Your user is happily working in your published, seamless application via XenApp 6 running on Windows Server 2008 R2, and life is good. Then one day, when your user goes to print something, he is looking at the print dialog and notices this “Microsoft XPS Document Writer” printer as an option.

“Go online” are two words you do not want your users to see on a Citrix server. Your user, of course, has an irresistible urge to click the link. Your user thinks, “XML Paper Specification Overview? This looks interesting. NOT! Let’s watch some videos!” A few more clicks, and… Your user is now on YouTube watching how-to videos about other great ways to elevate his privilege and bog down your pristine XenApp 6 server with garbage.

How do we fix this? As I’m sure you’ve already considered, web filtering would be a good idea to mitigate the damage an Internet-bound user can mete out on your infrastructure. There are other good reasons to block or regulate web access from your Citrix servers as well. Even server admins are not immune from falling victim to a zero-day exploit while on the web.

You may have also noticed that, in this case, the user’s access was severely restricted even within Internet Explorer. I used group policies to strip away the bells and whistles and enforce additional restrictions on the user. The user has no access to a published desktop or a command line or “Run” prompt. In some environments, it is practical to just set file-level permissions on the Internet Explorer executable and deny access to everyone. But chances are there are some published applications that require a browser launch, even if it is only intermediate.

First, unless you really need it, uninstall the Microsoft XPS Document Writer. This can easily be done from an administrative shell with the command:

Cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -d -p "Microsoft XPS Document Writer"

The script will forcibly delete the printer for everyone.

Let’s take a second look at the print dialog box the user sees. You’ll notice the user has a session mapped local printer for the XPS Document Writer on his machine. If he views the Preferences for this printer, he will get the exact same properties window he got before. We could remove the XPS driver package, but if you are allowing automatic installation of native drivers on your Citrix servers, Windows will just reinstall it. We need to force the user’s session mapped XPS Document Writer to use a different driver that doesn’t invite them to surf the web from our datacenter.

Fortunately Citrix, drawing on their experience in working around Microsoft’s various incarnations of FAIL, has provided us a very nice solution: The Citrix XPS Universal Printer driver. Let’s open up our Citrix user policies in Group Policy Management. In this case, there is a separate policy that controls printers. Browse to Printing > Drivers… Edit the “Printer Driver Mapping and Compatibility” option and click the Add button… Enter the name of the printer driver (“Microsoft XPS Document Writer”) and set the policy to create the printer with the universal driver only.

The XPS printer driver (XPSDrv) is an enhanced, GDI-based Version 3 printer driver that was used prior to Windows Vista. XPSDrv printer drivers (like the GDI-based ones) consist of three main components. These are the three main components of XPSDrv printer drivers: The configuration module of an XPSDrv printer driver provides the same functions as the configuration module of the Printer Interface DLL of a GDI-based driver, but the XPSDrv configuration module also supports the Print Ticket and Print Capabilities technologies. The render module of an XPSDrv printer driver does not, necessarily, use the GDI-based rendering functions of a GDI-based printer driver.
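
To confirm that both fixes from the post took effect (the prnmngr.vbs delete of the local printer and the Citrix driver mapping policy), the following PowerShell check can be run inside a test user's session. It is an added example, not part of the original post. The session printer naming pattern, the function name and the sample objects are assumptions, constructed for illustration.

```powershell
# Added example, not from the original post. Written for PowerShell 2.0
# so it runs on Windows Server 2008 R2 without extra modules.
$NativeDriver = 'Microsoft XPS Document Writer'   # printer/driver name from the post

function Test-XpsPrinterExposure {                 # hypothetical helper name
    param([Parameter(Mandatory = $true)] [object[]] $Printers)

    foreach ($p in $Printers) {
        # Only look at printers that are, or are mapped from, the XPS writer.
        if ($p.Name -notlike "*$NativeDriver*") { continue }

        # Assumption: Citrix auto-created client printers are named
        # "<printer> (from <client>) in session <n>".
        $sessionMapped = $p.Name -match '\(from .+\) in session \d+'

        if (-not $sessionMapped) {
            $finding = 'Local XPS printer still installed: rerun the prnmngr.vbs delete'
        } elseif ($p.DriverName -eq $NativeDriver) {
            $finding = 'Session printer uses the native driver: mapping policy not applied'
        } else {
            $finding = 'OK: session printer uses a substituted driver'
        }

        New-Object PSObject -Property @{
            Printer = $p.Name; Driver = $p.DriverName; Finding = $finding
        }
    }
}

# Constructed sample input (not real output), one object per outcome.
$sample = @(
    (New-Object PSObject -Property @{ Name = $NativeDriver; DriverName = $NativeDriver }),
    (New-Object PSObject -Property @{ Name = "$NativeDriver (from WS01) in session 3"
                                      DriverName = $NativeDriver }),
    (New-Object PSObject -Property @{ Name = "$NativeDriver (from WS01) in session 4"
                                      DriverName = 'Citrix XPS Universal Printer' })
)
Test-XpsPrinterExposure -Printers $sample | Format-List Printer, Driver, Finding

# Live check: Win32_Printer lists the printers visible to the current session.
$live = @(Get-WmiObject -Class Win32_Printer | Select-Object Name, DriverName)
if ($live.Count -gt 0) {
    Test-XpsPrinterExposure -Printers $live | Format-List Printer, Driver, Finding
}
```

Any finding other than "OK" means a session can still reach the native XPS Document Writer properties window described above.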