for XenApp and XenDesktop.

The foundation of any good XenDesktop or XenApp enterprise design should be adherence to a collection of best practices which are based upon knowledge gathered from previous enterprise deployments, lab validations, and lessons learned in the field. Such best practices are just a starting point for a design, as an organization’s specific design requirements will often necessitate deviation from the recommended path. By using the following recommendations as a starting point, the foundation of the design will be robust enough to support many different deployment scenarios.

This document consolidates and summarizes the best practices for XenApp and XenDesktop environments. As products evolve, best practices also change, which is why each best practice discussed in this document is associated with a specific product and version, which includes the following:

  • XenDesktop 5.0, 5.5, 5.6
  • XenApp 6.0, 6.5

Additional best practices are provided for those products which provide complementary functionality to both XenDesktop and XenApp, including:

  • Citrix Provisioning Services
  • Citrix XenServer
  • Citrix Profile Manager
  • Microsoft Hyper-V
  • VMware vSphere

You can download this guide here.