Support  |  News & Events  |  Blog  |  About  |  Help  

Category Archives: Windows 7

A Brief Respite from CryptoLocker

June 4, 2014 4:00 pmLeave a Comment

A couple of days ago (June 2), the UK’s National Crime Agency announced that law enforcement agencies have effectively disabled key nodes of the GOZeuS network, which provided a key delivery mechanism for CryptoLocker’s ransom malware. They’ve also identified a person believed to be the leader of the criminal enterprise behind GOZeuS, and international officials say that other arrests are “in progress.”

While this is good news, it’s unlikely to be a permanent solution to the ransomware problem, given the distributed nature of Internet-based malware. It does, however, give us some breathing room – perhaps as much as a couple of weeks - to think about how to protect against it.

In case you’re not familiar with what CryptoLocker is, it is a particularly nasty form of malware that first appeared in the fall of 2013, and is typically spread by tricking a user into clicking on a disguised executable. Disguised executables are, in part, enabled by the unfortunate design choice Microsoft made in Windows XP that continued through Windows 7, which was to “Hide extensions for known file types” by default. (Personally, this always annoyed me, and one of the first things I always did when setting up a new PC was to deselect that option. It does appear that it is no longer selected by default in Windows 8 and 8.1.)

This meant that, for example, a Word document that was called “My Important Customer Proposal.docx” would display in Windows Explorer (and elsewhere within the OS) as, simply, “My Important Customer Proposal.” That also meant that if someone sent you an email with a file attachment called MalwareDesignedToStealYourMoney.pdf.exe, it would display in Windows as, simply, MalwareDesignedToStealYourMoney.pdf. An unsophisticated or careless user – or someone who perhaps was just exhausted from a long day and not thinking clearly – might look at the file name and think it was an ordinary Adobe PDF file, and double-click on it to open it up…not realizing that the “.exe” that was hidden from them meant that it was really an executable that was designed to install malware on their system.

“But why,” you might ask, “wouldn’t my anti-virus software protect me against this?” The answer is that some anti-virus products might protect you, depending on how the options are set. But many, if not most, users have local administrator rights to their PCs. (Yes, arguably they shouldn’t, but every IT admin that’s ever tried to take those rights away has had to deal with the howls of protest when users – often top executives – suddenly can’t install iTunes or some other equally essential utility on their PCs.) So unless your AV product is set to scan files whenever they are accessed – a setting that often isn’t enabled even on products that are capable of doing it because it can slow your system down – you won’t know that you’re installing something bad until it’s too late. Local administrators, by definition, have the authority to install software. You launched the installation program, you’re a local administrator, so it’s going to get installed.


Once installed, CryptoLocker checks in with a server on the Internet that assigns a public/private key pair to that PC, and CryptoLocker then happily goes to work using the public key to encrypt all the documents, spreadsheets, pictures, etc., on your system. The latest variants will even encrypt files on network drives if they’re mapped using a drive letter. (So far, it doesn’t appear that CryptoLocker knows how to navigate across UNC paths.) There is even some evidence that the latest variants may wait up to two weeks before locking you out of your files, in the hopes that you will move through a full cycle of backups during that time, meaning that all your backups will also be encrypted and therefore useless to you. Once it’s done its dirty work, you will suddenly be unable to access any of your files, and will be presented with a screen that tells you that you have, typically, 72 hours to submit payment – typically via untraceable money cards or bitcoin – in order to obtain the private key that will decrypt your files. Otherwise, the private key will be automatically destroyed, and your files will be forever out of your reach.

If the thought of having to cough up the equivalent of $300 US or lose all your data leaves you with cold chills (as it does me), what can/should you do?

