Best Practices For Citrix Virtual Apps & Desktops Clipboard Redirection

1912 LTSR

Introduction

My fellow CTP James Rankin has written a very good article about CVAD clipboard redirection. This article shares my findings and research on clipboard redirection based on CVAD 1912 LTSR.

Out-Of-Box Installation and the Security part

If you install CVAD 1912 out of the box, or update it from an earlier release, and you have not configured clipboard redirection in the past, this feature is enabled by default.

From a security perspective, many companies won’t allow client drive mapping if you are connecting to the VDA through an external gateway. But with the default clipboard redirection settings you can copy files directly through the virtual HDX clipboard channel, via copy and paste in Windows Explorer, through any HDX connection.

Clipboard Format Citrix (CFX)

Citrix has created four clipboard formats of its own; these are enabled by default.

CFX_RICHTEXT

To copy Office formatting such as headers through the HDX channel.

Clipboard redirection without CFX_RICHTEXT

CFX_OfficeDrawingShape

Specifies the Office Drawing, or OfficeArt, binary file format. This file format exists as part of various Microsoft Office application binary file formats. The OfficeArt data represents the drawing elements and all their associated formatting in those Office applications. Typically these elements are represented as shapes contained within drawings or diagrams, but may include form controls or tables.

Source: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-odraw/8560795e-7759-4745-838f-f7f2ef2f1872

CFX_BIFF8

Microsoft Office Excel 97-2003 Binary File Format (.xls). Also known as BIFF8.

The Microsoft Excel Binary File format, with the .xls extension and referred to as XLS or MS-XLS, was the default format used for spreadsheets in Excel through Microsoft Office 2003. The format is also referred to as Binary Interchange File Format (BIFF) in Microsoft’s technical documentation. This format description is primarily for version 8 of BIFF (BIFF8), introduced with Excel 97 in 1997. Although it cannot support the latest functionality of the Excel application, BIFF8 has continued to be available as an alternative to the XLSX/OOXML format, standardized as ISO/IEC 29500, for saving spreadsheet files in Excel. As of late 2019, the documentation for File formats that are supported in Excel, from Microsoft, lists two variants of XLS format, distinguishing between “Excel 5.0/95 Binary file format” and “Excel 97-Excel 2003 Binary file format.” These correspond to BIFF5 and BIFF8, respectively.

.xls: Excel 97 – Excel 2003 Binary file format (BIFF8).
.xlt: Excel 97 – Excel 2003 Binary file format (BIFF8) for an Excel template.

Source: https://www.loc.gov/preservation/digital/formats/fdd/fdd000510.shtml

Depending on the environment you are using, it may be necessary to enable this format.

The Excel content can be copied without this setting.

CFX_FILE

Pasting files directly from clipboard to the client or the VDA through the virtual HDX Clipboard Channel.

Note: If you have restricted the policy to text only (CF_TEXT) and added CFX_FILE, all files can be copied, not only text. In my opinion, if you use CFX_FILE, it’s not required to restrict the format. The user is able to copy every file in a direct way!

With CFX_FILE you can copy any file via copy and paste without Client Drive Mapping, for example a PowerShell script, as you can see in the following example:

If CFX_FILE is not enabled, you can’t paste the document to the local client or the HDX session. If a previous file is in the clipboard, this will be pasted.

Recommended Clipboard Formats

I have created my own recommended list as a good starting point. It gives you the most useful clipboard content with a high level of security.

System Defined Clipboard Formats:
CF_TEXT
CF_BITMAP
CF_METAFILEPICT
CF_SYLK
CF_DIF
CF_TIFF
CF_OEMTEXT
CF_DIB
CF_PALETTE
CF_PENDATA
CF_RIFF
CF_WAVE
CF_UNICODETEXT
CF_ENHMETAFILE
CF_HDROP
CF_LOCALE
CF_DIBV5
CF_OWNERDISPLAY
CF_DSPTEXT
CF_DSPBITMAP
CF_DSPMETAFILEPICT
CF_DSPENHMETAFILE
CF_HTML

Recommended List:
CF_TEXT
CF_BITMAP
CF_METAFILEPICT
CF_DIF
CF_TIFF
CF_OEMTEXT
CF_DIB
CF_PALETTE
CF_PENDATA
CF_RIFF
CF_WAVE
CF_UNICODETEXT
CF_ENHMETAFILE
CF_LOCALE
CF_DIBV5
CF_OWNERDISPLAY
CF_DSPTEXT
CF_DSPBITMAP
CF_DSPMETAFILEPICT
CF_DSPENHMETAFILE
CFX_RICHTEXT
CFX_OfficeDrawingShape

About CF_HTML

I don’t use HTML format clipboard copy support. It copies any scripts from the source of the copied content to the destination. Check that you trust the source before proceeding to copy. If you do copy content containing scripts, they are live only if you save the destination file as an HTML file and execute it.

Registry Settings

The Clipboard Settings for the User are stored in the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\<SessionID>\User\VCPolicies
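
An audit sketch for the registry path above, added here as an example (it is not Citrix tooling and not the author's script). It compares clipboard format names against the recommended list and reports the ones the article warns about. The function names are hypothetical, and it assumes the format names appear as readable text in the value data under VCPolicies.

```powershell
# Added example. Format names are taken from the article's recommended list.
$Recommended = @(
    'CF_TEXT','CF_BITMAP','CF_METAFILEPICT','CF_DIF','CF_TIFF','CF_OEMTEXT','CF_DIB',
    'CF_PALETTE','CF_PENDATA','CF_RIFF','CF_WAVE','CF_UNICODETEXT','CF_ENHMETAFILE',
    'CF_LOCALE','CF_DIBV5','CF_OWNERDISPLAY','CF_DSPTEXT','CF_DSPBITMAP',
    'CF_DSPMETAFILEPICT','CF_DSPENHMETAFILE','CFX_RICHTEXT','CFX_OfficeDrawingShape'
)
# Formats the article singles out, with the reason it gives.
$Flagged = @{
    'CFX_FILE' = 'any file can be copied and pasted, even without Client Drive Mapping'
    'CF_HTML'  = 'scripts in the copied source travel to the destination'
}

function Test-ClipboardFormatList {
    # Emits one finding per format that is not on the recommended list.
    param([Parameter(Mandatory)][string]$Source, [string[]]$Formats)
    foreach ($f in ($Formats | Sort-Object -Unique)) {
        if ($Recommended -contains $f) { continue }
        $reason = if ($Flagged.ContainsKey($f)) { $Flagged[$f] } else { 'not on the recommended list' }
        [pscustomobject]@{ Source = $Source; Format = $f; Finding = $reason }
    }
}

function Get-SessionClipboardFinding {
    # Walks HKLM\SOFTWARE\Policies\Citrix\<SessionID>\User\VCPolicies for every session.
    # Assumption: session subkeys are numeric and format names are stored as text.
    $root = 'HKLM:\SOFTWARE\Policies\Citrix'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root | Where-Object PSChildName -match '^\d+$' | ForEach-Object {
        $session = $_.PSChildName
        $key = Join-Path $_.PSPath 'User\VCPolicies'
        if (-not (Test-Path $key)) { return }   # acts as "continue" inside ForEach-Object
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # No value names are assumed: every value is scanned for CF_/CFX_ tokens.
            $text = @($item.GetValue($name)) -join ','
            $found = [regex]::Matches($text, '\bCFX?_\w+') | ForEach-Object Value
            if ($found) { Test-ClipboardFormatList -Source "$session\$name" -Formats $found }
        }
    }
}

# Constructed sample: a "text only" allow-list that also carries file formats.
Test-ClipboardFormatList -Source 'sample' -Formats 'CF_TEXT','CFX_FILE','CF_HDROP'
# On a VDA with active sessions, audit the live policy values.
Get-SessionClipboardFinding
```

Run it in an elevated PowerShell session on the VDA; an empty result from `Get-SessionClipboardFinding` means no scanned value named a format outside the recommended list.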

Trust Computers with 3rd Party deviceTRUST

The best way to trust a computer in a dynamic world is the third-party tool deviceTRUST.

Contextualize the corporate enterprise, allowing users the freedom to access their corporate workspace from any location, on any device, over any network, while giving IT departments the information and control they need to meet their governance requirements.

With its patent pending technologies, deviceTRUST delivers more than 200 hardware, software, network, security, performance and location contextual properties into the virtual and physical workspaces. deviceTRUST can easily integrate with any existing workspace management solution and requires no additional infrastructure. The context is always up-to-date and any change triggers a definable action.

Conclusion

Clipboard redirection is a very useful feature and allows you to control the content exchanged between client and VDA in a more secure way. Adjust the out-of-the-box settings to your requirements.

EUCweb.com | EUCblog.com | Founder Base Image Script Framework (BIS-F) | IT-Architect EUC | Automation Enthusiast
