June 01, 2009 12:00 AM

App-V Security

Improve OS security and application compatibility
Windows IT Pro
InstantDoc ID #102225
Executive Summary:
Use Microsoft Application Virtualization’s (App-V's) SystemGuard, MSI utility, and Sequencer to deploy virtual applications seamlessly in secured environments, protecting the integrity of desktops and terminal servers.

Virtualization products such as VMware Workstation and Microsoft’s Hyper-V help IT professionals create virtual instances of desktop or server OSs. IT pros and enthusiasts use such technology to create sandboxed environments in which to test software, or for provisioning multiple servers on a single hardware device, thus isolating changes and protecting the core OS configuration. Although virtualization changed the way IT pros test software and deploy servers, these technologies aren’t easily implemented by the average end user.

Application Virtualization
If you want to test a new application in a virtual environment, you must first deploy a virtual machine (VM) and install an OS before you can load the application. In the case of Windows OSs, you might also need to purchase an additional license.

Application virtualization isn’t a new technology, but it really started gaining ground with Microsoft’s 2006 purchase of SoftGrid from Softricity. SoftGrid has since been renamed Microsoft Application Virtualization (App-V) and is available as part of Microsoft Desktop Optimization Pack (MDOP).

Application virtualization lets software run in a virtualization layer, without the overhead associated with a VM. Microsoft’s App-V client, which comes in varieties for desktops and terminal servers, uses a technology called SystemGuard to sandbox changes that an application would usually make to the registry, file system, and other OS components, and intercepts requests between the application and the virtualized resources. SystemGuard also isolates virtualized applications from each other.

App-V includes an optional server component that allows the App-V client to stream virtual applications on demand from a server, and run the applications offline (i.e., when disconnected from the server) if necessary. IT departments can sequence programs once and stream them to desktops and terminal servers without having to test for application conflicts. When a program is updated on the App-V server, changes can be streamed automatically to clients. All these factors lead to reduced support, deployment, and patching costs. (For more information about streaming and sequencing in App-V, see the sidebar "App-V Streaming and Sequencing.")

Application Virtualization and Security
Secure desktops are often less flexible because users must depend on the IT department to provision and configure software. You need to consider this trade-off when weighing the pros and cons of securing your desktops, especially in environments in which users have had autonomy over their own PCs.

Application virtualization reduces the flexibility trade-off for least-privilege security implementations by letting users install applications on demand without any special system rights, while simultaneously isolating applications from one another and the OS. You can quickly sequence applications and provision them to users through Microsoft Installer (MSI) or the SoftGrid Client Management Console, which supports streamed applications from an App-V server or local installation packages.

Sequencing an Application and Creating an MSI Package
To illustrate how to sequence an application and create an MSI package, let’s sequence Adobe Acrobat Reader 8.0 for virtualization on Windows XP so that it can run without a streaming server. We’ll need two machines: one to sequence Acrobat Reader and create an MSI package, and one to install the SoftGrid client. You can’t run the client and sequencer on the same machine. For illustration purposes, let’s assume both machines are running XP.

You can download Acrobat Reader 8.0 from www.adobe.com/products/acrobat/readstep2.html?type=distrib. You can download the necessary App-V (SoftGrid) components from support.microsoft.com/kb/941408. These components include the following:

  • SoftGrid Sequencer 4.2.2.15 (softgrid_sequencer_setup_4.2.2.15)
  • SoftGrid Client for Windows Desktops 4.2.2.15 (softgrid_wd_setup_4.2.2.15)
  • SoftGrid MSI Utility 1.0.0.16 (MSI_Utility_1.0.0.16)

To sequence an application for App-V, you need a freshly installed version of XP on which to sequence Acrobat Reader. App-V Sequencer works by monitoring the installation process and taking before and after snapshots of the reference machine. Once XP is installed, complete the following steps before loading the Sequencer:

  1. Turn off any anti-malware or antivirus applications, including Windows Defender.
  2. Disable automatic defragmentation and Automatic Updates.
  3. Create a partition with the drive letter Q, with enough space to install the Acrobat Reader 8.0 binaries.
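
A pre-flight check for the preparation steps above, written as an added PowerShell example (it is not part of the original article or of Microsoft's tooling). The service names WinDefend and wuauserv and the 500 MB free-space threshold are assumptions; defragmentation settings and third-party antivirus are not checked unless you add their service names.

```powershell
# Added example: pre-flight check for a sequencing reference machine.
# Assumptions (not from the article): the service names WinDefend and
# wuauserv, and the 500 MB free-space threshold, which is a placeholder.
param(
    [string]$Drive = 'Q:',
    [int]$MinFreeMB = 500,
    [string[]]$Services = @('WinDefend', 'wuauserv')
)

function Test-SequencerDrive {
    param([string]$Drive, [int]$MinFreeMB)
    # Step 3: the Q: partition must exist, be a local disk, and have room.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if (-not $disk) { return "FAIL: drive $Drive does not exist" }
    if ($disk.DriveType -ne 3) { return "FAIL: $Drive is not a local fixed disk" }
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)
    if ($freeMB -lt $MinFreeMB) {
        return "FAIL: $Drive has $freeMB MB free, need $MinFreeMB MB"
    }
    return "OK: $Drive present with $freeMB MB free"
}

function Test-ServiceQuiet {
    param([string]$Name)
    # Steps 1 and 2: background services should be stopped, and disabled
    # so they do not restart in the middle of a monitored installation.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return "OK: service $Name is not installed" }
    if ($svc.State -ne 'Stopped') { return "FAIL: service $Name is $($svc.State)" }
    if ($svc.StartMode -ne 'Disabled') {
        return "WARN: service $Name is stopped but start mode is $($svc.StartMode)"
    }
    return "OK: service $Name is stopped and disabled"
}

$results = @(Test-SequencerDrive -Drive $Drive -MinFreeMB $MinFreeMB)
foreach ($name in $Services) { $results += Test-ServiceQuiet -Name $name }
$results

# A non-zero exit code lets a build script stop before sequencing starts.
if ($results -match '^FAIL') { exit 1 }
```

Because the reference machine runs with anti-malware and updates switched off, run the check on an isolated machine that is rebuilt or reverted to a clean snapshot after each sequencing job.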

Comments
  • Jordan
    3 years ago
    Jun 04, 2009

    This article was obviously written nearly a year ago. The article mentions the "imminent release" of a version of software that has been released for about 9 months.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.