Secure

Mar 28, 2017

This topic contains recommended best practices for securing Profile Management. In general, secure the servers on which the user store is located to prevent unwanted access to Citrix user profile data.

Recommendations on creating secure user stores are available in the article Create a file share for roaming user profiles on the Microsoft TechNet Web site. These are minimum recommendations that ensure a high level of security for basic operation. Additionally, when configuring access to the user store, include the Administrators group, which is required to modify or remove a Citrix user profile.

Permissions

Citrix tests and recommends the following permissions for the user store and the cross-platform settings store:
  • Share permissions: Full control of the user store root folder
  • The following NTFS permissions, as currently recommended by Microsoft:

    Group or user name                                Permission                                      Apply to
    ------------------------------------------------  ----------------------------------------------  ----------------------------------
    Creator Owner                                     Full Control                                    Subfolders and files only
    <The group of accounts under Profile              List Folder / Read Data and                     This folder only
    management control>                               Create Folders / Append Data
    Local System                                      Full Control                                    This folder, subfolders and files

Assuming inheritance is not disabled, these permissions allow the accounts to access the stores, create subfolders for users' profiles, and perform the necessary read and write operations.

Beyond this minimum, you can also simplify administration by creating a group of administrators with full control of subfolders and files only. This makes deleting profiles (a common troubleshooting task) easier for members of that group.

If you use a template profile, users need read access to it.

Access control list (ACL)

If you use the cross-platform settings feature, set ACLs on the folder that stores the definition files as follows: read access for authenticated users, and read-write access for administrators.

Windows roaming profiles automatically remove administrator privileges from the folders containing profile data on the network. Profile Management does not automatically remove these privileges from folders in the user store but, depending on your organization's security policies, you can do so manually.

Note: If an application modifies the ACL of a file in the user's profile, Profile Management does not replicate those changes in the user store. This is consistent with the behavior of Windows roaming profiles.
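The permissions table in the Permissions section and the ACL requirements for the cross-platform definitions folder, expressed as a PowerShell script that you would run on the file server. This is an added example, not Citrix code or tooling. The store path D:\UpmStore, the hidden share name UpmStore$, the group names CORP\UPM-Users (the accounts under Profile Management control) and CORP\UPM-Admins (the optional administrators group described above), and the definitions folder path D:\UpmDefinitions are placeholders for a lab; the definitions folder is assumed to sit on its own share. The last function is the check a reviewer would run after applying the table: it reports any ACE on the store root that grants write-class rights to broad principals such as Everyone or BUILTIN\Users.

```powershell
#Requires -RunAsAdministrator
# Added example, not Citrix code. Applies the recommended user store permissions and the
# cross-platform definitions folder ACL, then audits the store root for over-broad ACEs.
# Every path, share name and group name below is an assumption for a lab; replace them.
param(
    [string]$StorePath       = 'D:\UpmStore',        # assumed local path of the user store
    [string]$ShareName       = 'UpmStore$',          # assumed hidden share name
    [string]$ProfileGroup    = 'CORP\UPM-Users',     # assumed: accounts under Profile Management control
    [string]$AdminGroup      = 'CORP\UPM-Admins',    # assumed: optional profile administrators group
    [string]$DefinitionsPath = 'D:\UpmDefinitions'   # assumed: cross-platform definition files (own share)
)

function New-FsRule {
    # Build one Allow ACE. The enum-typed parameters accept the enum names as strings.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-UpmUserStoreAcl {
    # NTFS permissions from the table: Creator Owner, the profile users group and Local System,
    # plus the optional administrators group with Full Control on subfolders and files only.
    param([string]$Path, [string]$ProfileGroup, [string]$AdminGroup)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    # Stop the root inheriting ACEs from the volume (typically BUILTIN\Users read access);
    # subfolders still inherit from the root, which the table relies on.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-FsRule 'CREATOR OWNER' FullControl 'ContainerInherit, ObjectInherit' InheritOnly))
    # ListDirectory = List Folder / Read Data; CreateDirectories = Create Folders / Append Data
    $acl.AddAccessRule((New-FsRule $ProfileGroup 'ListDirectory, CreateDirectories' None None))
    $acl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM' FullControl 'ContainerInherit, ObjectInherit' None))
    if ($AdminGroup) {
        $acl.AddAccessRule((New-FsRule $AdminGroup FullControl 'ContainerInherit, ObjectInherit' InheritOnly))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-UpmUserStoreShare {
    # Share permissions from the table: Full Control on the store root; NTFS does the real gating.
    param([string]$Name, [string]$Path, [string[]]$FullAccess)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # Access-based enumeration hides other users' profile folders from directory listings.
        # It is an addition to the table, not a substitute for the NTFS ACL.
        New-SmbShare -Name $Name -Path $Path -FullAccess $FullAccess -FolderEnumerationMode AccessBased | Out-Null
    }
}

function Set-UpmDefinitionsAcl {
    # Cross-platform definition files: read for Authenticated Users, read-write for Administrators.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-FsRule 'NT AUTHORITY\Authenticated Users' ReadAndExecute 'ContainerInherit, ObjectInherit' None))
    # Modify = read-write plus delete, so administrators can replace or remove definition files.
    $acl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' Modify 'ContainerInherit, ObjectInherit' None))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-UpmUserStoreAcl {
    # Report ACEs that give broad principals any write-class right on the store root.
    # One string per finding; no output means the root matches the intent of the table.
    param([string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeMask)) {
            "$($ace.IdentityReference) has $($ace.FileSystemRights) on $Path (inherited: $($ace.IsInherited))"
        }
    }
}

Set-UpmUserStoreAcl   -Path $StorePath -ProfileGroup $ProfileGroup -AdminGroup $AdminGroup
New-UpmUserStoreShare -Name $ShareName -Path $StorePath -FullAccess @($ProfileGroup, $AdminGroup)
Set-UpmDefinitionsAcl -Path $DefinitionsPath
Test-UpmUserStoreAcl  -Path $StorePath | ForEach-Object { Write-Warning $_ }
```

Disabling inheritance on the store root is what makes the table meaningful: without it, the volume's default ACEs (such as read access for BUILTIN\Users) are inherited into every profile folder. Inheritance from the root into the per-user subfolders is left on, because that is how the Creator Owner and Local System entries reach the profile folders that the profile users group creates.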

Profile streaming and enterprise antivirus products

The streamed user profiles feature of Citrix Profile Management makes use of advanced NTFS features to simulate the presence of files missing from users' profiles. In that respect, the feature is very similar to a class of products known as Hierarchical Storage Managers (HSMs), which are typically used to archive infrequently used files onto slow mass-storage devices such as magnetic tape or rewritable optical storage. When such files are required, HSM drivers intercept the first file request, suspend the process making the request, fetch the file from the archive storage, and then allow the file request to continue. Given this similarity, the streamed user profiles driver, upmjit.sys, is in fact defined as an HSM driver.

In such an environment, antivirus products must be configured to be aware of HSM drivers, and the streamed user profiles driver is no different. To defend against the most sophisticated threats, antivirus products perform some of their functions at the device driver level and, like HSM drivers, work by intercepting file requests, suspending the originating process, scanning the file, and resuming.

It is relatively easy to misconfigure an antivirus program to interrupt an HSM such as the streamed user profiles driver, preventing it from fetching files from the user store, and causing the logon to hang.

Fortunately, enterprise antivirus products are usually written with the possibility of sophisticated storage products, such as HSMs, in mind and can be configured to delay their scanning until the HSM has done its work. Note that home antivirus products are generally less sophisticated in this respect, so the use of home and SoHo (small office/home office) antivirus products is not supported with streamed user profiles.

To configure your antivirus product for use with streamed user profiles, look for one of the following product features. Feature names are indicative only:
  • Trusted process list. This identifies HSMs to the antivirus product, which allows the HSM to complete the file retrieval process. The antivirus product scans the file when it is first accessed by a non-trusted process.
  • Do not scan on open or status-check operations. This configures the antivirus product to only scan a file when data is accessed (for example, when a file is executed or created). Other types of file access (for example, when a file is opened or its status checked) are ignored by the antivirus product. HSMs generally activate in response to file-open and file-status-check operations, so disabling virus scans on these operations eliminates potential conflicts.

Citrix tests streamed user profiles with versions of the leading enterprise antivirus products to ensure that they are compatible with Profile Management. These versions include:

  • McAfee Virus Scan Enterprise 8.7
  • Symantec Endpoint Protection 11.0
  • Trend Micro OfficeScan 10

Earlier versions of these products are not tested.

If you are using an enterprise antivirus product from other vendors, ensure that it is HSM-aware, that is, it can be configured to allow HSM operations to complete before performing scans.

Some antivirus products allow administrators to choose to only scan-on-read or scan-on-write. This choice balances performance against security. The streamed user profiles feature is unaffected by the choice.

Troubleshoot Profile Management in streaming and antivirus deployments

If you encounter issues, such as logons hanging or taking a very long time, there may be a misconfiguration between Profile Management and your enterprise antivirus product. Try the following procedures, in this order:

  1. Check that you have the latest version of Profile Management. Your issue may already have been found and fixed.
  2. Add the Profile Management service (UserProfileManager.exe) to the list of trusted processes for your enterprise antivirus product.
  3. Turn off virus checking on HSM operations such as open, create, restore, or status check. Only perform virus checks on read or write operations.
  4. Turn off other sophisticated virus checking features. For example, antivirus products may perform a quick scan of the first few blocks of a file to determine the actual file type. These checks match the file contents with the declared file type but can interfere with HSM operations.
  5. Turn off the Windows search-indexing service, at least for the folders where profiles are stored on local drives. This service causes unnecessary HSM retrievals, and has been observed to provoke contention between streamed user profiles and enterprise antivirus products.

If none of these steps work, turn off streamed user profiles (by disabling the Profile streaming setting). If this works, re-enable the feature and disable your enterprise antivirus product. If this also works, gather Profile Management diagnostics for the non-working case and contact Citrix Technical Support. They will need to know the exact version of the enterprise antivirus product.

To continue using Profile Management in the meantime, re-enable the enterprise antivirus product and leave streamed user profiles turned off. Other features of Profile Management continue to function in this configuration; only the streaming of profiles is disabled.
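A small diagnostic to run on an affected machine before working through the steps above. It collects the facts the procedure turns on: the installed Profile Management version (read from UserProfileManager.exe, which the service is located by, rather than by an assumed service name), whether the upmjit.sys driver is registered and started, whether profile streaming is enabled by policy, and whether the Windows Search service (WSearch) is running. This is an added example, not Citrix tooling; the registry value PSEnabled under HKLM\SOFTWARE\Policies\Citrix\UserProfileManager is assumed to be where the Profile streaming policy lands, so verify that against your own build before trusting that field.

```powershell
# Added example, not Citrix tooling. Collects the state the troubleshooting steps above depend on.
function Get-UpmStreamingDiagnostics {
    # Locate the Profile Management service by its executable (named on this page) rather than
    # by an assumed service name, then read the product version from the binary itself.
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like '*UserProfileManager.exe*' } |
        Select-Object -First 1
    $exe = $null
    $version = $null
    if ($svc -and $svc.PathName -match '^"?([^"]+\.exe)') {
        $exe = $Matches[1]
        if (Test-Path -LiteralPath $exe) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }
    }

    # The streamed user profiles (HSM) driver, found by file name in the registered driver list.
    $drv = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*upmjit.sys' } |
        Select-Object -First 1

    # ASSUMPTION: policy key and value name for the "Profile streaming" setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Citrix\UserProfileManager'
    $psEnabled = (Get-ItemProperty -Path $policyKey -Name PSEnabled -ErrorAction SilentlyContinue).PSEnabled
    $streamingPolicy = switch ($psEnabled) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { 'Not configured' }
    }

    # Windows Search provokes unnecessary HSM retrievals on local profile folders (step 5 above).
    $search = Get-Service -Name WSearch -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceName            = if ($svc) { $svc.Name } else { $null }
        ServiceState           = if ($svc) { $svc.State } else { 'not installed' }
        ProfileManagementExe   = $exe
        ProductVersion         = $version
        StreamingDriverState   = if ($drv) { $drv.State } else { 'not registered' }
        StreamingDriverStarted = if ($drv) { [bool]$drv.Started } else { $false }
        ProfileStreamingPolicy = $streamingPolicy
        WindowsSearchState     = if ($search) { $search.Status.ToString() } else { 'not installed' }
    }
}

Get-UpmStreamingDiagnostics | Format-List
```

Capture this output once for the working configuration and once for the failing one; together with the antivirus product's exact version it is what Citrix Technical Support asks for, and the driver and policy fields tell you immediately whether the "turn off Profile streaming" step actually took effect on the machine.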