  • First and foremost, educate your users. One of the most basic rules of computer safety is that you simply don’t open email attachments from people you don’t know – and, for that matter, don’t open them from people you do know unless you were expecting them and know what they are. Remember that it’s not that tough to impersonate someone’s email address. At the moment, most CryptoLocker payloads are disguised as invoices from financial institutions, messages from shipping companies, notices from law enforcement agencies, etc., often with scary messages about account closures, final notices, and amounts due. Also beware of zip file attachments. Make sure your users are aware of these common tricks, so they don’t reflexively click to see what a file attachment is.
  • If you’re still running Windows 7 or earlier, deselect the “Hide extensions for known file types” option. This will at least make it slightly more likely that someone will notice that there’s something not quite right about the file they’re about to click on.
  • Keep your anti-virus products up to date.
  • Restrict permissions on shared folders.
  • Consider removing local admin rights from users.
  • Consider using a prevention tool like “CryptoPrevent” from the folks at Foolish IT, LLC. This is a tool that is free for both private and commercial use – although there is a paid version that will automatically update itself and offers additional features like email alerts when applications are blocked. When installed, it will, silently and automatically, lock down a Windows system by, among other things, preventing executables with double extensions (like “something.pdf.exe”) from running, and preventing executables from running if they’re located in folders where you wouldn’t expect legitimate programs to be located. It implements over 200 rules that will help protect you from other forms of malware as well as CryptoLocker.

    It should be noted that, if you’re running a Professional version of Windows that is joined to a Windows domain, all of these rules could be set via group policies, and there are even pre-packaged prevention kits, such as CryptolockerPreventionKit.zip, available at www.thirdtier.net/downloads that will make it easier to set those group policies. But if you’re not comfortable with the whole concept of group policies and/or you’re not in a Windows domain or you’re running a home version of Windows, CryptoPrevent is a fast and easy way to deal with the issue.

Please do not assume that the latest law enforcement announcements mean that we don’t have to worry about CryptoLocker anymore. It’s estimated that CryptoLocker raked in as much as $30 million just in the first 100 days after it appeared in the wild. With that much money in play, it – or something else like it – will inevitably reappear sooner or later.

Posted in: Best Practices, Security, Windows 7, Windows 8Tagged: , ,

Thin Clients vs. Cheap PCs

June 1, 2011 12:09 pm5 Comments

We have, for a long time, been fans of thin client devices. However, if you run the numbers, it turns out that thin-clients may not necessarily be the most cost-effective client devices for a VDI deployment.

Just before writing this post, I went to the Dell Web site and priced out a low-end Vostro Mini Tower system: 3.2 GHz Intel E5800 dual-core processor, 3 Gb RAM, 320 Gb disk drive, integrated Intel graphics, Windows 7 Professional 64-bit OS, 1 year next-business-day on-site service. Total price: $349.00.

When you buy a new PC with an OEM license of Windows on it, you have 90 days to add Microsoft Software Assurance to that PC. That will cost you $109.00 for two years of coverage. You’re now out of pocket $458.00. However, one of the benefits of Software Assurance is that you don’t need any other Microsoft license component to access a virtual desktop OS. You also have the rights, under SA, to install Windows Thin PC (WinTPC) on the system, which strips out a lot of non-essential stuff and allows you to administratively lock it down - think of WinTPC as Microsoft’s own tool kit for turning a PC into a thin client device.

Now consider the thin client option. A new Wyse Winterm built on Embedded Windows 7 carries an MSRP of $499. There are less expensive thin clients, but this one would be the closest to a Windows 7 PC in terms of the user experience (media redirection to a local Windows Media Player, Windows 7 user interface, etc.). However, having bought the thin client, you must now purchase a Microsoft Virtual Desktop Access (VDA) license to legally access your VDI environment. The VDA license is only available through the Open Value Subscription model, and will cost you $100/year forever. So your total cost over two years is $699 for the Wyse device vs. $458 for the Dell Vostro.

After the initial two year term, you’ll have to renew Software Assurance on the PC for another two years. That will continue to cost you roughly $54.50/year vs. $100/year to keep paying for that VDA license.

Arguably, the Wyse thin client is a better choice for some use cases. It will work better in a hostile environment - like a factory floor - because it has no fan to pull dust and debris into the case. In fact, it has no moving parts at all, and will likely last longer as a result…although PC hardware is pretty darned reliable these days, and at that price point, the low-end PC becomes every bit as disposable as a thin client device.

