Friday, May 11, 2007

Make Your Own Citrix CALs!

It's all about design.

The licensing model has been vastly improved since the days of XP. It's easier and more secure to manage your Citrix licenses. In fact, there used to be a cool utility called TFLKey.exe that would puke up Citrix licenses all day long, including licenses for unlimited servers and connections. You could even activate your existing CALs with it.

Of course, using such a utility violates the license agreement (which I guess you wouldn't really need if you had the tool) and may get you thrown in jail - which is bad because being Bubba's bitch is never fun.

But if it's an architectural design flaw that is a security hole - and you happen to build your environment in such a way that exposes it... is it still illegal? You're not exploiting or in violation of licensing - and all your servers are working normally. Or are you just leveraging an aspect of the product's design in an unconventional way? Hmm.

Consider the following:

Let's say your environment consists of:
- 10 MPS4 servers
- 1 Citrix License Server with 100 CALs installed
- 1000 users

In this scenario, we're going to potentially consume 100 Citrix CALs, but we're going to get our 1000 concurrent users up and running.

How the hell do we do that? We're simply going to leverage the 30 day Citrix Licensing grace period. You see, each of those 10 MPS servers keeps its own running tally of how many CALs are available. So with the license server up and running you have a max concurrency of 100 users.

Here's where it gets fun.

Kick off all your users and wait a few minutes. At some point, each server will recognize that there are 100 CALs available.

Shut down your license server.

Now you have entered the 30 day grace period where each server thinks that there are 100 licenses available. And since there's no license server to update as users log on and log off, each server now has the capability to issue 100 CALs.

As long as that license server stays offline (for up to 30 days), you can host all of those 1000 users using only 100 CALs.

Obviously the way around this is to bring it back up every 29 days when no users are online for a little while. Once you verify in the event logs on each server that the grace period has been reset you can take it down again, and drive on for another 29 days.

You've just saved your company 315,000 dollars (assuming 350 bucks per CAL).

Is this legal? I honestly don't know... I think it might be a gray area that could be argued either way. Chances are that Citrix can pay for better lawyers than you or I, so I don't suggest doing something like this.

Is it ethical? No, but all that aside, from a technical perspective it is a pretty cool hack.

-CG
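
An added example (not part of the original post, and not Citrix code): a Python audit for the scenario above that sums sessions across the farm per poll and reports where the total exceeds the installed CALs, plus the longest stretch each server has gone without reaching the license server. The sample rows, the field layout and the function names are assumptions; the data would come from whatever per-server session inventory you already collect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INSTALLED_CALS = 100  # the post's scenario

# Constructed samples, one row per server per poll:
# (poll time, server, active sessions, license server reachable from that server)
T0 = datetime(2007, 5, 1, 9, 0)
SAMPLES = (
    [(T0, f"MPS{i:02d}", 10, True) for i in range(1, 11)]
    + [(T0 + timedelta(days=2), f"MPS{i:02d}", 100, False) for i in range(1, 11)]
    + [(T0 + timedelta(days=20), f"MPS{i:02d}", 95, False) for i in range(1, 11)]
)

def oversubscribed_polls(samples, installed_cals):
    """Return polls where farm-wide sessions exceed the installed CAL count."""
    polls = defaultdict(list)
    for when, server, sessions, reachable in samples:
        polls[when].append((server, sessions, reachable))
    findings = []
    for when in sorted(polls):
        rows = polls[when]
        total = sum(sessions for _, sessions, _ in rows)
        if total > installed_cals:
            findings.append({
                "time": when,
                "farm_sessions": total,
                "excess": total - installed_cals,
                # Servers working from their own cached count during the grace period
                "servers_in_grace": sorted(s for s, _, ok in rows if not ok),
            })
    return findings

def grace_durations(samples):
    """Longest continuous span each server reported the license server unreachable."""
    history = defaultdict(list)
    for when, server, _, reachable in samples:
        history[server].append((when, reachable))
    longest = {}
    for server, rows in history.items():
        start, best = None, timedelta(0)
        for when, reachable in sorted(rows):
            if reachable:
                start = None          # contact with the license server ends the span
            else:
                start = start or when
                best = max(best, when - start)
        longest[server] = best
    return longest
```

Every server can sit at or under 100 sessions while the farm as a whole is far over, so the comparison has to be made on the farm-wide total, not per server.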

Thursday, May 10, 2007

Tuesday, May 8, 2007

USB Gets Silly

It was bound to happen sooner or later.

Someone has written a worm that leverages USB drives as a means of propagation. I'm surprised that it took this long.

Think about it. What are thumbdrives used for? I plug it into my computer, copy a file or two, and then you take it and copy the file to your machine. You might as well be having unprotected sex, except with a bunch of little ones and zeros.

Here's the skinny from Sophos. Ha get it? Worm... skinny? Ha! Never mind.

------------------------------------------

Security researchers at Sophos are warning of a new Trojan worm virus that is being spread via infected USB devices.

According to the security software maker, the W32/SillyFD-AA program, or Silly worm, automatically spreads itself to any USB storage device connected to a PC it has infected, and then passes itself along to any subsequent machines to which the removable thumb drive is inserted.

Once loaded onto a computer, the worm creates a hidden file labeled as "autorun.inf" from which it continues to propagate itself. Among the only discernible effects of the attack is that it changes the title of users' Internet Explorer browsers to read: Hacked by 1BYTE.

The same type of attack could be used to spread far more malicious programs such as spyware or rootkits.

Such attempts to infect via physical interface could become increasingly popular. According to a recent report published by Centennial Software, removable storage drives have actually become the leading cause of security concern for IT administrators, based on a survey the company conducted at a European conference.

------------------------------------------

Personally, if I were a l33t hax0r filled with all that post-pubescent angst trying to stick it to the man, fuck the system, and all that - I would be kinda pissed that my worm got named Silly.

-CG
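
An added example (not part of the original post or the Sophos write-up): a Python triage of a removable drive's root that finds autorun.inf regardless of case, reports whether it is hidden, and lists the entries that would launch a program. The sample file content and its file names are constructed placeholders, and the function names are assumptions.

```python
import os
import stat

LAUNCH_KEYS = ("open", "shellexecute")  # keys that name a program to run
RISKY_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample; the file names are placeholders, not taken from the worm.
SAMPLE = """[AutoRun]
; constructed example
open=placeholder_payload.exe
shell\\open\\command="placeholder payload.exe" /q
icon=drive.ico
"""

def parse_autorun(text):
    """Return (key, command) pairs from [autorun] that launch something."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command attaches a command to a context-menu verb
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def command_target(value):
    """First token of a command line, honouring a quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0].lower()
    return value.split(None, 1)[0].lower() if value else ""

def triage_drive(root):
    """Report on autorun.inf in a drive root, or None when there is none."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return None
    path = os.path.join(root, name)
    # st_file_attributes exists only on Windows; elsewhere this reads as not hidden
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    with open(path, "r", errors="replace") as handle:
        entries = parse_autorun(handle.read())
    risky = [e for e in entries if command_target(e[1]).endswith(RISKY_EXT)]
    return {"path": path, "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            "launch_entries": entries, "risky": risky}
```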

Monday, May 7, 2007

Code Monkey

For all you dev heads out there. This bud's for you.

Tuesday, May 1, 2007

Citrix Cutting Edge Update Notifications

One of the great features about the Citrix support website is the ability to subscribe to sections so that you get email notifications when things are added or updated. Of course I subscribe to several sections in the interest of keeping myself in the know and having something to blab about on this site.

I received the following email from this system today which demonstrates the effectiveness of this tool.

---------------------------------------------
You asked to be notified if there were any updates to the document type "Tool " in the Citrix Knowledge Base. The following entry was added or updated on Oct 26, 2006 3:17:38 PM:
ProcessHistory v1.1 for 32-bit and 64-bit platforms
To view this entry, please visit:
http://support.citrix.com/kb/entry.jspa?entryID=11487&categoryID=686

If you wish to remove this watch, visit:
http://support.citrix.com/kb/accountEditWatches!default.jspa
Citrix Technical Support

----------------------------------------------

See what I mean? Cutting edge... give or take 6 months or so. I expect my updated Winframe 1.7 admin guide any day now.

-CG

Edgesight ADM

Yes, it's been a while since the last post. Sorry. Have you looked outside lately? The sun is out. I have a life. That means the give-a-shit quotient regarding things in the office takes a sharp decline. Since I pilfer work hours to update this blog, citrixguy.net falls within the scope of that phenomenon.

Anyways, I came up with a basic ADM Template that I thought might be useful for some of you wokies that play with Edgesight. It allows you to set some fundamental settings that make managing your deployment a little less painful. Like most of these things, it's not as pretty as it could be (see also: give-a-shit quotient above), but it gets the job done and gives you something to play with.

There are five parameters I'm setting with this:
- The Edgesight app server name
- The app server path
- The app server port
- The Department Name
- The Company Name

If you don't know how to make this work as a GPO, take your hands off the keyboard immediately and go fling yourself in front of the nearest bus. I hate to be the one to break it to you, but you are a pus-filled boil on the ass of the IT industry.

All you not so dumb people, please enjoy with my compliments.

-CG

--------------------------------------------------

; Note: these keys are outside SOFTWARE\Policies, so the values are written as
; preferences. They stay in the registry after the GPO is removed, and the
; Group Policy editor hides them while its "Only show policy settings that
; can be fully managed" filter is on.

CLASS MACHINE

CATEGORY "Edgesight Server Configuration"

    ; Port the agent uses to reach the Edgesight web server
    POLICY "Server Port"
        #if VERSION >= 3
        EXPLAIN "This policy defines the port on which the Edgesight web server is running. The default is 80"
        #endif
        KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\4.00\NetAccess\"
        PART "Server Port" EDITTEXT
            VALUENAME "ServerPort"
            DEFAULT "80"
            #if VERSION >= 2
            EXPANDABLETEXT
            #endif
        END PART
    END POLICY ; Server Port

    ; Path on the app server
    POLICY "Server Path"
        KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\4.00\NetAccess\"
        PART "ServerPath" EDITTEXT
            KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\4.00\NetAccess\"
            VALUENAME "ServerPath"
        END PART
    END POLICY ; Server Path

    ; Name of the Edgesight app server
    POLICY "ServerName"
        #if VERSION >= 3
        EXPLAIN "This defines the name of the Edgesight server. The default is EATABAGOFDICKS"
        #endif
        KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\4.00\NetAccess"
        PART "ServerName" EDITTEXT
            VALUENAME "ServerName"
            DEFAULT "ENTER YOUR STUPID SERVER NAME HERE"
        END PART
    END POLICY ; ServerName

    ; Department name reported by the agent
    POLICY "Department"
        #if VERSION >= 3
        EXPLAIN "This defines the Department name which usually corresponds to the particular Farm."
        #endif
        KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\"
        PART "Department" EDITTEXT
            VALUENAME "Department"
            DEFAULT "ENTER YOUR DEPARTMENT"
        END PART
    END POLICY ; Department

    ; Company name reported by the agent
    POLICY "Company"
        KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\"
        PART "Company" EDITTEXT
            KEYNAME "SOFTWARE\Citrix\System Monitoring\Agent\EdgeSight\"
            VALUENAME "Company"
            DEFAULT "ENTER YOUR COMPANY NAME"
            #if VERSION >= 2
            EXPANDABLETEXT
            #endif
        END PART
    END POLICY ; Company

END CATEGORY ; Edgesight Server Configuration

[STRINGS]