Stopping Adware and Spyware on Windows w/ Citrix?
SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However one issue with 'anonymous' access to Citrix applications, is that the user can not maintain their preference or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"
A possibly better alternative would be to secure IE using AD policies (and migrate to AD if they aren't on one), and standardize on Firefox/Mozilla for everything except these specific applications. Use a proxy server if neccesary. You could do this with Citrix also but a Citrix farm is a huge chunk of change and I don't see why you'd want to spend that much just for this.
In fact, a good transparent proxy might be sufficent anyway - simply restrict anything with an IE user-agent to the specific IE only applications required.
Yeah, I know, I read the article. So let them run IE under the Win$lin TS. What is the worst that could happen that particular users windows session needs to be restored. under win4lin that would take all of a couple minutes. And if you did a nightly back up of their bookmarks and userfiles, you could restore them too.
I fail to see the problem here.
"A synonym is a word you use when you can't spell the word you first thought of." - Burt Bacharach
They are all half assed patches. I find, time and time again, that it is better, faster, and cheaper to remove the dependency on IE - like, re-write the app or use a vendor that actually supports decent, secure software.
Citrix?!? Just to run Internet Explorer?!? Absolute rubbish. Fix the real issue instead just doing a half assed patchjob like that. What's wrong with you whippersnappers....
People who think they know everything are a great annoyance to those of us who do.