Automatic locking or log-out on CiTRiX terminals

Status
Not open for further replies.

haemphyst

IS-IT--Management
Dec 2, 2003
74
US
I have a CiTRiX server in a 2K Domain. In the medical field, we have a little rule that says "When you leave your PC, you must lock it or logoff." (this, BTW, is paraphrased - Look up HIPAA if you want to know the rest) I cannot make my users do this. I am looking for any way to lock the ICA thinnet session after a given period of time, without necessarily ending the ICA session. I have tried screensavers, and the like, but when you run a screensaver on a thinnet (18 of them) the network and the server drag to a crawl, impacting dramatically the thinnet (and PC) users that are still working. I cannot sacrifice network performance for this. I cannot seem to locate any settings for LOCAL locking screensavers, either. I had considered segmenting the network, but the servers are not identical, and the CiTRiX server only has a 10/100 NIC in it - I believe it needs more bandwidth to do its job effectively... The DC has the 10/100/1000 NIC installed, and it, unfortunately, is plenty of server to host the 10 or so PCs that access it for the practice management software... the doctor would not go for replacing or moving it (in favor of replacing the CiTRiX server) right now. Any suggestions of where to go from here would be appreciated.

Additionally, if there is any way to EASILY require a user to use his/her given user name to logon to the thinnet clients those hints will be well appreciated, also. (They logon by LOCATION right now i.e. everybody going into room number 1 will log on as patientroom1 and everybody knows the password. I cannot implement effective auditing this way. OR a user can sit wherever they find an open PC, and logon as any user on the domain, because everybody knows all of the passwords. I know this is wrong - everybody knows all of the common passwords for all of the terminals - Please don't shoot the messenger... I inherited this mess. When I *did* inherit this mess, everybody had admin rights to everything! - no longer, blessedly.)

e-mail me at ddraper at igalaxy dot net
 
Hi,

Why don't you use the Blank Screen Saver? This will create little traffic to your network/server and give you security.

You can find the settings for screen saver etc in:-

HKEY_CURRENT_USER\Software\Desktop

If you configure your session to do what you want, then export the Desktop reg key, you can script it by GPO or usrlogon.cmd to write for every user when they logon.

Hope this helps,
Carl.
 
For locking the workstation you can use group policies. Look in user configuration, admin templates, control panel, display. There are settings there where you can specify the screensaver and force it to password protect.

As for forcing people to use their login details for Citrix, set the permissions so that the generic accounts (such as patient1) do not have rights to run the applications. This should force them to use their own login details.
Also forcing password changes should start eliminating people knowing each other's passwords. Users won't like it but they never do!!!

Arun
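The two replies above describe the same end state from two directions: Carl's per-user registry values written at logon, and Arun's Group Policy settings that force a password-protected screen saver. The script below is an added example, not code from either poster or from Citrix; it writes the per-user policy values that the GPO display settings map to (so users cannot undo them from Control Panel) and then audits the effective configuration. The 300-second timeout, the choice of the built-in blank saver, and the assumption that this runs inside the user's session (for instance from usrlogon.cmd) are mine.

```powershell
# Added example: enforce a password-protected blank screen saver for the
# current user through the per-user policy key, then audit the result.
# Assumptions (not from the thread): run inside the user's own session; a
# 5-minute (300 s) timeout; scrnsave.scr as the blank saver.

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'
# scrnsave.scr is the built-in blank screen saver. It draws nothing, so a
# locked ICA session costs almost no bandwidth compared with animated savers.
$BlankSaver = Join-Path $env:SystemRoot 'System32\scrnsave.scr'

function Set-LockingScreenSaver {
    param([int]$TimeoutSeconds = 300)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # These are the REG_SZ values the "Control Panel\Display" GPO settings write;
    # policy values take precedence over whatever the user sets in Control Panel.
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure'  -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value $BlankSaver -Type String
}

function Test-LockingScreenSaver {
    param([int]$MaxTimeoutSeconds = 300)
    # Resolve each setting the way the shell does: policy key first, then the
    # user's own key. A missing value is reported as $null.
    $effective = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE') {
        $value = $null
        foreach ($key in $PolicyKey, $UserKey) {
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
                if ($null -ne $value) { break }
            }
        }
        $effective[$name] = $value
    }
    $timeout = $effective['ScreenSaveTimeOut'] -as [int]
    $locks = ($effective['ScreenSaveActive'] -eq '1') -and
             ($effective['ScreenSaverIsSecure'] -eq '1') -and
             ($timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds) -and
             (-not [string]::IsNullOrEmpty($effective['SCRNSAVE.EXE']))
    [pscustomobject]@{ Locks = $locks; Settings = $effective }
}

Set-LockingScreenSaver -TimeoutSeconds 300
Test-LockingScreenSaver | Format-List
```

Because the values go under the Policies hive, the Display control panel shows them greyed out for the user; the audit function is the check you would run from a logon script (or over a list of profiles) to confirm that every session actually locks within the window the HIPAA rule requires.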
 
The other thing that might annoy users, but help with the security issue, is to set the ICA-TCP settings to disconnect an idle session after 5 minutes or whatever it is you have the screen saver set to. Then allow the disconnect setting to be an hour or something like that.

That way when the users are idle the session will disconnect, but still be available for the user to reconnect to for up to an hour.

This is a little unconventional, and not something I would normally practice, but hey every situation is unique.

And like ap1612 mentioned above specifically assign rights to the applications. I prefer to treat every single published application like a network resource, just like a shared folder or printer. So create a group in AD or NT UMFD for that application. Then put the users you want to grant access to that app in the group and assign that group permission to the application from the Management Console.

Another step I implement for security is to assign permissions to the ICA-TCP protocol on the server. Create another group called "Citrix" or something like that and grant that group permission to login with user access to the ICA-TCP protocol in the Citrix Connection Configuration tool. This way only users in the Citrix group can even login to the farm. It may sound like overkill, but in my opinion simple implementation of multiple layers of security never hurts.
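The idle-disconnect arrangement described in this post (disconnect after 5 minutes idle, keep the disconnected session for an hour so the user can reconnect) can be set centrally rather than per connection in the Citrix Connection Configuration tool. The script below is an added example, not code from the poster or from Citrix; it writes the Terminal Services session-limit policy values and reads them back. It assumes that the Citrix server's ICA winstation honours this Terminal Services policy the same way RDP does, and the 5-minute and 60-minute figures are taken from the post.

```powershell
# Added example: set and audit session time limits through the Terminal
# Services policy key. Assumptions (not from the thread): the ICA-tcp
# winstation honours this policy like RDP-tcp; 5 min idle, 60 min reconnect
# window. Writing HKLM requires an administrative session.

$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-SessionLimits {
    param(
        [int]$IdleMinutes = 5,           # idle time before the session is disconnected
        [int]$DisconnectedMinutes = 60   # how long a disconnected session is kept for reconnect
    )
    if (-not (Test-Path $TsPolicyKey)) { New-Item -Path $TsPolicyKey -Force | Out-Null }
    # Both limits are REG_DWORD milliseconds, matching the "Session Time Limits" policy.
    Set-ItemProperty -Path $TsPolicyKey -Name 'MaxIdleTime'          -Value ($IdleMinutes * 60000) -Type DWord
    Set-ItemProperty -Path $TsPolicyKey -Name 'MaxDisconnectionTime' -Value ($DisconnectedMinutes * 60000) -Type DWord
    # fResetBroken: 0 = disconnect when a limit is hit (session survives for
    # reconnect, which is what the post wants); 1 = end the session outright.
    Set-ItemProperty -Path $TsPolicyKey -Name 'fResetBroken' -Value 0 -Type DWord
}

function Test-SessionLimits {
    param([int]$MaxIdleMinutes = 5)
    if (-not (Test-Path $TsPolicyKey)) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'policy key missing' }
    }
    $p = Get-ItemProperty -Path $TsPolicyKey
    $idleMin = if ($null -ne $p.MaxIdleTime) { [int]($p.MaxIdleTime / 60000) } else { $null }
    $discMin = if ($null -ne $p.MaxDisconnectionTime) { [int]($p.MaxDisconnectionTime / 60000) } else { $null }
    # Compliant means: an idle limit is set and is no looser than the screen
    # saver window, and a timed-out session is disconnected rather than ended.
    $ok = ($null -ne $idleMin) -and ($idleMin -gt 0) -and ($idleMin -le $MaxIdleMinutes) -and
          ($null -ne $discMin) -and ($discMin -gt 0) -and
          ($p.fResetBroken -eq 0)
    [pscustomobject]@{
        Compliant           = $ok
        IdleMinutes         = $idleMin
        DisconnectedMinutes = $discMin
        EndsSessionOnLimit  = ($p.fResetBroken -eq 1)
    }
}

Set-SessionLimits -IdleMinutes 5 -DisconnectedMinutes 60
Test-SessionLimits | Format-List
```

Keep the idle limit equal to or shorter than the screen saver timeout, as the post suggests: an idle session that has been disconnected shows nothing on the terminal at all, so the unattended-screen exposure is closed even on a client where the saver never ran.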
 