This topic contains recommended best practice for securing Profile Management. In general, secure the servers on which the user store is located to prevent unwanted access to Citrix user profile data.
Recommendations on creating secure user stores are available in the article called Create a file share for roaming user profiles on the Microsoft TechNet Web site. These minimum recommendations ensure a high level of security for basic operation. Additionally, when configuring access to the user store, include the Administrators group, which is required to modify or remove a Citrix user profile.
Citrix tests and recommends the following permissions for the user store and the cross-platform settings store:
- Share Permissions: Full control of the user store root folder
The following NTFS permissions, as currently recommended by Microsoft:
Group or User Name Permission Apply To Creator Owner Full Control Subfolders and files only <The group of accounts under Profile management control> List Folder / Read Data and Create Folders / Append Data This folder only Local System Full Control This folder, subfolders, and files
Assuming inheritance is not disabled, these permissions allow the accounts to access the stores. And allow the accounts to create subfolders for users’ profiles and perform the necessary read and write operations.
Beyond this minimum, you can also simplify administration by creating a group of administrators with full control of subfolders and files only. Then deleting profiles (a common troubleshooting task) becomes easier for members of that group.
If you use a template profile, users need read access to it.
Access control list (ACL)
If you use the cross-platform settings feature, set ACLs on the folder that stores the definition files as follows: read access for authenticated users, and read-write access for administrators.
Windows roaming profiles automatically removes administrator privileges from the folders containing profile data on the network. Profile Management does not automatically remove these privileges from folders in the user store. Depending on your organization’s security policies, you can do so manually.
Note: If an application modifies the ACL of a file in the user’s profile, Profile Management does not replicate those changes in the user store. It is consistent with the behavior of Windows roaming profiles.
Profile streaming and enterprise antivirus products
The streamed user profiles feature of Citrix Profile Management uses advanced NTFS features to simulate the presence of files missing from users’ profiles. In that respect, the feature is very similar to a class of products known as Hierarchical Storage Managers (HSMs). HSMs are typically used to archive infrequently used files on to slow mass-storage devices such as magnetic tape or rewritable optical storage. When such files are required, HSM drivers intercept the first file request, suspend the process making the request, fetch the file from the archive storage. And then allow the file request to continue. Given this similarity, the streamed user profiles driver, upmjit.sys, is in fact defined as an HSM driver.
In such an environment, configure antivirus products to be aware of HSM drivers, and the streamed user profiles driver is no different. To defend against the most sophisticated threats, antivirus products must perform some of their functions at the device driver level. And, like HSM drivers, they work by intercepting file requests, suspending the originating process, scanning the file, and resuming.
It is relatively easy to misconfigure an antivirus program to interrupt an HSM such as the streamed user profiles driver, preventing it from fetching files from the user store, and causing the logon to hang.
Fortunately, enterprise antivirus products are written with the possibility of sophisticated storage products, such as HSMs, in mind. And they can be configured to delay their scanning until the HSM has done its work. Home antivirus products are less sophisticated in this respect. So the use of home and SoHo (small office/home office) antivirus products is not supported with streamed user profiles.
To configure your antivirus product for use with streamed user profiles, look for one of the following product features. Feature names are indicative only:
- Trusted process list. Identifies HSMs to the antivirus product, which allows the HSM to complete the file retrieval process. The antivirus product scans the file when it is first accessed by a non-trusted process.
- Do not scan on open or status-check operations. Configures the antivirus product to scan only a file when data is accessed (for example, when a file is executed or created). Other types of file access (for example, when a file is opened or its status checked) are ignored by the antivirus product. HSMs generally activate in response to file-open and file-status-check operations, so disabling virus scans on these operations eliminates potential conflicts.
Citrix tests streamed user profiles with versions of the leading enterprise antivirus products to ensure that they are compatible with Profile Management. These versions include:
- McAfee Virus Scan Enterprise 8.7
- Symantec Endpoint Protection 11.0
- Trend Micro OfficeScan 10
Earlier versions of these products are not tested.
If you are using an enterprise antivirus product from other vendors, ensure that it is HSM-aware. It can be configured to allow HSM operations to complete before performing scans.
Some antivirus products allow administrators to choose to scan-on-read or scan-on-write. This choice balances performance against security. The streamed user profiles feature is unaffected by the choice.
Troubleshoot Profile Management in streaming and antivirus deployments
If you encounter issues, such as logons hanging or taking a very long time, there might be a misconfiguration between Profile Management and your enterprise antivirus product. Try the following procedures, in this order:
- Check that you have the latest version of Profile Management. Your issue may already have been found and fixed.
- Add the Profile Management service (UserProfileManager.exe) to the list of trusted processes for your enterprise antivirus product.
- Turn off virus checking on HSM operations such as open, create, restore, or status check. Only perform virus checks on read or write operations.
- Turn off other sophisticated virus checking features. For example, antivirus products may perform a quick scan of the first few blocks of a file to determine the actual file type. These checks match the file contents with the declared file type but can interfere with HSM operations.
- Turn off the Windows search-indexing service, at least for the folders where profiles are stored on local drives. This service causes unnecessary HSM retrievals, and has been observed to provoke contention between streamed user profiles and enterprise antivirus products.
If none of these steps work, turn off streamed user profiles (by disabling the Profile streaming setting). If it works, re-enable the feature and disable your enterprise antivirus product. If it also works, gather Profile Management diagnostics for the non-working case and contact Citrix Technical Support. They need to know the exact version of enterprise antivirus product.
To continue using Profile Management, do not forget to re-enable the enterprise antivirus and turn off streamed user profiles. Other features of Profile Management continue to function in this configuration. Only the streaming of profiles is disabled.