Citrix XenApp Disable File Execution From Mapped Drive

By default, the drives on the client system are mapped automatically to drive letters on the server when users log on. The client’s disk drives appear as shared folders with mapped drive letters. These drives are used by Windows Explorer and other applications like any other network drive.

In general, XenApp tries to match the client drives to the client drive letters; for example, the client device’s first floppy disk drive to A, the second floppy disk drive to B, the first hard disk partition to C, and so forth. This allows the user to access client drive letters in the same way locally and within sessions.

However, the same drive letters are often in use by the drives on the server. In this case, client drives are mapped to different drive letters. The server starts at V and searches in ascending order for unassigned drive letters.

You can turn off client drive mapping through policies you configure in XenApp. Similarly, you can turn off mapping to client floppy disk drives, hard drives, CD-ROM drives, or remote drives.

If access to the floppy disk drives is not needed, consider disabling access to speed up the logon process.

As a security precaution, when a user logs on to XenApp, by default, the server maps client drives without user execute permission. For users to be able to execute files residing on mapped client drives, override this default by editing the value of ExecuteFromMappedDrive in the registry on a XenApp server.

To enable users to execute files on mapped drives

  1. After installing XenApp, run regedit.
  2. Find the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdm\Parameters\ExecuteFromMappedDrive
  3. To grant users execute permission on mapped drives, set ExecuteFromMappedDrive to 1. This is the default setting. To deny users execute permission on mapped drives, set ExecuteFromMappedDrive to 0.
  4. Restart the server.
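
The same registry change scripted in PowerShell, as an added example (not from Citrix or the original page): it reads the current value and, as a dry run, shows the change to 0 that denies execution from mapped client drives. It assumes ExecuteFromMappedDrive is a REG_DWORD value under the Cdm\Parameters key; the function names are hypothetical.

```powershell
# Added example: audit and set ExecuteFromMappedDrive on the local XenApp server.
# Assumption: ExecuteFromMappedDrive is a REG_DWORD value under Cdm\Parameters.
# Run from an elevated PowerShell session.
$CdmKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdm\Parameters'
$ValueName = 'ExecuteFromMappedDrive'

function Get-ExecuteFromMappedDrive {
    # Returns the current value, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $CdmKey)) { return $null }
    $item = Get-ItemProperty -Path $CdmKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-ExecuteFromMappedDrive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value   # 0 = deny execute, 1 = grant execute
    )
    if (-not (Test-Path -Path $CdmKey)) {
        throw "Key $CdmKey not found on this server."
    }
    $current = Get-ExecuteFromMappedDrive
    if ($current -eq $Value) {
        Write-Output "$ValueName is already $Value; nothing to change."
        return
    }
    if ($PSCmdlet.ShouldProcess($CdmKey, "Set $ValueName to $Value")) {
        # -Force overwrites an existing value and creates it when missing.
        New-ItemProperty -Path $CdmKey -Name $ValueName -Value $Value `
            -PropertyType DWord -Force | Out-Null
        Write-Output "$ValueName changed from '$current' to $Value. Restart the server to apply."
    }
}

# Report the current state, then preview the hardening change.
$state = Get-ExecuteFromMappedDrive
if ($null -eq $state) {
    Write-Output "$ValueName is not set under $CdmKey."
} else {
    Write-Output "$ValueName is currently $state."
}
Set-ExecuteFromMappedDrive -Value 0 -WhatIf   # remove -WhatIf to write the value
```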
