Looking at the new 7.6 Clipboard Policies

With the release of XenApp and XenDesktop 7.6 (I’m just going to call it XD 7.6 from now on!) there are some very interesting new Clipboard policies that have been added for us as administrators to take advantage of.  I say interesting because for the longest time clipboard mapping has been one of the largest security holes that we have to deal with.  Not quite as bad as say client drive mapping, but still pretty significant.  On the flip side however it is also one of the things users complain the most about not having!

Let’s talk first about how clipboard mapping functions.  Within a virtual session there is a user clipboard space on the session.  When you copy data to the clipboard within that session the data is stored there.  If however you have client clipboard mapping enabled then the data is ALSO stored on the local client clipboard.  This happens through a process hook that inserts itself ahead of the DLLs that drive clipboard mapping and ships the data out over the ICA clipboard channel.  Additionally, anything you copy to the clipboard on the local client can be pasted into your virtual session.  The data also sits unencrypted in the cache, so it theoretically could be retrieved by malicious software.  And of course you as the administrator have no control over where the data gets pasted to outside the session.

So what do most admins do?  Well, where possible we disable client clipboard mapping.  The net result is that the data is still stored to the clipboard in the virtual session and can be pasted within the SAME virtual session space.  If you are using a published desktop that often works fine since all of the user’s apps are in the same virtual space.  XenApp sessions that span multiple servers however cannot paste between the servers, and obviously you can’t copy and paste to or from the client device.  In a lot of workflow scenarios that actually won’t allow the user to get their job done.

Citrix made an initial stab at solving this problem by introducing the read-only clipboard policy a couple years ago.  This policy lets you read any data from the client clipboard to your virtual session but not the other way around.  This makes sure your internal data perimeter is secure but allows you to bring in outside data as part of the user session.  This doesn’t do anything to solve the cross-session pasting however so the use cases are limited but it was a step forward.

So now with XenDesktop 7.6 Citrix has increased the flexibility it offers admins.  Let’s first take a look at the clipboard options that are exposed in the policy settings:

[Screenshot: Clipboard Options in the policy settings list]

Looking at the list we still have the read-only clipboard policy available:

[Screenshot: Read-only clipboard policy]

Breaking this down, it says that if client clipboard mapping is enabled and the Read-Only clipboard policy is enabled, data can be read from the client clipboard but not written to it.  What is interesting though is the Applies to: field.  Note that this policy only applies to VDA 7.5 and below.  So with VDA 7.6 there are now a host of new options.

[Screenshot: Restrict client clipboard write policy]

The “Restrict client clipboard write” policy most closely mimics the read-only clipboard policy.  With client clipboard mapping enabled and this policy enabled you have created a read-only client clipboard as above.  But here’s where it gets really interesting with the “Client clipboard write allowed formats” policy!

[Screenshot: Client clipboard write allowed formats policy]

So with the “Restrict client clipboard write” enabled you can now make it less of a blanket statement.  What if you have a specific data type that your users NEED to move back and forth either between sessions or between the session and the client?  You can just enable that specific data type and make everything else read-only.  The data types are the standard clipboard formats in Windows.  You can find more about the clipboard formats from Microsoft.

But that new flexibility doesn’t stop with session -> client clipboard mapping.  As you can see from the master policy list, the same policies actually apply with client -> session clipboard mapping!

[Screenshots: Restrict session clipboard write and Session clipboard write allowed formats policies]

The same policies are available and applicable when you are trying to restrict data movement from the client up to the virtual session.  You can define the data format types and even make it a read-only clipboard in that direction.  Pretty cool huh?

*Important Note: If you want to be able to move data between multiple sessions, you must enable the appropriate data types for the clipboard in both directions (session -> client and client -> session), with all other data restricted, unless you simply want to make one side fully read-only.
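To make the interplay of the two policy pairs concrete, here is an added Python model (my own example, not Citrix code) of which Windows clipboard formats survive a write in each direction, including the cross-session case from the note, plus a small Windows-only helper (ctypes against user32) that lists the format IDs currently on a clipboard so you can see what a given copy actually carries. The function names and the sample clipboard contents are assumptions; the CF_* constants are the standard Windows format IDs.

```python
import ctypes
import sys

# Standard Windows clipboard format IDs (WinUser.h); the "... write allowed
# formats" policies choose among standard formats like these.
CF_TEXT, CF_BITMAP, CF_DIB, CF_UNICODETEXT, CF_HDROP = 1, 2, 8, 13, 15


def formats_written(present, mapping_enabled, restrict_write, allowed):
    """One direction of the policy pair (hypothetical model, not Citrix code).
    present: formats on the source clipboard; mapping_enabled: "Client clipboard
    redirection"; restrict_write: "Restrict ... clipboard write"; allowed: the
    matching "... write allowed formats" list. Empty result = read-only leg."""
    if not mapping_enabled:
        return set()
    if not restrict_write:
        return set(present)
    return set(present) & set(allowed)


def cross_session_formats(present, session_to_client, client_to_session):
    """Session A -> client clipboard -> session B: a format must pass both
    legs (the Important Note). Each leg is a (mapping, restrict, allowed)."""
    on_client = formats_written(present, *session_to_client)
    return formats_written(on_client, *client_to_session)


def live_clipboard_formats():
    """Format IDs on this machine's clipboard (Windows only, via user32);
    returns [] elsewhere so the model above still runs anywhere."""
    if sys.platform != "win32":
        return []
    user32 = ctypes.windll.user32
    if not user32.OpenClipboard(None):
        return []
    try:
        fmts, fmt = [], 0
        while (fmt := user32.EnumClipboardFormats(fmt)) != 0:
            fmts.append(fmt)
        return fmts
    finally:
        user32.CloseClipboard()


if __name__ == "__main__":
    # Constructed sample: the session clipboard holds text plus a file drop.
    present = {CF_UNICODETEXT, CF_TEXT, CF_HDROP}
    text_only = (True, True, {CF_TEXT, CF_UNICODETEXT})   # files stay behind
    read_only = (True, True, set())                        # nothing written
    print("session->client:", formats_written(present, *text_only))
    print("client->session:", formats_written(present, *read_only))
    print("cross-session  :", cross_session_formats(present, text_only, text_only))
    print("live clipboard :", live_clipboard_formats())
```

CF_HDROP (a file drop list) is the format to leave off the allowed lists when text should cross but files should not.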

So these are really cool changes and I like them a lot.  There is however a design that is, to me, a better one.  I’ve suggested for many years to Citrix that what they should do instead is provide some sort of clipboard encryption if needed.  That would allow you to not have to restrict the clipboard at all, but instead encrypt it on the client clipboard so that anyone without the proper access couldn’t actually read the data out of it.  It’s actually not incredibly complicated in concept and it would really help in my opinion.

So there you have it… tons of new stuff and what I would love to see instead 🙂  Enjoy the new policies!


7 Comments

  • MartinB says:

    It is a very useful and interesting article, but I wonder how to achieve this scenario in XenApp 7.6: users can synchronize everything through the clipboard but not files?

    • Paul says:

      Not sure what you mean Martin? Can you give me a scenario?

      • MartinB says:

        I found a tool that answered all my questions: http://www.peterbuettner.de/develop/tools/clipview/. Now I can see clipboard raw data, and I can decide which formats I should allow or prohibit in the XenApp session. Thank you for your help.

      • BjornB says:

        Hi there,

        I am just struggling with the very same question: Can users copy a TXT file (or a JPG or an Excel file) into their local clipboard and paste it in their virtual desktop session?

        I have a XD 7.6 LTSR CU2 environment with multiple 7.6.3 Desktop OS VDAs and I am just able to copy-paste text from client to VDA (or vice versa) through the clipboard; copying files (regardless of whether TXT or JPG or whatsoever) doesn't seem to be possible, even though I have my local client drive mapped with full access into my desktop session.

        I am wondering if it makes any sense to open a Citrix support ticket or if this is just a feature Citrix is still missing….

        Maybe you can enlighten me? 🙂

  • Akshay Poddar says:

    Hey, I am looking for a one-sided clipboard redirection setting: local to VDI copy/paste can happen, but from VDI to local it must be prohibited.

    I am trying all the above-mentioned policy permutations and combinations, but where I am stuck now is that copy/paste is prohibited from both sides.

    Can you please answer how to avoid this?

  • Rafael Rodriguez says:

    Is this working for XenApp 7.6 only or does it require a XenDesktop license too?

  • Iss says:

    Hello,

    I just installed XenDesktop 7.12
    1 store, 1 DC, 1 StoreFront, 1 VDA (RDSH 2012R2), client W7 (4.6.0)

    For testing, I've created policies (on the console) with
    Client Clipboard Redirection: Allowed
    •Restrict Client Clipboard Write: Enabled
    •Restrict Session Clipboard Write: Enabled

    This should normally prevent me from copying/pasting between the client endpoint and the published application.
    https://support.citrix.com/article/CTX217933

    Yet I can copy files (TXT, DOCS, XML ….)
    Client endpoint drive -> shared applications
    Shared applications -> client endpoint drive

    Do I get it wrong? And if so, where?

    Iss
