Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stopping Adware and Spyware on Windows w/ Citrix?

Posted by Cliff on from the whre-the-local-environment-doesn't-matter dept.

SilverDivan asks: "A fairly large non-profit charity organization recently asked me how they can permanently take care of the spyware and adware problem that is plaguing their computing environment. I told them to simply use Mozilla/FireFox, but as it turns out they access outside applications that only run in Internet Explorer. So, I am planning to make a recommendation to publish Internet Explorer on a Citrix Farm, and let the users use the IE published on Citrix instead of the locally installed IE This way they can lock down the IE to their heart's desire. Also publishing IE 'anonymously' on Citrix will further secure the environment, as the anonymous profiles can be deleted on a nightly basis. However one issue with 'anonymous' access to Citrix applications, is that the user can not maintain their preference or even their bookmarks. Another issue is that there is no tracking, and no way to hold someone accountable in case of abuse. Has anyone implemented a similar solution before? What was your experience? Will it work? How can you configure the Citrix environment to best handle a situation like this?"

6 of 80 comments (clear)

  1. Firefox Extension by KilobyteKnight · · Score: 3, Interesting

    Make them use Firefox with this extension. Then they only use IE for the sites that require it. Those, one would hope, should be reasonably safe.

    --
    When will Windows be ready for the desktop?
  2. del.icio.us for bookmarks by TRS-80 · · Score: 1, Interesting

    Set them up with del.icio.us accounts for their bookmarks, then have a bookmark for del.icio.us in the default profile.

  3. Other possibilites by mnmn · · Score: 2, Interesting

    There was a way to open a link in a new window without displaying the window's address bar. Couple that with putting up a link like so:
    iexplore.exe http://site.com

    And removing all links to iexplore.exe elsewhere...

    And a better example:
    enforce proxy servers (setup as admin in win2k, and leave the users unprivileged), setup a squid proxy server that only allows the site, and do not setup any proxies for firefox...

    How about this one:
    Hack a spyware and find out how they redirect people's URLs. use that and infect your own machines, so any address in IE takes them to that website. Use firefox for everywhere else.

    And make sure you disable activex!!!

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Other possibilites by technos · · Score: 2, Interesting

      That isn't really too hard.

      Just add an entry to the registry declaring that any address http and ftp is now prefixed.

      Here's a cheap and easy way to do this on 2K/XP (Mabye other Win32 OS, dunno about those)

      Say you want your users only accessing the company web application hosted at www.server.com/webapp/ with IE.

      Change the default in

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rr entVersion\URL\DefaultPrefix

      from "http://" to "http://www.server.com/webapp/"

      and then change all the sub entries in

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cu rr entVersion\URL\Prefixes

      to something similar. (ftp, gopher, home, mosaic, www, etc, should all be changed to http://www.server.com/webapp/)

      So now when a user punches "www.ebay.com" into IE, it will send them instead to the URL

      "http://www.server.com/webapp/www.ebay.com"

      instead, which your webserver will log as an invalid page request along with the requestor, so you can walk to their desk and tell them that IE is only to be used for the web application and nothing else.

      Firefox doesn't depend on that registry entry, and will gleefully ignore it.

      Some spyware vendors use these keys and then do server side redirection. Your browser loads "http://scumwareinc.com/redirect.cgi?www.ebay.com" in a blink, logs it, and you're loading eBay before you realize it even happened.

      --
      .sig: Now legally binding!
  4. Group Policy by Chester+K · · Score: 3, Interesting

    Can't they just "lock down IE to their heart's content" via Group Policy? Or perhaps an outbound proxy that only allows access to the specified pages when the user agent is IE's?

    Citrix seems like a little overkill for this problem.

    --

    NO CARRIER
  5. How to resolve with Citrix by skinfitz · · Score: 4, Interesting

    Quite simple. Firstly you give your users Firefox to stop the spyware problem.

    Now, for the external IE only applications, you create them as applications in Citrix and give each an icon on the user's desktop. If the user wants to use one of the external apps, they click the app icon which will launch a Citrix'ified IE window with the app in it. Obviously configure the Citrix IE to remove the address bar.