Citrix Virtual Apps and Desktops

Secure Web Studio deployment

April 17, 2025

Contributed by:

This article highlights configuration areas that can affect system security when deploying Web Studio.

Note:

To secure communication between users’ web browsers and Web Studio, see Enable TLS on Web Studio and Director.

Configure IIS settings

As a security best practice, configure Web Studio with a restricted IIS configuration:

Restrict request filtering:
- If you install Web Studio with Director, IIS is automatically configured with the following filtering rules.
- If you install Web Studio as a stand-alone component, manually configure IIS as follows:
  - Allow only the following file name extensions:
    
    ., .aspx, .css, .eot, .html, .ico, .js, .png, .svc, .svg, .jpg, .gif, .json, .woff, .woff2, .ttf
    
    For more information, see this Microsoft article.
  - Allow only the following HTTP verbs:
    
    GET, POST, HEAD
    
    For more information, see this Microsoft article.
Remove unrequired handler mappings.

Web Studio requires only the StaticFile handler mapping. Remove all others. For more information, see this Microsoft article.
Remove unused ISAPI filters.

Web Studio does not require any ISAPI filters. You can remove all of them. For more information, see this Microsoft article.

Note:

ASP.NET requires the ISAPI Windows feature.
Delete the following default IIS landing page files from C:\inetpub\wwwroot:
- iisstart.htm
- welcome.png
Ensure that .NET Trust Level remains set to Full Trust. This setting is configured automatically during installation and is required for Web Studio to function correctly. Do not change it.

Remove unused application pool rights

During installation, the Web Studio application pool is granted the following user rights:

Log on as a service
Adjust memory quotas for a process
Generate security audits
Replace a process level token

These rights are standard for IIS application pools. Web Studio does not use them, and you can remove them.

Isolate Web Studio deployment

You can deploy any web applications in the same web domain (domain name and port) as Web Studio. However, any security risks in those web applications can potentially reduce the security of your Web Studio deployment. Where a greater degree of security separation is required, we recommend that you deploy Web Studio in a separate web domain from any other third-party applications.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Secure Web Studio deployment

April 17, 2025

Contributed by:

April 17, 2025

Contributed by:

Secure Web Studio deployment

Configure IIS settings

Remove unused application pool rights

Isolate Web Studio deployment

In this article