
How to disable/prevent Printers from being auto-created to avoid exposing Command Prompt


Pearson VUE ATS

Question

We have a Citrix XenApp 6.5 Farm running on Windows 2008 R2 systems.  We have found through an audit that certain printers, when installed via the Auto-Client printer installation, allow "Open command window here". If you go to such a printer, Microsoft Print to PDF for instance, it will bring up the file locations, which is OK, but the issue is the fact that it is allowing "Open command window here".

I'm looking to see where in Citrix policies or Windows GPOs I can remove this option.  I can't remove command prompt access from the system altogether as some of our published applications execute/launch via command prompt/batch script.

So, thinking as a workaround to this issue, we could exclude the auto-generated printers that we know this is a problem for such as Microsoft Print to PDF.  Issue - see that this is using the Citrix Universal Printer. So though I am now using the Printer driver mapping and compatibility policy within XenApp, it appears that the Universal driver will cancel this out.

Checked our Universal driver settings and it is set to use Universal Drivers only if a driver is not found.

So my thought - to locate (which I am searching for - though not having much luck) the print driver for Microsoft Print to PDF itself, install so then the policy should apply as it would have the driver and not use the universal.  And I suppose I'll have to do that for the problematic ones we discover.

Or is there a better way of managing this?

We have to rectify this by end of Feb 2019 due to audit findings and resolution date, so any thoughts are appreciated.

Thanks in advance.


1 answer to this question


Access to command prompt does not disable the command prompt itself, only the access to it.

Any script in a published app will work just fine with that setting enabled.

Next, you can always convert a (PowerShell) script into an .EXE too.

I don't think the auto generation of printers is the issue. With every PDF printer you'll probably get a prompt where to save the PDF, and the real "danger" is that window, not the print driver itself.

Maybe there are some PDF printers that can get locked down as to where files are saved, but that limits flexibility of course.

Link to comment
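The setting discussed in the answer is assumed here to be the Windows user policy "Prevent access to the command prompt". As an added example (not part of the original posts), this PowerShell audit reports how that policy is set for each user hive loaded on a session host; the `DisableCMD` value and its meanings come from Windows Group Policy rather than from the thread, the function names are hypothetical, and the script assumes it is run elevated.

```powershell
# Added example. Run elevated on the session host to read other users' hives.
# Policy: User Configuration > Administrative Templates > System >
#         "Prevent access to the command prompt"
# Stored as DWORD DisableCMD under Software\Policies\Microsoft\Windows\System:
#   1 = interactive cmd.exe blocked AND .bat/.cmd processing blocked
#   2 = interactive cmd.exe blocked, .bat/.cmd scripts still run
#   absent/0 = no restriction

function Get-DisableCmdMeaning {
    param($Value)
    if ($Value -eq 1) { return 'cmd blocked, batch scripts blocked' }
    if ($Value -eq 2) { return 'cmd blocked, batch scripts allowed' }
    return 'cmd not restricted'
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # orphaned or unresolvable account: fall back to the SID
    }
}

function Get-CmdPolicyReport {
    # Loaded user hives only: S-1-5-21-... without the _Classes suffix.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\Software\Policies\Microsoft\Windows\System"
            $value = $null
            if (Test-Path $path) {
                $prop = Get-ItemProperty -Path $path -Name DisableCMD -ErrorAction SilentlyContinue
                if ($prop) { $value = $prop.DisableCMD }
            }
            New-Object PSObject -Property @{
                User       = Resolve-SidName $sid
                DisableCMD = $value
                Meaning    = Get-DisableCmdMeaning $value
            }
        }
}

Get-CmdPolicyReport | Select-Object User, DisableCMD, Meaning | Format-Table -AutoSize
```

Sessions reported as "cmd not restricted" can still reach an interactive prompt from a file dialog such as the PDF printer's save window, while a value of 1 would also stop batch-launched published applications.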

Archived

This topic is now archived and is closed to further replies.
