How Microsoft’s XPS Driver Lets Citrix XenApp Users Get on the Internet (and how to lock it down)

Your user is happily working in your published, seamless application via XenApp 6 running on Windows Server 2008 R2, and life is good.

Then one day, when your user goes to print something, he is looking at the print dialog and notices this “Microsoft XPS Document Writer” printer as an option.

“HMM I wonder what this does?”

He views the printer Preferences and…

“Go online” are two words you do not want your users to see on a Citrix server. Your user, of course, has an irresistable urge to click the link.

Your user thinks, “XML Paper Specifiation Overview? This looks interesting.. NOT! Let’s watch some videos!” A few more clicks, and…

Your user is now on Youtube watching how-to videos about other great ways to elevate his privilege and bog down your pristine XenApp 6 server with garbage.

How do we fix this? As I’m sure you’ve already considered, web filtering would be a good idea to mitigate the damage an Internet-bound user can mete out on your infrastructure. There are other good reasons to block or regulate web access from your Citrix servers as well. Even server admins are not immune from falling victim to a zero-day exploit while on the web.

You may have also noticed that, in this case, the user’s access was severely restricted even within Internet Explorer. I used group policies to strip away the bells and whistles and enforce additional restrictions on the user. The user has no access to a published desktop or a command line or “Run” prompt.

In some environments, it is practical to just set file-level permissions on the Internet Explorer executable and deny access to everyone. But chances are there are some published applications that require a browser launch, even if it is only intermediate.

There is something else we can do. First, unless you really need it, uninstall the Microsoft XPS Document Writer. This can easily be done from an administrative shell with the commmand:

cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -d -p “Microsoft XPS Document Writer”

The script will forcibly delete the printer for everyone. But you’re not done yet. Let’s take a second look at the print dialog box the user sees.

You’ll notice the user has a session mapped local printer for the XPS Document Writer on his machine. If he views the Preferences for this printer, he will get the exact same properties window he got before.

We could remove the XPS driver package, but if you are allowing automatic installation of native drivers on your Citrix servers, Windows will just reinstall it.

We need to force the user’s session mapped XPS Document Writer to use a different driver that doesn’t invite them to surf the web from our datacenter. Fortunately Citrix, drawing on their experience in working around Microsoft’s various incarnations of FAIL, has provided us a very nice solution: The Citrix XPS Universal Printer driver.

Let’s open up our Citrix user policies in Group Policy Management. In this case, there is a separate policy that controls printers. Browse to Printing > Drivers…

Edit the “Printer Driver Mapping and Compatibility” option and click the Add button…

Enter the name of the printer driver (“Microsoft XPS Document Writer”) and set the policy to create the printer with the universal driver only.

Now when the user goes to view the preferences of his locally mapped XPS Document Writer, all he gets is the boring Citrix print dialog, free of any web links!