Delete User's Data Folder and Registry Keys When the Agent is Shut Down as a Security Mechanism

Added by Jennifer Lang, last edited by Jennifer Lang on May 14, 2008

Delete user's data folder and registry keys when the agent is shut down (previously DeleteOnShutdown) can be used by an administrator to make the Agent more secure. When enabled, Delete user's data folder and registry keys when the agent is shut down removes specific files and registry keys from a user's profile and from HKEY_CURRENT_USER.

Enabling Delete user's data folder and registry keys when the agent is shut down should be considered when a high number of users use the same computer or when there are physical security concerns.

Location of files

  • Windows Vista
    \Users\%Username%\AppData\Roaming\Citrix\MetaFrame Password Manager
  • Windows 2000, Windows XP Pro, and Windows 2003
    Documents and Settings\%Username%\Application Data\Citrix\MetaFrame Password Manager
  • Windows 2000 and Windows XP Pro - Hot Desktop
    Documents and Settings\All Users\Application Data\Citrix\MetaFrame Password Manager\%Username%
  • Windows NT 4.0
    %SystemRoot%\Profiles\%Username%\Application Data\Citrix\MetaFrame Password Manager

Files removed by the Agent during shutdown from the user's profile:

  • AEList.ini - Consists of merged applist.ini and entlist.ini files. Agents use aelist.ini to identify and respond to credential and password change requests initiated by applications.
  • ENTList.ini - Contains the application definitions for Windows, Web, and Host applications.
  • Username.MMF - The local storage file used by the Agent.
  • Lock Folder - The folder contains a lock file that tracks changes made to the MMF file.
  • FTUList.ini - This file contains the administrator-created questions and Bulk-Add information.
  • Registry.MMF - This file contains the registry information normally found at HKEY_CURRENT_USER\Software\Citrix\MetaFrame Password Manager. This file will only be present on a Hot Desktop enabled workstation.

Registry keys removed by the Agent during shutdown from HKEY_CURRENT_USER:

HKEY_CURRENT_USER\Software\Citrix\MetaFrame Password Manager

Note: This is not the case when working with a Hot Desktop enabled workstation.

Using Console Settings to Secure the Agent

There are additional settings that can be used to secure the Agent against a walk-away scenario or when using sensitive applications.

Force User To Re-Authenticate before Submitting Application Credentials is an application-specific setting that instructs the Agent to verify the user. When enabled, the user is required to re-authenticate with the Agent prior to the Agent submitting credentials to an application. This setting can be used to prevent a third party from using an authenticated Agent's configured credentials. This setting could be used if users have access to confidential applications such as payroll.

Time Between Agent Re-Authentication Requests determines how long the user remains authenticated with the Agent. By default the timer is set to eight hours but it can be set to a shorter length of time. Decreasing the time between agent re-authentication requests will force the user to re-authenticate frequently and make it more difficult for a third party to access stored credentials. This setting can be found under the Basic Agent Interaction section of the User Configuration.

The Windows Screensaver functionality is monitored by the Agent and is used to trigger a lock down event. Depending on how the screensaver options are set, the Agent will behave differently during the lock down process.

Windows Screensaver with Password Protected option enabled: When the screensaver activates, the workstation will be placed in a lock-down mode. Unlocking the workstation will also unlock the Agent because the Agent's GINA monitors the unlocking of the workstation and passes the same credentials to the Agent.

Windows Screensaver with Password Protected option disabled: When the screensaver activates, the Agent will continue to run but it will not provide credentials to any applications that might run in the background. Any input from the user will disable the screensaver and allow the Agent to once again provide credentials without requiring the user to re-authenticate.

Hi,

We have a farm of 20 servers or so, I was wondering if there is a utility that I can use to get rid of the users information in the registry without having to log in as them to each server.

Please let me know

Hello, editing comment for update. I ran this past my Password Manager experts and it looks like such a utility does not exist:

"You would need a utility that can load the users NTUSER.DAT file, then find and delete the HKCU CPM data. I do not know of such a utility. In the past, admins have just deleted the whole user profile.

The real solution is to just enable Provisioning and flag the user for reset. Then the agent will automatically fix all the profiles without the need to find and delete registry entries."

For additional Password Manager assistance please be sure to check out the Password Manager support forum and the newly redesigned Citrix Developer Network.

Sorry, but I hope this helps.
JenniferL

Posted by Jennifer Lang at Sep 04, 2008 16:43
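An audit script that ties the removal list above to the question in this thread, added here and not taken from the page or from Citrix: it walks every local profile on a server, looks for the data-folder files the Agent is documented to delete at shutdown, and checks for the HKCU key by temporarily loading each logged-off user's NTUSER.DAT (the approach the expert describes), so an administrator can see which profiles still hold Password Manager data without logging in as each user. It reports only; the temporary hive name CpmAudit and the Lock folder name are this script's own assumptions, and the Hot Desktop All Users location is not covered.

```powershell
# Added example (not from the page or Citrix). Run elevated on the server.
$cpmSubKey   = 'Software\Citrix\MetaFrame Password Manager'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Per-user data folder locations listed on the page, relative to the profile root
$dataDirs = @('AppData\Roaming\Citrix\MetaFrame Password Manager',    # Vista
              'Application Data\Citrix\MetaFrame Password Manager')   # 2000/XP/2003/NT 4.0
$files    = @('AEList.ini', 'ENTList.ini', 'FTUList.ini')

function Test-CpmProfile($profilePath, $sid) {
    $found = @()
    foreach ($d in $dataDirs) {
        $dir = Join-Path $profilePath $d
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in $files) { if (Test-Path (Join-Path $dir $f)) { $found += "$d\$f" } }
        # Username.MMF: match any .MMF instead of guessing the account name
        Get-ChildItem $dir -Filter '*.MMF' | ForEach-Object { $found += "$d\$($_.Name)" }
        if (Test-Path (Join-Path $dir 'Lock')) { $found += "$d\Lock" }   # assumed folder name
    }
    $hiveFile = Join-Path $profilePath 'NTUSER.DAT'
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # User is logged on: the hive is already mounted under HKU\<SID>
        if (Test-Path "Registry::HKEY_USERS\$sid\$cpmSubKey") { $found += "HKCU\$cpmSubKey" }
    } elseif (Test-Path $hiveFile) {
        # Logged-off user: mount NTUSER.DAT temporarily (fails if the file is in use)
        $null = & reg.exe load 'HKU\CpmAudit' $hiveFile 2>&1
        if ($LASTEXITCODE -eq 0) {
            if (Test-Path "Registry::HKEY_USERS\CpmAudit\$cpmSubKey") { $found += "HKCU\$cpmSubKey" }
            [gc]::Collect()   # release provider handles so the hive can be unloaded
            $null = & reg.exe unload 'HKU\CpmAudit' 2>&1
        }
    }
    return $found
}

foreach ($key in Get-ChildItem $profileList) {
    $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $left = @(Test-CpmProfile $path $key.PSChildName)
    $status = if ($left.Count) { 'LEFTOVER' } else { 'clean' }
    Write-Output ("{0,-9} {1}" -f $status, $path)
    $left | ForEach-Object { Write-Output "          $_" }
}
```

Profiles reported as LEFTOVER are the ones the expert's advice applies to: enable Provisioning and flag those users for reset rather than hand-editing each hive.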