Insecure Access Policy Rules

Article ID: CTX213417

Description

Use a script to diagnose whether your Site has insecure Access Policy Rules.

To verify that your XenApp or XenDesktop Site is not affected, download the provided GetInsecureAccessPolicyRules PowerShell script and then follow the steps below:

  1. Log in as a Full Administrator on a Delivery Controller machine in your XenApp or XenDesktop Site.
  2. Copy the GetInsecureAccessPolicyRules PowerShell script onto the machine.
  3. Open a PowerShell window as an Administrator.
    • Make sure script execution is enabled by setting the Execution Policy to a value appropriate for your environment:
      Set-ExecutionPolicy -ExecutionPolicy xxxxx
  4. Run the GetInsecureAccessPolicyRules script (this might take some time if your Site has many Delivery Groups):
      & '[PathToScriptDirectory]\GetInsecureAccessPolicyRules.ps1'
  5. Observe the result.
    1. If your Site is not affected by the insecurity in Access Policy Rules, the script returns the following message:
      No insecure Access Policy Rules found.
      No further actions are required on your part.
    2. If you are affected by the insecurity, the script returns the number of insecure rules that were found, guidance on how to use the script to fix the issue, and a list of the affected rule objects. See the Resolution section below.
Resolution

To fix the insecure Access Policy Rules in your XenApp or XenDesktop Site, use the provided GetInsecureAccessPolicyRules PowerShell script and follow the steps below (skip steps 1, 2, and 3 if you have completed the steps in the Description section and have not yet closed the PowerShell window):

  1. Log in as a Full Administrator on a Delivery Controller machine in your XenApp or XenDesktop Site.
  2. Copy the GetInsecureAccessPolicyRules PowerShell script onto the machine.
  3. Open a PowerShell window as an Administrator.
    • Make sure script execution is enabled by setting the Execution Policy to a value appropriate for your environment:
      Set-ExecutionPolicy -ExecutionPolicy xxxxx
  4. Run the GetInsecureAccessPolicyRules script with the switch parameter FixInsecureRules (this might take some time if your Site has many Delivery Groups):
      & '[PathToScriptDirectory]\GetInsecureAccessPolicyRules.ps1' -FixInsecureRules
  5. Observe the result.
    1. If your Site is not affected by the insecurity in Access Policy Rules, the script returns the following message:
      No insecure Access Policy Rules found to fix.
      No further actions are required on your part.
    2. If you are affected by the insecurity, the script gathers all affected rules and fixes them by setting their IncludedSmartAccessFilterEnabled property to True, and then does one of the following:
      1. If using XenDesktop 5.6, the script removes all existing IncludedSmartAccessTags and provides a list of them, if you want to keep a note of the values for future re-use.
      2. If using XenDesktop versions 7.0 to 7.6 or XenApp 7.5 or 7.6, the script moves any existing IncludedSmartAccessTags to the metadata of their respective rules (to help with future re-use of the values).
        The Studio UI and the upgrade logic in XenApp and XenDesktop 7.7 and above understand this metadata. Its structure is:
        [StudioSecurityFix_IncludedSmartAccessTags, Tag1&Tag2&Tag3] where Tag1, Tag2, and Tag3 are example IncludedSmartAccessTags, separated by '&'.
      3. If using XenApp or XenDesktop version 7.7 and above, the script sets the AllowedConnections property of the affected rules from ‘ViaAG’ to ‘AnyViaAG’.
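The following read-only audit is an added illustration of the checks the procedure above performs; it is not the Citrix GetInsecureAccessPolicyRules.ps1 script and does not replace it. It assumes the Citrix Broker PowerShell snap-in (Citrix.Broker.Admin.V2) is installed on the Delivery Controller, that a rule is insecure when its AllowedConnections is 'ViaAG' while IncludedSmartAccessFilterEnabled is False (a condition inferred from the fix the Resolution describes, not stated on the page), and that a rule object exposes its metadata through a MetadataMap property. The optional -SetAnyViaAG switch mirrors only the 7.7-and-above branch of the Resolution and honours -WhatIf.

```powershell
# Added audit example; NOT the Citrix GetInsecureAccessPolicyRules.ps1 script.
# Assumptions (see lead-in): Citrix.Broker.Admin.V2 snap-in is present; the
# insecure condition is ViaAG + SmartAccess filter disabled; rule objects
# expose their metadata as a MetadataMap dictionary.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AdminAddress = 'localhost',
    [switch]$SetAnyViaAG   # only meaningful on 7.7+, where AnyViaAG exists
)

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Metadata key written by the Citrix fix on 7.0-7.6 (structure documented above).
$MetadataKey = 'StudioSecurityFix_IncludedSmartAccessTags'

# Turn "Tag1&Tag2&Tag3" back into a tag list so the values can be re-used.
function ConvertFrom-SmartAccessTagMetadata {
    param([AllowEmptyString()][string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '&' | Where-Object { $_ -ne '' })
}

# Assumed insecure condition: the rule is scoped to Gateway connections only,
# but the SmartAccess filter that should restrict which Gateway sessions match
# is disabled.
function Test-InsecureAccessPolicyRule {
    param([Parameter(Mandatory)]$Rule)
    return ($Rule.AllowedConnections -eq 'ViaAG') -and
           (-not $Rule.IncludedSmartAccessFilterEnabled)
}

# Default MaxRecordCount is small; raise it so large Sites are fully enumerated.
$rules    = @(Get-BrokerAccessPolicyRule -AdminAddress $AdminAddress -MaxRecordCount 10000)
$insecure = @($rules | Where-Object { Test-InsecureAccessPolicyRule -Rule $_ })

Write-Host ("Access Policy Rules examined: {0}; flagged: {1}" -f $rules.Count, $insecure.Count)

foreach ($rule in $insecure) {
    $savedTags = @()
    if ($rule.MetadataMap -and $rule.MetadataMap.ContainsKey($MetadataKey)) {
        $savedTags = ConvertFrom-SmartAccessTagMetadata -Value $rule.MetadataMap[$MetadataKey]
    }

    [pscustomobject]@{
        Name                             = $rule.Name
        DesktopGroupUid                  = $rule.DesktopGroupUid
        AllowedConnections               = $rule.AllowedConnections
        IncludedSmartAccessFilterEnabled = $rule.IncludedSmartAccessFilterEnabled
        IncludedSmartAccessTags          = ($rule.IncludedSmartAccessTags -join ', ')
        TagsSavedInMetadata              = ($savedTags -join ', ')
    } | Format-List

    # Optional remediation matching the 7.7+ step of the Resolution. Try it with
    # -WhatIf first; on 5.6 / 7.0-7.6 use the Citrix script instead.
    if ($SetAnyViaAG -and $PSCmdlet.ShouldProcess($rule.Name, 'Set AllowedConnections to AnyViaAG')) {
        Set-BrokerAccessPolicyRule -InputObject $rule -AdminAddress $AdminAddress -AllowedConnections AnyViaAG
    }
}
```

Run it without switches first to get an inventory; compare the flagged count with what the Citrix script reports before trusting the inferred condition, and only then re-run with `-SetAnyViaAG -WhatIf` to preview the change on a 7.7 or later Site.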
Note: The underlying issue cannot be fixed in the services, but it is no longer exposed by the Studio UI in versions 7.7 and above; it was also not exposed by the Studio UI in version 5.6.
Upgrading to XenApp or XenDesktop 7.7 or above (7.8 or above if upgrading from 5.6) fixes any existing occurrences of the insecurity.


Problem Cause

Refer to the Security Bulletin regarding this issue.
