We put VSE on all our Windows servers (but tune/tweak the settings as per McAfee/MS recommendations).
First, we publish our Citrix apps and only very special people get the "desktop".
Second, we have a GPO that restricts access to the Citrix servers' C drives.
However, we don't want people using the email client and/or web browser and possibly getting a virus and saving it to either the Citrix server itself, infecting the Citrix server, OR saving it to networked drives (or opening it from a network drive). Hence the VSE on the Citrix servers.
HIPS, etc. will certainly help mitigate things, but IMO, I'd use both. However, it depends upon how you've set up your Citrix sessions (IMO, you're more at risk if you give the person access to the entire desktop vs., say, all they can do is run a published instance of Word).
The risk level is up to you. Technically, even configuring VSE to not scan certain directories on a Windows server (or any server/workstation, for that matter) is a security risk.
On servers that people do not have access to (i.e., our domain controllers), we actually disable the VSE OnDemand scan and only run scheduled scans. We can always use EPO to turn on the OnDemand scan if necessary. But we don't allow file sharing on those machines and only a handful of people can actually connect/login to them directly.
Even if you "blow up" a Citrix server or workstation, you still don't want the malicious code spreading to other machines.
For our Citrix sessions, we are talking about locking the user out of the local desktop (except for a handful of IE sites that use a lot of bandwidth) and having all the other apps pushed from the Citrix server. We would absolutely run VSE on the Citrix servers. The thought process being that on the desktops, if the apps are locked down, we might not need VSE to run since the user technically only sees a session and can't really do anything else.
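The "GPO that restricts access to the C drive" mentioned in the post is normally delivered through the Explorer shell policies (NoDrives / NoViewOnDrive), which are a per-drive bitmask. The PowerShell below is an added example, not code from the original post or from McAfee/Citrix, showing how that bitmask is built and written to the per-user Explorer policy key so the result of a GPO can be reproduced and checked on a lab machine. The key path and value names are the standard Explorer policy values; the drive letters, the helper function name and the lab-host assumption are this example's own.

```powershell
# Added example (not from the original post): reproduce the Explorer
# drive-restriction policy a GPO would apply, and verify the result.
# Assumption: run on a lab host as the user whose session should be restricted;
# in production the same values are pushed from a GPO, not set by hand.

function Get-DriveMask {
    # Explorer policies encode drives as a bitmask: A=bit 0, B=bit 1, C=bit 2, ...
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = [char]::ToUpper([char]$l[0])
        $index = [int]$c - [int][char]'A'
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = Get-DriveMask -Letters @('C')   # C: alone is 4 (bit 2)

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# NoDrives hides the drive in Explorer / common dialogs;
# NoViewOnDrive blocks browsing it through Explorer even when the path is typed.
Set-ItemProperty -Path $policyKey -Name 'NoDrives'      -Value $mask -Type DWord
Set-ItemProperty -Path $policyKey -Name 'NoViewOnDrive' -Value $mask -Type DWord

# Verify what is now in effect for this user
Get-ItemProperty -Path $policyKey | Select-Object NoDrives, NoViewOnDrive
```

One caveat a practitioner should keep in mind: these are shell (Explorer) restrictions only. A user who can reach cmd.exe, PowerShell, a file-open dialog that bypasses the shell, or a UNC path such as \\server\C$ can still reach the volume, which is exactly why the post pairs the GPO with published apps rather than a full desktop and keeps VSE running on the Citrix server itself.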