Preventing Users from Disabling The Citrix Password Manager Agent

Added by Jennifer Lang, last edited by Jennifer Lang on May 08, 2008
As a Citrix Administrator, you may want to force all users to use the Citrix Password Manager Agent. To accomplish this, you must prevent users from disabling the agent by every means available to them: uninstalling it, killing its process, or launching it with a shutdown switch. The following steps close each of those paths:

1. Prevent the user from being a member of the computer's administrative groups - The user should not have administrative privileges and should not be a member of Administrators, Power Users, Server Operators, Domain Admins, or any other group that grants administrative rights on the machine. Without these privileges, the user cannot alter the program files, system files, or registry keys that control the agent's behavior. This step is a prerequisite for everything that follows: every user-side Group Policy below can be undone by a local administrator.

2. Disable access to the Add/Remove Programs Control Panel applet, the Command Prompt, Task Manager, Run, and the ability to create/modify shortcuts - The most efficient approach is to create a single Group Policy Object with the following settings and link it to the OU that contains the user accounts (or filter it to the group of affected users).

  • Add/Remove Control Panel: Disabling access to this applet prevents the user from being able to remove the agent or other components that the agent may rely on to operate. To apply this setting, open the group policy and enable the following policy:

User Configuration->Administrative Templates->Control Panel->Add or Remove Programs->Remove Add or Remove Programs

  • Command Prompt: Prohibiting a user's access to the command prompt prevents the execution of any commands that may delete or alter files, shutdown programs, or cause other results that would disable the agent. To apply this setting, open the group policy and enable the following policy:

User Configuration->Administrative Templates->System->Prevent access to the command prompt

The above policy only blocks CMD.exe. In the WINNT\System32 folder there is a second command-line interpreter, command.com, that a user can still run and use to disable the agent. To close this gap, you must also restrict the user from running command.com. To do this, enable and edit the following policy:

User Configuration->Administrative Templates->System->Don't run specified Windows applications

Click on the 'Show' button and add command.com

Note that this policy only matches on file name and only applies to programs started through Windows Explorer; a copy of command.com saved under another name is not blocked. If that is a concern, use a Software Restriction Policies hash rule instead, which identifies the file by its hash rather than its name:

Computer Configuration->Windows Settings->Security Settings->Software Restriction Policies->Additional Rules
*Create a new Hash Rule with a security level of Disallowed for command.com

  • Run: Similar to the command prompt, removing the run command prevents the execution of any commands that may delete or alter files, shutdown programs, or cause other results that would disable the agent. To apply this setting, open the group policy and enable the following policy:

User Configuration->Administrative Templates->Start Menu and Taskbar->Remove Run menu from Start Menu

  • Task Manager: If a user can access the task manager, they have the capability to end processes and tasks relevant to the agent, causing the agent to stop. You can enforce a policy which prohibits the user from accessing task manager. To apply this setting, open the group policy and enable the following policy:

User Configuration->Administrative Templates->System->Ctrl+Alt+Del Options->Remove Task Manager

  • Ability to Create/Modify Shortcuts: Although the user can no longer run commands from a command line, they can still create a shortcut to the agent executable and edit its properties to add the "/shutdown" switch, which disables the agent when the shortcut is launched. To prevent this, remove the user's ability to create and modify shortcuts. Two policies are needed. To apply these settings, open the group policy and enable the following policies:

User Configuration->Administrative Templates->Windows Components->Windows Explorer->Remove Windows Explorer's default context menu

User Configuration->Administrative Templates->Start Menu and Taskbar->Remove Drag-and-drop context menus on the Start Menu
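Once the GPO in step 2 has been applied, it is worth verifying from the user's own session that every setting actually took effect, since a policy that is linked to the wrong OU or blocked by inheritance silently leaves the gap open. The following audit script is an added example and is not part of the original Citrix article. It reads the HKCU registry values that these Administrative Template settings write; those value names and paths are the well-known ADM mappings for Windows XP/2003-era policies and are an assumption here, so confirm them against your own ADM/ADMX files or the output of gpresult. It assumes PowerShell 2.0 or later and must be run as the restricted user, because user-side policy lands in that user's HKCU hive.

```powershell
# Added audit script (not from the original article). Checks whether the step 2
# user-side policies are in effect for the CURRENT user by reading the registry
# values those Administrative Template settings write. Paths and value names are
# the well-known ADM mappings and are an assumption; verify against your ADM files.

$checks = @(
    @{ Name = 'Remove Add or Remove Programs'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
       Value = 'NoAddRemovePrograms'; Expected = @(1) },
    @{ Name = 'Prevent access to the command prompt (cmd.exe)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Expected = @(1, 2) },   # 1 = also block scripts, 2 = allow scripts
    @{ Name = "Don't run specified Windows applications (enabled)"
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisallowRun'; Expected = @(1) },
    @{ Name = 'Remove Run menu from Start Menu'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoRun'; Expected = @(1) },
    @{ Name = 'Remove Task Manager'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'; Expected = @(1) },
    @{ Name = "Remove Windows Explorer's default context menu"
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoViewContextMenu'; Expected = @(1) },
    @{ Name = 'Remove Drag-and-drop context menus on the Start Menu'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoChangeStartMenu'; Expected = @(1) }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # A missing key or value means the policy is Not Configured for this user.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$results = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Value
    New-Object PSObject -Property @{
        Policy  = $c.Name
        Value   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Applied = ($null -ne $actual) -and ($c.Expected -contains $actual)
    }
})

# The "Don't run" list is a subkey whose entries are string values named 1, 2, 3, ...
$disallowKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
$blocked = @()
if (Test-Path $disallowKey) {
    $props   = Get-ItemProperty -Path $disallowKey
    $blocked = @((Get-Item $disallowKey).GetValueNames() | ForEach-Object { $props.$_ })
}
$results += New-Object PSObject -Property @{
    Policy  = 'command.com listed under DisallowRun'
    Value   = if ($blocked.Count) { $blocked -join ', ' } else { '<empty>' }
    Applied = ($blocked -contains 'command.com')
}

$results | Select-Object Policy, Value, Applied | Format-Table -AutoSize

# Non-zero exit code if any control is missing, so the script can gate a build or login check.
if ($results | Where-Object { -not $_.Applied }) { exit 1 } else { exit 0 }
```

Run it interactively as the restricted user after a `gpupdate /force`; any row showing `Applied` as False is a setting that has not reached the user. The script deliberately checks the registry rather than parsing `gpresult` output, because the registry reflects what Explorer and cmd.exe actually enforce, which is what matters for keeping the agent running.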

3. Hide the Citrix Password Manager Agent tray icon - If the user can see the Password Manager Agent tray icon, they can simply right-click on it and choose to shut down the agent. As a Password Manager administrator, you can configure the agent to hide the tray icon while the agent continues to function normally. To configure this setting, edit your User Configuration and, under Agent User Interface, disable the setting "Show notification icon" as shown in the figure below.

4. Force Credential Storage - By default, when a user opens an application that requires authentication, the agent asks whether they would like to store their credentials in Logon Manager. The user can simply answer "No" and continue without storing them. When this option is disabled, users are no longer asked whether to store credentials; they are taken directly to the prompt to store them in Logon Manager. To configure this behavior, edit your User Configuration and, under Client-side Interaction, disable the setting "Enable users to cancel credential storage when a new application is detected" as shown in the figure below.