Workspace Environment Management

Protect Citrix Workspace environments using process hierarchy control

In a Citrix Workspace environment, applications might be launched in ways that were not intended. This situation can pose security risks, especially if powerful Windows tools such as CMD and PowerShell are launched.

As an administrator, you might want to restrict your users only to launching allowed applications. Workspace Environment Management (WEM) provides you with the process hierarchy control feature, which helps prevent end users from launching child processes.

You can control whether certain child processes can be started from their parent processes in a Citrix Workspace environment. The feature is useful in scenarios where you want to prevent unintended processes from running through published applications.

This article uses CMD as an example. With process hierarchy control, you can protect against attacks launched through CMD in a Citrix virtual app environment by preventing CMD from being started through the published app. A general workflow for using the feature is as follows:

  1. Enable process hierarchy control on the WEM agent

  2. Configure process hierarchy control rules in the WEM console

Recommendation

We recommend that you use the WEM tool VUEMAppCmd to publish applications. The tool ensures that the WEM agent finishes processing process hierarchy control rules before published applications start.

Use the Full Configuration management interface to edit the application settings and then add an executable file path that points to VUEMAppCmd.exe. For more information, see Applications.

Application settings

Enable process hierarchy control on the WEM agent

To enable the feature, use the AppInfoViewer tool on the agent machine. The tool is located in the agent installation folder. A machine restart is required after you enable or disable the feature.

Application Info Viewer

Configure process hierarchy control rules in the WEM console

Suppose you want to block CMD from launching through Notepad. To create process hierarchy control rules, complete the following steps:

  1. Go to Legacy Console > Security > Process Hierarchy Control and select Enable Process Hierarchy Control.

    Process hierarchy control

  2. Click Add Rule, configure settings as follows, and click Next.

    Note:

    In this example, you create a rule to prevent CMD from launching through Notepad. You can use one of the three rule types (Path, Publisher, and Hash) to specify parent and child processes. Under Assignments, you choose the users to whom you want to apply the rule. For more information about the settings, see Process hierarchy control.

    Add process hierarchy control rule 1

  3. Configure Notepad as the parent process and click Next.

    Note:

    The user interface differs depending on which rule type you select in step 2.

    Add process hierarchy control rule 2

  4. Add multiple child processes in the rule as needed and click Create.

    Add process hierarchy control rule 3

This completes creating the rule. The agent will prevent CMD from launching through Notepad in the Citrix Workspace environment.
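The following is an added example, not Citrix or WEM code: it models a process hierarchy control rule (Path and Hash rule types, with an optional user assignment) and applies it to constructed process-creation records of the kind an endpoint sensor emits (parent image, image, user, file hashes). An administrator can use the same logic to audit whether CMD-from-Notepad launches still appear in process-creation telemetry after the rule has been deployed, and to spot the common gap where a rule is assigned to only some users. The record field names, the rule schema and all sample values (users, hashes) are assumptions; the Publisher rule type is omitted because it needs signer data that these records do not carry.

```python
"""Added example (not Citrix/WEM code): model a process hierarchy control rule
and check process-creation records against it. Field names, the rule schema and
the sample records below are constructed assumptions, not WEM's own format."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class HierarchyRule:
    rule_type: str          # "path" or "hash" (Publisher rules need signer data, omitted here)
    parent: str             # parent process: full path, or SHA-256 hex digest for hash rules
    children: frozenset     # child processes to block, in the same form as `parent`
    assigned_users: frozenset = frozenset()   # empty set = the rule applies to every user


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive; normalise separators and case before comparing."""
    return path.replace("/", "\\").lower()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def violates(rule: HierarchyRule, event: dict) -> bool:
    """True if this process-creation event is one the rule should have blocked."""
    if rule.assigned_users and event["user"].lower() not in {u.lower() for u in rule.assigned_users}:
        return False  # rule is not assigned to this user, so it does not apply
    if rule.rule_type == "path":
        parent_match = norm_path(event["parent_image"]) == norm_path(rule.parent)
        child_match = norm_path(event["image"]) in {norm_path(c) for c in rule.children}
        return parent_match and child_match
    if rule.rule_type == "hash":
        parent_match = event["parent_sha256"].lower() == rule.parent.lower()
        child_match = event["sha256"].lower() in {c.lower() for c in rule.children}
        return parent_match and child_match
    raise ValueError(f"unsupported rule type: {rule.rule_type}")


def audit(events, rules):
    """Return (event, rule) pairs showing launches the control did not prevent."""
    return [(e, r) for e in events for r in rules if violates(r, e)]


# Constructed stand-in hashes (not hashes of real binaries) so the hash rule can be exercised.
NOTEPAD_HASH = sha256_hex(b"constructed notepad.exe bytes")
CMD_HASH = sha256_hex(b"constructed cmd.exe bytes")

RULES = [
    # Path rule assigned only to one user (assumed account name)
    HierarchyRule("path", r"C:\Windows\System32\notepad.exe",
                  frozenset({r"C:\Windows\System32\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"}),
                  frozenset({r"CONTOSO\alice"})),
    # Hash rule with no assignment, i.e. applies to everyone
    HierarchyRule("hash", NOTEPAD_HASH, frozenset({CMD_HASH})),
]

# Constructed process-creation records in a Sysmon-like shape.
EVENTS = [
    {"user": r"CONTOSO\alice", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\CMD.EXE", "parent_sha256": NOTEPAD_HASH, "sha256": CMD_HASH},
    {"user": r"CONTOSO\bob", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_sha256": NOTEPAD_HASH, "sha256": CMD_HASH},
    {"user": r"CONTOSO\alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "parent_sha256": sha256_hex(b"explorer"), "sha256": CMD_HASH},
    {"user": r"CONTOSO\alice", "parent_image": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\calc.exe", "parent_sha256": NOTEPAD_HASH, "sha256": sha256_hex(b"calc")},
]

if __name__ == "__main__":
    for event, rule in audit(EVENTS, RULES):
        print(f"{rule.rule_type} rule hit: {event['user']} ran {event['image']} "
              f"from {event['parent_image']}")
```

Running the block reports three hits: the first record trips both rules, the second (user bob) trips only the hash rule because the path rule is assigned to alice alone, and the remaining two records are untouched because either the parent or the child does not match. That second case is the one to look for when auditing a deployment: a rule that is correct but scoped to the wrong users leaves the launch path open.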
