Google Frame: Bypassing Security, Lockdown & Admin controls – A mockery, or an awakening to managing the Unknown?

June 22, 2011

Google has just launched a new version of Google Frame – a plug-in for Internet Explorer based on the open-source Chromium project. Unfortunately, it presents a significant problem for IT departments: users can install the plug-in even if they don’t have Administrator rights on their desktop. Now, I am not picking on Google in this blog, but using Google Frame as an excellent example of how unauthorized and unknown software can easily enter corporate desktops that are only protected by managing and blocking ‘known’ code and software.

Back to Google Frame: a comment on the Hacker News site sums this up nicely:

“Yay for clever technical hacks that help users circumvent ossified IT bureaucracy. But I’m a little astonished that this is possible. They’re running a second process that detects new instances of IE starting up and injects Chrome Frame into them. Doesn’t that make a mockery of “admin rights”?”

Fair comment indeed… but those Admin rights are often there for a reason: to protect the desktop, the data and the user from unknown software. Google isn’t doing end users any favours by circumventing established security controls; it will just encourage IT departments to try and lock down desktops even further.

According to an insightful article from Cade Metz at The Register: “Google is well aware of this. But the company says that if admins don’t like it, they can use separate Google admin tools to stop it from happening.” But that assumes IT admins are aware of the issue, and of the separate Google admin tools, in the first place, in order to control it… ouch?!

My thought here is: you only know what you know, and you don’t know what you don’t know. That makes some aspects of managing the desktop, for some IT departments and especially in this case, a reactive, firefighting process.

My question therefore is: how can you control, manage and protect against the unknown?!

As the answer to my question, and for AppSense customers concerned about this issue, I’m happy to confirm that this is something handled automatically, out of the box, by Application Manager. One of the requirements of a User Virtualization solution is to dynamically and automatically control application entitlement, including what a user can introduce and execute in their desktop environment. For over 10 years Application Manager has been protecting millions of corporate desktops around the world; it will recognise any attempt by the user to install or run any unknown or unauthorized piece of software, even a plug-in, and block it unless permission has been given.

AppSense User Virtualization achieves this with a kernel-level filter driver within the Windows operating system. This filter intercepts all execution requests, whether for known or unknown software, scripts, DLLs etc., before an application or code actually launches or executes, to determine whether the request is to be authorized or prohibited. Any unauthorized request is blocked and the user receives a message, configurable by the administrator, stating that execution has been denied. Authorization or denial can be managed in a number of ways:

AppSense Trusted Ownership: Managing the Unknown

Protect the system without complex lists and constant management. Only code installed and owned by ‘trusted owners’ is allowed to execute. With this method, the current application access policy is immediately enforced ‘out of the box’ without the need for scripting or list management. In this case, Google Frame would be prevented from running its installation and the application is blocked automatically, even though the code itself is unknown to the IT department! Problem solved. (Note: the trusted owners list can be extended to suit any environment or directory infrastructure.)

White & Black List Configurations: Granular Management of the Known

White and black list configurations can be used in conjunction with Trusted Ownership to control known applications which pass the NTFS owner check. Applications that users should not have access to, such as administrator-owned tools like cmd.exe or ftp.exe, are automatically denied. Or, create white lists to guarantee that only known and trusted applications can execute on a system.
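To make the decision order concrete, here is an added PowerShell illustration (not AppSense’s code) of the policy the last three sections describe: the NTFS owner reported by Get-Acl is compared with a trusted owners list first, and a deny list and an optional allow list are then applied to files that pass the owner check. The trusted owner names, list entries and denial message are assumptions for the demo, not product defaults.

```powershell
# Added example, not AppSense's code: a user-mode illustration of the
# Trusted Ownership check followed by deny/allow lists. The kernel filter
# driver makes this decision before execution; this script only reports it.
$TrustedOwners = @(                              # assumed trusted owners
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)
$DeniedExecutables  = @('cmd.exe', 'ftp.exe')   # admin tools users must not launch
$AllowedExecutables = @()                       # leave empty to rely on ownership alone
$DenialMessage      = 'Execution denied by policy. Contact the IT service desk.'

function Test-ExecutionAllowed {
    param([Parameter(Mandatory)][string]$Path)

    $name   = (Get-Item -LiteralPath $Path -ErrorAction Stop).Name
    $owner  = (Get-Acl -LiteralPath $Path).Owner
    $result = [ordered]@{ Path = $Path; Owner = $owner; Allowed = $false; Reason = '' }

    if ($TrustedOwners -notcontains $owner) {
        # Unknown code installed by the user, not by IT: blocked with no list entry needed.
        $result.Reason = "owner '$owner' is not a trusted owner"
    }
    elseif ($DeniedExecutables -contains $name) {
        $result.Reason = "'$name' is on the deny list"
    }
    elseif ($AllowedExecutables.Count -gt 0 -and $AllowedExecutables -notcontains $name) {
        $result.Reason = "'$name' is not on the allow list"
    }
    else {
        $result.Allowed = $true
        $result.Reason  = 'trusted owner and not denied'
    }
    [pscustomobject]$result
}

# Demo: two OS binaries plus a file the current user creates in %TEMP%.
# The user-created file is owned by the user, so Trusted Ownership blocks it.
$userFile = Join-Path $env:TEMP 'user-installed-plugin.exe'
Set-Content -LiteralPath $userFile -Value 'constructed sample, not a real executable'

$paths = @(
    (Join-Path $env:SystemRoot 'System32\notepad.exe'),
    (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    $userFile
)
foreach ($p in $paths) {
    $r = Test-ExecutionAllowed -Path $p
    if ($r.Allowed) { Write-Output "$($r.Path): allowed ($($r.Reason))" }
    else { Write-Warning "$($r.Path): $DenialMessage ($($r.Reason))" }
}
Remove-Item -LiteralPath $userFile -ErrorAction SilentlyContinue
```

Run it as a standard user to see the difference between a file owned by the OS or an administrator and one the user introduced; on a machine where the user is a local administrator the %TEMP% file may be owned by BUILTIN\Administrators and pass the owner check, which is exactly why the post argues against day-to-day admin rights.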

So… there we have it: while vendors are developing software that can bypass desktop controls and enter the corporate desktop environment, and unknown (malware) threats challenge our IT departments, there is a solution available in the form of AppSense User Virtualization.

If anyone has any further specific thoughts or questions about Google Frame, any other (potentially unknown) applications or user admin rights, then please do share them here on the AppSense blog – as ever, we love to hear what the community has to say.

Hope this helps, and keen to hear your thoughts…

Gaz


You Know Where The Door is – Use It!.. But Do You Have To?

January 17, 2010

Yes. Something that has happened several times before has happened again this week.

A Reseller/Solution Provider implements a Citrix/Terminal Services/VDI/Streamed Application solution for an end user client. The end user has since received a Software Asset Management review, and at the end of it, the client receives a big unbudgeted invoice from Software Vendor XYZ because their Citrix/Terminal Services/VDI/Streamed Application solution does not enforce a ‘per device’ application access control and licensing model. As a result, the end user client gets upset and, in the case this week, the Reseller/Solution Provider was shown the door and lost the client.

As mentioned, I have seen this many times before, and I must sound like a broken record to my reseller techies, but this scenario keeps happening and can be avoided!

Now, before you blame it all on one particular application vendor, just remember that MOST if not ALL of your typical software vendors have a DEVICE-based licensing model, not a user-based one. It’s pretty simple: if a device can potentially access the application (regardless of where the actual code executes, or even whether it executes at all), that device needs a licence. Even if you try to block access to the application at the user level with GPOs, SRPs or white and black lists, this does not comply, because the authorized users can still access the application from all devices, and so all devices still require a licence.

For example, if I own 50 PCs and install Application A on each PC, I need to buy 50 licences. I can’t just say I only have one user login, so I only need one licence – the world doesn’t work like that.

And “network technologies” (CTX/TS/VDI/streamed apps) are no different. If I can run the application from any single one of my 400 thin clients, then either I need to buy 400 device licences for the application, or I need a way of enforcing the number of devices that can execute it.

If you want to see this explained, you can see me whiteboard it on the AppSense YouTube Channel here -> Whiteboarding a per device licence scenario

Now I understand not everyone sees things the same way, but in my experience the Reseller/Solution Provider is often the scapegoat in these scenarios when it all goes pear-shaped. So, for the partner to protect their rear end and be a bit proactive, some of our Aussie Solution Providers highlight this to the end user by sending a short email, not only to the IT Manager who may be running the project, but also to the CFO and CIO who sign the cheques.

This email points out that the Solution Provider is bound by their status with Software Vendor XYZ to inform the client that the solution they are looking to implement does not fulfil the licensing requirements of the software vendor they want to use, and that they may be liable for additional licence fees and even financial penalties in the event of an audit, if they do not also include a per device application access control solution as part of their overall SBC or VDI solution.

I was having this discussion in the office this week when, hey presto, in jumps AppMan with his favourite AppSense product, Application Manager – he’s a jovial fellow, looking resplendent in his red outfit. Sure, he’s not the tallest guy in the office, he could do with a few visits to the gym (couldn’t we all?) and yes, I agree some of his hair has left the building for greener pastures, but everyone with a wife and kids has that issue :-)

However, his heart’s in the right place. He wants everyone to be compliant with their software licensing, he doesn’t want to see companies paying out for licences they don’t need, and he only wants to see trusted/authorized applications running on corporate architecture (more info on how AppMan and his solution Application Manager can help with per device software licensing can be found here).

In addition, there’s a side benefit: not only will AppSense Application Manager enforce a per device licensing model, it’s also one of the most effective security products on the market. Trusted Ownership ensures that only software installed by a Trusted Owner (typically the IT team) is allowed to run. Any file installed by a user will instantly be blocked.

Effective and bullet-proof, that’s AppSense Application Manager. And as I always say when the subject of security comes up, it’s not that the security team at your organisation has done a bad job; it’s just that they don’t know what they don’t know, so how can they protect against something they do not know about, or some piece of code that has only just been written today by someone they don’t know of? On the other hand, AppSense Application Manager will show you EVERY file users try to execute, so you do now know what is going on.

And maybe, just maybe, if we all work harder at helping our clients, we can all join a gym, take some measures to stop our hair falling out, avoid any software licensing issues and costs… and all live happily ever after :-)

For more information on cost reduction in your environment, please visit the cost reduction pages on the AppSense website.



How To Guide: Streaming Microsoft Office with Citrix XenApp 5 – Best Practice Guide & Licensing Overview

August 27, 2009

Citrix Technology Professional (CTP) Alexander Ervik Johnsen has written a very useful piece on how to profile and stream Microsoft Office 2007 using Citrix XenApp 5.0.

This is a great guide and covers how to stream Office to a desktop, or into a Citrix XenDesktop session. His article and guide can be found on his website here.

Further to the actual process of profiling and streaming the Office application, I also want to ensure everyone is aware of the Microsoft per device licensing model for server-hosted applications.

Many Microsoft applications, including Microsoft Office™, Project™ and Visio™, are licensed on a per-device basis. This means a desktop application licence is required for each and every device that is able to potentially access the application, or the server where the application is installed, regardless of whether a user ever executes and runs the application or not. This makes licensing Microsoft applications in virtual environments a tricky, potentially very costly and misunderstood subject.

One misconception is that by ‘publishing’ or ‘streaming’ applications to a limited “user” group, that group is compliant with the Microsoft licence agreement – in other words, that Microsoft licenses its applications per user. This is in fact in breach of the Microsoft licensing model, and can lead to legal action.

I have written a blog post, which also includes official Microsoft-approved whitepapers, on how to control and enforce application access and licence compliance on a per device basis in such virtual environments; that post can be found here.

In addition to helping ensure compliance, effective licence control and management can also reduce Microsoft licence requirements and associated costs – more information on this can be found here.

If anyone has any questions or comments, as always, please do let me know.

Thanks
Gareth


VDI Personalization and Configuration: Profile Management & Logon Scripts – not enough for multiple delivery mechanisms & OS platforms?

July 24, 2009

As a leading user environment management vendor, AppSense are in a unique position in that we have been involved in many VDI projects and rollouts, the majority of which vary in architecture, technology and requirements. One thing that does remain the same between such projects is the requirement for user personalization management.

For many years the roaming profile provided user personalization in SBC environments; however, as VDI deployments become more and more complex, with varying methods of desktop and application delivery, along with multiple desktop operating systems and consequently multiple profile versions, the roaming profile is no longer able to provide the user with their required settings in such (complex?) scenarios.

Furthermore, these desktops must now be constructed and configured based on the context of the user and/or connecting device: for example, mapping specific printers local to the user and device depending on the location of the user logging on, or applying security policies to hide or remove access to network drives, folders, data and functionality such as copy and paste or print, again based on the location of the user. In this way the desktop delivered to a user connected locally inside the corporate LAN differs from the desktop delivered to the same user when connecting remotely from outside the LAN.

One more point to consider is that of enabling the user to roam freely between the server-hosted or provisioned virtual desktop and the user’s local desktop device, such as their PC or roaming laptop. How do you, as IT, enable user settings to automatically follow the user between different platforms?

AppSense Environment Manager was designed from the ground up with functionality to accommodate the above requirements, making it, or other user environment management solutions, essential to the mass adoption of VDI on an enterprise scale. In essence, AppSense provides the ability to encompass multiple delivery technologies and OS platforms by allowing the user to roam between the paradigms without any noticeable change to their desktop or user experience, enabling IT and the organization to benefit from flexibility, agility and lower TCO. I do at this point want to highlight that this is different from the personalization management provided by the leading VDI vendors (Citrix, Microsoft, VMware etc.), as their in-built functionality is typically designed for their own delivery platform, not each other’s. In essence, further to the advanced personalization and simplification of desktop management, AppSense also enables an organization to use combinations of both existing technologies and, potentially more importantly, any future VDI delivery technologies and vendors.
 
I have just found a very nice blog post covering the functionality of not only AppSense Environment Manager, but also the base technology inherent within the leading VDI vendors – Citrix, VMware and Microsoft. Hopefully from this blog post, and the information over at GenerationV, you will see how AppSense bridges the gap between the roaming user and a dynamic, flexible VDI model.

For more information on this, the GenerationV Profile Management blog post can be found here.


AppSense Technical University Training For Partners

July 22, 2009

I am excited about writing this one: the much-awaited 2009 AppSense Technical University is soon upon us! It will take place in October and November!! Following on from our previous events, there are some exciting new developments at AppSense that we would like to share with you, amongst other topics:

  • User Introduced Applications (UIA) Technology – do we need, and how do we enable, users to install applications into non-persistent VDI sessions, and have the applications (and their settings and preferences) remain available in the next non-persistent VDI session?!
  • AppSense Management Suite Version 8.1 Product RoadMap
  • ‘Policy & Personalization’ best practices across virtual and multi OS platform environments


Why attend the AppSense Technical University?

The AppSense University is a ‘free of charge’ event to our AppSense Certified Solution Partners, and is a great chance to meet up with the AppSense Technical teams, as well as your peers from within the community. As a valued member of our Certified Solutions Partner program, you are invited to this comprehensive technical update and networking event.

The 2-day event will include in-depth, hands-on training designed to enable you to provide consultancy services and implement the AppSense Management Suite for prospects and customers.

Register for further information

As always, AppSense is hosting several Technical University events in locations around the globe. If you are interested in attending an AppSense Technical University, click on the country or region most relevant to you and we will keep you informed of the event details:

United States, November 2009 

United Kingdom, October 2009

Norway, November 2009

DACH Region, November 2009

BeNeLux, November 2009

Australia, October/November 2009

We look forward to seeing you there!

Best Regards,

The AppSense Technical University Team.

Website: http://www.appsense.com
Email: university@appsense.com
Telephone: +44 (0)1928 793 444

