Slashdot Mirror


Stopping Adware and Spyware on Windows w/ Citrix?

SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/Firefox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE. This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However, one issue with 'anonymous' access to Citrix applications is that the user cannot maintain their preferences or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"

7 of 80 comments

  1. Remove Microsoft :) by tlacicer · · Score: 1, Insightful

    You could always run Win4Lin Terminal Services. Then you could run a Linux server farm and still let users run their Windows desktops. Then you could let them do whatever they want.

    Once you remove Microsoft from the important job, it gets pretty easy :)

    --
    "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
    1. Re:Remove Microsoft :) by arkanes · · Score: 3, Insightful
      Sweet holy jesus. Did you actually read anything or do you have a "Use Linux" postbot? Win4Lin won't solve any of the problems mentioned, although it would be a lot cheaper than a Citrix farm.

      A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if necessary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.

      In fact, a good transparent proxy might be sufficient anyway - simply restrict anything with an IE user-agent to the specific IE-only applications required.

  2. Re:RTFA by tlacicer · · Score: 3, Insightful

    Yeah, I know, I read the article. So let them run IE under the Win4Lin TS. What is the worst that could happen? That particular user's Windows session needs to be restored. Under Win4Lin that would take all of a couple minutes. And if you did a nightly backup of their bookmarks and user files, you could restore them too.

    I fail to see the problem here.

    --
    "A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
  3. Tell them to complain to their vendors by kalidasa · · Score: 2, Insightful

    About writing IE-only applications. It's the web, for heaven's sake - the idea is that it's not supposed to depend upon any given application.

  4. Sites require IE? by Anonymous Coward · · Score: 2, Insightful

    My bet is the outside sites they access only say they require IE. Try changing the user agent string in Firefox so it looks like IE (with the PrefBar extension, for example), and the sites will likely work just fine. It's worth trying anyway.

  5. all half-assed patches by passthecrackpipe · · Score: 4, Insightful

    They are all half-assed patches. I find, time and time again, that it is better, faster, and cheaper to remove the dependency on IE - like, re-write the app or use a vendor that actually supports decent, secure software.

    Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead of just doing a half-assed patch job like that. What's wrong with you whippersnappers....

    --
    People who think they know everything are a great annoyance to those of us who do.
  6. Two helpful steps by mdielmann · · Score: 2, Insightful

    Let me preface this by saying that I'm not a Citrix administrator or a web site administrator, but here's two things that might make this simpler on many of the fronts you listed.

    1. Make a custom home page for IE on the Citrix Server. Include links to where they enter all these custom IE applications so they can get to them in one click after starting IE.

    2. Optional. Disable pretty much every domain but the ones these custom apps are on. A thorough test should verify if they will (currently) work in that configuration.

    This might be a better option than using the anonymous option in Citrix, which will mean that they can still use bookmarks (but to what?) and preferences (good for all those passwords), and you will have abuse-tracking logs.

    --
    Sure I'm paranoid, but am I paranoid enough?
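
The transparent-proxy rule arkanes suggests and the domain restriction in mdielmann's step 2, combined as an added example that is not part of the thread: requests with an IE user agent are allowed only to the IE-only application domains. The hostnames and User-Agent strings are constructed placeholders, and the function names are hypothetical.

```python
"""Proxy-side policy check: IE user agents may reach only allowlisted apps."""
from urllib.parse import urlsplit

# Assumption: placeholder domains standing in for the IE-only applications.
IE_ONLY_APP_DOMAINS = {"apps.vendor.example", "portal.partner.example"}

# Constructed sample User-Agent strings.
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_FIREFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.5) Gecko/20041107 Firefox/1.0"


def is_ie_user_agent(user_agent):
    """Match classic IE ("MSIE 6.0") and later Trident-based User-Agent strings."""
    ua = (user_agent or "").lower()
    return "msie " in ua or "trident/" in ua


def host_allowed(host, allowed=IE_ONLY_APP_DOMAINS):
    """Exact match or true subdomain; a look-alike prefix must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def decide(url, user_agent):
    """Return 'allow' or 'deny' for one proxied request."""
    host = urlsplit(url).hostname  # ignores any userinfo before '@'
    if host is None:
        return "deny"  # unparseable target: fail closed
    if is_ie_user_agent(user_agent) and not host_allowed(host):
        return "deny"  # IE may reach only the listed applications
    return "allow"  # other browsers are outside this rule


if __name__ == "__main__":
    # Constructed requests: (URL, User-Agent)
    samples = [
        ("http://apps.vendor.example/login", UA_IE6),
        ("http://www.example.com/", UA_IE6),
        ("http://evilapps.vendor.example/", UA_IE6),
        ("http://apps.vendor.example@other.example/", UA_IE6),
        ("http://www.example.com/", UA_FIREFOX),
    ]
    for url, ua in samples:
        print(decide(url, ua), url)
```

Because the User-Agent header is client-supplied (comment 4 relies on exactly that), this rule works alongside a locked-down IE configuration rather than replacing it.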