This is the first installment in a series of posts about the new features and options in AppSense Version 8 Service Pack 2. (If you have not yet downloaded this latest release, you can read more info and download it from here.)
AppSense Environment Manager 8.0 Service Pack 2 introduces a new option – Run As.
This emulates the Microsoft Run As command and allows actions to be executed in the context of another, specified user, for example to launch an application in a different user context.
When selecting the Run As tab in an action you are presented with one, two or three options:
Current User: Available on all relevant User actions. This is the default selected method and runs the action in the context of the logged-on user.
System: Available on all actions. This is the default method for Computer nodes and runs the action in the context of the System user.
User: Available on all relevant User actions. On selection of this option the administrator is prompted to select a friendly name to run as. If no friendly name exists, the Run As Library can be launched where friendly names, usernames and passwords can be stored for re‐use.
The friendly names are stored in the configuration in a reusable library section. Each friendly name is accompanied by the username and password. The password is encrypted using a one-way public key, so the stored value cannot be decrypted with anything held in the configuration itself. This prevents passwords from being reverse engineered.
During installation of the AppSense Environment Manager Agent, the private key is added to the machine's key store. This is a write-only store, i.e. it cannot be read.
When an action is run as a specified user the associated username and password are used to impersonate said user. AppSense Environment Manager uses a handle to the private key to decrypt the password at this point.
Note: The Run As specified user only impersonates that user. This means the user's profile and registry hive are not loaded from the domain, due to the associated overhead. As a result, the environment variables for the action represent the System user and not the currently logged-on user or the specified user.
Note: This is both a very powerful and potentially dangerous function. Even though the password is encrypted, the username and password pair can be applied to any action and a malicious user may be able to alter the configuration to possibly bypass security. Therefore, this function must be used with extreme care.
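The key-store behaviour described above, and the reason the note still applies, can be reproduced with the standard Windows CryptoAPI through .NET. This is an added example, not AppSense code and not a description of the product's internals; the container name and password are constructed, and it assumes an elevated PowerShell session on Windows.

```powershell
# Added illustration of the general pattern: a non-exportable RSA key in the
# machine key store. Container name and password are constructed values.
$rsaType = [System.Security.Cryptography.RSACryptoServiceProvider]
$name    = 'Demo-RunAs-Container'            # hypothetical container name

# "Install time": generate the key pair inside the machine key store and
# mark the private half as non-exportable.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.KeyContainerName = $name
$csp.Flags = 'UseMachineKeyStore, UseNonExportableKey'
$agentKey = $rsaType::new(2048, $csp)
$agentKey.PersistKeyInCsp = $true
$publicXml = $agentKey.ToXmlString($false)   # public half only

# "Console side": holds only the public key, so it can encrypt the password
# for the configuration but can never decrypt it again.
$console = $rsaType::new()
$console.PersistKeyInCsp = $false
$console.FromXmlString($publicXml)
$secret = [Text.Encoding]::UTF8.GetBytes('Constructed-Passw0rd!')
$cipher = $console.Encrypt($secret, $true)   # $true = OAEP padding

# The private key cannot be read back out of the store...
try   { $null = $agentKey.ExportParameters($true); $exportable = $true }
catch { $exportable = $false }

# ...but any process allowed to open the container gets a handle that decrypts.
$open = New-Object System.Security.Cryptography.CspParameters
$open.KeyContainerName = $name
$open.Flags = 'UseMachineKeyStore, UseExistingKey'
$handle = $rsaType::new($open)
$plain  = [Text.Encoding]::UTF8.GetString($handle.Decrypt($cipher, $true))

[pscustomobject]@{
    PrivateKeyExportable = $exportable       # expected: False
    DecryptedViaHandle   = ($plain -eq 'Constructed-Passw0rd!')
}

# Clean up: delete the demo container from the machine key store.
$handle.PersistKeyInCsp = $false
$handle.Clear()
```

The private key never leaves the store, yet the ciphertext remains usable wherever that key can be opened, so protecting who can edit the configuration matters as much as the encryption itself.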
As this is an ever-growing blog topic, more posts on the other new features we have detailed can be found below: