XenApp 6 – Best Practise …………………… Hint #1 – Disable IESC for W2K8R2

August 11, 2010
Thomas Poppelgaard
HowTo, XenApp

For better user expirence on a Citrix XenApp 6 environment i recommend to disable IE Enhanced Security for Administrator and Users.

To verify the IE ESC configuration at the RD host, you can check the values of these two registry entries:

1. HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled.
If the value is 1, then Internet Explorer Enhanced Security Configuration is enabled for users. If the value is 0 or the entry is not present, then Internet Explorer Enhanced Security Configuration is disabled for users.

2. HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled.
If the value is 1, then Internet Explorer Enhanced Security Configuration is enabled for administrators. If the value is 0 or the entry is not present, then Internet Explorer Enhanced Security Configuration is disabled for administrators.

Reason:

For a better experience when Remote Desktop is enabled, it is a good idea to remove the enhanced security configuration from members of the Administrator & Users group. These users have less permission on the server, so they present a lower level of risk if they are victims of an attack.

Please refer to: http://support.microsoft.com/kb/815141/en-us

Reference:
“Managing Internet Explorer Enhanced Security Configuration”
http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&displaylang=en