Designing Citrix Application Security
Introduction:
The purpose of this article is to present a common sense approach to setting up application security for Citrix published applications. The topics covered include a centralized approach for securing your simple or complex Citrix applications: a model that is easy to maintain and manage. The key word is EASY.
Defining a Naming Standard for Active Directory Global Groups:
Creating a standard naming convention is a key point in simplifying the security model for application access. Keep in mind that there are many ways to accomplish the same thing, and I am simply presenting what I have found to work well over the years.
For starters, I have found it is important to set up an administrative security model that the next person can easily follow after I am gone.
Defining a naming standard that works in your environment: What has worked well for me is including in the group name the application name (example: "MS Office Word 2003"), the type of application (example: "Citrix"), and what the group's purpose is, here application security (example: "App").
Examples of a Group Naming Standard:
App Citrix MS Office
App Citrix Lotus Notes 6.51
App Citrix EMR
I'll bet you're wondering why put App and Citrix in the name of the group, and whether that is too redundant. The answer is that more than likely there are a lot of other groups already created in your Active Directory for which it is difficult to determine what they provide access to.
Creating an OU named Citrix Applications (or just Applications), then creating groups in that OU named "App Citrix AppName", will allow you to sort easily and differentiate them from other group types.
The point I am trying to make here is that you should be able to look at the name of a group and tell what its purpose is. Another advantage is that when you need to add a user to a Citrix application group, you can simply type in App Citrix and receive a list of only the Citrix application groups.
Integrating Different Types of Application Security into a centrally managed group standard:
Many applications you publish in Citrix may require access to a database and/or a file system network share. By using a single group "App Citrix AppName" to provide access to your database and/or file system network share as well as the Citrix published application, you are essentially simplifying the security management of your Citrix published applications.
An extreme example of this is a recent application I published in Citrix. The application was a Microsoft Access database located in a sub folder on a mapped network drive. This MS Access database also required access to a Microsoft SQL database.
Here is what I did to set up the security for this new app.
1. Created an Active Directory Global Group named "App Citrix AppName" in the Citrix Applications OU.
2. Added this group to the \\servername\share\app_folder folder security with read/write permissions.
3. Added the group to the MS SQL database on the SQL Server using Enterprise Manager.
4. Published the application in Citrix using the Citrix Management Console with a command line something like
"C:\Program Files\Microsoft Office\Office\MSACCESS.EXE" "\\servername\share\app_folder\access_database.mdb"
5. Added the "App Citrix AppName" group to the Citrix Published application.
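The five steps above, together with the "type in App Citrix and get only the Citrix application groups" lookup from the naming section, as an added PowerShell example. This is not the author's script and not part of the article; the article did the same work by hand in Active Directory Users and Computers, the folder's security tab, Enterprise Manager and the Citrix Management Console. It assumes the ActiveDirectory (RSAT) and SqlServer modules are installed, that the account running it may create groups, change NTFS ACLs and administer the SQL instance, and that every value marked "placeholder" (OU path, share path, SQL instance and database, application name) is replaced with your own.

```powershell
# Added example, not from the article: steps 1-3 as a script, plus the naming-standard lookup.
# Assumptions: ActiveDirectory (RSAT) and SqlServer modules are installed; the caller has rights
# to create AD groups, change NTFS ACLs and administer the SQL instance; values marked
# "placeholder" are replaced with real ones.

param(
    [string]$AppName   = 'AppName',                                   # placeholder application name
    [string]$OuPath    = 'OU=Citrix Applications,DC=example,DC=com',  # placeholder OU distinguished name
    [string]$SharePath = '\\servername\share\app_folder',             # placeholder UNC path (as in the article)
    [string]$SqlServer = 'sqlserver\instance',                        # placeholder SQL Server instance
    [string]$SqlDb     = 'AppDatabase'                                # placeholder database name
)

Import-Module ActiveDirectory
Import-Module SqlServer

# The article's naming standard: purpose ("App"), type ("Citrix"), then the application name.
$GroupName = "App Citrix $AppName"
$Domain    = (Get-ADDomain).NetBIOSName
$Principal = "$Domain\$GroupName"   # DOMAIN\App Citrix AppName, the form NTFS ACLs and SQL Server expect

# Step 1: one global security group in the Citrix Applications OU (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OuPath)) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $OuPath -Description "Citrix published application: $AppName"
}

# Step 2: grant the group read/write on the application folder. Modify is used rather than
# Read + Write because an Access .mdb creates and deletes its .ldb lock file in the same folder.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 3: the same group becomes a Windows login on the instance and a user in the database
# with read/write roles. ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later; on the
# Enterprise Manager era versions the article describes, use sp_addrolemember instead.
$query = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
USE [$SqlDb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
ALTER ROLE db_datareader ADD MEMBER [$Principal];
ALTER ROLE db_datawriter ADD MEMBER [$Principal];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Query $query

# Steps 4 and 5 (publishing MSACCESS.EXE with the .mdb path and assigning the group) are done in
# the Citrix Management Console in the article. The XenApp PowerShell SDK has equivalents
# (New-XAApplication, Add-XAApplicationAccount); that is an assumption here and is not run.

# The payoff of the naming standard: filtering on the "App Citrix" prefix inside the OU lists
# only Citrix application groups, and each one is the single place to grant or revoke access
# to the share, the database and the published application at once.
Get-ADGroup -Filter "Name -like 'App Citrix *'" -SearchBase $OuPath |
    Select-Object Name, GroupScope, Description |
    Sort-Object Name
```

Run it once per published application with a different -AppName. Because the share ACL, the SQL database user and (in the console) the published application all reference the same group, removing a user's access later means removing them from one group in one OU, which is the whole point of the standard.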
Summary:
Defining standards like the one above will provide an easy-to-manage security model that someone following in your footsteps can pick up without reinventing the wheel.
Author: Scott Chiara
Date: May 1st 2006