Citrix Virtual Apps and Desktops clipboard redirection

It’s been a long time since I’ve explored Citrix clipboard redirection… how well has it evolved?

When you are working with remote applications and desktops, clipboard redirection is often vital for users to be able to do their jobs. I regularly copy and paste code snippets into and out of remote applications and desktops on Citrix. Unfortunately, because there are nefarious people out there, the same feature can also be seen as a security risk: exfiltrating data by copying and pasting it out of a session is a significant concern for data loss prevention.

I always used to take the attitude of “there are seldom technological solutions to behavioural problems”, and maintain that securing data in this way was more a problem for HR (in hiring the right people) than for I.T. (in locking all of the doors and windows). Some of this still stands up to scrutiny, obviously – a bad actor can always take a photo on his phone, write it down, even memorize it. But these days, a lot of security standpoints are to do with slowing down the ability of a bad actor to do damage, to restrict their progress deeper into your systems – mainly to remove some of the more obvious methods for stealing data or compromising devices, which therefore increases the chances of detection with less damage done.

As said earlier, I hadn’t looked at Citrix clipboard redirection for a long time, so I was pleasantly surprised that we now have a much more granular set of clipboard policies to choose from. The requirement we had came from developers who often had to copy and paste into their session, while security wished them to be prevented from copying any data back out. A quick perusal of the available Citrix policies showed that this could easily be achieved.

Citrix policies for clipboard

First let’s have a quick run-through of the policies that we actually have available for clipboard redirection at this point in time.

Client clipboard redirection

This policy has been around for a very long time, and simply allows clipboard redirection to be done. It is turned on by default – we most commonly used to see this policy defined when we were looking to turn off the redirection.

Clipboard redirection bandwidth limit

Specifies the maximum allowed bandwidth (kbps) for data transfer between the session and the local clipboard.

Clipboard redirection bandwidth limit percent

Pretty similar to the above, and again one that has been around a while, this specifies the maximum amount of bandwidth the clipboard transfer can consume, as a percentage of the total session bandwidth.

Read-only clipboard

This is one of the newer policies (well, it came along in 7.0, so new-ish), and it gave the first control over the direction in which clipboard redirection would work. This policy simply disables session-to-client redirection and allows client-to-session redirection. However, this policy no longer applies if you are on a VDA version higher than 7.5.

Restrict client clipboard write

These settings came along in 7.6, and this one simply works the same as the previous setting – it disables session-to-client (writing to the client) and enables client-to-session (writing to the session). However, this policy can be extended by using another policy (Client clipboard write allowed formats), whereas the previous policy cannot – and in any case, the previous policy only applies to 7.5 or lower VDAs.

Restrict session clipboard write

Again from 7.6 onwards, this is the flip side of the previous setting and allows you to disable client-to-session (writing to the session) and enables session-to-client (writing to the client). Again, this can be extended by another policy (Session clipboard write allowed formats).

Client clipboard write allowed formats AND Session clipboard write allowed formats

These two policies (again, available from 7.6 onwards) are identical in behaviour except that one applies to the client clipboard and the other to the session clipboard, as defined above. Obviously, the corresponding “Restrict xxx clipboard write” policy needs to be defined in order for this to take effect. This works as a kind of “override”, in that the respective session or client clipboard write is disabled (by the respective policies), but the data types defined here are selectively allowed to be copied and pasted. If you wanted to allow this to work in both directions, you would need to define both the “restrict write” policies and then both the “write allowed formats” policies as well.

There are a number of data formats to choose from – there are some system-defined formats, there are some custom XenApp and XenDesktop formats, and you could even define your own. The system-defined formats are described in this article. The Citrix custom formats are not documented anywhere I can find to reference, although there are a number of articles out there discussing their usage.

So, if you’re concerned specifically about users cutting and pasting screenshots or lifting the contents of Word documents, then restricting to the text formats is a pretty good place to start (my “copy-text-only-from-client-to-session” setting is below).

That’s it for the policies, that’s all we have (there are some clipboard-related policies for Linux VDA, but we will ignore those :-))

Testing

Let’s see if our policy works. Remember, we wanted to allow the user to copy and paste only text, and only from the client into the session – not the other way, and not any other formats.

Quick video showing the one-way clipboard redirection in action

So that’s that, all well and good – testing was exactly what we expected 🙂

Copy and paste direct

Now, an interesting aside to this is that for a while now, we’ve been able to copy and paste files and folders directly into RDP sessions, but not into Citrix sessions. If your Workspace App is at the latest version and the VDA of your Citrix session is 1903 or higher, you should now be able to enable this. However, if you’re using clipboard policies as above, you will need to add a further format type – CFX_FILE – to the policy to allow this in your chosen direction (or directions).

Summary

So here’s a quick summary of what to configure for some possible sets of requirements:

Full, bi-directional clipboard redirection

Set “Client clipboard redirection” to Allowed

Full, client-to-session only clipboard redirection

Set “Client clipboard redirection” to Allowed

Set “Restrict client clipboard write” to Enabled

Full, session-to-client only clipboard redirection

Set “Client clipboard redirection” to Allowed

Set “Restrict session clipboard write” to Enabled

Selective formats, bi-directional clipboard redirection

Set “Client clipboard redirection” to Allowed

Set “Restrict session clipboard write” to Enabled

Set “Restrict client clipboard write” to Enabled

Set “Session clipboard write allowed formats” to required formats

Set “Client clipboard write allowed formats” to required formats

Selective formats, client-to-session only clipboard redirection

Set “Client clipboard redirection” to Allowed

Set “Restrict session clipboard write” to Enabled

Set “Restrict client clipboard write” to Enabled

Set “Session clipboard write allowed formats” to required formats

Selective formats, session-to-client only clipboard redirection

Set “Client clipboard redirection” to Allowed

Set “Restrict session clipboard write” to Enabled

Set “Restrict client clipboard write” to Enabled

Set “Client clipboard write allowed formats” to required formats

Here’s a quick diagram to help, with the policies numbered out. The most-used ones are highlighted but you can use any.
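To check a planned policy set against a requirement before rolling it out, here is a small Python model of the rules exactly as the post describes them (7.6+ VDA; the older Read-only clipboard policy is not modelled). This is an added example, not Citrix’s code or a Citrix API: the policy names are the Studio setting names, CF_TEXT, CF_UNICODETEXT, CF_BITMAP and CF_DIB are the standard Windows clipboard format identifiers, and CFX_FILE is the Citrix format named in the post.

```python
from dataclasses import dataclass, field

# Directions are named for where the data ends up being written.
CLIENT_TO_SESSION = "client-to-session"   # paste from endpoint into the session
SESSION_TO_CLIENT = "session-to-client"   # paste from session out to the endpoint


@dataclass
class ClipboardPolicy:
    """Policy values named as in Citrix Studio; defaults as the post gives them."""
    client_clipboard_redirection: bool = True          # Allowed by default
    restrict_client_clipboard_write: bool = False      # Enabled blocks session-to-client
    restrict_session_clipboard_write: bool = False     # Enabled blocks client-to-session
    # Format overrides; only take effect when the matching Restrict policy is Enabled.
    client_clipboard_write_allowed_formats: set = field(default_factory=set)
    session_clipboard_write_allowed_formats: set = field(default_factory=set)

    def allows(self, direction: str, fmt: str) -> bool:
        """True if a clipboard transfer of format `fmt` in `direction` is permitted."""
        if not self.client_clipboard_redirection:
            return False  # master switch off: nothing moves in either direction
        if direction == SESSION_TO_CLIENT:
            restricted = self.restrict_client_clipboard_write
            allowed = self.client_clipboard_write_allowed_formats
        elif direction == CLIENT_TO_SESSION:
            restricted = self.restrict_session_clipboard_write
            allowed = self.session_clipboard_write_allowed_formats
        else:
            raise ValueError(f"unknown direction: {direction}")
        # A Restrict policy disables the direction except for the listed formats.
        return (not restricted) or fmt in allowed


def outbound_formats(policy: ClipboardPolicy, candidates) -> list:
    """Formats that can still leave the session: the data-loss surface to review."""
    return sorted(f for f in candidates if policy.allows(SESSION_TO_CLIENT, f))


# Standard Windows clipboard format names plus the Citrix CFX_FILE format from the post.
TEXT_FORMATS = {"CF_TEXT", "CF_UNICODETEXT"}
ALL_FORMATS = TEXT_FORMATS | {"CF_BITMAP", "CF_DIB", "CFX_FILE"}

# The post's "copy text only, client to session only" configuration.
text_in_only = ClipboardPolicy(
    restrict_client_clipboard_write=True,
    restrict_session_clipboard_write=True,
    session_clipboard_write_allowed_formats=TEXT_FORMATS,
)
```

Running `outbound_formats(text_in_only, ALL_FORMATS)` returns an empty list, which is the property the developer requirement in the post asked for; swapping in the other summary configurations shows what each one lets out.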

That’s all I have on clipboard redirection – we can now mix and match these policies to (hopefully!) make your environments a little bit more secure without actually interrupting some of your user workflows.

11 comments

  1. Hi Team,

    Our client requirement is that we need to allow only some formats like .docx .doc .xlsx .xls .txt .pdf .msg .pptx .jpg .xml .png. For those things only, the client needs bidirectional clipboard access from a CVAD 1906 APP/HSD environment.
    Could you please share the standard formats for the above listed things.

    1. Unfortunately I don’t think it is possible to limit on extension. Have a look at the list of formats and see if they fit into any of those.

  2. Is it possible to allow Copy/Paste of text ONLY on both directions? we also want our user to be able to copy text from session to the client but prevent screenshots.

    1. Yes. See the diagram I just added to the post. You want to configure all the policies (1,2,3,4 and 5) as shown here to get what you want.

  3. This is all working awesome for text so far! If I want to take a screenshot with my client (in my case Mac) and paste it into my Citrix VDA session and still keep this locked down so files can’t be copied back and forth, is that possible?

  4. Great summary – thank you, James.
    Here is another use case to examine… Users having multiple sessions (connecting to a desktop and to streamed applications); they need to have copy and paste enabled between the virtualized sessions, but completely blocked, or allowed only unidirectional access external->internal between their computer and their virtualized environment.

  5. Excellent article. Very interesting and complete.
    My problem is that Citrix does not meet all of my requirements.
    Limiting only characters is good, but not enough. It would be necessary to be able to limit the number of characters, and especially to be able to log the copied information.
    Do you know a solution for this?

    1. I can’t say too much but I know Citrix are looking at extending their security offerings in this space. However at the present moment you’d probably have to look at a third-party solution. I don’t know of any offhand unfortunately – I will try and have a look into it at some point.
