Suppressing Access Lists to be Exposed by the XML Service

In an earlier article about the XmlServiceExplorer, I explained how to obtain the access list of all published applications in a farm from the XML service.

As this information is offered without authentication, it can be considered a security issue. The XML service should rather offer the resulting list of published applications based on the access lists instead of the access list themselves.

Fortunately, this behaviour of the XML service can be suppressed by changing a registry key on the Presentation Server / XenApp server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix\XML Service]
"ExposeAccessLists"=dword:00000000

Using the same settings as in the example of my earlier article, the XML service only returns an empty tag called Details.

This configuration option should also be able to settle the discussion in the security forum of Brian’s site.

Please note that this switch is not documented (as far as I know). Be sure to have tested this before deployment in a production environment.