“Citrix Receiver – Security Warning” explained and demystified

Author : Ingmar Verheij

Citrix Receiver - Security WarningWhen you’ve worked with a Citrix XenApp or XenDesktop environment you must be familiar with the Security Warning dialog. It prevents a remote machine (your hosted application or desktop) from accessing resources on the client device, a security boundary you want to protect when from unmanaged systems.

But on managed systems you want to prevent this message, you don’t want your users to be confronted with a message you tell them to accept (otherwise it won’t work and they’re to blame).

In this article I’ll explain why this message is displayed and how you can prevent it.

Resources types

A users can be confronted with a security warning dialog for different resources, this depends on the client used:

Resource description Client version < 12.0 Client version > 12.0
Client drives X X
Microphone and webcams X X (only audio)
PDA devices X
USB and other devices X

 

Client versions

“Back in the old days”, or when you’re using Citrix Presentation Server 4.5 or older, a Citrix ICA Client is used with a version lower than 12.0.  The security warning dialog can be configured with the webica.ini file in the users profile.

The Citrix Receiver (version 12.0 and up) ignores the webica.ini file and is solely configured via the registry. A new feature with the name ‘Client Selective Trust’ was introduced to allow a more fine grained configuration that can be set via a group policy.

 

Before version 12.0

When you’re using a Citrix ICA client before version 12.0 the user will be asked what access level should be allowed. The users can choose between three access levels:

  • No Access
  • Read Access
  • Full Access

Depending of the version used the following message will be displayed

Client File Security 10.xClient File Security 11.xICA Client File Security

Preventing the message

This message can be prevented by placing a webica.ini file in the %SystemRoot% (version 10.0 or lower) or the %AppData%\ICAClient directory (version 10.1 or higher).

The file has the following content

[Access]
GlobalSecurityAccess=403

[AudioInput]
GlobalSecurityAccess=803

Where the number represents an access level

Access AudioInput
-1 No security setting configured 803 No Access, never ask me again
403 No Access 804 Full Access, never ask me again
403 Read Access 806 Never prompt current application
405 Full Access 807 Never prompt any application
808

 

Version 12.0 and up (Citrix Receiver)

From Citrix Online Plugin 12.0 and up, including the current Citrix Receiver 3.x, users are presented the following dialog:

File Security - Citrix Online PluginCitrix Receiver - Security Warning

The content of the message depends on the resource that is accessed from the remote server.

GUID

For each target environment that is accessed a unique registry key is made in registry with the name HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}. It seems that the {GUID} is generated during runtime and (therefore) cannot be predicted. You can find what GUID belongs to what connection by reading the value HKCU\SOFTWARE\Citrix\ICA Client\Client Selective Trust\{GUID}\RegionName\@.This value contains the name of the environment.

If you connect via a webinterface / cloudgateway this key contains the URL (like lab.pepperbyte.com). When you connected directly to a published application / server via an ICA file the content will be something like ica://172.31.50.132:1494.

 

Preventing the message

The message van be configured per resource type, where each resource type is a subkey of ICA Client\Client Selective Trust\{GUID}IcaAuthorizationDecision (no \ after the GUID!).

Resource type Subkey
Client drives FileSecurityPermission
Microphones and webcams MicrophoneAndWebcamSecurityPermission
PDA devices PdaSecurityPermission
USB and other devices ScannerAndDigitalCameraSecurityPermission

The access level can be set in the default (@) value where the number represents an access level

Value Description
0 No access
1 Read access
2 Full access
3 Prompt the user for access

The access level can be set per accessed environment (per GUID) or per region. By configuring the access level on the HKEY_LOCAL_MACHINE (HKLM) hive instead on the HKEY_CURRENT_USER (HKCU) hive the setting is inherited by all users.

oidUserRestrictedSitesRegionIf you can to configure the access permission per region you need to change the value of IsIsmDeferalEnabled to true and set the access level per resource type.

The regions that can be configured in HKLM match the regions that can be found (and configured) in Internet Explorer.

Zone Subkey
Internet oidInternetRegion
Local Intranet oidIntranetRegion
Trusted sites oidTrustedSitesRegion
Restricted sites oidRestrictedSitesRegion

Keep in mind that if you configure the settings on a x64 operating system the keys are stored in HKLM\SOFTWARE\Wow6432Node\Citrix\ICA Client\Client Selective Trust.

Was once an enthusiastic PepperByte employee but is now working at Citrix. His blogs are still valuable to us and we hope to you too.

1 reply
  1. Julie
    Julie says:

    Nice post. I was checking constantly this blog and I’m impressed!

    Very useful information particularly the last part 🙂 I care for such information much.
    I was looking for this particular information for a long
    time. Thank you and best of luck.

    Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *