<div>
Is the problem that you might give access to command prompt that should not have it?<br />
I would assume that the command window opens with the same privilege that the user has. Is this wrong?<br />
<br />
So I'm not sure if this is a bug to get to a super user command prompt or not. <br />
<br />
Can you explain your concern please? Are we just talking about keeping a command prompt from users all together?
</div>


<div>
Not sure if this article is any help or not for your use. But here it is anyway: <a href="https://discussions.citrix.com/topic/387382-citrix-xenapp-7x-windows-server-lockdown-policy-via-gpo/" rel="ugc">https://discussions.citrix.com/topic/387382-citrix-xenapp-7x-windows-server-lockdown-policy-via-gpo/</a>
</div>


<div>
<blockquote>
I can't remove command prompt access from the system all together as some of our published applications execute/launch via command prompt/batch script.
</blockquote>
Within the same user?<br />
<br />
Your only option is to disable CMD all together. You will always have ways to get to it
</div>


<div>
Thanks for all your input, the issue is we can't have users have the ability to access the command prompt via any application. &nbsp;The exception will be admins.<br />
<br />
My concern was if I introduce the policy to block command line access for all, will this render my published apps that use the command prompt and launch a batch script useless?<br />
<br />
Thanks
</div>


<div>
Perhaps I can adjust the permissions on the command prompt executable to get around this? &nbsp;Will try that in a bit and report back.
</div>


<div>
Ok. I was just not sure what a user might be able to do with a command prompt as a non-admin user? (I have never really had to worry about that, so I would have to investigate what a regular user could do if they had access to the command prompt, but no privileges.)<br />
<br />
Let us know what you decide to do.
</div>


<div>
I wasn't able to adjust the permissions on the command prompt itself, so will have to do this via some sort of policy.
</div>


<div>
Still trying to figure out what you are really trying to stop?<br />
<br />
Wondering. If there are certain commands you want to protect, perhaps a new directory can be created with admin access only, addition to path, and move the restricted commands to that directory. &nbsp;Admin use of certain “functions” should still work, but non-admin users would be unable to execute those commands. <br />
<br />
I’ve never tried this approach but maybe it can help limit commands the prompt can use for non-admin users
</div>


<div>
I have provided screen shots and what was provided as part of the finding. &nbsp;As far as the concerns about the command prompt, just wanted to note that we initiate batch scripts that run to launch programs.<br />
<br />
<br />
The audit finding came up that we need to lock down the command line option from the context menu.<br />
<br />
(Audit Finding)<br />
It was possible to access the save file context menu (and thus a command window) through the print menu, using the following steps.<br />
1. Using the Citrix &quot;Help&quot; menu, access the print menu using the print icon (Fig 1)<br />
2. Check the &quot;Print to file&quot; option<br />
3. Click &quot;Print&quot;, a save file context menu will open<br />
4. Right click and click &quot;Open a command window here&quot; (Fig 2)<br />
5. Through this command prompt you can now access server resources (Fig 3)<br />
<a href="https://filedb.experts-exchange.com/incoming/2019/01_w03/1409686/Command_SS1.jpg" target="_blank" class="file-inline" title="Command_SS1.jpg (118 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Command_SS1.jpg</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2019/01_w03/1409688/Command_SS2.jpg" target="_blank" class="file-inline" title="Command_SS2.jpg (98 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Command_SS2.jpg</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2019/01_w03/1409689/Command_SS3.jpg" target="_blank" class="file-inline" title="Command_SS3.jpg (58 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Command_SS3.jpg</a>
</div>


Command_SS2.jpg

Command_SS3.jpg

Command_SS1.jpg

<div>
Ah, thank you. &nbsp;It is still a bit confusing to me, but I see it does create some interesting conflicting needs. <br />
<br />
I wish I had a better answer. It looks to me you either get locking it out, or you get it.<br />
<br />
Maybe policy is the best solution. <br />
<br />
Good luck.
</div>


<div>
Since this is still open hope to get some fresh ideas. &nbsp;We were thinking as a workaround to this issue, we could exclude the auto-generated printers that we know this is a problem for such as Microsoft Print to PDF. &nbsp;Issue - see that this is using the Citrix Universal Printer. So though I am now using the Printer driver mapping and compatibility policy within XenApp, it appears that the Universal driver will cancel this out.<br />
<br />
Checked our Universal driver settings and it is set to use Universal Drivers only if a driver is not found.<br />
<br />
So my thought - to locate (which I am searching for - though not having much luck) the print driver for Microsoft Print to PDF itself, install so then the policy should apply as it would have the driver and not use the universal. &nbsp;And I suppose I'll have to do that for the problematic ones we discover.<br />
<br />
Or is there a better way of managing this?<br />
<br />
We have to rectify this by end of Feb 2019 due to audit findings and resolution date, so any thoughts are appreciated.
</div>


<div>
<div class="content wysiwyg-content">
We have a Citrix XenApp 6.5 Farm running on Windows 2008 R2 systems. &nbsp;We have found through an audit there have been certain printers that when installed via the Auto-Client printer installation allow &quot;Open command window here&quot; if you go to this printer which is Microsoft Print to PDF (for instance) will then bring up the file locations which is ok, but the issue is the fact it is allowing &quot;Open command window here&quot;.<br />
<br />
I'm looking to see where in Citrix policies or Windows GPO's I can remove this option. &nbsp;I can't remove command prompt access from the system all together as some of our published applications execute/launch via command prompt/batch script.<br />
<br />
Any thoughts are appreciated.
</div>
</div>


We have a Citrix XenApp 6.5 Farm running on Windows 2008 R2 systems.  We have found through an audit there have been certain printers that when installed via the Auto-Client printer installation allow "Open command window here" if you go to this printer which is Microsoft Print to PDF (for instance) will then bring up the file locations which is ok, but the issue is the fact it is allowing "Open command window here".

I'm looking to see where in Citrix policies or Windows GPO's I can remove this option.  I can't remove command prompt access from the system all together as some of our published applications execute/launch via command prompt/batch script.

Any thoughts are appreciated.

How to lock down &quot;Open Command Windows here&quot; when accessing certain auto-generated printers on XenApp 6.5

Citrix is the synonym for the virtualization and application infrastructure systems developed by the company of the same name. Main areas are application virtualization, Software-As-A-Service (SaaS), cloud-computing and networking. The two most well-known are Citrix XenApp or Citrix CloudPlatform.

Citrix

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.

Windows OS

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

How to lock down &quot;Open Command Windows here&quot; when accessing certain auto-generated printers on XenApp 6.5

How to lock down "Open Command Windows here" when accessing certain auto-generated printers on XenApp 6.5