Secure NAL Access for Citrix Users

Novell Cool Solutions: Trench
By Thomas Walker

Posted: 31 Jan 2001
Security Problem

Mike M. wrote: Hope there are some experts out there on ZfD3 and Citrix that have conquered this problem. On a Windows 2000 server I am running Citrix MetaFrame 1.8 and I have published NAL as an application. All was well in the days of ZEN 2, then one fine day one of our Network admins thought we should upgrade to ZfD3. Now Zen doesn't work (well) on Citrix.

I used to run "\\server\sys\public\nal.exe :" as the only published app. It would allow my Citrix users access only to the apps I assigned to them without a desktop or start menu. After the upgrade to ZfD3, nal : would no longer run when a user logged into the Citrix box. The only way I have found to make it run is with the /s switch. Unfortunately this gives any Joe the ability to shut down the Citrix server. Any suggestions/solutions would be muchly appreciated.

My Solution

Well, I have a similar setup where users are logging into Citrix (using a DOS client). By setting up a policy with Dynamic Local Users in NDS, I am able to set up a replacement shell. This replacement shell happens to be nalwin32.exe, not nal (as the /s switch does not work!). The registry is also changed on the local Citrix server to replace Explorer.exe with Nalwin32.exe. This leaves the users no other options on the desktop besides the Application Launcher.

By setting up two policies, one for users (no shutdown, plus restrictions) and one for admins, you can switch the shell back at any time by logging in as admin and running regedit as a NAL application, or just by using Task Manager. Make sure Dynamic Local Users is working before changing the shell, though.

Within the user policy you restrict the shutdown option. Also configure the Application Launcher not to exit (when it does, users get a blank screen, which may leave the poor user confused). This disables the Shutdown option and keeps the Nalwin32 shell active at all times! So, you ask, how do they log out?

Option 1 is to press CTRL-ALT-DEL, which offers the Disconnect and Log Off options but not Shut Down.

Option 2 is to set up a NAL object for the logoff program that sits in the winnt\system32 directory.

One downside to this is that existing users on Windows 95/98 computers get no option to exit the NAL. For them I have downloaded a freeware program that does a shutdown/logout, and published it as a NAL object. This solution gives me full security and access control over programs and the desktop, all through NDS and NWADMIN! Gotta love Novell :-)
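The local registry side of the solution above, as an added example that is not part of the original article and not Novell's or ZENworks' own tooling: the author made these changes with regedit on a Windows 2000 server; this PowerShell script shows the same two changes on a current Windows host, with a check that the replacement shell actually exists, a way to verify the result, and the admin rollback path. It assumes the standard Winlogon `Shell` value is the replaced-shell mechanism, that `$NalShell` is a placeholder for wherever nalwin32.exe lives on the Citrix server, and that the `NoClose` Explorer policy value stands in locally for the shutdown restriction the article applies through the NDS user policy.

```powershell
# Added example (not from the original article): replaces the Windows shell with
# nalwin32.exe, removes the Shut Down command, verifies, and provides a rollback.
# Assumptions: standard Winlogon "Shell" value; $NalShell is a placeholder path;
# NoClose is used as the local equivalent of the ZEN policy's shutdown restriction.
# Run elevated; the shell change applies at the next logon.

$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$NalShell     = 'C:\Novell\nalwin32.exe'   # placeholder: real path to nalwin32.exe
$DefaultShell = 'explorer.exe'

function Get-ShellConfig {
    # Report the current shell and whether the Shut Down command is removed.
    $shell   = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    $noClose = (Get-ItemProperty -Path $PolicyKey -Name NoClose -ErrorAction SilentlyContinue).NoClose
    [pscustomobject]@{ Shell = $shell; ShutdownRemoved = ($noClose -eq 1) }
}

function Set-NalShell {
    # User lockdown: NAL becomes the shell, Shut Down is removed.
    # Refuse to point the shell at a missing binary: that would give every
    # account, admins included, a blank desktop at logon.
    if (-not (Test-Path -Path $NalShell)) {
        throw "nalwin32.exe not found at $NalShell; not changing the shell"
    }
    Set-ItemProperty -Path $WinlogonKey -Name Shell -Value $NalShell
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name NoClose -Value 1 -Type DWord
    Get-ShellConfig
}

function Restore-ExplorerShell {
    # Admin rollback: Explorer returns as the shell, Shut Down is available again.
    Set-ItemProperty -Path $WinlogonKey -Name Shell -Value $DefaultShell
    if (Test-Path -Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name NoClose -ErrorAction SilentlyContinue
    }
    Get-ShellConfig
}

# Usage: Set-NalShell on the Citrix server, confirm with Get-ShellConfig, and keep
# Restore-ExplorerShell reachable from an admin session before logging off.
```

The HKLM `Shell` value is machine-wide, so it affects administrators as much as users; that is why the article insists on a working admin policy (and a way to run regedit or Task Manager from it) before the shell is switched, and why the script checks the binary exists before committing the change.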