So, as much as we love our friends at Wyse, the bottom line is…well, it’s the bottom line. And if you’re looking at a significant VDI deployment, it might be worth running the numbers both ways before you decide for sure which way you’re going to go.

Posted in: Licensing, Microsoft, VDI, Virtualization, Windows 7Tagged: , , , ,

Machine Creation Services and KMS

March 30, 2011 4:58 pmLeave a Comment

We’ve written extensively here about the challenges of using Citrix Provisioning Services to provision VMs that require key activation (i.e., Vista, Win7, and Server 2008/2008R2). We publicly rejoiced when the news broke that PVS v5.6, SP1, supported both KMS and MAK activation.

But now, with the advent of XenDesktop 5, there is a new way to provision desktops: Machine Creation Services (“MCS”). As a public service to those who follow this blog, I thought I’d share Citrix’s official statement regarding MCS and KMS activation:

MCS does not support or work with KMS based Microsoft Windows 7 activation by default, however the following workaround has been provided and will be supported by Citrix Support should an issue arise.

For details on the workaround, click through the link above to the KB article.

It does not appear that there is a workaround that will allow MCS to be used with MAK activation, and I saw a comment by a Citrix employee on a forum post that indicated that there were “no plans to support it in the near future.” So…MCS with KMS, yes; MCS with MAK, no.

Not having MAK support probably isn’t a big deal, since the main reason why you would go with MAK activation rather than KMS activation would be if you had fewer than 25 desktops to activate, and if you have fewer than 25 virtual desktops, you may as well just stick with 1-to-1 images instead of messing around with provisioning anyway. But we thought you should know.

You’re welcome.

Posted in: Citrix, Licensing, Microsoft, VDI, Virtualization, Windows 7, XenDesktopTagged: , , , , , , ,

VM Hosted Apps - and Why You Should Care

December 27, 2010 9:22 pm6 Comments

I’ve found that one of the least-understood features of XenApp is “VM hosted apps.” So, gentle reader, I thought it was time to try to bring some clarity to what is actually a very cool piece of technology, and may actually be the solution for how to continue to deliver IE6 for the Web apps that require it, even after you upgrade to Win7. (As you probably know, Microsoft has, so far, taken the position that packaging, streaming, or otherwise delivering IE6 by itself is a violation of their license - much to the consternation of users who have applications that depend on it.)

Why it exists
Anyone who has been around the block a few times with XenApp knows that there are some applications that just don’t play nicely in a multi-user environment. I can tell you that our own engineering team has become quite talented at making applications run in a XenApp environment even when the application vendors themselves said it couldn’t be done. And as the older DOS-based and 16-bit Windows applications gradually die of old age, things in general are getting better. Tools like application isolation and application streaming can help as well. But every now and then, you’ll run into an application that either just won’t run in a Remote Desktop Services (formerly Terminal Services) environment, or won’t play nicely with other applications, or misbehaves when more than one person at at time tries to run it.

We also occasionally run into applications that require some kind of hardware “dongle” as a license enforcement mechanism. Other applications have license mechanisms that are dependent on IP or MAC addresses, and/or save user-specific information that will require the application user to go back to the same system each time s/he wants to run the application. Finally, there may be users who need a very high-performance graphics processing unit, e.g., to run a graphics-intensive CAD program.

To help you deal with this, Citrix included a little bit of XenDesktop technology in XenApp, beginning with XenApp 5 Feature Pack 2. It’s only fair, after all, since XenApp functionality is now included in XenDesktop Enterprise and Platinum Editions, but while XenDesktop 4 (and now XenDesktop 5) includes all the functionality of XenApp for delivering applications to your XenDesktop users, XenApp’s VM hosted apps feature contains just enough XenDesktop functionality to create virtual - or physical - desktop systems specifically to run individual applications. In fact, that’s all those systems do. You can’t deliver multiple VM hosted apps from a single PC Operating System (well, not very easily anyway).

