How to (REALLY) disable Citrix Client Drive Access

If you must prevent file movement between your Citrix environment and client machines, you might think that setting the “Client drive redirection” policy to Prohibited would be the end of the story.

But a couple of new Citrix features over the years have created holes in that policy:

1) First up was the “in-browser” HTML5 client, which soon gained the ability to download files to the client and upload files from the client. To turn off those capabilities completely, you must also set the “Allow file transfer between desktop and client” policy to Prohibited.

2) More recently, as of Virtual Apps and Desktops 1903, it became possible to use Copy & Paste to transfer files between session and client, in both directions, assuming clipboard redirection remains enabled. Surely that’s covered by the “Client drive redirection” policy, right? Nope! This feature is controlled by clipboard-related policies, and you’ll need four of them to fully disable this new file transfer avenue: two of them, “Restrict client clipboard write” and “Restrict session clipboard write”, limit the supported clipboard redirection formats to those that you explicitly list in the other two policies, “Client clipboard write allowed formats” and “Session clipboard write allowed formats”. Omitting the special Citrix format CFX_FILE from both of these lists will prevent file copy/paste in both directions.

For reference (and your copy-paste pleasure), here is the full list of supported clipboard formats.  They can be entered in the relevant policy settings on individual lines:

CF_TEXT
CF_BITMAP
CF_METAFILEPICT
CF_SYLK
CF_DIF
CF_TIFF
CF_OEMTEXT
CF_DIB
CF_PALETTE
CF_PENDATA
CF_RIFF
CF_WAVE
CF_UNICODETEXT
CF_ENHMETAFILE
CF_HDROP
CF_LOCALE
CF_DIBV5
CF_OWNERDISPLAY
CF_DSPTEXT
CF_DSPBITMAP
CF_DSPMETAFILEPICT
CF_DISPENHMETAFILE
CF_HTML
CFX_RICHTEXT
CFX_OfficeDrawingShape
CFX_BIFF8
CFX_FILE   <- omit this one to disable file copy/paste

3) And then, of course, there’s Drag & Drop … just kidding, there isn’t! … but you can bet that if Citrix ever adds that feature, it’ll be controlled by an entirely different set of policy settings, which you’ll probably realize several months after your users will have accidentally discovered it. 😉
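
The checks from points 1 and 2, gathered into one audit, as an added example that is not part of the original post. The snapshot layout (policy display name mapped to its value) and the value strings "Prohibited" and "Enabled" are assumptions of this example, not a Citrix export format.

```python
# Added example: audits a constructed snapshot of policy settings.
# Assumption: settings arrive as {display name: value}; this is not a
# Citrix export format, and "Prohibited"/"Enabled" are assumed value strings.
FILE_FORMAT = "CFX_FILE"

def parse_formats(text):
    """One format per line, as entered in the policy. Blank lines are
    skipped, trailing notes are dropped, and names are upper-cased so the
    comparison is conservative about case."""
    return {line.split()[0].upper() for line in text.splitlines() if line.strip()}

def audit(policy):
    """Return a list of findings; an empty list means no gap was found."""
    findings = []
    for name in ("Client drive redirection",
                 "Allow file transfer between desktop and client"):
        value = policy.get(name, "not set")
        if value != "Prohibited":
            findings.append(f"{name}: expected Prohibited, found {value}")
    for side in ("client", "session"):
        restrict = f"Restrict {side} clipboard write"
        allowed = f"{side.capitalize()} clipboard write allowed formats"
        if policy.get(restrict) != "Enabled":
            # Without the restriction, the allowed-formats list has no effect.
            findings.append(f"{restrict}: not Enabled, allowed-formats list is not applied")
        elif FILE_FORMAT in parse_formats(policy.get(allowed, "")):
            findings.append(f"{allowed}: still lists {FILE_FORMAT}")
    return findings

# Constructed sample snapshots.
TEXT_ONLY = "CF_TEXT\nCF_UNICODETEXT\nCF_HTML"
DRIVE_ONLY = {"Client drive redirection": "Prohibited"}
PARTIAL = {
    "Client drive redirection": "Prohibited",
    "Allow file transfer between desktop and client": "Prohibited",
    "Restrict client clipboard write": "Enabled",
    "Client clipboard write allowed formats": TEXT_ONLY,
    "Restrict session clipboard write": "Enabled",
    "Session clipboard write allowed formats": TEXT_ONLY + "\ncfx_file ",
}
HARDENED = dict(PARTIAL, **{"Session clipboard write allowed formats": TEXT_ONLY})

if __name__ == "__main__":
    for label, snap in (("drive only", DRIVE_ONLY), ("partial", PARTIAL),
                        ("hardened", HARDENED)):
        print(label, "->", audit(snap) or "no findings")
```

The drive-only snapshot yields three findings, which is the gap the article describes: prohibiting drive redirection alone leaves the HTML5 file transfer and both clipboard directions open.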

So go ahead, make your InfoSec overlords happy by implementing the above policies, … if you must!

JB

Follow Jacques Bensimon on Twitter @JacqBens for more great Windows insights and tricks.
