Administration Guide
Notice
The information contained in this document ("the Material") is believed to be accurate
at the time of printing, but no representation or warranty is given (express or implied)
as to its accuracy, completeness or correctness. AppSense Limited, its associated
companies and the publisher accept no liability whatsoever for any direct, indirect or
consequential loss or damage arising in any way from any use of or reliance placed on
this Material for any purpose.
Copyright in the whole and every part of this manual belongs to AppSense Limited
("the Owner") and may not be used, sold, transferred, copied or reproduced in whole
or in part in any manner or form or in or on any media to any person other than in
accordance with the terms of the Owner's Agreement or otherwise without the prior
written consent of the Owner.
Trademarks
AppSense and the AppSense logo are registered trademarks of AppSense Holdings Ltd.
Microsoft, Windows and SQL Server are trademarks or registered trademarks of
Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the Fluent
user interface is licensed from Microsoft Corporation. Other brand or product names
are trademarks or registered trademarks of their respective holders.
CONTENTS

Welcome
    Feedback
Chapter 1  Product Overview
    Architecture
        Components
        Software Agent
        Configuration
    The Console
    Key Benefits
    Feature Summary
Chapter 2  Manage Configurations
    Default Settings
    Configuration
        Configuration Elements
        Rule Matching
    Configuration Properties
        Message Settings
        Archiving
    Save a Configuration
    Import a Configuration
    Export a Configuration
    Tasks
Chapter 3  General Features
    Trusted Owners
    Trusted Applications
    Extension Filtering
    Options
    Tasks
Chapter 4  Rules
    Manage Rules
    Group Rules
    User Rules
    Device Rules
    Custom Rules
    Scripted Rules
    Security Level
    Tasks
Chapter 5  Rule Items
    Accessible Items
    Prohibited Items
    Trusted Vendors
    Tasks
Chapter 6
    Manage
    Items
    Tasks
Chapter 7
    Groups
    Group Items
    Tasks
Chapter 8  Endpoint Analysis
    Endpoint Management
    Installed Applications
    Application Data
    Data Files
    Tasks
Chapter 9  Rules Analyzer
    Endpoint Management
    Data Acquisition
    Data Files
    Tasks
Chapter 10  Auditing
    Audit
    Local Events
Chapter 11  Configuration Profiler
    Report Type
    Report Criteria
    Report Output
Chapter 12  Best Practices
Appendixes
    Appendix A  System Requirements
    Writing a Script
    Sample Scripts
    Best Practices
    Appendix C
    Appendix D  Licensing
        Managing Licenses
    Troubleshooting
    Streamed Applications
        Citrix XenApp
    Appendix B
    Appendix E
    Glossary
WELCOME
Feedback
Publication number: APAM80-04-130209-1
Document Conventions (Table 3.1)
Convention - Use
Bold - Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.
Code -
Italic - Highlights values you can enter in console text boxes and titles for other guides and Helps in the documentation set.
> -
Feedback
The AppSense Documentation team aim to provide clear, accurate and high quality
documentation to assist you in the installation, configuration and ongoing operation of
AppSense products.
We are constantly striving to improve the documentation content and greatly value and
appreciate any contribution you wish to make to enhance the detail of the content, based on
your experiences with AppSense products.
Please feel welcome to send in your comments to the following email address and we will
endeavor to incorporate these into future publications:
documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team
Product Overview
Architecture
The Console
Key Benefits
Feature Summary
Product Overview
This document shows how to set up and use the components of AppSense Application Manager. Application Manager provides centralized management of corporate application control, eliminating unauthorized application usage and controlling application network access enterprise wide. Protective measures, such as blocking the execution of all unauthorized software, are provided, along with extensive options for creating rules to manage production application usage.
Application Manager is part of a closely integrated system of management components and can
be centrally configured and deployed to desktops, servers and Terminal Servers throughout the
enterprise using the AppSense Management Center.
For further information see the AppSense Management Center Administration Guide.
Architecture
This section provides details on the architecture of Application Manager and includes the following:
Components
Software Agent
Configuration
Components
[Architecture diagram: Client Computer, License]
Software Agent
Application Manager is installed and run on endpoints using a lightweight Agent. In Standalone
mode the Agent is installed directly onto the local computer. In Enterprise mode, the Agent is
stored in the AppSense Management Console.
Both Agents and Configurations are constructed as Windows Installer MSI packages and can
also be distributed using any third-party deployment system which supports the MSI format.
Since the Agents and Configurations are installed and stored locally they continue to operate
when endpoints such as notebooks and Tablet PCs are disconnected or offline.
For further information about deploying AppSense software, refer to the AppSense
Management Center Administration Guide.
Configuration
Application Manager Configuration files contain the rule settings for securing your system. The
Agent checks the configuration rules to determine the action to take when intercepting file
execution requests.
Configurations are stored locally in the All Users profile and are protected by NTFS security. In
standalone mode, configuration changes are written directly to the registry from the
Application Manager Console. In centralized management mode, configurations are stored in
the AppSense Management Center database, and distributed in MSI format using the
AppSense Management Console.
Configurations can also be exported and imported to and from MSI file format using the
Application Manager Console which is useful for creating templates or distributing
configurations using third party deployment systems.
After creating or modifying a configuration you must save the configuration with the latest
settings to ensure that they are implemented.
The Console
The Application Manager Console launches when the link is selected in the Start > All
Programs > AppSense menu.
Application Menu
The Application Menu provides options for managing configurations, including creating new, opening existing, saving, importing and exporting configurations, and printing.
The Preferences option allows you to modify the console skin and select whether to display the introductory splash screen.
Option - Description
New
Open
Save
Save As - Saves the configuration with a new name to one of the following locations:
    Live configuration on this computer
    Configuration in the Management Center
    Configuration file on a local or network drive: Application Manager Package Files format (aamp)
    Note: A live configuration is located on a computer which has an Application Manager Agent installed and running.
    Warning: If using the Microsoft Vista operating system with UAC enabled, you must ensure that you open the console with Administrator privileges.
Import - Imports a configuration from MSI format, usually legacy configurations which have been exported and saved from legacy consoles.
Export - Exports a configuration to MSI format.
Exit
Preferences
Option - Description
Save - Saves changes to the configuration. The configuration remains locked if opened from the AppSense Management Center.
Save and unlock - Saves changes and unlocks the configuration. These changes can now be deployed from the Management Center.
Undo - Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to clear the actions. The action selected and all proceeding actions are undone.
Redo - Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which you want to redo the actions. The action selected and all subsequent actions are redone.
Back - Navigates back through the views visited in this session.
Forward - Navigates forward through the views visited in this session.
Ribbon Pages
Ribbon Pages include buttons for performing common actions arranged in ribbon groups
according to the area of the Console to which the actions relate. For example, the Home ribbon
page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and
Support links.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for the
default action.
Help
The Home ribbon page includes a Help button which launches the Help for the product and
displays the topic relating to the current area of the console in view. A smaller icon for
launching the Help displays at the far right of the console, level with the ribbon page tabs, for
convenience when the Home ribbon page is not in view. You can also click F1 to launch the
Help topic for the current view.
Navigation Pane
The Navigation Pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work Area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the navigation
tree and the selected navigation buttons. Sometimes the work area is split into two panes. For
example, one pane can provide a summary of the settings in the other pane.
Additional Console Features
Shortcut Menu: right-click shortcuts are available in the navigation tree and some areas of the Console.
Drag and Drop: this feature is available in some nodes of the navigation tree.
Cut/Copy/Paste: these actions can be performed using the buttons in the Home ribbon page, shortcut menu options and also using keyboard shortcuts.
Key Benefits
This section lists the key benefits of using AppSense Application Manager:
Feature Summary
Application Manager provides the following key features for application control:
Trusted Ownership
By default, only application files owned by an Administrator or the local System are allowed to
execute. Trusted Ownership is determined by reading the NTFS permissions of each file which
attempts to run. Application Manager automatically blocks any file where ownership cannot be
established, such as files located on non-NTFS drives, removable storage devices, or network
locations. These files can optionally be allowed to run either by specifying them as Accessible
Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured
to suit each environment.
User, Group, Device and Custom Rules
Extend application accessibility by applying rules based on username, group membership,
computer or connecting device, and combinations of these. Accessible and Prohibited Items,
and Trusted Vendors can be specified in each rule, and are applied to a user session based on
the environment in which the user operates.
Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items and Trusted
Vendors to users based on the outcome of a VBScript. The VBScript can be run for each
individual user session or run once per computer.
Trusted Vendors
Allow authentic applications to run which have digital certificates signed by trusted sources, and
which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor
certificates for each User, Group, Device, Custom and Scripted Rule of the configuration.
Trusted Applications
Allow authorized applications to run files which are normally prohibited. Authorized
applications are designated as Trusted Applications (parent processes) which are assigned
specific prohibited files as Trusted Content (child processes). Trusted Content is allowed to run
only as the child process of a Trusted Application parent process.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to
allow files in these locations to run as Trusted Content of the Trusted Applications.
Application Network Access Control
Block access to certain web applications and normal applications based on the outcome of rules
processing. Application Manager has the ability to manage access based on the location of the
requester, for example if they are connecting via VPN or directly to the network.
Digital Signatures
SHA-1 signature checks may be applied to any number of application control rules, providing
enhanced security where NTFS permissions are weak or non-existent, or for applications on
non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of
large digital signature lists.
EndPoint Analysis
Allows an Administrator to browse to any endpoint and retrieve a list of applications that have
been installed on that endpoint. Search for any executable files and add them to the
configuration.
Application Manager records which applications are started and by whom. The recording of
data is started and stopped by the administrator.
End Point Analysis is on demand and inactive by default.
Auditing
Events are raised by Application Manager according to the default Event Filtering configuration
and audited directly to a local file log or the Windows Event Log. Alternatively, events can be
forwarded for auditing to the AppSense Management Center via the Client Communications
Agent (CCA). The Application Manager audit event reports available in the Management Center
can also be used to provide details of current application usage across the enterprise. For more
information, see the AppSense Management Center Administrator Guide and Help.
Windows Scripting Host Validation
All Windows Scripting Host (WSH) scripts, such as VBS, are validated against configuration rules.
This ensures that users can only invoke authorized scripts, eliminating the risk of introducing
WSH scripts that contain viruses or malicious code.
Manage Configurations
This section provides details on Application Manager Configurations and includes the following:
Default Settings
Configuration
Configuration Properties
Save a Configuration
Import a Configuration
Export a Configuration
Tasks
Default Settings
On installation Application Manager has a configuration loaded with the following default
settings:
Group Rules
    BUILTIN\Administrators - Unrestricted
    Everyone - Restricted
Trusted Owners
    Administrators Group
    System Account
    Trusted Installer
    Computer Administrator
Default Restrictions
Trusted Applications
Configuration
The Application Manager configuration is installed on managed devices and serves as a policy
checklist for the Application Manager Agent to assess how to handle file execution requests.
When a file is executed, Application Manager intercepts the request and performs a check with
the configuration to find a matching rule that indicates the appropriate action to take.
Other default policies specified in a configuration are also applied, for example, event filtering
or handling for specific file extension types as well as general policies such as default rules,
auditing rules and how message notifications are displayed.
This section includes:
Configuration Elements
Rule Matching
Configuration Elements
The Application Manager console provides configuration settings in the following key areas:
Rules
Library
Rules
Rule nodes provide default settings for handling file executions and specific settings which apply
to particular users, groups or devices:
Group, User, Device, Custom and Scripted Rules
Allow you to specify Security Level settings that specify restrictions which apply to users, groups
or devices matching the rule. Custom rules target combinations of particular users or groups
operating on specific collections of devices. Scripted rules allow administrators to apply
Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The
VBScript can be run for each individual user session or run once per computer.
Accessible / Prohibited Items: sub-node lists within each rule which you can populate and maintain with specific files, folders, drives and digital signatures to provide an additional level of granularity for controlling file execution requests.
For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.
Trusted Vendors: a sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list.
For example, a highly restricted user might be prohibited under normal rule conditions from
introducing executable files on the system but may be required to download and run
software updates from a particular source, from time to time. If the downloaded file
includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is
allowed to run.
Library
Library nodes provide the following:
Signature Group Management
The Signature Group Management node allows you to apply digital signatures to files or
collections of files including the running child processes spawned by applications. Signature
group collections can be added to the accessible and prohibited items lists in a rule.
Network Connection Group Management
The Network Connection Group Management node allows you to create groups in the Network
Connection Group List and add network connections for the groups. The network connections
can be anything from network shares to corporate web applications.
Rule Matching
Rule matching takes place when Application Manager intercepts a file execution request and
checks the configuration policy to determine whether a file is allowed to run.
Applying Rule Policies
The most lenient security policy is applied to a user profile which is affected by more than one
rule. For example, a user who matches both a User Rule assigned the Restricted security level
and also a group rule which assigns the Self-Authorizing security level, is granted
self-authorizing privileges for all decisions and application use.
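The "most lenient policy wins" resolution described above, applied to the guide's default Group Rules (BUILTIN\Administrators Unrestricted, Everyone Restricted). This is an added example, not AppSense code; the leniency ordering Restricted < Self-Authorizing < Unrestricted and the function names are assumptions.

```powershell
# Added example (not AppSense code): resolve the effective Security Level for an account
# that matches more than one rule. The ordering below is an assumption: higher rank is
# treated as more lenient.
$LeniencyRank = @{ 'Restricted' = 0; 'Self-Authorizing' = 1; 'Unrestricted' = 2 }

# Default Group Rules from the guide, keyed by well-known SID
# (S-1-5-32-544 is BUILTIN\Administrators, S-1-1-0 is Everyone).
$DefaultGroupRules = @(
    [pscustomobject]@{ Name = 'BUILTIN\Administrators'; Sid = 'S-1-5-32-544'; SecurityLevel = 'Unrestricted' }
    [pscustomobject]@{ Name = 'Everyone';               Sid = 'S-1-1-0';      SecurityLevel = 'Restricted' }
)

function Get-CurrentPrincipalSids {
    # The user's own SID plus every group SID carried in the logon token.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Resolve-EffectiveSecurityLevel {
    param(
        [Parameter(Mandatory)] [string[]] $PrincipalSids,
        [object[]] $Rules = $DefaultGroupRules
    )
    # A rule matches when its SID is the user or one of the user's groups.
    $matched = @($Rules | Where-Object { $PrincipalSids -contains $_.Sid })
    if ($matched.Count -eq 0) {
        return [pscustomobject]@{ SecurityLevel = $null; MatchedRules = @(); WinningRule = $null }
    }
    # The most lenient matched rule decides the effective level.
    $winner = $matched |
        Sort-Object { $LeniencyRank[$_.SecurityLevel] } -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        SecurityLevel = $winner.SecurityLevel
        MatchedRules  = @($matched.Name)
        WinningRule   = $winner.Name
    }
}

# The current session's token: an administrator resolves to Unrestricted because both
# default rules match and Unrestricted is the more lenient of the two.
Resolve-EffectiveSecurityLevel -PrincipalSids (Get-CurrentPrincipalSids)

# A constructed token for a standard user (placeholder SID) who is only a member of Everyone.
Resolve-EffectiveSecurityLevel -PrincipalSids @('S-1-5-21-0-0-0-1001', 'S-1-1-0')
```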
Matching Files and Rules
The Application Manager agent applies rules by making a suitable match for the file type.
Matching is based on a three stage approach which considers security, matching order and
policy decisions:
1. Security:
2. Matching:
3. Policy:
Configuration Properties
This section details the Configuration Properties and includes the following:
Message Settings
Archiving
Message Settings
Use the Message Settings options in General Features ribbon page > Configuration
Properties ribbon group to configure settings for messages issued to users. You can set up
messages for situations where access is denied, application limits have been exceeded and for
self authorization. Time limits for application behaviour can be specified with warning and
denied messages.
Message Box Variables
The message box caption and text may contain user and system-wide environment variables, including the variables shown in Table 2.1. Environment variables are not expanded during testing.
Table 2.1
Environment Variable - Description
%ExecutableName%
%FullPathName%
%DirectoryName%
Reference
Access Denied
Displays when the user is denied access to an unauthorized application.
Message
%USERNAME% is not authorized to execute %Executablename%.
Application Limits Exceeded
Displays when the user is denied access to an application that has reached an application limit.
Message
%USERNAME% has exceeded the application limit for %ExecutableName%.
Time Limits
The Warning Message displays when the user is denied access to an application that has a
Timed Exception applied that is not valid at the requested time.
The Denied Message displays when an application has a Timed Exception applied that has now
expired and the application is still running.
Display an initial warning message
Select to display an initial warning message to the user when an application has exceeded time
limits. Typically, this gives the user time to save their work and close the application.
Close application
Select to send a close message to the application. When most applications receive a close
message they automatically give the user a chance to save their work.
Terminate application
Select to terminate the application. Typically this is used after the application has been sent a
close message but has failed to terminate.
Wait
Specify the number of seconds to wait between each of the selected termination options. For
example, if the user selects all three of the termination options and then selects 20 seconds, the
warning message will be displayed, followed 20 seconds later by the close message and finally
the application terminates after a further 20 seconds.
Warning Message
Displays when the user is denied access to an application that has a Timed Exception applied
and that is not valid at the requested time.
Message
%USERNAME% is no longer permitted to run %ExecutableName%. Please save all work and
shut down this application immediately
Denied Message
An application has a Time Limit applied that has now expired and the application is still running.
Message
%USERNAME% is not permitted to run %ExecutableName% at this time.
Self-Authorization
The Message displays when a self-authorizing user attempts to run a prohibited application and
the file requires a user decision to run.
The Response displays when a self-authorizing user allows a DLL file that another application
uses and the application may need to be restarted.
Message
%ExecutableName% cannot run without your authorization. This action may be logged.
Response
%ExecutableName% is now authorized. Applications using this file may need to be restarted.
Click the Test button to preview the message box.
Archiving
Archiving is an optional function that allows you to copy any denied executables into a secure folder.
Reference
Use archiving
Select to switch on the archiving function.
Global Properties
Do not archive administrator owned files
Select to prevent Application Manager from adding administrator owned files to the archive.
Do not archive if the file already exists
Select to prevent Application Manager from adding files to the archive which already exist in the
archive, especially if the archive resides on the network.
Use anonymous archiving
Select to prevent Application Manager from adding any user names to the archive. For example,
if a user runs a downloaded file from the $Home drive, the owner of the file is that user and
also the archived filename contains the users name as part of the path from which it was
executed. If Anonymous archiving is selected, the owner of the file is changed to SYSTEM
and any references to the user name are replaced with anonymous.
Total Limit
The maximum size in MB that the archive is allowed to reach before archiving stops. If the "When a users archive is full allow the oldest files to be overwritten" option is selected, files are overwritten.
User Limit
The maximum size in MB that a single user archive is allowed to reach before files are
overwritten. For example, if an archive path is specified as C:\archive\%username%, every user
on the system has a separate archive under the C:\archive directory. It is this user archive that is
subject to the user limit.
A limit setting of zero (0) denotes an unlimited size for an archive.
File Options
Only archive files less than _Mb
Limits the size of the files that are copied to the archive. This is particularly useful if a network
archive is specified since copying large files to a network location is a potentially time
consuming operation.
When a users archive is full allow the oldest files to be overwritten
Select to allow Application Manager to overwrite the oldest files in the archive in cases where
the archive size has reached either the Total limit or the User limit.
Folders
Archive Folder
The list of folder paths to which archive files are copied.
Browse
Browse to the location where you want the archive to exist.
Add
Add an archive location to the list. The archive may contain environment variables. For example,
%SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Manager attempts
to archive the file. Each user has a personal archive.
Move Up
Moves the selected archive up the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
Move Down
Moves the selected archive down the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
Save a Configuration
When changes are made to a configuration you have the following options:
Save and Unlock this configuration: the configuration is saved and unlocked and can now be edited by other users.
Unlock only, do not save: reverts the configuration to the original state and unlocks the configuration for editing by other users.
Save As
Import a Configuration
Configurations can be imported into Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Import Configuration from MSI. The Open dialog box displays.
4. Navigate to the location of the MSI, select it and click Open.
Export a Configuration
Configurations can be exported from Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Export Configuration as MSI. The Save As dialog box displays.
4. Navigate to the location to where you want to save the MSI, click Save.
Tasks
This section includes the following tasks:
CREATE A CONFIGURATION
Applications not stored on local hard drives are prohibited. For example, applications on network drives and removable media are prohibited.
Applications that are not owned by the administrator are prohibited. For example, any applications copied onto the computer's hard drives by a non-administrator are prohibited.
TEST A CONFIGURATION
You must have a test user set up before proceeding with this task.
9. Click OK.
The User rule work area displays the newly created test user.
The test account should not be one of the Trusted Owners in the configuration.
General Features
This section provides details on the general features of Application Manager and includes the
following:
Trusted Owners
Trusted Applications
Extension Filtering
Options
Tasks
Trusted Owners
During the rule matching process, Trusted Ownership checking is performed on files, folders
and drives to ensure that ownership of the items is matched with the list of trusted owners
specified in the default rule configuration.
For example, if a match is made between the file you want to run and an accessible item, an
additional security check ensures that the file ownership is also matched with the Trusted
Owners list. If a genuine file has been tampered with or a file which is a security threat has been
renamed to resemble an accessible file, trusted ownership checking identifies the irregularity
and prevents the file execution.
Trusted ownership checking is not necessary for items with digital signatures as these cannot be
imitated.
The list of Trusted Owners is maintained in the General Features ribbon page > Default
Restrictions group > Trusted Owners. Application Manager trusts all local administrators
and SYSTEM owned applications by default and you can extend this list to include other users or
groups. You can also designate certain Trusted Applications, such as antivirus applications, to
be permitted to execute files which would otherwise be prohibited from running.
When using Application Manager for the first time, we recommend you use the default
settings. To avoid complex customizations do not extend the Trusted Owners list or change
any default settings.
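An audit of the Trusted Ownership rule described above and in the Feature Summary: which executables in a folder would be blocked under the default Trusted Owners (local Administrators and SYSTEM), and why. This is an added example, not AppSense code; the function names are assumptions, and the SHA-1 column is included only because the guide's Digital Signatures feature uses SHA-1.

```powershell
# Added example (not AppSense code). Well-known SIDs: BUILTIN\Administrators (S-1-5-32-544,
# shown in the guide) and NT AUTHORITY\SYSTEM (S-1-5-18).
$TrustedOwnerSids = @('S-1-5-32-544', 'S-1-5-18')

function Test-TrustedOwnership {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedSids = $TrustedOwnerSids
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $root = [System.IO.Path]::GetPathRoot($item.FullName)

    # Ownership can only be established on a local, fixed NTFS volume. UNC paths,
    # network drives, removable media and non-NTFS drives fail, as the guide describes.
    $fs = $null
    if ($root -notlike '\\*') {
        $drive = New-Object System.IO.DriveInfo($root)
        if ($drive.IsReady -and $drive.DriveType -eq 'Fixed') { $fs = $drive.DriveFormat }
    }
    if ($fs -ne 'NTFS') {
        return [pscustomobject]@{
            Path = $item.FullName; Owner = $null; OwnerSid = $null; FileSystem = $fs
            Trusted = $false; Reason = 'Ownership cannot be established (not a local fixed NTFS volume)'
        }
    }

    # Read the owner from the security descriptor as a SID so that renamed or
    # unresolvable accounts are still compared correctly against the list.
    $acl = Get-Acl -LiteralPath $item.FullName
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $trusted = $TrustedSids -contains $ownerSid

    [pscustomobject]@{
        Path = $item.FullName; Owner = $acl.Owner; OwnerSid = $ownerSid; FileSystem = $fs
        Trusted = $trusted
        Reason = if ($trusted) { 'Owner is a Trusted Owner' } else { 'Owner is not a Trusted Owner' }
    }
}

function Get-TrustedOwnershipReport {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string[]] $Include = @('*.exe', '*.dll')
    )
    Get-ChildItem -LiteralPath $Folder -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-TrustedOwnership -Path $_.FullName
            # SHA-1 is the hash the guide's Digital Signatures feature uses; recording it
            # helps when an untrusted file should be allowed by signature rather than owner.
            $r | Add-Member -NotePropertyName Sha1 `
                -NotePropertyValue (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash -PassThru
        }
}

# Everything under the current user's Downloads folder that the default rule would block.
Get-TrustedOwnershipReport -Folder "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.Trusted } |
    Format-Table Path, Owner, Reason -AutoSize
```

Files a standard user downloads are owned by that user and therefore appear in the report, which is exactly the case the guide's Accessible Items, Trusted Vendors and Self-Authorizing options exist to handle.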
WHITE LISTS
If you prefer to use a white list approach where nothing is allowed to run by default, clear the
Make local drives accessible by default check box in the General Features ribbon page >
Default Restrictions group > Options. To make items accessible add them to the Accessible
Items folder of a configuration node.
If you use a White List approach, ensure that you allow important system files to run, by
adding a Group Rule for the Everyone group in which all of the relevant files or folders have
been added to Accessible Items. Otherwise, many crucial executable files and DLLs such as
those which are stored in the system32 directory can be prevented from running and
adversely affect correct system functioning.
Clear the Trust. Ownership check box in the Accessible Items sub-nodes:
Assign self-authorization status to users and devices to allow the user to decide whether or
not to allow a file to run.
Set the Self-Authorizing security level for a rule in the Group Rules, User Rules, Device
Rules and Custom Rules nodes.
Trusted Applications override restrictions resulting from matches with Prohibited Items.
Reference
Trusted Owners
Textual SID
The Textual Security Identifier of the Trusted Owner. For example, S-1-5-32-544.
Add Trusted Owner
Launches the Add Trusted Owners dialog box. Enter or Browse to select an Account to add
to the Trusted Owner list.
Trusted Applications
Trusted Applications are files which are authorized by Application Manager configuration rules
and are permitted to execute specified files which are normally prohibited.
Once an application is designated as a Trusted Application, you can add, as Trusted Content,
those files and file types which are normally prohibited, and run them as child processes of the
specified Trusted Applications. You can also add folders and drives as Trusted Content to allow
Trusted Applications to run prohibited files in those locations.
Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted
Ownership checking. Application Manager checks the process tree of the prohibited file for a
running parent application which is an authorized application and matches a Trusted
Application. If a match is found, the file is allowed to run.
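The process-tree check described above, as an added example that is not AppSense code: walk a running process's ancestry and report whether any ancestor is on a Trusted Applications list. The Agent performs this check at execution time; this script only inspects a tree that is already running, and the function names and the placeholder trusted path are assumptions.

```powershell
# Added example (not AppSense code): find a Trusted Application parent in a process tree.
function Get-ProcessAncestry {
    param([Parameter(Mandatory)] [int] $ProcessId)
    $chain = @()
    $seen = @{}
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    # Stop at the root or when a PID repeats (PID 0 reports itself as its own parent).
    while ($current -and -not $seen.ContainsKey([int]$current.ProcessId)) {
        $seen[[int]$current.ProcessId] = $true
        $chain += [pscustomobject]@{
            ProcessId = $current.ProcessId
            Name      = $current.Name
            Path      = $current.ExecutablePath
        }
        $current = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"
    }
    $chain
}

function Test-TrustedApplicationParent {
    param(
        [Parameter(Mandatory)] [int] $ChildProcessId,
        [Parameter(Mandatory)] [string[]] $TrustedApplicationPaths
    )
    # Only ancestors count: the child itself is the file being checked.
    $ancestors = @(Get-ProcessAncestry -ProcessId $ChildProcessId | Select-Object -Skip 1)
    foreach ($p in $ancestors) {
        # String comparison with -contains is case-insensitive in PowerShell.
        if ($p.Path -and ($TrustedApplicationPaths -contains $p.Path)) {
            return [pscustomobject]@{ Allowed = $true; MatchedParent = $p; Ancestry = $ancestors }
        }
    }
    [pscustomobject]@{ Allowed = $false; MatchedParent = $null; Ancestry = $ancestors }
}

# Constructed Trusted Applications list (placeholder path) checked against this PowerShell host.
$trusted = @("$env:ProgramFiles\Example Vendor\updater.exe")
Test-TrustedApplicationParent -ChildProcessId $PID -TrustedApplicationPaths $trusted
```

Win32_Process records only the parent PID, so a parent that has exited and had its PID reused can yield a false ancestry; compare CreationDate of parent and child before relying on a match.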
Reference
Options
Configure Trusted Application settings.
Disable Trusted Applications checking
Select to switch off Trusted Applications checking.
Check all denied requests
Select to perform Trusted Application matching both on files prohibited by Trusted Ownership
checking and files prohibited by configuration rules.
Add Signature
Launches the File Selection dialog box. Enter or Browse to select the file you want to add.
The digital signature of the selected application is added to the list under the Signatures
heading.
Configuration > Trusted Content
Add File
Launches the File Selection dialog box. Enter or Browse to select the file you want to add. This
file will be allowed to run as a child process of the selected trusted application.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Folder
Launches the Folder Selection dialog box. Enter or Browse to select the folder you want to
add. This allows application files in this folder to be allowed to run as child processes of the
selected trusted application.
Includes Recurse subdirectories option, which is selected by default. This option indicates
whether the subdirectories of the folder are included.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Drive
Launches the Add Drive dialog box. Enter a drive letter to allow application files in this location
to run as child processes of the selected trusted application.
Extension Filtering
Apply Application Manager rules to specific file extensions.
Reference
Options
The Options in the General Features ribbon tab > Default Restrictions group provide
general Application Manager settings to apply to all application and process execution requests.
The Options are divided into two sections:
Validation - all options are selected by default with the exception of Validate System
processes.
Tasks
This section includes the following tasks:
1. Introduce one or more applications using a test user account. For more details see Test a
Configuration.
2. Copy one or more applications to the user's home drive or another suitable location, such
as calc.exe from the System32 folder, or copy a file from a CD.
3. Attempt to run a copied file.
The application is prohibited because the copied files are owned by the test user, who is not a
member of the Trusted Owners list.
You can verify the ownership of a file by viewing the Properties using Windows Explorer.
1. Create a rule in the User Rules node which applies to a test user account.
2. Add calc.exe to Prohibited Items.
3. Save the configuration.
4. Run calc.exe.
Calc is blocked and an error notification is displayed.
5. Add to Accessible Items, a VBS file containing the following script sample which attempts
to launch calc.exe:
set objShell = CreateObject ("Wscript.Shell")
objShell.Run "calc.exe"
6. Add to Trusted Applications, wscript.exe which is the process that hosts VBScripts.
7. Add calc.exe to the Trusted Content for wscript.exe.
8. Save the configuration.
9. Run VBScript file.
calc.exe is allowed to run.
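The Trusted Ownership and Trusted Applications matching described in the Trusted Applications section, and the wscript.exe / calc.exe walkthrough in the task above, as a constructed Python model. This is an added example, not AppSense code: file ownership, the process tree, Trusted Content and the rule lists are plain data. The trusted-owner SID list, the order in which the checks run, and the use of the image path in place of the application's digital signature are assumptions made for the example.

```python
"""Constructed model of Trusted Ownership and Trusted Applications checking.
Added example, not AppSense code: ownership, the process tree and the rule
configuration are plain data so the decision logic can be run anywhere."""
from dataclasses import dataclass, field
from typing import Optional
import ntpath  # Windows path semantics regardless of the host OS

# Constructed Trusted Owners list: Administrators (S-1-5-32-544) and SYSTEM.
TRUSTED_OWNER_SIDS = {"S-1-5-32-544", "S-1-5-18"}


@dataclass
class FileInfo:
    path: str
    owner_sid: str  # owner from the NTFS security descriptor (constructed here)


@dataclass
class Process:
    pid: int
    image: str
    parent_pid: Optional[int]
    authorized: bool  # the running process itself passed Application Manager's checks


@dataclass
class TrustedApplication:
    image: str  # stand-in for the application's digital signature (assumption)
    files: set = field(default_factory=set)
    folders: dict = field(default_factory=dict)  # folder -> "Recurse subdirectories"
    drives: set = field(default_factory=set)


def _n(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def passes_trusted_ownership(f: FileInfo, trusted=TRUSTED_OWNER_SIDS) -> bool:
    return f.owner_sid in trusted


def trusted_content_allows(app: TrustedApplication, path: str) -> bool:
    """Is `path` covered by the Trusted Content (files, folders, drives) of `app`?"""
    p = _n(path)
    if any(_n(f) == p for f in app.files):
        return True
    parent = ntpath.dirname(p)
    for folder, recurse in app.folders.items():
        root = _n(folder).rstrip("\\")
        if parent == root or (recurse and parent.startswith(root + "\\")):
            return True
    drive = ntpath.splitdrive(p)[0].rstrip(":")
    return any(d.rstrip(":\\").lower() == drive for d in app.drives)


def trusted_application_allows(processes, requesting_pid, path, trusted_apps) -> bool:
    """Walk up the process tree from the process that is trying to start `path`,
    looking for a running, authorized ancestor that matches a Trusted Application
    whose Trusted Content covers the file."""
    by_pid = {p.pid: p for p in processes}
    current, seen = by_pid.get(requesting_pid), set()
    while current is not None and current.pid not in seen:
        seen.add(current.pid)
        if current.authorized:
            for app in trusted_apps:
                if _n(app.image) == _n(current.image) and trusted_content_allows(app, path):
                    return True
        current = by_pid.get(current.parent_pid)
    return False


def execution_allowed(f, requesting_pid, processes, trusted_apps, accessible=(), prohibited=()):
    """Assumed order: a Prohibited Items match denies; otherwise Accessible Items or
    Trusted Ownership allows; a file denied either way gets the Trusted Applications
    check as its last chance."""
    p = _n(f.path)
    denied_by_rule = any(_n(x) == p for x in prohibited)
    if not denied_by_rule:
        if any(_n(x) == p for x in accessible) or passes_trusted_ownership(f):
            return True
    return trusted_application_allows(processes, requesting_pid, f.path, trusted_apps)


def sample_scenario():
    """Constructed data mirroring the task: wscript.exe is a Trusted Application with
    calc.exe (and a C:\\Tools folder) as Trusted Content; H:\\calc.exe is a copy
    owned by the test user."""
    processes = [
        Process(100, r"C:\Windows\explorer.exe", None, True),
        Process(200, r"C:\Windows\System32\wscript.exe", 100, True),  # hosts the VBS
        Process(300, r"C:\Windows\System32\cmd.exe", 100, True),
    ]
    wscript = TrustedApplication(r"C:\Windows\System32\wscript.exe",
                                 files={r"C:\Windows\System32\calc.exe"},
                                 folders={r"C:\Tools": True})
    calc = FileInfo(r"C:\Windows\System32\calc.exe", "S-1-5-32-544")
    calc_copy = FileInfo(r"H:\calc.exe", "S-1-5-21-1000-2000-3000-1103")  # test user (constructed SID)
    return processes, [wscript], calc, calc_copy
```

With calc.exe in Prohibited Items, `execution_allowed(calc, 300, ...)` (launched from cmd.exe) is denied while `execution_allowed(calc, 200, ...)` (launched from the wscript.exe host) is allowed, which is the behaviour the task walks through; the user-owned copy on H: stays blocked either way because it is not Trusted Content.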
Rules
This section provides details on Rules in Application Manager and includes the following:
Manage Rules
Security Level
Tasks
Manage Rules
Rule nodes allow you to create rules targeting specific users, groups and devices and assign
security level policies, resource access and resource restrictions which apply to the users, groups
and devices matching the rules.
Rule nodes provide Security Level settings for specifying the levels of restrictions to execute files.
Rule nodes also provide a further layer of granularity for controlling application use with
Accessible Items, Prohibited Items and Trusted Vendors for specifying lists of files, folders, drives
and signature groups which are allowed or prevented from running.
To display all Rules in the configuration click on Rules in the navigation tree. A summary
displays with all rules listed under the rule type. The security level assigned to each rule is seen
and can also be amended.
Select to add a rule to one of the following:
Group - Launches the Add Group Rule dialog box. Enter or Browse to select an Account.
User - Launches the Add User Rule dialog box. Enter or Browse to select an Account.
Device
Custom
Scripted
To remove a rule, select a rule and click Remove Rule. A confirmation message displays, click
Yes to confirm the removal.
Group Rules
User Rules
Device Rules
Custom Rules
Scripted Rules
Group Rules
The Group rules node allows you to match security control rules with specific user groups
within the enterprise.
The Group summary displays the group name, Textual Security Identifier (SID) and Security Level
of the rule.
To add a group rule click Add Rule in the Rules ribbon page > Manage group. The Add
Group Rule dialog box displays. Enter or Browse to select an Account.
To remove a group rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each group rule node, see the Rule Items chapter for more details.
User Rules
The User rules node allows you to match security control rules with specific users within the
enterprise.
The User summary displays the User, Textual Security Identifier (SID) and Security Level of the
rule.
To add a user rule click Add Rule in the Rules ribbon page > Manage group. The Add User
Rule dialog box displays. Enter or Browse to select an Account.
To remove a user rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each user rule node, see the Rule Items chapter for more details.
Device Rules
The Device rules node allows you to match security control rules with specific devices within
the enterprise. Device rules can apply the rule settings either to the device hosting the
Application Manager agent and configuration or to devices connecting through terminal
services to the host.
For example, a configuration rule can allow certain applications to run on a server but prohibit
the application from running when launched by users operating from specific devices listed in
the rule as connecting devices to the host server.
The Device summary displays the Rule Name and the Security Level.
To add a device rule click Add Rule in the Rules ribbon page > Manage group.
To remove a device rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each device rule node, see the Rule Items chapter for more details.
Reference
Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Device the following formats are valid:
The address must be standard IPV4 dotted quad notation. For example, 127.0.0.1
The address can replace zero or more of the sections with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-). The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
Custom Rules
The Custom rule node allows you to match security control settings with combinations of
specific users or groups and devices within the enterprise. The rule can apply settings to devices
hosting the Application Manager agent and configuration or to devices connecting through
terminal services to the host.
For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and
domain\user, allows you to apply security controls when the specific user logs on from the
specified device through terminal services to the computer hosting the Application Manager
agent and configuration.
The Custom summary displays the Rule Name, User/Group Name and the Security Level.
To add a custom rule click Add Rule in the Rules ribbon page > Manage group.
To remove a custom rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each custom rule node. See the Rule Items chapter for more details.
Reference
Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Custom rule the following formats are valid:
The address must be standard IPV4 dotted quad notation. For example, 127.0.0.1
The address can replace zero or more of the sections with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-). The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
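The IP address formats accepted for Device rules and Custom rules (the same notation is described under both) as a constructed Python matcher. This is an added example, not AppSense code. It follows the page's own examples: a range is written with a hyphen (127.0.0.1-255), and because 128-128.0.*.30-125 is given as valid, equal bounds are accepted (an assumption about the product's exact validation). The hostname comparison in `device_matches` is a case-insensitive string comparison, also an assumption.

```python
"""Device rule address patterns: dotted-quad IPv4 with per-section wildcards
(*) and ranges (low-high). Added example, not AppSense code."""
import re

_SECTION = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")


def parse_ipv4(address: str):
    """Strict dotted-quad parse of the connecting device's address."""
    parts = address.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    return [int(p) for p in parts]


def parse_pattern(pattern: str):
    """Return four inclusive (low, high) bounds for a rule entry such as 127.*.0.1."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"pattern must have four sections: {pattern!r}")
    bounds = []
    for section in parts:
        m = _SECTION.match(section)
        if not m:
            raise ValueError(f"invalid section {section!r} in {pattern!r}")
        if section == "*":  # wildcard must be the only character in the section
            bounds.append((0, 255))
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if not (0 <= low <= 255 and 0 <= high <= 255):
            raise ValueError(f"section out of range 0-255: {section!r}")
        if low > high:  # first number must not exceed the second (equal bounds assumed valid)
            raise ValueError(f"range bounds reversed: {section!r}")
        bounds.append((low, high))
    return bounds


def is_valid_pattern(pattern: str) -> bool:
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def ip_matches(pattern: str, address: str) -> bool:
    return all(lo <= octet <= hi
               for (lo, hi), octet in zip(parse_pattern(pattern), parse_ipv4(address)))


def device_matches(rule_devices, hostname: str, address: str) -> bool:
    """A rule's device entries are hostnames or IP patterns; any match applies the rule."""
    for entry in rule_devices:
        if entry.lower() == hostname.lower():
            return True
        if is_valid_pattern(entry) and ip_matches(entry, address):
            return True
    return False
```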
Scripted Rules
The Scripted rules node allows you to create rules based on custom VB Scripts which run
whenever a user logs on. The success or failure of a VB Script determines whether the Security
Level settings, Accessible Items and Prohibited Items, which are part of the rule, apply to the
user.
Scripted rules can take advantage of any interface accessible via VB Script, such as COM and
WMI, and allow the administrator to define Application Manager policy based on any
computer, user, registry, file or system property. Scripted rules also allow integration with
other third-party solutions, such as Microsoft Active Directory and Citrix Advanced Access.
Scripted rules can run for each new session in the context of the user or in the context of the
SYSTEM. Alternatively, Scripted Rules can run once per computer and the result is applied to all
user sessions.
Scripted rules are re-evaluated when a new configuration is deployed to the computer.
Scripts run when the Application Manager Agent starts up or when the configuration changes.
For more information about creating and using scripts, see Working with Scripted Rules in the
Appendixes.
The Scripted summary displays the Rule Name, Entry Function, Run Script - frequency and by
whom and the Security Level.
Rules ribbon page > Manage group provides you with the following options to manage
Scripted rules:
Add Rule - see Add a Scriptable Rule on page 36 in the Tasks section.
Remove Rule - select a rule and click Remove Rule, a confirmation message displays, click
Yes to confirm the removal.
Edit Script - displays the Scripted Rule dialog box > Script tab.
Script Options - displays the Scripted Rule dialog box > Options tab.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each scripted rule node, see the Rule Items chapter for more details.
Reference
In the Scripted Rule work area in the Current Script section click on Click here to edit
the script.
The script editor allows you to write the rule VB Script functions and specify the main function.
Entry Function
The main function which is called when the script runs and evaluates the outcome of the rule.
Export
Launches the Save As dialog box which allows you to save the script in VBS format.
Import
Launches the Open dialog box which allows you to open an existing VB Script from another
location.
In the Scripted Rule work area in the Current Script section click on Click here to edit
the script and click on the Options tab.
The script options allow you to specify settings for the script execution and timing.
Execution
Select one of the following:
Security Level
Apply security levels to control whether the users, groups and devices specified in a rule are fully
restricted by Application Manager rules, unrestricted, audited only or granted self-authorization
status entitling the user to decide whether to run an application. Self-authorized users can be
audited by raising events in the Auditing component and the Windows Event Log.
To set the Security Level, select the required node and do one of the following:
Click and drag the slider to the required level, in the rule node work area in the Security
Level section.
Click the ribbon button for the required level in the Rules ribbon page > Security Level
group.
RESTRICTED
Select to restrict users, groups, and devices in the rule to run only authorized applications. These
include files owned by members of the Trusted Owners list and files listed in the Accessible
Items node.
SELF-AUTHORIZE
Select to prompt users, groups and devices in the rule to decide whether to allow execute
requests for each unauthorized file. Unauthorized files either do not belong to the Trusted
Owners list or are not specified in the Accessible Items list of a given rule.
A Self-authorizing user prompt includes the following options:
Remember my decision for this session only - The authorization decision is upheld only
for the current session. The user is prompted again for an authorization decision when
attempting to run an application in any future sessions.
Remember my decisions permanently - The user decision is upheld for all future
sessions.
If neither of these options is selected, the decision is upheld only for the current
instance the user is attempting to run. The Self-authorization prompt is reissued for any
future attempts to run instances of the application.
AUDIT ONLY
Select to permit all actions but log and audit events for monitoring purposes, according to the
policy settings in Auditing.
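How a rule's Security Level turns an unauthorized execute request into an outcome, including the three Self-Authorization remember options, as a constructed Python model. This is an added example, not AppSense code: the `prompt` and `audit` callbacks stand in for the user dialog and for the Auditing component / Windows Event Log, treating Unrestricted as "always allow" is an assumption (the page gives no description for that level), and keying remembered decisions by lower-cased file path is an assumption about how the product identifies an application.

```python
"""Constructed model of Security Level handling for a request that failed the
authorization checks. Added example, not AppSense code."""
from enum import Enum


class Level(Enum):
    RESTRICTED = "restricted"
    SELF_AUTHORIZE = "self-authorize"
    AUDIT_ONLY = "audit-only"
    UNRESTRICTED = "unrestricted"  # assumed to allow everything


class Remember(Enum):
    NONE = 0       # no box ticked: this instance only
    SESSION = 1    # "Remember my decision for this session only"
    PERMANENT = 2  # "Remember my decisions permanently"


class SelfAuthorizationStore:
    """Decisions remembered per file (assumption: keyed by path, case-insensitive).
    Session decisions are discarded when a new session starts."""

    def __init__(self):
        self.permanent = {}
        self.session = {}

    def new_session(self):
        self.session = {}

    def lookup(self, path):
        key = path.lower()
        if key in self.permanent:
            return self.permanent[key]
        return self.session.get(key)  # None when nothing is remembered

    def record(self, path, allow, remember):
        key = path.lower()
        if remember is Remember.PERMANENT:
            self.permanent[key] = allow
        elif remember is Remember.SESSION:
            self.session[key] = allow


def evaluate(level, authorized, path, store, prompt, audit):
    """Return True if the file may run. `authorized` is the result of the Trusted
    Ownership / Accessible Items checks; `prompt(path)` returns (allow, Remember)."""
    if authorized or level is Level.UNRESTRICTED:
        return True
    if level is Level.RESTRICTED:
        audit(f"denied: {path}")
        return False
    if level is Level.AUDIT_ONLY:
        audit(f"audit-only: unauthorized execution permitted: {path}")
        return True
    # Level.SELF_AUTHORIZE: reuse a remembered decision, otherwise ask the user
    remembered = store.lookup(path)
    if remembered is not None:
        return remembered
    allow, remember = prompt(path)
    store.record(path, allow, remember)
    audit(f"self-authorization {'allowed' if allow else 'denied'} by user: {path}")
    return allow


def simulate(remember, first_session=2, second_session=1):
    """Run a self-authorizing user's attempts to start regedit.exe across two sessions
    with the user always answering Allow; return (prompt_count, outcomes)."""
    store, prompts, results = SelfAuthorizationStore(), [], []

    def prompt(path):
        prompts.append(path)
        return True, remember

    for attempts in (first_session, second_session):
        store.new_session()
        for _ in range(attempts):
            results.append(evaluate(Level.SELF_AUTHORIZE, False, r"C:\Windows\regedit.exe",
                                    store, prompt, lambda msg: None))
    return len(prompts), results
```

`simulate(Remember.NONE)` prompts on every attempt, `simulate(Remember.SESSION)` prompts once per session, and `simulate(Remember.PERMANENT)` prompts only once; a remembered denial is honoured just like a remembered allow.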
UNRESTRICTED
Tasks
The following are common tasks that are performed for Application Manager Rules:
TESTING SELF-AUTHORIZATION
1. Create a rule in the User Rules node which applies to a test user account that is not a
member of a group which belongs to the Trusted Owners list. For more details see Test a
Configuration.
2. Set the security control level to Self-Authorizing to allow the test user to self-authorize
applications to run.
3. Save the configuration.
4. Run the Registry Editor.
The application is prohibited and a message box displays with a prompt for a decision to
allow the file to run and informing that the action will be logged.
Open an existing script in a script editor and copy/cut the content and paste.
This task demonstrates how to set up an Application Manager configuration to enforce the
Microsoft Office License Policy on Terminal Server. An administrator can specify which machines
can connect to the Terminal Server and run Microsoft Office. Terminal Server Office licenses
correspond with the number of machines that could connect to the terminal server; therefore,
every machine in the organization that can connect would need a license. By creating a rule
that makes running any of the Microsoft Office applications depend on whether the connecting
machine is allowed, licenses are only required for those machines which are explicitly allowed.
The task is made up of 3 individual steps. Application Manager is installed on the Terminal
Server and that is where the task is to be performed.
Step 1
Create a Signature Group for Office applications.
1. Navigate to Signature Group Management in the navigation tree.
2. Select Add Group in the Signature Groups ribbon page > Manage group.
A new Group is added to the Signature Group Management work area.
3. Click on the Group and enter a name, for example Office Applications.
4. Select Launch Signature Wizard in the Signature Groups ribbon page > Items group.
The Application Manager Signature Wizard displays.
5. Click Next to display the Search Method screen.
6. Select Search folders. Click Next.
The Searching folders screen displays.
7. Enter the Office folder location. Alternatively, select the ellipsis (...) to display the Browse
For Folder dialog box to locate the folder.
8. Select Include subfolders and click Next.
9. Review the list of files and click Next.
10. The signatures are generated, once complete, click Next.
11. Click Finish to exit the wizard.
The Signatures are listed in the Group Items in the Signature Group Management work area.
Step 2
Setup a Device Rule to prohibit connecting devices.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.
7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.
8. Select Connecting Device as the Device Type.
9. Select Prohibited Items for the new Device Rule in the navigation tree.
10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
11. Select Prohibited > Signature Group.
The Select Signature Group dialog box displays.
12. Select the previously created Office Application Signature Group and click OK.
The Signature Group is added to the Prohibited Items.
Step 3
Add devices that are allowed to run Office applications on the Terminal Server.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.
3. Click on the Rule and enter a name.
4. Select the new Rule.
The Device Rule work area displays.
5. Select Add Client Device.
The Client Device Selection dialog box displays.
6. Enter the machines for which you want to allow access. Alternatively, select Browse to
perform an Active Directory search for the required machines.
7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.
Rule Items
This section provides details on Rule Items and includes the following:
Accessible Items
Prohibited Items
Trusted Vendors
Tasks
Accessible Items
Accessible Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are granted access.
Items you can add are as follows:
Files
Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.
Drives
Signature Items
Signature Groups
Network Connections
To add an Item select the Accessible Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Accessible, then
select the type of accessible item you want to add.
To remove an Item select the Item you want to remove in the Accessible Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
When using the default option, which trusts all locally installed Trusted Owner applications, you
only need to add any applications that run directly from network locations including mapped
network shares and DFS shares.
Application Manager includes support for adding items on Citrix client mapped drives. You can
add items by specifying paths using the following format: \\client\C$\<item name>.
We recommend you use signatures instead of file paths on client mapped drives as this offers
high security.
Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between Accessible Items or
Prohibited Items nodes in each of the main configuration nodes.
If you have changed the default options to use a white list approach, you should also add any
locally installed applications that you want users to run.
Prohibited Items
Prohibited Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are refused access.
Items you can add are as follows:
Files
Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.
Drives
Signature Items
Signature Groups
Network Connections
To add an Item select the Prohibited Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Prohibited, then
select the type of prohibited item you want to add.
To remove an Item select the Item you want to remove in the Prohibited Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
If you are using the default option, which trusts all locally installed Trusted Owner applications,
you only need to add specific applications that you do not want users to run. For instance, you
may add administrative tools, such as management and registry editing tools.
You do not need to use this list to prohibit applications that are not owned by an administrator,
as they are blocked by trusted ownership checking.
Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between the Accessible Items
node and Prohibited Items nodes in each of the main configuration nodes.
Trusted Vendors
The Trusted Vendors sub-node is available in each Application Manager rule node, for listing
valid digital certificates. Files which fail Trusted Ownership checking but contain digital
certificates, signed by trusted sources that match digital certificates listed in Trusted Vendors,
are allowed to run.
Select the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group to add
digital certificates from files, select from file-based certificate stores or import file-based
certificate stores into the Trusted Vendors node.
Advanced options allow you to specify parameters for validating a certificate by ignoring or
allowing specific attributes. The certificate must be valid for the rule to be applicable, but there
are different levels of validation with which you can configure a certificate. A test option helps
to validate the certificate based on the options you have selected and, where relevant,
dependent on connectivity with the appropriate Certification Authority.
Changing the settings in Advanced Options in the Rule Items ribbon page > Trusted
Vendors group could reduce the level of security required to validate a certificate and present
a security risk.
Tasks
This section includes the following tasks:
1. Select the Accessible Items node in Rules > Group > Everyone.
2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible &
Prohibited Items and click Accessible.
3. Select File. The File Selection dialog box displays. Enter or Browse for an application.
The selected application is listed in the Accessible Items work area.
4. Test that users can run the application.
5. Test that the Trusted Ownership rule prohibits users from copying files elsewhere to the
local hard disk and running the copies.
1. Select the Prohibited Items node in Rules > Group > Everyone.
2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible &
Prohibited Items and select Prohibited.
3. Select File. The File Selection dialog box displays. Enter or Browse for an application, for
example, regedit.exe.
The selected application is listed in the Prohibited Items work area.
4. Attempt to run the selected application.
The application is prohibited and a message box displays with the notification that the
application is not authorized
1. Select the Trusted Vendors node in Rules > Group > Everyone.
2. Click the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group and
select From Signed File.
The Open dialog box displays.
3. Navigate to a file which has a certificate and click Open.
You can check whether a file has a digital certificate by displaying the Properties dialog
box. A file has a digital certificate if there is a Digital Signatures tab in which you can
view details of the certificate including, signer information, advanced settings and an
option to display the certificate.
1. In the navigation tree, navigate to Accessible Items in the target Rule node.
2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
Select Accessible and then Signature Item.
The Select Accessible Signature File dialog box displays.
3. Browse to the target file located on a non-NTFS drive.
4. Select the file and click Open to create a digital signature for the file.
5. The file is added to the Accessible Items list.
Trusted Ownership is disabled by default to allow the file to run.
This section provides details on Signature Group Management and includes the following:
Manage
Items
Tasks
Manage
The Signature Group Management node allows you to create groups of application types which
you can populate with digitally signed applications. Using the Wizard or a manual approach,
you can scan directories and folders for installed applications and apply digital signatures. You
can also examine a running process and locate all the executable files used by that process and
then apply digital signatures to those files. Files are added to groups which you can later add to
the accessible and prohibited files of User and Group rules.
To add a Signature Group click Add Group in the Signature Groups ribbon page > Manage
group.
To remove a Signature Group, select a Group in the Signature Group Management work area
and click Remove Group in the Signature Groups ribbon page > Manage group. A
confirmation message displays, click Yes to confirm the removal.
Any associated Group Items are deleted with the Group.
Once a Signature Group has Items you can conduct a full group re-scan to ensure all signatures
are still accurate, select the Rescan Group ribbon button.
Reference
Items
Signature groups can be populated with digitally signed application files, known as Group
Items.
To add a Group Item, select the Group to which you want to add items in the Signature Group
Management work area and do one of the following:
ADD ITEM
You can manually locate executable files and applications to digitally sign and add to a group.
To do this follow the following instructions:
1. Click the Add Item ribbon button in the Signature Groups ribbon page > Items group.
The Open dialog box displays.
2. Navigate to the file you want to add as a Group Item.
3. Click Open.
A digital signature is added to the file and the file is added to the Group Items in the
Signature Group Management work area.
You can use the Signature Wizard to create Group Items in the following ways:
Examine a running process - find the executable file used by one of the processes running
on the computer.
If you want to examine a specific process, make sure the relevant application is running
before launching the Signature Wizard.
To remove a Group Item, select an Item in the Signature Group Management work area and
click Remove Item in the Signature Groups ribbon page > Items group. A confirmation
message displays, click Yes to confirm the removal.
You can re-scan the group items at any time to make sure the signature is still accurate and has
not changed, select a Group Item in the Signature Group Management work area and click the
Rescan Signature ribbon button in the Signature Groups ribbon page > Items group.
Reference
Tasks
This section includes the following tasks:
This procedure shows how to examine a running process for executable files used by that
process, digitally sign and add the files to a group.
1. In the navigation tree, navigate to Library > Signature Group Management.
2. Select an existing group or create a new group in the Signature Group Management work
area, to which to add any found files in the examination process.
3. Click the Launch Signature Wizard ribbon button.
The Application Manager Signature Wizard dialog box displays.
If you wish to examine a specific process, make sure you have launched the relevant
application before proceeding.
This procedure shows how to manually locate executable files and applications to digitally sign
and add to a group:
1. In the navigation tree, navigate to Library > Signature Group Management.
2. Select an existing group or create a new group in the Signature Group Management work
area to which to manually add files.
3. Click the Add Item ribbon button.
The Open dialog box displays.
4. Locate the required files. Click Open.
A digital signature is added to the file and the file is added to the Group Items list.
This procedure shows how to allow files on non-NTFS formatted drives to run using digital
signatures. By default Application Manager blocks applications on non-NTFS formatted drives as
file ownership cannot be determined for these files.
1. In the navigation tree, navigate to Accessible Items in the target Rule node.
2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
Select Accessible and then Signature Group.
The Select Signature Group dialog box displays.
3. Select the Group and click OK.
Trusted Ownership is disabled by default to allow the file to run.
This section provides details on Application Network Access Control and includes the following:
Tasks
Application Network Access Control best practices can be found in the Best Practices chapter
in the Application Network Access Control section.
For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.
Directly to a Rule.
Adding single Network Connection Items to Accessible and Prohibited Item lists is
advantageous when a more granular level of control is required, or when only a few items
are required. However, using this method could prove time consuming.
For further information refer to Add a Network Connection Item directly to a Rule in the
Tasks section.
Network Connection Items can be cut, copied or dragged and dropped between rules. There
are no default Network Connection Items in a configuration.
The full path of the Network Connection Item cannot exceed 400 characters.
Groups
Group Items
Groups
Network Connection Groups can be created to group multiple generic Network Connection
Items. Managed centrally, they can be named and re-named easily. The Groups can then be
applied to any Rule.
If the Group Name is amended, it automatically updates in any Rule where the Group is
applied.
Group Items
Network Connection Group Items can be created and added to any Group. Select any existing
Group to display the list of Group Items.
The options available for Group Items are as follows:
Edit Network Connection - Displays the Network Connection Details dialog box for the
selected item. Make the required amendments. Click OK to save and close the dialog box.
Remove Item - Remove a selected item. A confirmation message box displays, click Yes to
confirm removal.
Reference
IP ADDRESS
NETWORK SHARE - Select to control access to UNC paths. The prefix \\ is added to the Host field.
HOST NAME
Connection Options
The combined number of characters for all three fields, Host, Port and Path must not exceed
400.
Host
The IP Address or Host Name for the network connection. This depends on the type of
connection selected. The wildcards ? and * can be used. Additionally, ranges can be used for IP
Addresses, which are indicated by use of a hyphen (-).
An IP Address must be in IPv4 dotted format, for example n.n.n.n.
If Network Share is selected as the connection type, the \\ prefix is required.
The full path for the target resource can be entered in Host.
Example:
Enter http://server1.company.local:80/resource1/ in Host.
Move focus away from Host and the path is automatically split into the separate connection
options:
Port
The port number of the network connection. This can be used in combination with IP Address
or Host Name to control access to a specific port. Ranges and comma separated values are
allowed as a part of the port number.
Click Common Ports to display a list of commonly used ports. Select as many ports as
required.
Path
The path of the network connection. The wildcards ? and * can be used. To use wildcards in the
Path, Text contains wildcard characters must be selected.
The Path is only relevant for controlling HTTP and FTP connections.
Include subdirectories
Only applicable if the connection type Network Share is selected. Select to include
subdirectories in the rules processing.
Description
Enter a meaningful description to describe the network connection.
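The Host, Port and Path options above define a small matching language (? and * wildcards, hyphenated IPv4 ranges, comma-separated port lists and ranges, UNC shares with optional subdirectories, and the 400-character limit). The following Python model is an added example, not AppSense code or the agent's real implementation: it implements that documented syntax so the semantics can be exercised offline, including the console's splitting of a full URL typed into Host. Where the guide leaves a detail open (case handling of UNC paths, exact versus wildcard path comparison) the choice is marked as an assumption in a comment; all items and requests are constructed.

```python
"""Matcher for Network Connection Items with the Host, Port and Path options.

Added example, not AppSense code: models the documented syntax so the
matching semantics can be tested offline. Details the guide leaves open are
marked as assumptions in comments.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

MAX_ITEM_LENGTH = 400  # combined length of Host, Port and Path stated in the guide


@dataclass(frozen=True)
class NetworkConnectionItem:
    host: str                            # IP address, a-b IPv4 range, host name or \\UNC share; ? and * allowed
    port: str = ""                       # "" = any port; "80", "20-21", "80,443,8000-8080"
    path: str = ""                       # HTTP/FTP path; wildcards only when path_has_wildcards is set
    path_has_wildcards: bool = False     # the "Text contains wildcard characters" option
    include_subdirectories: bool = False # Network Share items only

    def __post_init__(self) -> None:
        total = len(self.host) + len(self.port) + len(self.path)
        if total > MAX_ITEM_LENGTH:
            raise ValueError(f"Host+Port+Path is {total} characters; the limit is {MAX_ITEM_LENGTH}")
        if self.is_network_share and self.path:
            raise ValueError("Path only applies to HTTP and FTP connections, not Network Shares")

    @property
    def is_network_share(self) -> bool:
        return self.host.startswith("\\\\")


def split_url(url: str) -> NetworkConnectionItem:
    """What the console does when a full URL is typed into Host: it is split
    into the separate Host, Port and Path options."""
    parts = urlsplit(url)
    return NetworkConnectionItem(host=parts.hostname or "",
                                 port=str(parts.port) if parts.port else "",
                                 path=parts.path)


def port_allowed(spec: str, port: int) -> bool:
    """Port field: empty means any port; otherwise comma-separated numbers and a-b ranges."""
    if not spec.strip():
        return True
    for part in (p.strip() for p in spec.split(",")):
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            if low <= port <= high:
                return True
        elif part and int(part) == port:
            return True
    return False


def host_matches(pattern: str, target: str) -> bool:
    """Host field: a hyphenated IPv4 range, or a case-insensitive ? and *
    wildcard match against the requested IP address or host name."""
    if "-" in pattern and set(pattern) <= set("0123456789.-"):
        low_s, high_s = pattern.split("-", 1)
        try:
            low, high, addr = (ipaddress.IPv4Address(s) for s in (low_s, high_s, target))
        except ValueError:
            return False  # a host name (or a malformed range) never matches an IP range
        return low <= addr <= high
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def matches(item: NetworkConnectionItem, target: str, port: Optional[int] = None, path: str = "") -> bool:
    """Does a request for target (IP address, host name or UNC path) on the given port and path hit this item?"""
    if item.is_network_share:
        # Assumption: UNC paths compare case-insensitively, and with
        # include_subdirectories anything beneath the share path also matches.
        pat, req = item.host.lower(), target.lower()
        if fnmatch.fnmatchcase(req, pat):
            return True
        return item.include_subdirectories and req.startswith(pat.rstrip("\\") + "\\")
    if not host_matches(item.host, target):
        return False
    if item.port and (port is None or not port_allowed(item.port, port)):
        return False
    if item.path:
        if item.path_has_wildcards:
            return fnmatch.fnmatchcase(path, item.path)
        return path == item.path  # assumption: exact, case-sensitive comparison without wildcards
    return True


if __name__ == "__main__":
    # Constructed items, as they might sit in a Prohibited Items list.
    items = [
        NetworkConnectionItem("10.0.0.1-10.0.0.50", port="445"),
        NetworkConnectionItem("*.company.local", port="80,443,8000-8080"),
        NetworkConnectionItem("ftp.partner.example", port="20-21", path="/uploads/*", path_has_wildcards=True),
        NetworkConnectionItem("\\\\fileserver\\public", include_subdirectories=True),
        split_url("http://server1.company.local:80/resource1/"),
    ]
    requests = [("10.0.0.7", 445, ""), ("10.0.0.77", 445, ""), ("Web1.Company.Local", 8080, "/"),
                ("ftp.partner.example", 21, "/uploads/x.bin"), ("\\\\FILESERVER\\public\\docs\\a.txt", None, "")]
    for target, port, path in requests:
        hits = [i.host for i in items if matches(i, target, port, path)]
        print(f"{target}{':' + str(port) if port else ''}{path} -> "
              f"{'prohibited by ' + hits[0] if hits else 'no item matched'}")
```

Note the range item: a request for 10.0.0.77 falls outside 10.0.0.1-10.0.0.50 and is not matched, and a host name never matches an IP range, which is the gap the reverse DNS appendix later addresses.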
Tasks
The following are common tasks that are performed in Application Network Access Control:
Network Items can be added to any Accessible Items or Prohibited Items node.
1. Navigate to the required node, for example, Prohibited Items for a specific user group.
2. Select Add Item > Prohibited (or Accessible) > Network Connection Item on the Rule
Items ribbon page > Accessible & Prohibited Items group.
The Network Connection Details dialog box displays.
3. Create the Network Connection Item.
Example: A Network Connection Item is set up for an IP Address and assigned to Prohibited
Items in a Group Rule. The group members of that rule will not have access to any network
resources at that IP Address.
1. Navigate to the Rule node in the navigation tree where the Network Connection Item to be
amended is located.
The relevant work area displays.
2. Click on the Network Connection Item to be amended, listed under Network
Connections.
3. Select Edit Network Connections on the Rule Items ribbon page > Accessible &
Prohibited Items group.
The Network Connection Details dialog box displays.
4. Make the required amendments.
5. Click OK to save the changes and close the dialog box.
Endpoint Analysis
This section provides details on Endpoint Analysis and includes the following:
Endpoint Management
Installed Applications
Application Data
Data Files
Tasks
Endpoint Scans
Data Analysis - Analysis of endpoint data and imports into the AM configuration.
Endpoint Scans
The first step is to add Endpoints to the configuration.
Adding an endpoint
Browse Deployment Group - Displays the Select Management Server dialog box
Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.
8 ENDPOINT ANALYSIS
About Endpoint Analysis
Installed Applications - Select an Endpoint on which to run the scan. Alternatively, you can
select Run Scan for all Endpoints. A list of all installed applications is retrieved and
displayed in the Installed Applications work area.
Application Usage - Select an Endpoint on which to start recording. A list of all running
applications is recorded until the time when you click Stop Application Usage Scan. The
list is saved as an XML file and a new node created for each file under the Recorded Data
node for that Endpoint.
The endpoint data is gathered in real time and does not affect the rules processing.
Removing an Endpoint
To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the
Endpoint Analysis Ribbon page > Endpoint Management group.
Data Analysis
All the collected data can be seen in either the Installed Applications or Recorded Data work
area for the selected Endpoint.
You can show any associated files which the application has loaded and also digital certificates
(if the file has been signed).
Adding files to the configuration
You can add any of the applications or associated files or certificates to the configuration by
dragging and dropping.
If you drag and drop files into any of the Accessible or Prohibited Items lists they are
dropped in as files:
If files are placed in Accessible Items, any associated loaded files are automatically
included.
If files are placed in Prohibited Items, any associated loaded files are not included, only
the main application executable.
You can drag and drop into Signature Groups. When a file is dropped over the Signature
Groups node the available signature groups are displayed. You can then select which group
or groups to which to add the files. The file is then converted to a signature and added to
the selected signature group or groups.
To add a certificate to any of the Trusted Vendors you can either drag and drop a file to the
Trusted Vendors node, if any certificates exist for that file they are added or you can select
Show Digital Certificates to display the Certificates dialog box and then drag and drop
from that window into the configuration.
Endpoint Management
You can add and remove endpoints from the configuration.
You can add an endpoint by one of the following methods:
Browse Deployment Group - Displays the Select Management Server dialog box
Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.
For further information see Adding an Endpoint by Domain/Workgroup in the Tasks section.
To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the
Endpoint Analysis Ribbon page > Endpoint Management group.
Installed Applications
To retrieve a list of applications that are installed on an endpoint do one of the following:
Run Endpoint Scan - Select the endpoint in the navigation tree for which to run a scan. All
installed applications display in the Installed Applications work area.
An Endpoint Status dialog box displays while the scan is completing.
You can make the Endpoint Status dialog box transparent by clicking and dragging the
Transparency slider.
For further details see Running an Endpoint Installed Applications Scan in the Tasks section.
Run Scan for all Endpoints - to scan all endpoints listed in the navigation tree. Click on an
endpoint to display the list of installed applications in the Installed Applications work area.
The Installed Applications Scan detects applications that have been installed using Windows
Installer technology.
To stop recording, select the Endpoint being scanned and click Stop Application Usage Scan
on the Endpoint Analysis ribbon page > Application Usage group.
We recommend you run the Application Usage Scan for a minimum of 5 days, or a period
over which the user would perform all their normal activities in their role, to ensure all
applications are captured.
When the recording has been stopped, the File dialog box displays. Enter a name to save the
file. The files are saved in xml format and a new node is created for each xml file in the
navigation tree under the Recorded Data node of the selected Endpoint.
For further details, see Running an Application Usage Scan in the Tasks section.
To delete any of the xml files select Delete File on the Endpoint Analysis ribbon page >
Application Usage Scans group.
Application Data
The application data can be seen in detail for both the Installed Applications Scan and the
Application Usage Scan.
You can select to display the associated loaded files or the digital certificates.
Show Loaded Files - displays the Loaded Files dialog box. Drag and Drop any of the files to
add to the configuration.
Show Digital Certificates - displays the Certificates dialog box. Drag and Drop any of the
certificates to add to any of the Trusted Vendors node in the configuration.
On occasion a duplicate certificate will be present, for example:
Calc.exe loads Msvcrt.dll, Ntdll.dll and Msutil.dll
Calc.exe is signed with Microsoft Certificate A and Ntdll.dll is also signed with
Microsoft Certificate A
Refer to the Signed File column to clearly identify which file has been signed with which
certificate.
Data Files
You can select to Import or Export the data gathered by either the Installed Applications Scan or
the Application Usage Scan.
Import - displays the Import dialog box. Locate the xml file you want to import and click
Open.
Export - displays the Export dialog box. Navigate to the folder to export to and enter the file
name and click Save.
Tasks
The following tasks are provided to help with Endpoint Analysis:
1. In the navigation tree, navigate to the Endpoint that you want to scan.
2. Click Run Endpoint Scan in the Endpoint Analysis ribbon page > Installed
Applications group.
The Endpoint Status dialog box displays.
You can increase or decrease the transparency by clicking and dragging the Transparency
slider; this allows you to see the console and continue working while the scan takes place.
3. Once the scan is complete the Installed Applications node under the selected Endpoint is
populated with the data, seen in the Installed Applications work area.
1. In the navigation tree, navigate to the Endpoint that you want to scan.
The work area displays the Endpoint Summary, the endpoint needs to be showing as
Connected in order to proceed with the scan.
2. Click Start Application Usage Scan in the Endpoint Analysis ribbon page >
Application Usage group.
Notice in the Endpoint Summary section in the work area, the status changes from Not
recording to Recording and the light changes from red to green.
3. To stop the recording, click Stop Application Usage Scan in the Endpoint Analysis
ribbon page > Application Usage group.
The File dialog box displays.
4. Enter a file name and click OK to save the file.
The file is saved in xml format and a new node is created with the file name under the
Recorded Data node for the selected Endpoint.
Rules Analyzer
This section provides details on Application Manager Rules Analyzer and includes the following:
Endpoint Management
Data Acquisition
Data Files
Tasks
FEATURE SUMMARY
The Rules Analyzer console allows you to diagnose Application Manager problems by
connecting directly to computers controlled by Application Manager, and includes:
Creating Log Files - You can create log files on computers controlled by Application
Manager.
Examining Log Files - You can retrieve and examine log files to view the requests processed
by Application Manager. In particular you can see which rules were applied to each request
and whether the request was allowed or denied.
Anonymous logging - This means that user names are not written to the log file. User
names appear as Unknown\Anonymous. Navigate to the Endpoints node in the navigation
tree and select Anonymous Logging checkbox in the work area.
9 RULES ANALYZER
About Rules Analyzer
GETTING STARTED
The Rules Analyzer console is used to create Application Manager log files and to retrieve and
examine the log files.
A computer node allows you to control logging on a specific computer and to retrieve log files
from that computer. Below each computer node is a node for each retrieved log file.
You can view a summary page, view all requests or view the requests for a specific user. You
can restrict the view to the denied or the allowed requests. Within the analysis panel you can
navigate to a specific request and view the full details of that request, including which rules
were applied by Application Manager.
Users must be logged on with an account that allows read and write access to the registry of
any machine for which you wish to generate logs using Rules Analyzer, and read and write
access to the local registry of the machine on which the management console operates.
Testing whether the endpoint has Admin share rights
Open Explorer, enter \\<computername>\c$ in the Address Bar and press Enter. If you can
browse the folders you have access rights; if not, you are prompted for user credentials
that allow access.
Testing whether you have remote Registry access
Open the Registry Editor (Start > Run > Regedit) and select File > Connect Network
Registry; this displays the Active Directory Select Computers dialog box. Locate the machine
and click OK. If you can see the Registry Keys, you have access.
On remote computers running Microsoft Vista, File Sharing and the Remote Registry Service
are disabled by default and must be enabled to ensure the Rules Analyzer can create or access
log files.
Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
CHECKLIST
Reference
The Summary page shows the number of requests processed by Application Manager. The top row of the table
shows the total number of requests for all users. The remaining rows show the number of
requests for each user. The Total column shows the total number of requests, allowed and
denied. The Allowed/Denied column shows the number of allowed or denied requests.
Click on any Total link to display the Log File Contents Request List.
To export the log file in XML format select the Export ribbon button.
You can select View the requests by processing time on the Summary page to display a
Request List page showing requests sorted with the longest running request first.
Endpoint Management
Add and remove endpoints to navigation tree. See Add an Endpoint on page 66 in the Tasks
section.
Data Acquisition
Start and stop logging on endpoints. See Create and retrieve a log file on page 66 in the Tasks
section.
Data Files
Import, Export or delete a data file. Data files are in XML format and can be opened and
imported into Rules Analyzer nodes or saved and exported out.
Tasks
This section shows how to perform common tasks using Rules Analyzer, and includes:
ADD AN ENDPOINT
1. Locate and highlight the endpoint you want to analyze in the navigation tree.
2. Click the Start Logging button on the Rules Analyzer ribbon page > Data Acquisition
group.
3. When you want to stop logging, click the Stop Logging button on the Rules Analyzer
ribbon page > Data Acquisition group.
4. Enter a name for the retrieved log file. The log file is retrieved and saved locally as a new
node.
On remote computers running the Microsoft Vista operating system, File Sharing and the
Remote Registry Service are disabled by default and must be enabled to ensure the Rules
Analyzer can create or access log files.
Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
To analyze a log file, select the log file node. The first page shown in the analysis work area is
the summary page. You navigate inside the analysis panel by following links. Use the Return
link at the top of the page to go back to the previous page.
To view the requests for a specific user click one of the links in the table on the summary page.
You can click in the Total column to see all the requests for the user and you can click in the
Allowed column or the Denied column to see only the allowed or denied requests.
To find requests that take a long time click View the requests by processing time on the
summary page.
This shows the requests sorted, with the longest running request first. The processing time
shown is the elapsed time taken by the AppSense Application Manager agent to process the
request.
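The Summary page, the per-user Request List, the allowed/denied filter and the "requests by processing time" view are all simple aggregations over the retrieved log. The script below is an added example, not AppSense code and not the Rules Analyzer's implementation: the guide does not show the retrieved log format, so the records are constructed with the per-request details the text says are available (user, request, the rule applied, allowed or denied, elapsed processing time), and Unknown\Anonymous is the user name the guide gives for Anonymous Logging.

```python
"""Summary and drill-down views over a retrieved Application Manager request
log, as the Rules Analyzer pages describe them.

Added example, not AppSense code; the log records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANONYMOUS_USER = "Unknown\\Anonymous"  # user name written when Anonymous Logging is on
ALL_USERS = "All users"                # label for the top row of the summary table


@dataclass(frozen=True)
class Request:
    user: str
    path: str             # file whose execution was requested
    rule: str             # rule Application Manager applied
    allowed: bool
    processing_ms: float  # elapsed agent processing time


# Constructed sample log; not real agent output.
SAMPLE_LOG: List[Request] = [
    Request("CORP\\alice", "C:\\Program Files\\App\\app.exe", "Group Rule: Everyone", True, 1.2),
    Request("CORP\\alice", "C:\\Users\\alice\\Downloads\\tool.exe", "Trusted Ownership", False, 0.9),
    Request("CORP\\bob", "C:\\Windows\\System32\\cmd.exe", "Group Rule: Everyone", True, 0.4),
    Request("CORP\\bob", "\\\\share\\installers\\setup.exe", "Scripted Rule: CheckOU", True, 850.0),
    Request("CORP\\bob", "C:\\Temp\\unsigned.exe", "Trusted Ownership", False, 1.1),
    Request("CORP\\carol", "D:\\Tools\\unsigned.exe", "Trusted Ownership", False, 1.0),
]


def summarize(log: List[Request]) -> Dict[str, Tuple[int, ...]]:
    """Summary page table: user -> (total, allowed, denied). The all-users
    row comes first, then one row per user."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0, 0])
    for r in log:
        for key in (ALL_USERS, r.user):
            counts[key][0] += 1
            counts[key][1 if r.allowed else 2] += 1
    table = {ALL_USERS: tuple(counts.pop(ALL_USERS, [0, 0, 0]))}
    for user in sorted(counts):
        table[user] = tuple(counts[user])
    return table


def requests_for_user(log: List[Request], user: str, allowed: Optional[bool] = None) -> List[Request]:
    """Request List for one user: the Total column (allowed=None), or only
    the Allowed or Denied column."""
    return [r for r in log if r.user == user and (allowed is None or r.allowed == allowed)]


def by_processing_time(log: List[Request]) -> List[Request]:
    """'View the requests by processing time': longest running request first."""
    return sorted(log, key=lambda r: r.processing_ms, reverse=True)


def slow_requests(log: List[Request], threshold_ms: float) -> List[Request]:
    """Requests at or above a processing-time threshold, longest first; useful
    for spotting scripted rules that run long or time out."""
    return [r for r in by_processing_time(log) if r.processing_ms >= threshold_ms]


def anonymize(log: List[Request]) -> List[Request]:
    """What Anonymous Logging produces: every user name replaced by Unknown\\Anonymous."""
    return [Request(ANONYMOUS_USER, r.path, r.rule, r.allowed, r.processing_ms) for r in log]


if __name__ == "__main__":
    print(f"{'User':<20}{'Total':>6}{'Allowed':>9}{'Denied':>8}")
    for user, (total, ok, denied) in summarize(SAMPLE_LOG).items():
        print(f"{user:<20}{total:>6}{ok:>9}{denied:>8}")
    print("\nLongest running requests:")
    for r in slow_requests(SAMPLE_LOG, 100):
        print(f"  {r.processing_ms:>8.1f} ms  {r.user}  {r.path}  ({r.rule})")
```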
10 Auditing
This section provides details on AppSense Application Manager Auditing and includes the
following:
Audit
Local Events
Audit
Auditing allows you to define rules for capturing auditing information: where event data is
stored when logging to a local file and to the application event log, and a filter specifying
which events you wish to capture in the log.
Local Auditing allows you to specify whether to log events in the Windows Application Event
Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML
format.
By default, the log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.csv (or .xml)
An alternative location can be configured for the log file. In this mode auditing also includes an
event filter to log only specific events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via
the Client Communications Agent (CCA). When using this method for auditing, event data
storage and filtering is configured through the AppSense Management Console. For more
information see the AppSense Management Center Administration Guide.
Reference
Summary
The following allows you to configure the event logging:
Send events to the Application Event Log
Select whether to send events to the Application Event log.
Text box
The path for the local log file. The default is
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%
Local Events
The Event filter table is a comprehensive list of all events and is used to select the events you
wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name
or Event Description. Selected events are highlighted in bold. Click Toggle to change the states
between selected and cleared.
9001, 9007 and 9014 events are disabled by default as they can generate excessive event
data on busy endpoints. We recommend these events are only used for troubleshooting
purposes, and only for short periods of time.
A warning displays at the top right of the Event filter list if you select a high-volume event:
some event IDs, such as 9001, 9007 and 9014, can generate a very high volume of events on
busy endpoints.
Table 10.1
Event ID | Event Name | Event Description
9000 | Denied Execution | Warning
9001 | Allowed Execution | Information
9002 | Overwrite Changed Owner | Warning
9003 | Rename Changed Owner | Warning
9004 | Application Limit Denial | Warning
9005 | | Warning
9006 | Self-Authorization | Warning
9007 | Self-Authorized allow | Warning
9009 | | Warning
9010 | | Warning
9011 | | Information
9012 | | Warning
9013 | | Warning
9014 | | Information
9095 | Not configured | Warning
9096 | Configuration upgraded | Information
9099 | | Error
System Events
The following are non-configurable system events:
Table 10.2
Event ID | Event Name | Event Description
8000 | Service Started |
8001 | Service Stopped |
8095 | No Configuration found |
8096 | Configuration Upgraded |
8099 | Invalid License |
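The local CSV audit file together with the event IDs in Tables 10.1 and 10.2 is what a defender actually works with, so an added example of reading it follows. This is not AppSense code: the guide does not document the columns of the CSV file, so the sample file contents and the column names are constructed assumptions; only the event IDs and names come from the two tables. It counts Denied Execution events per user, surfaces self-authorization activity (9006/9007), finds endpoints that reported no configuration (8095/9095), and reproduces the console's warning for the high-volume events the text recommends enabling only briefly.

```python
"""Reader for the local Application Manager audit file and the event IDs from
Tables 10.1 and 10.2.

Added example, not AppSense code; the CSV layout is an assumption.
"""
import csv
import io
from collections import Counter
from typing import Dict, List, Set

# Event names from Tables 10.1 and 10.2 (IDs whose name the tables do not give are left out).
EVENT_NAMES: Dict[int, str] = {
    9000: "Denied Execution", 9001: "Allowed Execution",
    9002: "Overwrite Changed Owner", 9003: "Rename Changed Owner",
    9004: "Application Limit Denial", 9006: "Self-Authorization",
    9007: "Self-Authorized allow", 9095: "Not configured",
    9096: "Configuration upgraded",
    8000: "Service Started", 8001: "Service Stopped",
    8095: "No Configuration found", 8096: "Configuration Upgraded",
    8099: "Invalid License",
}
SYSTEM_EVENTS: Set[int] = {8000, 8001, 8095, 8096, 8099}   # Table 10.2: not configurable
HIGH_VOLUME_EVENTS: Set[int] = {9001, 9007, 9014}          # disabled by default per the guide
NO_CONFIGURATION_EVENTS: Set[int] = {8095, 9095}
SELF_AUTHORIZATION_EVENTS: Set[int] = {9006, 9007}

# Constructed sample of ApplicationManagerEvents_<computer>.csv; the column names are an assumption.
SAMPLE_CSV = """Time,EventID,User,Computer,File
2010-01-04 09:01:02,8000,SYSTEM,WS01,
2010-01-04 09:05:10,9000,CORP\\alice,WS01,C:\\Users\\alice\\Downloads\\tool.exe
2010-01-04 09:05:30,9006,CORP\\alice,WS01,C:\\Users\\alice\\Downloads\\tool.exe
2010-01-04 09:05:31,9007,CORP\\alice,WS01,C:\\Users\\alice\\Downloads\\tool.exe
2010-01-04 09:20:00,9000,CORP\\bob,WS02,D:\\Tools\\unsigned.exe
2010-01-04 09:21:00,9002,CORP\\bob,WS02,C:\\Program Files\\App\\app.exe
2010-01-04 10:00:00,9095,SYSTEM,WS03,
"""


def parse_events(text: str) -> List[dict]:
    """Rows of the CSV file, with EventID converted to int and the table name added."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["EventID"] = int(row["EventID"])
        row["EventName"] = EVENT_NAMES.get(row["EventID"], "")
    return rows


def denied_executions(events: List[dict]) -> Counter:
    """Number of 9000 Denied Execution events per user."""
    return Counter(e["User"] for e in events if e["EventID"] == 9000)


def self_authorization_activity(events: List[dict]) -> Counter:
    """9006/9007 events per (user, file): files that went through self-authorization."""
    return Counter((e["User"], e["File"]) for e in events if e["EventID"] in SELF_AUTHORIZATION_EVENTS)


def endpoints_without_configuration(events: List[dict]) -> Set[str]:
    """Computers that logged 8095/9095, i.e. the agent is running without a configuration."""
    return {e["Computer"] for e in events if e["EventID"] in NO_CONFIGURATION_EVENTS}


def filter_warnings(enabled: Set[int]) -> List[str]:
    """The warning the console gives when a high-volume event is selected in the filter."""
    return [f"event {i} can generate a very high volume of events on busy endpoints"
            for i in sorted(enabled & HIGH_VOLUME_EVENTS)]


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for e in events:
        print(f"{e['Time']}  {e['EventID']}  {e['EventName']:<24} {e['User']:<12} {e['Computer']}  {e['File']}")
    print("\nDenied executions per user:", dict(denied_executions(events)))
    print("Self-authorization activity:", dict(self_authorization_activity(events)))
    print("Endpoints without configuration:", endpoints_without_configuration(events))
    for w in filter_warnings({9000, 9001, 9014}):
        print("WARNING:", w)
```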
Reference
11 Configuration Profiler
This section provides details on the Configuration Profiler and includes the following:
Report Type
Report Criteria
Report Output
Report Type
The configuration profiler allows administrators to report on configurations stored locally or in
the central database. General reports are produced to assist auditing and compliance, such as
Sarbanes-Oxley or HIPAA. Custom reports can be produced for specific users, applications and
devices to assist troubleshooting of large configurations.
The configuration profiler is a basic reporting tool that can be used to generate quick reports
based on the details of a loaded product configuration. The report can be generated in the
following ways:
Complete Report - Produces a report which includes all aspects of the configuration.
Report based on specific criteria - Produces a report based on the criteria selected in the
Report Criteria section.
Report Criteria
Use the criteria to specify what is to be included in the report.
Enter the value to match for any of the following:
User
Group
File
Folder
Network Connection
Device
Report Output
The report output is produced in sections and sub-sections.
In the preview window you can change the following:
Paper
Size
Watermarks
Options to save the report in various formats, for example PDF, and to print the report are
also available from the preview.
12 Best Practices
This section provides information about best practices for managing your Application Manager
configuration and includes the following:
General Application Manager
Scripted Rules
Endpoint Analysis
Use NTFS Security
Prohibit Access to System Applications
Signature checking can be used in a more effective way by securing application files that cannot
be protected by the default Trusted Ownership checking. The combination of generic Trusted
Ownership checks with specific signature checks as necessary provides a secure, but easily
maintainable solution.
Use Environment Variables for Generic Configurations
Depending on how you set up the rule, your settings may not be enforced until after the
user logon is complete.
In the event that the scripted rule times out, the rule settings do not apply.
In the event that the Scripted Rule fails to complete because of an error in the script, the
rule settings do not apply.
Working With Streamed Applications
APPENDIXES
This section provides additional or supporting information about topics covered in the Guide
and includes:
System Requirements
Licensing
Streamed Applications
System Requirements
This appendix provides details on the System Requirements for AppSense Application Manager.
Supported Operating Systems
The following 32-bit and 64-bit Operating Systems are supported:
Supported Technologies
Citrix XenApp
Citrix XenDesktop
For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.
Installed Components
The following components are installed as part of the AppSense Management Suite Installer:
This section provides details about creating the scripts used in scripted rules, includes sample
scripts, and covers the following:
Writing a Script
Sample Scripts
Best Practices
Once per computer. Rule settings are enforced for all users.
At agent startup.
Writing a Script
Each script is run within a hosted script engine, which allows greater control over script
execution and provides a high degree of input and output control.
A script must be written as a function. The script can contain many functions, but a main start
function must be specified. The start function is run by the Application Manager agent. Other
functions can be called by the start function.
The start function must return a True value for the script to pass and apply the rule settings.
Otherwise, the start function returns False, by default, and the rule does not apply.
The AMScriptRule COM object is built into the scripting engine and provides access to the
following methods:
strUsername = AMScriptRule.UserName
strUserdomain = AMScriptRule.UserDomain
strSessionid = AMScriptRule.SessionID
strStationname = AMScriptRule.WinStation
The Microsoft standard in this instance means that WinStation returns the value of the
name of the Terminal Services Session, which is determined by the type of session with
typical values being Console or RDP-Tcp#34, instead of the Window Station name
which is typically WinSta0.
AMScriptRule.Log "Message text"
Allows you to output logging strings to the agent log file for use with debugging scripted
rules.
strEnvironmentvar = AMScriptRule.ExpandEnvironment("%MyEnvironmentVariables%")
Sample Scripts
The following are sample scripts:
The following sample script shows the main components of a script and demonstrates how to
access information about the username of the user logging on to the system, and match with a
specific domain and organizational unit:
Function MyScript()
    'Set the initial return value; the rule only applies if this becomes True
    MyScript = False
    'Get the username of the user logging in (also works when running as SYSTEM)
    strUserName = AMScriptRule.UserName
    'Get the domain of the user logging in (also works when running as SYSTEM)
    strUserDomain = AMScriptRule.UserDomain
    'Look up user environment variables (when running as SYSTEM, only SYSTEM
    'variables are available)
    strClientName = AMScriptRule.ExpandEnvironment("%ClientName%")
    'Log the output
    AMScriptRule.Log strUserName & " logged in on " & strClientName
    'Check if the user is a member of the domain
    If strUserDomain = "MyDomain" Then
        'If so, see if the user is in the MyOU OU
        Set objOU = GetObject("LDAP://ou=MyOU,dc=MyDomain,dc=com")
        objOU.Filter = Array("user")
        For Each objUser In objOU
            'Check if there is a match with the user logging on
            If objUser.sAMAccountName = strUserName Then
                'If there is, set the function to True
                MyScript = True
            End If
        Next
    End If
    'Unless there is a username match, the function defaults to False
End Function
The following script demonstrates how to control the applications to which a user has access.
Function ScriptedRule()
    'Name of the filter scan expected to pass
    ExpectedFilter = "FWALL"
    'Get the server name
    Set objNTInfo = CreateObject("WinNTSystemInfo")
    ServerName = LCase(objNTInfo.ComputerName)
    'Set the initial return value
    ScriptedRule = False
    'Create the MetaFrame session object
    Set MFSession = CreateObject("MetaFrameCOM.MetaFrameSession")
    'Check the session filters for this session
    AMScriptRule.Log "Checking Smart Access filters on " & ServerName
    For Each x In MFSession.SmartAccessFilters
        'Return True if our filter is found
        If x = ExpectedFilter Then
            ScriptedRule = True
            AMScriptRule.Log "SmartAccessFilter match found."
        End If
    Next
End Function
Best Practices
The following are recommended as best practices for creating and running scripted rules:
Use Scripted Rules to Allow Items
Since Scripted rules do not apply settings until the script is complete, use scripted rules for
allowing items in the Accessible Items list rather than prohibiting items in the Prohibited Items
list.
We recommend Application Manager blocks an item until the scripted rule allows the item to
run. Otherwise, your system can be exposed to challenges in any of the following scenarios:
Depending on how you set up the rule, your settings may not be enforced until after the
user logon is complete.
In the event that the scripted rule times out, the rule settings do not apply.
In the event that the Scripted Rule fails to complete because of an error in the script, the
rule settings do not apply.
This appendix provides details on extending Application Network Access Control to use reverse
DNS lookups.
The Application Network Access Control feature can use reverse DNS lookups when evaluating
Network Connection rules. The feature is turned off by default, as the time it takes to retrieve
this information from DNS servers may degrade the performance of network applications.
Enabling this feature makes the network rules more effective in situations where users or
applications request network resources by IP address while the configuration is based on
host names.
The reverse DNS lookups can be enabled by configuring a set of engineering keys.
For further information refer to the AppSense Application Manager Engineering Keys Guide.
This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS
servers.
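The effect described above, as an added example that is not AppSense code and does not use the engineering keys themselves: a rule written against a host name is checked against requests that name the resource by IP address, first with reverse lookups off (the default) and then on. The PTR table is constructed, standing in for DNS servers on which Reverse DNS Zones have been configured, and one address is left without a PTR record to show that enabling the feature does not help where the reverse zone is incomplete. The resolver counts queries so the performance cost the guide warns about is visible, and caches answers so each address is asked about once.

```python
"""Host-name Network Connection rules with and without reverse DNS lookups.

Added example, not AppSense code: the PTR records are constructed and the
resolver is a stand-in for the agent's lookup behaviour.
"""
import fnmatch
import ipaddress
from typing import Dict, List, Optional

# Constructed reverse-zone contents; 10.1.2.12 deliberately has no PTR record.
PTR_RECORDS: Dict[str, str] = {
    "10.1.2.10": "intranet.company.local",
    "10.1.2.11": "hr.company.local",
}


class ReverseResolver:
    """Reverse lookup with a cache, so each distinct address costs one DNS round trip."""

    def __init__(self, records: Dict[str, str], enabled: bool = False) -> None:
        self.records = records
        self.enabled = enabled          # off by default, as in the product
        self.cache: Dict[str, Optional[str]] = {}
        self.queries = 0                # number of round trips to the DNS server

    def resolve(self, address: str) -> Optional[str]:
        if not self.enabled:
            return None
        if address not in self.cache:
            self.queries += 1
            self.cache[address] = self.records.get(address)  # None when no PTR record exists
        return self.cache[address]


def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def rule_matches(host_pattern: str, target: str, resolver: ReverseResolver) -> bool:
    """Match the Host field of a rule (? and * allowed) against a request target.
    A host-name pattern only matches an IP-address request if reverse DNS
    yields a name; an address with no PTR record still does not match."""
    candidates = [target.lower()]
    if is_ip(target):
        name = resolver.resolve(target)
        if name:
            candidates.append(name.lower())
    return any(fnmatch.fnmatchcase(c, host_pattern.lower()) for c in candidates)


def prohibited_by(patterns: List[str], target: str, resolver: ReverseResolver) -> Optional[str]:
    """First Prohibited Items pattern that matches the request, or None."""
    for pattern in patterns:
        if rule_matches(pattern, target, resolver):
            return pattern
    return None


if __name__ == "__main__":
    prohibited = ["*.company.local"]  # constructed Prohibited Items entry written by host name
    requests = ["intranet.company.local", "10.1.2.10", "10.1.2.11", "10.1.2.12", "10.1.2.10"]
    for enabled in (False, True):
        resolver = ReverseResolver(PTR_RECORDS, enabled=enabled)
        print(f"\nReverse DNS {'enabled' if enabled else 'disabled'}:")
        for target in requests:
            hit = prohibited_by(prohibited, target, resolver)
            print(f"  {target:<24} -> {'prohibited by ' + hit if hit else 'not matched'}")
        print(f"  DNS queries issued: {resolver.queries}")
```

With lookups disabled every IP-address request slips past the host-name rule; with them enabled the two addresses that have PTR records are caught, 10.1.2.12 is still missed, and the repeated request for 10.1.2.10 is served from the cache.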
Licensing
The AppSense Local Licensing Console allows you to create and manage AppSense product
licenses.
This section provides details about using the console, and includes the following:
Managing Licenses
Troubleshooting
D LICENSING
About License Manager
Manage licenses for single products, the AppSense Management Suite or Evaluation
licenses.
Export license packages to MSI file format for saving to the AppSense Management Center
or other computers which can be remotely accessed.
We recommend using the Management Center Enterprise Licensing for Enterprise
installations.
License | Description | Activate
AppSense Management Suite | |
Application Manager | |
Evaluation | |
Managing Licenses
The following procedures show how to add and activate a new license, and how to import and
export licenses as Microsoft Windows Installer (*.msi) files for distribution to other computers
or to back up a set of licenses.
1. Click Add to create a new entry in the license grid and enter the license code in the License
Code entry box.
You can manually enter each digit or copy and paste the license straight into the entry box.
When a license entry is highlighted, a description displays in the lower portion of the
console and includes the following details:
License Code
Expiry Date
2. Click Activate and enter the activation code, either digit by digit or by copying and pasting
it directly into the Activation Code entry box, and click Enter.
The description in the grid view updates with the license information as do the details
about the license validation status and, where relevant, the expiry date, in the lower portion
of the console.
Once a license is active, the icon changes to indicate the current license state.
3. Save the configuration to confirm your settings.
1. Click Import to display the file Open dialog box and navigate to the location of the license
MSI file.
2. Click Open to load the license file in the Local Licensing Console.
1. Click Export to display the file Save As dialog box and browse to the location for saving
the license MSI file.
2. Provide a name for the file and click Save to save the file.
You can copy this file to any network location and load the file in the Local Licensing
Console or in Management Center Enterprise Licensing.
Troubleshooting
I received an AppSense license, what do I do?
If you have received an AppSense product license from AppSense, you can load the license by
launching the Local Licensing Console on your client computer and entering the license code
and activation code.
Enter the product license exactly as received. Once a license has been successfully entered, the
system updates the description details stating the products and duration for which the license is
valid.
I have entered an AppSense license, but it is for evaluation, what does this
mean?
If you are trying an AppSense product before purchasing, the product installs with an option to
automatically install an evaluation license. Evaluation licenses are limited to 21 days, during
which time you can familiarise yourself with the product.
Once the expiry date has been reached, contact AppSense to obtain a full license to continue
using the product.
I have entered an AppSense license, but it says it is not activated, why?
AppSense licenses require activation, apart from evaluation licenses, before they can be used.
Activation codes are provided by AppSense. Activate a license by entering the activation code.
For more information, see Managing Licenses.
I have tried to enter an AppSense license, but it says it is invalid, what can I
do?
Check that the license code has been typed correctly. Check it is a license code and not an
activation code that has been entered.
If you are still sure you have entered the license correctly but it is not accepted, contact
AppSense support.
Streamed Applications
This section provides details on how to allow Application Manager to work with Streamed
Applications and includes the following:
Citrix XenApp
Citrix XenApp
To set up Citrix XenApp to work with Application Manager functionality you need to specify
certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next.
The New Rule Select Objects dialog box displays.
9. Select All Named Objects and click Next.
The New Rule Name Rule dialog box displays.
10. Enter a name for the rule or accept the default and click Finish.
11. Click OK.
The Target Properties screen re-displays and the Ignore all named objects rule is now
listed in the work area on the right hand side.
12. Save the Profile.
13. Repeat for each Application Profile as required.
GLOSSARY
AAC
Accessible Items
Agent
Application Limit
Audit Only
CCA
Configuration
Configuration File
Configuration Profiler
Console
Deploy
Digital Signature
Event
Node
OU
Prohibited Items
Rule
Security Level
Security Identifier
Self-Authorizing User
SID
Time Limits
Trusted Applications
Trusted Ownership
Trusted Vendors
Wildcards
AAC
Citrix Advanced Access Control.
Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an
Application Manager configuration Rule which are allowed to run when file execution requests
are matched with the rule security settings and would otherwise be prohibited by other
configuration settings.
See also: Prohibited Items and Trusted Vendors
Agent
A proactive software component which implements the product configuration rules. For
example, the Application Manager Agent is software that runs as a Windows service to validate
execute requests according to the rules in the configuration installed on a computer.
Application Limit
Application Limits specify the number of instances of an application a user can run. An
application limit can be applied to an item in the Accessible Items node.
Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rule which audits
events according to the Auditing Configuration without applying the rule. Used for passive
monitoring in evaluations to assess application usage on the host environment.
CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to
provide a link between the product agent running on a managed computer and the AppSense
Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server to manage the download and installation of software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
The Application Manager configuration consists of lists of files/folders that you have decided
should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also
contains optional settings and text to be displayed to the user. A configuration is created and
managed using the Application Manager Console and used by the Application Manager Agent
and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration
settings to determine whether or not an execute request is to be denied.
Configuration File
An Application Manager configuration exported from the Console and saved in Windows
Installer .MSI file format. The file can be installed on any computer and the configuration's rules
applied when an Application Manager Agent is present and running as a service on the
computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you
to query settings affecting specific users or groups, devices, and files or folders.
Console
AppSense Application Manager software interface.
Deploy
To deliver a configuration or AppSense software component to one or more computers, which
can include the local machine.
Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely
identify files.
The signature can be used as a security measure when adding files as Accessible Items,
Prohibited Items and Trusted Vendors.
Signatures can also be used for allowing applications on non-NTFS formatted drives to run,
which Application Manager would otherwise block by default. Add the digital signatures to the
Accessible Items list and disable trusted ownership checking for the individual files. Signature
Group Management provides easier administration for large groups of signatures.
Accessible Items with digital signatures can be used to verify that the file which the user is
attempting to run is actually the file permitted by the administrator.
Prohibited Items with digital signatures can be used to ensure the file is always prevented from
executing, even when the user renames the file.
Event
An Event is generated by Application Manager to report file execution requests, overwrites or
renames and Self-Authorizing User decisions. The event number indicates the outcome of the
request. Events are logged according to the method set up in the Auditing node.
Node
A node is a term used in the Application Manager Console to represent a branch in the
navigation tree.
OU
Organizational Unit. A container that holds users and computers in Active Directory.
Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an
Application Manager Rule which are not allowed to run when file execution requests are
matched with the rule security settings and would otherwise be allowed by other Configuration
settings.
See also: Accessible Items and Trusted Vendors
Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and
combinations of these and contains control lists for Accessible Items, Prohibited Items and
Trusted Vendors. Application Manager intercepts kernel level file execution requests and
matches these with the configuration rules to implement security controls.
Security Level
Application Manager configuration Rule settings include security levels which specify how to
manage requests to run unauthorized applications by the users, groups or devices which a rule
matches.
Restricted: Only authorized applications can run. These include files owned by members of
the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted
Applications.
Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized
files on the host device.
Audit only: All actions are permitted but events are logged and audited, for monitoring
purposes.
Unrestricted: All actions are permitted without event logging or auditing.
Security Identifier
(SID) A data structure of variable length that identifies user, group, and computer accounts.
Every account on a network is issued a unique SID when the account is first created. Internal
processes in Windows refer to an account's SID rather than the account's user or group name.
Likewise, Application Manager also refers to a user or group by SID unless the SID could not be
found when the user or group was added to the configuration.
Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized
application on the host computer. The Self-authorizing Security Level can be assigned in an
Application Manager Rule to match a file execute request for users, groups or devices.
SID
See Security Identifier.
Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application
Manager Rule which determine day and time ranges when the controls apply.
For example, an entry in the Prohibited Items node of a rule can prevent users from running the
local web browser except between the hours of 12pm and 2pm on specific days of the week.
Trusted Applications
Trusted Applications are files which are authorized to run by the Application Manager
configuration and can execute files which are normally prohibited. Trusted Applications are
designated in the Default Rules and include specified Trusted Content, which consists of files
that are normally prohibited but are allowed when executed as a child process of the associated
Trusted Application.
For example, essential applications such as antivirus update software are usually allowed to run,
but may also depend on being able to run particular downloaded executables, which are
normally prohibited, to perform an update. The antivirus software is added to the rules as a
Trusted Application, and the prohibited downloaded executable which the antivirus needs to
run is added as Trusted Content of that Trusted Application.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to
allow files in these locations to run as Trusted Content of the Trusted Applications. Trusted
Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership
checking.
Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users
running unauthorized applications. On NTFS formatted drives, files have owners, and
Application Manager is configured, by default, to only allow files to be executed if the file
owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by
a trusted owner, the execute request is denied and a message notifies the user. Any files
downloaded from the internet or received in e-mail are owned by the user, so those files are not
permitted to run unless their ownership is held by a member of the Trusted Owners list.
By default, Application Manager blocks execution requests for all applications on non-NTFS
formatted drives.
Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking
allows applications which fail Trusted Ownership checking to match digital certificates with the
Trusted Vendors list.
A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted
Rule of the configuration.
Application Manager queries each file execution which fails Trusted Ownership checking to
detect the presence of a digital certificate. If the file has a digital certificate which is signed by a
certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run.
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the
Application Manager Console. The asterisk represents one or more characters, excluding the
back slash (\) character, whilst the question mark wildcard represents one character, excluding
the forward slash (/) character. Both of the wildcard characters can be used in any part of a file
path, including the drive letter for local paths.
For example, c:\sample path\test?\*.exe matches all files with the .exe extension that exist in
the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. But since the
question mark can only replace one character, it does not match c:\sample path\test100. The
only limitation imposed by Application Manager on the use of wildcards is that the asterisk
cannot be used to match more than one subdirectory.
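As an added example (not code from the AppSense guide), the following Python matcher implements the wildcard semantics described above so that a pattern intended for an Accessible Items or Prohibited Items entry can be checked against sample paths before it is deployed; case-insensitive comparison is an assumption, since the guide does not state it.

```python
import re

# Added example, not code from the AppSense guide. It implements the wildcard
# rules the glossary describes for Application Manager file and folder paths:
#   *  matches one or more characters but never a backslash, so it cannot span
#      more than one subdirectory
#   ?  matches exactly one character but never a forward slash
# Case-insensitive comparison is an assumption (Windows paths are not case
# sensitive); the guide does not state it.

def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an Application Manager style path pattern into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")      # one or more chars, no backslash
        elif ch == "?":
            parts.append(r"[^/]")        # exactly one char, no forward slash
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches(pattern: str, path: str) -> bool:
    """True if the path would be matched by the Accessible/Prohibited Items entry."""
    return wildcard_to_regex(pattern).match(path) is not None

def coverage(patterns, paths):
    """Map each candidate path to the list of patterns that match it.

    Useful as a pre-deployment review: a path matched by an Accessible Items
    pattern you did not expect is a sign the pattern is broader than intended.
    """
    return {p: [pat for pat in patterns if matches(pat, p)] for p in paths}

if __name__ == "__main__":
    # Constructed sample paths, exercised against the guide's own example pattern.
    pattern = r"c:\sample path\test?\*.exe"
    print(matches(pattern, r"c:\sample path\test1\setup.exe"))      # True
    print(matches(pattern, r"c:\sample path\test100\setup.exe"))    # False: ? is one char
    print(matches(pattern, r"c:\sample path\test1\sub\setup.exe"))  # False: * cannot span a subdirectory
    print(matches(r"?:\tools\*.exe", r"D:\tools\run.exe"))          # True: wildcard drive letter
```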