How it works
First of all, you have to build out the basic components of a XenDesktop farm. Yes, it can share some components with the rest of your infrastructure, but you’re going to need to build a Desktop Delivery Controller, you’re going to need a XenDesktop farm database, you’re going to need either a virtualization host (if you’re going to use virtual PC instances) or some physical PCs or blades, and you’re going to need an Operating System image with the target application installed into it. You may also deploy Provisioning Services if you want to stream the OS image either to your virtual infrastructure or to your blade PCs. In short, you go through the same process that you would go through if you were putting together a XenDesktop infrastructure to deliver a virtual desktop…but in this case, we’re delivering an application, not a desktop.

Here’s a high-level overview of the process:

  • Create an OS image.
  • Install the XenDesktop Virtual Desktop Agent into the image.
  • Install the desired application. If the application needs “helper apps” (e.g., an accounting app may require Microsoft Excel to display reports), you can install them too. You can even install the Citrix Online Plugin, Offline Plugin, Single Sign-On Plugin, etc., if you want to launch those helper apps on a XenApp server or have XenApp stream them down to the desktop image for local execution.
  • Create a shortcut for your desired application. If you really need to launch multiple applications, or launch something like the Citrix Online Plugin, create a script or batch file to launch the applications you want to launch, then create a shortcut to that script or batch file instead.
  • Place that shortcut into the C:Program FilesCitrixICA ServiceSeamlessInitialProgram folder of your desktop image. NOTE: If you try to put more than one shortcut in that folder, you will get an error!
  • Using the Citrix XenDesktop tools, convert your image into a VHD if you’re going to be streaming it via Provisioning Services or deploying it in a virtual environment. Like any other XenDesktop image, it can be a private image that is either preassigned to a specific user or assigned on first logon, or it can be a public image that you use with Provisioning Services to boot and run multiple instances.
  • Publish that application. It can be displayed via the Citrix Web Interface right alongside other applications that are being delivered via XenApp.

When the user clicks the icon, the application will be launched within the desktop OS, but will run as a “seamless app,” meaning that it looks and feels to the user as though it was running locally (just as applications published from the XenApp farm do). The user will never know, or care, which apps are running on XenApp servers and which are running on desktop OS instances.

Just as you would with any other XenDesktop deployment, you can configure, via the Desktop Delivery Controller, how many OS instances you want running in an idle state at any given point in time during the day - this eliminates the need for the user to wait for the PC/OS to boot before launching the app. Remember, though, that a desktop OS is not multiuser…meaning that if you have ten people who may need to run that application at the same time, you have to provide resources for ten virtual PC instances (or ten blades, as the case may be). And if you have two different applications that need to be deployed this way, you’re probably going to need to provide separate resources for each application. (Yes, I suppose you could create a script that launched both apps - but do you really want your users to click on a single icon and launch two completely different apps? Never mind the fact that the users who need one of the apps may have no overlap with the users who need the other one.)

Here are a couple more things to remember:

  • Your users are going to be remotely interacting with a Microsoft Desktop OS. That means you’re going to have to comply with Microsoft’s VDI licensing requirements. We’ve beat that horse to death elsewhere in this blog, so we won’t go into it again here.
  • Citrix never expected that VM hosted apps would be used for more than one or two percent of all the applications you may need to deploy in a XenApp environment. But sometimes that one or two percent represent business-critical apps, even if they’re only business-critical to a handful of your users.
  • You do not need XenDesktop licenses to do this. Users who launch a VM hosted app will consume a concurrent-use license from your XenApp license server. Users who launch multiple apps, e.g., a VM hosted app and several other apps delivered via XenApp, will still consume a single license.
  • You could also use VM hosted apps to quickly deploy an application while you’re figuring out how to make that application run on XenApp. Once you’ve figured that out, just re-publish the application. The users will never know - they’ll go to the same Web Interface and click on the same icon, and the app will launch.

So - back where we started this: If you’re one of those who are struggling to figure out how you’re going to continue to support IE6 in your environment while still migrating your users off of Windows XP, this is one potential answer for you. Deploy IE6 on Windows XP using VM hosted apps. Your users will never see the XP desktop, so they’ll never know.

A very cool tool to have in your toolbox, in our opinion.

If you want to know more about VM hosted apps, here are a couple of videos from Citrix TV. The first is from the XenApp Expert Series, with our old buddy Vinny Sosa (on the left) and Modesto Tabares talking about various use cases for the feature. This one will take you about 25 minutes if you watch the whole thing:

…and here’s a more technical video from the Learning Lap series that actually takes you through the installation and configuration of VM hosted apps. This one is about 20 minutes long:

Posted in: Application Virtualization, Citrix, Microsoft, VDI, Virtualization, Windows 7, XenApp, XenDesktopTagged: , , , , , , ,

Citrix Fixes the Provisioning Services - KMS Problem!

November 17, 2010 12:24 pm7 Comments

This is big news for anyone who wants to use XenDesktop to facilitate a Windows 7 migration. Here’s why: It only takes a moment’s thought to realize that if your desktop virtualization project simply trades inexpensive desktop SATA storage for expensive data center SAN storage, it’s not going to do good things for your ROI. So provisioning your virtual desktops from a shared Standard Image is a must. And that’s what Provisioning Services (“PVS”) allows you to do. If your standard Windows 7 OS image is, say, 15 Gb, you only need one instance of it on your SAN regardless of how many virtual PCs you’re provisioning from it. Then, using the Citrix Profile Management tool in conjunction with standard Group Policy folder redirection techniques, you can merge user personalization at logon time.

There was only one problem…turning a Win7 vDisk into a Standard Image broke the Microsoft license key. The only way around that was to use Key Management Services (KMS) to auto-activate systems as they were provisioned, but there were problems in using KMS with PVS, as we’ve documented in earlier posts.

I am happy to report that the problem has been addressed in PVS v5.6, SP1, which is now available for download at the Citrix download site. Not only that, but PVS v5.6, SP1, also works with a Multiple Activation Key (MAK) for smaller environments where KMS is not justified. Here’s the difference between the two activation methods:

KMS is a service that runs on a server in your own network. It supports Windows Server 2008 and 2008 R2, Vista, Win7, and Office 2010. However, it requires a minimum number of systems checking in for activation before any systems will be activated. That threshold is 8 systems for server activation, and 25 systems for workstation activation. Prior to SP1, systems provisioned from a Standard Image looked to the KMS server like the same system checking in again and again, so the threshold counter didn’t increment. SP1 fixes that. Please note, however, that you must be running KMS on a 2008 R2 server if you want virtual machines to increment the threshold counter.

With an MAK, the activation server is hosted at Microsoft. The MAK is a reusable key that’s good for a predefined number of activations. With SP1, PVS will cache the activation confirmation code for each system, so they will automatically reactivate on subsequent reboots.

Here is the configuration process, straight from Citrix. First of all, the Imaging Wizard allows you to choose which activation method you’re going to use:

PVS Imaging Wizard

Choosing the Activation Method

Once you’ve chosen either KMS or MAK, here are the next steps:

KMS Activation

  • Reset the activation status on the vDisk image:
    • Boot the master target device from vDisk in Private Image mode
    • Run slmgr.vbs -rearm in console on master target device
    • Shut-down master target device
  • Put disk in Standard Image mode and stream. Target devices will automatically register with KMS server, and activate (provided there are at least 25 systems checking in).

MAK Activation

  • Put disk in Standard Image mode and stream.
  • Use “Manage MAK Activations” to remotely activate streamed target devices. This is done only once per group of devices.
  • Provisioning Services will cache activation confirmation code for each device so that devices will automatically reactivate on subsequent reboots.

Kudos to the Citrix PVS development team for getting this done and out the door. Great job!

Posted in: Citrix, Licensing, Microsoft, Provisioning Services, VDI, Virtualization, Windows 7, XenDesktopTagged: , , , , , , ,