
Application Manager
Administration Guide

APPSENSE APPLICATION MANAGER ADMINISTRATION GUIDE

Notice
The information contained in this document ("the Material") is believed to be accurate
at the time of printing, but no representation or warranty is given (express or implied)
as to its accuracy, completeness or correctness. AppSense Limited, its associated
companies and the publisher accept no liability whatsoever for any direct, indirect or
consequential loss or damage arising in any way from any use of or reliance placed on
this Material for any purpose.
Copyright in the whole and every part of this manual belongs to AppSense Limited
("the Owner") and may not be used, sold, transferred, copied or reproduced in whole
or in part in any manner or form or in or on any media to any person other than in
accordance with the terms of the Owner's Agreement or otherwise without the prior
written consent of the Owner.
Trademarks
AppSense and the AppSense logo are registered trademarks of AppSense Holdings Ltd.
Microsoft, Windows and SQL Server are trademarks or registered trademarks of
Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the Fluent
user interface is licensed from Microsoft Corporation. Other brand or product names
are trademarks or registered trademarks of their respective holders.


CONTENTS

Welcome ... viii
  About this Document ... viii
  Terms and Conventions ... viii
  Feedback ... ix

Chapter 1  About Application Manager
  Product Overview
  Architecture
    Components
    Software Agent
    Configuration
  The Console
  Key Benefits
  Feature Summary

Chapter 2  Manage Configurations ... 10
  Default Settings ... 10
  Configuration ... 11
    Configuration Elements ... 11
    Rule Matching ... 12
  Configuration Properties ... 15
    Message Settings ... 15
    Archiving ... 17
  Save a Configuration ... 19
  Import a Configuration ... 19
  Export a Configuration ... 19
  Tasks ... 20

Chapter 3  General Features ... 22
  Trusted Owners ... 22
  Trusted Applications ... 24
  Extension Filtering ... 26
  Options ... 26
  Tasks ... 27

Chapter 4  Rules ... 29
  Manage Rules ... 29
  Group Rules ... 30
  User Rules ... 30
  Device Rules ... 30
  Custom Rules ... 31
  Scripted Rules ... 32
  Security Level ... 35
  Tasks ... 36

Chapter 5  Rule Items ... 40
  Accessible Items ... 40
  Prohibited Items ... 42
  Trusted Vendors ... 43
  Tasks ... 44

Chapter 6  Signature Group Management ... 46
  Manage ... 46
  Items ... 47
  Tasks ... 48

Chapter 7  Application Network Access Control ... 51
  About Application Network Access Control ... 51
  Network Connection Items ... 52
  Network Connection Group Management ... 52
  Groups ... 53
  Group Items ... 53
  Tasks ... 55

Chapter 8  Endpoint Analysis ... 57
  About Endpoint Analysis ... 57
  Endpoint Management ... 59
  Installed Applications ... 59
  Application Usage Scans ... 59
  Application Data ... 60
  Data Files ... 60
  Tasks ... 61

Chapter 9  Rules Analyzer ... 63
  About Rules Analyzer ... 63
  Endpoint Management ... 66
  Data Acquisition ... 66
  Data Files ... 66
  Tasks ... 66

Chapter 10  Auditing ... 68
  Audit ... 68
  Local Events ... 70

Chapter 11  Configuration Profiler ... 73
  Report Type ... 73
  Report Criteria ... 73
  Report Output ... 74

Chapter 12  Best Practices ... 75
  Use NTFS Security ... 76
  Install Applications with an Administrative Account ... 76
  Take Ownership of Applications Requested by Users ... 76
  Selectively Disable Trusted Ownership ... 76
  Use Signature Checking Selectively ... 76
  Prohibit Access to System Applications ... 77
  Use Folders to Simplify Configurations ... 77
  Use Group Accounts in preference to User Accounts ... 77
  Use Environment Variables for Generic Configurations ... 78
  Audit Unauthorized Activity ... 78
  Use Scripted Rules to Allow Items ... 78
  Use Scripts to Query Information ... 78
  Use Validated Scripts Only ... 78
  Working With Streamed Applications ... 79
  Avoid Whitelisting Websites ... 79
  Control company network infrastructure ... 79
  Configuring reverse DNS lookup entries ... 79
  Add IP Addresses to prohibit network connection ... 79
  When to run Installed Applications scan ... 79
  Period to run Usage Scan ... 79
  Order to run scans ... 79

Appendixes
Appendix A  System Requirements ... 81
Appendix B  Working with Scripted Rules ... 82
  About Scripted Rules ... 82
  Writing a Script ... 82
  Sample Scripts ... 83
  Best Practices ... 84
Appendix C  Application Network Access Control and Reverse DNS Lookup ... 86
Appendix D  Licensing ... 87
  About License Manager ... 88
  Managing Licenses ... 89
Appendix E  Troubleshooting ... 90
  Streamed Applications ... 91
  Citrix XenApp ... 91
Glossary ... 93

Welcome

This section includes the following:

About this Document
Terms and Conventions
Feedback

About this Document

This document shows how to install, set up and use the components of AppSense Application Manager. Application Manager provides protective measures such as blocking the execution of all unauthorized software, and supplies extensive options for creating rules to manage production application usage.

Document Information
Document Version / Publication number: APAM80-04-130209-1

Terms and Conventions

Table 3.1 on page viii shows the textual and formatting conventions used in this document:

Table 3.1  Document Conventions

  Bold                 Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.
  Code                 Used for scripting samples and code strings.
  Italic               Highlights values you can enter in console text boxes, and the titles of other guides and Helps in the documentation set.
  >                    Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."
  Note                 Highlights important points of the main text or provides supplementary information.
  Tip                  Offers additional techniques and help for users, to demonstrate the advantages and capabilities of the product.
  Caution/Warning      Provides critical information relating to specific tasks or indicates important considerations or risks.
  Further Information  Provides links to further information which include more detail about the topic, either in the current document or in related sources.

Feedback
The AppSense Documentation team aims to provide clear, accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products.
We are constantly striving to improve the documentation content and greatly value and appreciate any contribution you wish to make to enhance the detail of the content, based on your experiences with AppSense products.
Please feel welcome to send your comments to the following email address and we will endeavor to incorporate them into future publications:
documentation.feedback@appsense.com
Thanks in advance,
The AppSense Documentation team

About Application Manager

This section provides the following:

Product Overview
Architecture
The Console
Key Benefits
Feature Summary

Product Overview
This document shows how to set up and use the components of AppSense Application Manager. Application Manager provides centralized management of corporate application control, eliminating unauthorized application usage and controlling application network access enterprise wide. It blocks the execution of all unauthorized software and provides extensive options for creating rules to manage production application usage.
Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.
For further information see the AppSense Management Center Administration Guide.

Architecture
This section provides details on the architecture of Application Manager and includes the following:

Components

Software Agent

Configuration

Components

Figure 1.1 Application Manager Architecture (components shown: Client Computer, Application Manager Console, Application Manager Agent, License)

Software Agent
Application Manager is installed and run on endpoints using a lightweight Agent. In Standalone
mode the Agent is installed directly onto the local computer. In Enterprise mode, the Agent is
stored in the AppSense Management Console.
Both Agents and Configurations are constructed as Windows Installer MSI packages and can
also be distributed using any third-party deployment system which supports the MSI format.


Since the Agents and Configurations are installed and stored locally they continue to operate
when endpoints such as notebooks and Tablet PCs are disconnected or offline.
For further information about deploying AppSense software, refer to the AppSense
Management Center Administration Guide.

Configuration
Application Manager Configuration files contain the rule settings for securing your system. The Agent checks the configuration rules to determine the action to take when intercepting file execution requests.
Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the registry from the Application Manager Console. In centralized management mode, configurations are stored in the AppSense Management Center database and distributed in MSI format using the AppSense Management Console.
Because the Agent enforces whatever the local configuration says, the NTFS permissions on the configuration (and, in standalone mode, on the registry keys it is written to) are part of the product's trust boundary: a user who can modify them can weaken the policy, so they should be writable only by administrators.
Configurations can also be exported and imported to and from MSI file format using the Application Manager Console, which is useful for creating templates or distributing configurations using third-party deployment systems.
After creating or modifying a configuration you must save the configuration with the latest settings to ensure that they are implemented.

The Console
The Application Manager Console launches when its link is selected from the Start > All Programs > AppSense menu.

Figure 1.2 Application Manager Console

Application Menu
The Application Menu provides options for managing configurations, including creating new configurations, opening existing ones, and saving, importing, exporting and printing configurations.
The Preferences option allows you to modify the console skin and select whether to display the introductory splash screen.

Application Menu Options

New
  Creates a new default configuration, locked for editing.

Open
  Opens an existing configuration from one of the following locations:
  - Live configuration on this computer
  - Configuration from the Management Center
  - Configuration file on a local or network drive, in Application Manager Package File format (.aamp)
  Note: A live configuration is one located on a computer which has an Application Manager Agent installed and running.

Save
  Saves the configuration in one of the following states:
  - Save and continue editing: saves the configuration and keeps it locked and open for editing; you cannot deploy the configuration while it is locked.
  - Save and unlock: saves the configuration and unlocks it, ready for deployment.
  - Unlock without saving: unlocks the configuration without saving changes.

Save As
  Saves the configuration with a new name to one of the following locations:
  - Live configuration on this computer
  - Configuration in the Management Center
  - Configuration file on a local or network drive, in Application Manager Package File format (.aamp)
  Note: A live configuration is one located on a computer which has an Application Manager Agent installed and running.
  Warning: On Windows Vista with UAC enabled you must open the console with administrator privileges.

Import & Export
  Import reads a configuration from MSI format, usually a legacy configuration that was exported and saved from an earlier console.
  Export writes the configuration to MSI format.

Exit
  Closes the Console. You are prompted to save any changes you have made to the current configuration.

Preferences
  Launches the Console Preferences dialog box, which includes:
  - Skin: modify the console color scheme.
  - Open last configuration by default (deselected by default).
  - Show splash screen on startup.

Quick Access Toolbar

The Quick Access Toolbar provides quick functionality for managing the configuration setup, such as Save, Save and Unlock, Undo, Redo, and navigation to the previously and next displayed views.

Quick Access Toolbar Options

Save
  Saves changes to the configuration. The configuration remains locked if it was opened from the AppSense Management Center.
Save and unlock
  Saves changes and unlocks the configuration. The changes can now be deployed from the Management Center.
Undo
  Reverts actions from the action history. Up to 20 previous actions are listed; select the point to which you want to revert. The selected action and all subsequent actions are undone.
Redo
  Re-applies undone actions. Up to 20 undone actions are listed; select the point up to which you want to redo. The selected action and all subsequent actions are redone.
Back
  Navigates back through the views visited in this session.
Forward
  Navigates forward through the views visited in this session.

Ribbon Pages
Ribbon Pages include buttons for performing common actions arranged in ribbon groups
according to the area of the Console to which the actions relate. For example, the Home ribbon
page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and
Support links.
Split ribbon buttons contain multiple options and are indicated by an arrow just below the
button. Click the arrow to display and select the list of options, or simply click the button for the
default action.
Help
The Home ribbon page includes a Help button which launches the Help for the product and displays the topic relating to the current area of the console in view. A smaller icon for launching the Help displays at the far right of the console, level with the ribbon page tabs, for convenience when the Home ribbon page is not in view. You can also press F1 to launch the Help topic for the current view.


Navigation Pane
The Navigation Pane consists of the navigation tree and navigation buttons. The navigation
tree is the area for managing nodes of the configuration. The navigation buttons allow you to
view the different areas of the console.
Work Area
The Work Area provides the main area for managing the settings of the configuration and
product. The contents of the work area vary according to the selected nodes in the navigation
tree and the selected navigation buttons. Sometimes the work area is split into two panes. For
example, one pane can provide a summary of the settings in the other pane.
Additional Console Features

Shortcut Menu: right-click shortcuts are available in the navigation tree and some areas of the Console.
Drag and Drop: this feature is available in some nodes of the navigation tree.
Cut/Copy/Paste: these actions can be performed using the buttons in the Home ribbon page, shortcut menu options and keyboard shortcuts.

Optimum screen resolution for the Console is 1024 x 768 pixels.

Key Benefits
The key benefits of using AppSense Application Manager are as follows:

Protects against malicious code.
Controls role-based application usage.
Protects out of the box against all unauthorized application usage.
Stops unauthorized device license usage.
Applies time restrictions on when applications can or cannot be run.
Controls network access from within applications.
Controls network access based on location.


Feature Summary
Application Manager provides the following key features for application control:
Trusted Ownership
By default, only application files owned by an Administrator or the local System account are allowed to execute. Trusted Ownership is determined by reading the NTFS owner of each file which attempts to run and comparing it with the Trusted Owners list. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.
Note that ownership is a property of the file system entry, not of the file contents: a file a standard user creates or downloads is owned by that user and is therefore blocked, while a file installed from an administrative session carries a trusted owner and is allowed. This is why the Best Practices chapter recommends installing applications with an administrative account and taking ownership of applications requested by users.
User, Group, Device and Custom Rules
Extend application accessibility by applying rules based on username, group membership, computer or connecting device, and combinations of these. Accessible and Prohibited Items, and Trusted Vendors, can be specified in each rule and are applied to a user session based on the environment in which the user operates.
Scripted Rules
Scripted Rules allow administrators to apply Accessible Items, Prohibited Items and Trusted Vendors to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.
Trusted Vendors
Allow authentic applications to run which carry digital certificates signed by trusted sources, and which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom and Scripted Rule of the configuration.
Trusted Applications
Allow authorized applications to run files which are normally prohibited. Authorized applications are designated as Trusted Applications (parent processes) which are assigned specific prohibited files as Trusted Content (child processes). Trusted Content is allowed to run only as the child process of a Trusted Application parent process.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to allow files in these locations to run as Trusted Content of the Trusted Applications.
Application Network Access Control
Block access to certain web applications and normal applications based on the outcome of rules processing. Application Manager can manage access based on the location of the requester, for example whether they are connecting via VPN or directly to the network.
Digital Signatures
SHA-1 hash checks (called digital signatures in Application Manager) may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.
Note that chosen-prefix collision attacks against SHA-1 are now practical. A hash match still identifies one specific file content, but do not add the hash of a file supplied by an untrusted party to an accessible list, since that party could have prepared a second, colliding file in advance. Prefer Trusted Vendor certificate checks where the publisher signs its binaries.


Endpoint Analysis
Allows an Administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration.
Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator.
Endpoint Analysis is on demand and inactive by default.
Auditing
Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log. Alternatively, events can be forwarded for auditing to the AppSense Management Center via the Client Communications Agent (CCA). The Application Manager audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise. For more information, see the AppSense Management Center Administration Guide and Help.
Windows Script Host Validation
All Windows Script Host (WSH) scripts, such as VBS, are validated against the configuration rules. This ensures that users can only invoke authorized scripts, reducing the risk of introducing WSH scripts that contain viruses or malicious code.

Manage Configurations

This section provides details on Application Manager Configurations and includes the following:

Default Settings

Configuration

Configuration Properties

Save a Configuration

Import a Configuration

Export a Configuration

Tasks

Default Settings
On installation Application Manager has a configuration loaded with the following default settings:

Group Rules
  - BUILTIN\Administrators: Unrestricted
  - Everyone: Restricted

Trusted Owners Group
  - Administrators Group
  - System Account
  - Trusted Installer
  - Computer Administrator

Default Restrictions
  - Make local drives accessible by default
  - Ignore restrictions during logon
  - Allow cmd.exe for batch files
  - Extract self-extracting ZIP files
  - Validate MSI packages
  - Validate Windows Script Host (WSH) scripts
  - Validate Registry files

Trusted Applications
  - msiexec.exe can run any .exe or .dll
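The check described under Trusted Ownership in the Feature Summary, applied to the default Trusted Owners listed above, as an added PowerShell example (this is not code from this guide or from AppSense): it walks a folder and reports which executable files the default ownership rule would block, comparing owners by SID rather than by display name. The folder in the usage line, the extension list and the location classification are assumptions made for the example.

```powershell
# Added example (not part of this guide or the AppSense product): report which
# executable files under a folder would fail the default Trusted Ownership
# check. The folder used in the usage line is an assumption.

# The default Trusted Owners expressed as well-known SIDs, so the comparison
# does not depend on localized account names.
$TrustedOwnerSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18',      # NT AUTHORITY\SYSTEM (the Local System account)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
# "Computer Administrator" is the built-in local Administrator account (RID 500
# of the machine SID); its SID differs on every computer, so look it up.
try {
    $localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($localAdmin) { $TrustedOwnerSids += $localAdmin.SID.Value }
} catch { Write-Warning 'Get-LocalUser unavailable; local Administrator not added.' }

function Get-FileLocationKind {
    # The agent blocks files on non-NTFS, removable and network locations
    # regardless of owner, so classify the volume first.
    param([string]$Path)
    if ($Path.StartsWith('\\')) { return 'Network' }
    $drive = New-Object System.IO.DriveInfo([System.IO.Path]::GetPathRoot($Path))
    if ($drive.DriveType -ne 'Fixed') { return $drive.DriveType.ToString() }
    if ($drive.DriveFormat -ne 'NTFS') { return "Non-NTFS ($($drive.DriveFormat))" }
    return 'Fixed NTFS'
}

function Test-TrustedOwner {
    param([Parameter(Mandatory)][string]$Path)
    $r = [ordered]@{ Path = $Path; Location = $null; Owner = $null; OwnerSid = $null
                     Trusted = $false; Reason = $null }
    try {
        $r.Location = Get-FileLocationKind $Path
        $acl        = Get-Acl -LiteralPath $Path
        $r.Owner    = $acl.Owner
        # Compare by SID rather than by the display name Get-Acl reports.
        $r.OwnerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        $ownerOk    = $TrustedOwnerSids -contains $r.OwnerSid
        $r.Trusted  = $ownerOk -and ($r.Location -eq 'Fixed NTFS')
        if (-not $ownerOk)       { $r.Reason = 'owner is not in the Trusted Owners list' }
        elseif (-not $r.Trusted) { $r.Reason = "location is $($r.Location)" }
        else                     { $r.Reason = 'owner is a Trusted Owner' }
    } catch {
        # No security descriptor could be read; the agent treats such files as
        # untrusted because ownership cannot be established.
        $r.Reason = "owner cannot be established: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

function Get-TrustedOwnershipReport {
    param([Parameter(Mandatory)][string]$Folder,
          [string[]]$Extensions = @('.exe', '.dll', '.com', '.scr', '.msi', '.vbs', '.js', '.bat', '.cmd'))
    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Test-TrustedOwner -Path $_.FullName }
}

# Usage (assumed folder): show only the files the default policy would block.
Get-TrustedOwnershipReport -Folder "$env:USERPROFILE\Downloads" |
    Where-Object { -not $_.Trusted } |
    Format-Table Path, Location, Owner, Reason -AutoSize
```

Run it over a user's profile before tightening a configuration to see which files would need an Accessible Item, a Trusted Vendor entry or a change of owner; run it over Program Files to find installed binaries that a non-administrative installer left owned by a user, which the Best Practices chapter addresses by taking ownership.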

Configuration
The Application Manager configuration is installed on managed devices and serves as a policy
checklist for the Application Manager Agent to assess how to handle file execution requests.
When a file is executed, Application Manager intercepts the request and performs a check with
the configuration to find a matching rule that indicates the appropriate action to take.
Other default policies specified in a configuration are also applied, for example, event filtering
or handling for specific file extension types as well as general policies such as default rules,
auditing rules and how message notifications are displayed.
This section includes:

Configuration Elements

Rule Matching

Configuration Elements
The Application Manager console provides configuration settings in the following key areas:

Rules

Library

Rules
Rule nodes provide default settings for handling file executions and specific settings which apply
to particular users, groups or devices:
Group, User, Device, Custom and Scripted Rules
Allow you to specify Security Level settings that specify restrictions which apply to users, groups
or devices matching the rule. Custom rules target combinations of particular users or groups
operating on specific collections of devices. Scripted rules allow administrators to apply
Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The
VBScript can be run for each individual user session or run once per computer.

Accessible / Prohibited Items: sub-node lists within each rule which you can populate and maintain with specific files, folders, drives and digital signatures to provide an additional level of granularity for controlling file execution requests. For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.

Trusted Vendors: a sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list. For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system but may be required to download and run software updates from a particular source from time to time. If the downloaded file carries a digital certificate which matches a certificate in the Trusted Vendors list, the file is allowed to run.

Library
Library nodes provide the following:
Signature Group Management
The Signature Group Management node allows you to apply digital signatures to files or
collections of files including the running child processes spawned by applications. Signature
group collections can be added to the accessible and prohibited items lists in a rule.
Network Connection Group Management
The Network Connection Group Management node allows you to create groups in the Network
Connection Group List and add network connections for the groups. The network connections
can be anything from network shares to corporate web applications.

Rule Matching
Rule matching takes place when Application Manager intercepts a file execution request and
checks the configuration policy to determine whether a file is allowed to run.
Applying Rule Policies
The most lenient security policy is applied to a user profile which is affected by more than one
rule. For example, a user who matches both a User Rule assigned the Restricted security level
and also a group rule which assigns the Self-Authorizing security level, is granted
self-authorizing privileges for all decisions and application use.
Matching Files and Rules
The Application Manager agent applies rules by making a suitable match for the file type.


Figure 2.1 Rule Matching Priorities

Matching is based on a three stage approach which considers security, matching order and policy decisions:
1. Security:
   - Is the user restricted?
   - Is ownership of the executable item trusted?
   - Where is the executable located?
2. Matching:
   - Does the executable match a signature?
   - Does the executable match an Accessible or Prohibited item?
3. Policy:
   - Is Trusted Ownership checking enabled?
   - Is there a timed exception?
   - Is there an Application Limit?


Trusted Ownership Checking

During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that the owner of each item matches the list of trusted owners specified in the default rule configuration.
For example, if a match is made between the file you wish to run and an accessible item, an additional security check ensures that the file owner is also in the Trusted Owners list. If a genuine file has been tampered with, or a file which is a security threat has been renamed to resemble an accessible file, trusted ownership checking identifies the irregularity and prevents the file execution.
Trusted ownership checking is not applied to items matched by digital signature, because a hash match identifies one specific file content rather than a path whose contents could be replaced.
Checking Trusted Applications
Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership checking. Application Manager checks the process tree of the prohibited file for a running parent application which matches a Trusted Application. If a match is found, the file is allowed to run.
Trusted Vendors
Trusted Vendor matching takes place when a file is prohibited by failing both Trusted Ownership checking and Trusted Application checking.
Application Manager queries each file execution to detect the presence of a digital certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendors list, the file is allowed to run, overriding the Trusted Ownership check.
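A model of the three-stage matching order, the "most lenient rule wins" combination from Applying Rule Policies, and the Trusted Application and Trusted Vendor fallbacks described above, as an added PowerShell example. It is not the agent's code: the hashtable field names, the per-item CheckOwner flag (standing in for the Selectively Disable Trusted Ownership practice), and the sample policy and request are assumptions made for the illustration.

```powershell
# Added example: a model of the matching order described in this guide, not the
# agent's code. Field names in $Request/$Policy and CheckOwner are assumptions.
$SecurityLevelRank = @{ Restricted = 0; SelfAuthorizing = 1; Unrestricted = 2 }

function Get-EffectiveSecurityLevel {
    # A user matched by several rules receives the most lenient level of them.
    param([string[]]$MatchedLevels)
    if (-not $MatchedLevels) { return 'Restricted' }
    return @($MatchedLevels | Sort-Object { $SecurityLevelRank[$_] } -Descending)[0]
}

function New-Decision($Action, $Reason) {
    [pscustomobject]@{ Action = $Action; Reason = $Reason }
}

function Test-TrustedApplicationParent($Request, $Policy) {
    # Trusted Content may run only as a child of its listed Trusted Application.
    foreach ($app in $Policy.TrustedApplications) {
        if ($Request.ParentProcess -like $app.Parent -and
            ($app.Content | Where-Object { $Request.Path -like $_ })) { return $true }
    }
    return $false
}

function Test-TrustedVendor($Request, $Policy) {
    # The signature must verify and the signer must be on the Trusted Vendors list.
    return ($Request.SignatureValid -eq $true) -and
           ($Policy.TrustedVendors -contains $Request.SignerThumbprint)
}

function Resolve-ExecutionRequest {
    param([Parameter(Mandatory)][hashtable]$Request, [Parameter(Mandatory)][hashtable]$Policy)
    $path = $Request.Path
    # 1. Security: Unrestricted users are not subject to rule processing.
    if ($Policy.SecurityLevel -eq 'Unrestricted') { return New-Decision 'Allow' 'user is Unrestricted' }

    # 2. Matching: a Prohibited Item blocks the file; only a Trusted Application
    #    parent overrides it. A signature (hash) match identifies exact content,
    #    so ownership is not consulted for it.
    if ($Policy.ProhibitedPaths | Where-Object { $path -like $_ }) {
        if (Test-TrustedApplicationParent $Request $Policy) {
            return New-Decision 'Allow' 'prohibited item running as Trusted Content'
        }
        return New-Decision 'Deny' 'prohibited item'
    }
    if ($Request.Sha1 -and ($Policy.AccessibleSignatures -contains $Request.Sha1)) {
        return New-Decision 'Allow' 'digital signature match'
    }

    # 3. Policy: a Timed Exception that is not valid now is a denial.
    $when = if ($Request.Time) { [datetime]$Request.Time } else { Get-Date }
    $te = $Policy.TimedExceptions | Where-Object { $path -like $_.Path } | Select-Object -First 1
    if ($te -and ($when.Hour -lt $te.StartHour -or $when.Hour -ge $te.EndHour)) {
        return New-Decision 'Deny' 'timed exception not valid at this time'
    }

    # Trusted Ownership applies to Accessible Items (unless the item disables it)
    # and to the default "local drives accessible" rule. A file whose owner cannot
    # be established (non-NTFS, removable, network) fails the check.
    $item = $Policy.AccessibleItems | Where-Object { $path -like $_.Path } | Select-Object -First 1
    $candidate = ($null -ne $item) -or ($Request.OnLocalFixedDrive -eq $true)
    $ownerRequired = $Policy.TrustedOwnershipEnabled -and
                     (($null -eq $item) -or ($item.CheckOwner -ne $false))
    if ($candidate -and ((-not $ownerRequired) -or ($Request.OwnerTrusted -eq $true))) {
        return New-Decision 'Allow' $(if ($null -ne $item) { 'accessible item' } else { 'local drive accessible by default' })
    }

    # Ownership or location failed: try Trusted Application, then Trusted Vendor,
    # then let a Self-Authorizing user decide.
    if (Test-TrustedApplicationParent $Request $Policy) {
        return New-Decision 'Allow' 'Trusted Content of a Trusted Application'
    }
    if (Test-TrustedVendor $Request $Policy) { return New-Decision 'Allow' 'signed by a Trusted Vendor' }
    if ($Policy.SecurityLevel -eq 'SelfAuthorizing') {
        return New-Decision 'Prompt' 'Trusted Ownership failed; user decision required'
    }
    return New-Decision 'Deny' 'Trusted Ownership failed'
}

# Constructed sample policy and request (illustration only).
$policy = @{
    SecurityLevel           = Get-EffectiveSecurityLevel @('Restricted', 'SelfAuthorizing')
    TrustedOwnershipEnabled = $true
    AccessibleItems         = @(@{ Path = 'C:\Tools\*'; CheckOwner = $true },
                                @{ Path = 'E:\Portable\*'; CheckOwner = $false })
    ProhibitedPaths         = @('C:\Windows\System32\cmd.exe')
    AccessibleSignatures    = @()   # SHA-1 hashes from Signature Groups
    TrustedApplications     = @(@{ Parent = 'msiexec.exe'; Content = @('*.exe', '*.dll') })
    TrustedVendors          = @()   # certificate thumbprints of trusted signers
    TimedExceptions         = @(@{ Path = 'C:\Games\*'; StartHour = 12; EndHour = 13 })
}
$request = @{ Path = 'C:\Users\alice\Downloads\setup.exe'; OwnerTrusted = $false
              OnLocalFixedDrive = $true; ParentProcess = 'explorer.exe'; SignatureValid = $false }
Resolve-ExecutionRequest $request $policy   # Prompt: the user is Self-Authorizing
$request.ParentProcess = 'msiexec.exe'
Resolve-ExecutionRequest $request $policy   # Allow: Trusted Content of msiexec.exe
```

The two calls at the end show the same user-owned download first prompting (the user's effective level is Self-Authorizing because that is the most lenient of the two matched rules) and then being allowed once its parent is the default Trusted Application msiexec.exe. Setting TrustedOwnershipEnabled to $false makes the default local-drive rule allow it outright, which is the weakening the Best Practices chapter warns about when it recommends disabling Trusted Ownership only selectively.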


Configuration Properties
This section details the Configuration Properties and includes the following:

Message Settings
Archiving

Message Settings
Use the Message Settings options in the General Features ribbon page > Configuration Properties ribbon group to configure the messages issued to users. You can set up messages for situations where access is denied, application limits have been exceeded, and for self-authorization. Time limits for application behaviour can be specified with warning and denied messages.
Message Box Variables
The message box caption and text may contain user and system-wide environment variables, including the Application Manager variables shown in Table 2.1. Environment variables are not expanded when you preview a message with the Test button.
Table 2.1  End User Messages Environment Variables

  %ExecutableName%   Expands to the name of the prohibited application.
  %FullPathName%     Expands to the full path of the prohibited application.
  %DirectoryName%    Expands to the directory where the prohibited application is located.

Reference

Access Denied
Displays when the user is denied access to an unauthorized application.
Message
%USERNAME% is not authorized to execute %ExecutableName%.
Application Limits Exceeded
Displays when the user is denied access to an application that has reached an application limit.
Message
%USERNAME% has exceeded the application limit for %ExecutableName%.


Time Limits
Two messages are associated with Timed Exceptions. The Warning Message displays when an application's Timed Exception has expired while the application is still running. The Denied Message displays when the user attempts to run an application whose Timed Exception is not valid at the requested time.
Display an initial warning message
Select to display an initial warning message to the user when an application has exceeded its time limits. Typically, this gives the user time to save their work and close the application.
Close application
Select to send a close message to the application. When most applications receive a close message they automatically give the user a chance to save their work.
Terminate application
Select to terminate the application. Typically this is used after the application has been sent a close message but has failed to terminate.
Wait
Specify the number of seconds to wait between each of the selected termination options. For example, if you select all three of the termination options and then select 20 seconds, the warning message is displayed, followed 20 seconds later by the close message, and finally the application is terminated after a further 20 seconds.
Warning Message
Displays when an application has a Timed Exception applied that has now expired and the application is still running.
Message
%USERNAME% is no longer permitted to run %ExecutableName%. Please save all work and shut down this application immediately
Denied Message
Displays when the user is denied access to an application that has a Timed Exception applied which is not valid at the requested time.
Message
%USERNAME% is not permitted to run %ExecutableName% at this time.
Self-Authorization
The Message displays when a self-authorizing user attempts to run a prohibited application and the file requires a user decision to run.
The Response displays when a self-authorizing user allows a DLL file that another application uses and the application may need to be restarted.
Message
%ExecutableName% cannot run without your authorization. This action may be logged.
Response
%ExecutableName% is now authorized. Applications using this file may need to be restarted.
Click the Test button to preview the message box.

Archiving
Archiving is an optional function allows you to copy any denied executables into a secure folder.
Reference

Use archiving
Select to switch on the archiving function.
Global Properties
Do not archive administrator owned files
Select to prevent Application Manager from adding administrator owned files to the archive.
Do not archive if the file already exists
Select to prevent Application Manager from adding files to the archive which already exist in the
archive. This is especially useful when the archive resides on the network.
Use anonymous archiving
Select to prevent Application Manager from adding any user names to the archive. For example,
if a user runs a downloaded file from the $Home drive, the owner of the file is that user and
the archived filename also contains the user's name as part of the path from which it was
executed. If Anonymous archiving is selected, the owner of the file is changed to SYSTEM
and any references to the user name are replaced with anonymous.
Total Limit
The maximum size in MB that the archive is allowed to reach before archiving stops. If the
option When a user's archive is full allow the oldest files to be overwritten is selected, the
oldest files are overwritten instead.

User Limit
The maximum size in MB that a single user archive is allowed to reach before files are
overwritten. For example, if an archive path is specified as C:\archive\%username%, every user
on the system has a separate archive under the C:\archive directory. It is this user archive that is
subject to the user limit.
A limit setting of zero (0) denotes an unlimited size for an archive.

File Options
Only archive files less than _Mb
Limits the size of the files that are copied to the archive. This is particularly useful if a network
archive is specified since copying large files to a network location is a potentially time
consuming operation.
When a user's archive is full allow the oldest files to be overwritten
Select to allow Application Manager to overwrite the oldest files in the archive in cases where
the archive size has reached either the Total limit or the User limit.
Folders
Archive Folder
The list of folder paths to which archive files are copied.
Browse
Browse to the location where you want the archive to exist.
Add
Add an archive location to the list. The archive may contain environment variables. For example,
%SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Manager attempts
to archive the file. Each user has a personal archive.
Move Up
Moves the selected archive up the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
Move Down
Moves the selected archive down the list of available archives. The order of the archive list is
important as Application Manager attempts to copy the file to the first archive in the list. If this
copy fails, Application Manager continues to make attempts to copy the file to the next archive
location until it is successful.
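The following Python script is an added illustration of the archiving behaviour described in this section; it is not Application Manager code and does not reproduce the product's implementation. It models the ordered folder list with fall-through to the next location on failure, %VARIABLE% expansion, the per-user size limit with oldest-file overwriting, the file-size cap, the skip-if-exists option and anonymous archiving. The folder names, the 1 MB limit, the 400 KB placeholder files and the environment values are constructed for the demonstration; the total limit across all users is not modelled.

```python
import os
import re
import shutil
import tempfile


def expand_env(path, env):
    """Expand Windows-style %NAME% tokens using the supplied mapping (unknown names are left as-is)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _make_room(folder, needed, limit, overwrite_oldest):
    """Return True once `needed` bytes fit under `limit` bytes (0 = unlimited).

    If the folder is full and overwriting is allowed, the oldest files are removed first,
    mirroring the 'allow the oldest files to be overwritten' option.
    """
    if limit == 0:
        return True
    files = [os.path.join(folder, n) for n in os.listdir(folder)]
    files = [p for p in files if os.path.isfile(p)]
    used = sum(os.path.getsize(p) for p in files)
    if used + needed <= limit:
        return True
    if not overwrite_oldest:
        return False
    for p in sorted(files, key=os.path.getmtime):
        used -= os.path.getsize(p)
        os.remove(p)
        if used + needed <= limit:
            return True
    return False


def archive_denied_file(src, archive_folders, env, *, user_limit_mb=0, overwrite_oldest=False,
                        max_file_mb=0, skip_existing=True, anonymous=False):
    """Copy a denied executable into the first archive folder that accepts it.

    archive_folders is tried in order; a location that cannot be written is skipped and the
    next one is tried. Returns the destination path, or None if nothing was archived.
    """
    size = os.path.getsize(src)
    if max_file_mb and size >= max_file_mb * 1024 * 1024:
        return None                                  # 'Only archive files less than _Mb'
    if anonymous:
        env = dict(env, USERNAME="anonymous")        # keep the user name out of the archive path
    limit = int(user_limit_mb * 1024 * 1024)
    for folder in archive_folders:
        dest_dir = expand_env(folder, env)
        dest = os.path.join(dest_dir, os.path.basename(src))
        try:
            os.makedirs(dest_dir, exist_ok=True)
            if skip_existing and os.path.exists(dest):
                return dest                          # 'Do not archive if the file already exists'
            if not _make_room(dest_dir, size, limit, overwrite_oldest):
                return None                          # archive full and overwriting not allowed
            shutil.copy2(src, dest)
            return dest
        except OSError:
            continue                                 # this location failed; try the next one
    return None


def archive_demo():
    """Constructed scenario in a temporary directory; returns the observations as a dict."""
    root = tempfile.mkdtemp()
    try:
        env = {"SYSTEMDRIVE": root, "USERNAME": "testuser"}   # stands in for the real environment
        blocked = os.path.join(root, "blocked")
        open(blocked, "w").close()     # a plain file, so no folder can be created beneath it
        folders = [
            os.path.join(blocked, "Archive", "%USERNAME%"),         # always fails: exercises fall-through
            os.path.join("%SYSTEMDRIVE%", "Archive", "%USERNAME%"),
        ]
        src_dir = os.path.join(root, "downloads")
        os.makedirs(src_dir)
        out = {}
        for i, name in enumerate(["a.exe", "b.exe", "c.exe"]):
            src = os.path.join(src_dir, name)
            with open(src, "wb") as fh:
                fh.write(b"\0" * 400 * 1024)           # 400 KB placeholder "executable"
            dest = archive_denied_file(src, folders, env, user_limit_mb=1.0, overwrite_oldest=True)
            os.utime(dest, (1_000_000 + i, 1_000_000 + i))   # fixed ages so eviction order is deterministic
            out[name] = dest
        out["fell_through"] = not out["a.exe"].startswith(blocked)
        out["remaining"] = sorted(os.listdir(os.path.join(root, "Archive", "testuser")))
        anon = archive_denied_file(os.path.join(src_dir, "c.exe"), folders, env, anonymous=True)
        out["anon_user_folder"] = os.path.basename(os.path.dirname(anon))
        out["too_big"] = archive_denied_file(os.path.join(src_dir, "c.exe"), folders, env, max_file_mb=0.1)
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in archive_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the first location being skipped because it cannot be written, the oldest copy (a.exe) being removed once the user archive would exceed 1 MB, the anonymous copy landing under an anonymous folder instead of the user's, and the oversized request being refused. Copies of denied executables kept this way are useful evidence when investigating how an unauthorised file reached a machine.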

Save a Configuration
When changes are made to a configuration you have the following options:

Save - saves the configuration and continues editing.

Save and Unlock this configuration - the configuration is saved and unlocked and can
now be edited by other users.

Unlock only, do not save - reverts the configuration to the original state and unlocks
the configuration for editing by other users.

Save As provides the following destinations:

Live configuration on this computer - replaces or updates the configuration on the local
computer with the currently open configuration.

Configuration in Management Center - saves the configuration in the package store on the
selected Management Server.

Configuration file on local or network drive - saves the configuration to a file on a local
or network drive.

Import a Configuration
Configurations can be imported into Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Import Configuration from MSI. The Open dialog box displays.
4. Navigate to the location of the MSI, select it and click Open.

Export a Configuration
Configurations can be exported from Application Manager.
1. Click the Application Menu button.
2. Click Import & Export. The Import & Export Options display.
3. Click Export Configuration as MSI. The Save As dialog box displays.
4. Navigate to the location where you want to save the MSI and click Save.

Tasks
This section includes the following tasks:

CREATE A CONFIGURATION

1. Launch the Application Manager console from the Start menu.
2. Click the Application Menu button.
3. Click New.
A new configuration displays and automatically provides the following protection by
default:

Applications not stored on local hard drives are prohibited. For example, applications
on network drives and removable media are prohibited.

Applications that are not owned by the administrator are prohibited. For example, any
applications copied onto the computer's hard drives by a non-administrator are
prohibited.

All administrators can run any applications.


You must save a new configuration before the default settings are implemented.

TEST A CONFIGURATION
You must have a test user set up before proceeding with this task.

1. Log on as the Administrator.
2. Start AppSense Application Manager.
3. In the navigation tree, navigate to Rules > User.
4. Click the Add Rule ribbon button in the Rules ribbon page > Manage group and select
User Rule.
The Add User Rule dialog box displays.
5. Click Browse.
The Active Directory Select Users dialog box displays.
6. Click Advanced.
7. Click Find Now. The Search results display in the bottom part of the dialog box.
8. Scroll down to locate the test user, select it and click OK.
The Select Users dialog box re-displays with the test user displayed in the object name.

9. Click OK.
The User rule work area displays the newly created test user.
The test account should not be one of the Trusted Owners in the configuration.

10. Log off as the Administrator.
11. Log on as the test user to see Application Manager working.

General Features

This section provides details on the general features of Application Manager and includes the
following:

Trusted Owners

Trusted Applications

Extension Filtering

Options

Tasks

Trusted Owners
During the rule matching process, Trusted Ownership checking is performed on files, folders
and drives to ensure that ownership of the items is matched with the list of trusted owners
specified in the default rule configuration.
For example, if a match is made between the file you want to run and an accessible item, an
additional security check ensures that the file ownership is also matched with the Trusted
Owners list. If a genuine file has been tampered with or a file which is a security threat has been
renamed to resemble an accessible file, trusted ownership checking identifies the irregularity
and prevents the file execution.
Trusted ownership checking is not necessary for items with digital signatures as these cannot be
imitated.
The list of Trusted Owners is maintained in the General Features ribbon page > Default
Restrictions group > Trusted Owners. Application Manager trusts all local administrators
and SYSTEM owned applications by default and you can extend this list to include other users or
groups. You can also designate certain Trusted Applications, such as antivirus applications, to
be permitted to execute files which would otherwise be prohibited from running.
When using Application Manager for the first time, we recommend you use the default
settings. To avoid complex customizations do not extend the Trusted Owners list or change
any default settings.

FILE OVERWRITE AND RENAME

When the option Change a file's ownership when it is overwritten or renamed is
selected, Application Manager selectively changes the NTFS file ownership of executable files
when they are overwritten or renamed.
Attempts by a user who is not a Trusted Owner to overwrite a file which is accessible due to
Trusted Ownership or an Accessible Item rule could constitute a security threat if the file
contents have changed. Application Manager changes the ownership of an overwritten file to
the user performing the action, making the file untrusted and ensuring that the system remains
secure.
Likewise, attempts to rename a prohibited file to the name of an accessible item could also
constitute a security threat. Application Manager also changes the ownership of these files to
the user who performs the rename action and ensures the file remains untrusted.
Overwrite and rename actions are both audited.

WHITE LISTS

If you prefer to use a white list approach where nothing is allowed to run by default, clear the
Make local drives accessible by default check box in the General Features ribbon page >
Default Restrictions group > Options. To make items accessible add them to the Accessible
Items folder of a configuration node.
If you use a White List approach, ensure that you allow important system files to run, by
adding a Group Rule for the Everyone group in which all of the relevant files or folders have
been added to Accessible Items. Otherwise, many crucial executable files and DLLs such as
those which are stored in the system32 directory can be prevented from running and
adversely affect correct system functioning.

TRUSTED OWNERSHIP CHECKING

To ignore Trusted Ownership for individual files do one of the following:

Clear the Trust. Ownership check box in the Accessible Items sub-nodes.

Assign self-authorization status to users and devices to allow the user to decide whether or
not to allow a file to run. Set the Self-Authorizing security level for a rule in the Group Rules,
User Rules, Device Rules and Custom Rules nodes.

Trusted Applications override restrictions resulting from matches with Prohibited Items.

Trusted Vendors override restrictions resulting from Trusted Ownership checking.

Reference

Configure Trusted Ownership settings.

Properties
Enable Trusted Ownership checking
Select to switch on Trusted Ownership checking. Selected by default.

Change the ownership of a file when it is overwritten or renamed
Select to change the ownership of any trusted accessible file which is overwritten by an
untrusted user, that is, a user who is not in the Trusted Owners list.
When a prohibited file is renamed by an untrusted user, in an attempt to bypass a prohibited
item rule, the ownership is changed to the untrusted user. Once the ownership has changed,
Trusted Ownership checking then prevents the file from being executed.

Trusted Owners
Textual SID
The Textual Security Identifier of the Trusted Owner. For example, S-1-5-32-544.
Add Trusted Owner
Launches the Add Trusted Owners dialog box. Enter or Browse to select an Account to add
to the Trusted Owner list.

Trusted Applications
Trusted Applications are files which are authorized by Application Manager configuration rules
and are permitted to execute specified files which are normally prohibited.
Once an application is designated as a Trusted Application, you can add, as Trusted Content,
those files and file types which are normally prohibited, and run them as child processes of the
specified Trusted Applications. You can also add folders and drives as Trusted Content to allow
Trusted Applications to run prohibited files in those locations.
Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted
Ownership checking. Application Manager checks the process tree of the prohibited file for a
running parent application which is an authorized application and matches a Trusted
Application. If a match is found, the file is allowed to run.
Reference

Options
Configure Trusted Application settings.
Disable Trusted Applications checking
Select to switch off Trusted Applications checking.
Check all denied requests
Select to perform Trusted Application matching both on files prohibited by Trusted Ownership
checking and files prohibited by configuration rules.

Only check requests denied by Trusted Ownership
Select to perform Trusted Application matching only on files prohibited specifically by Trusted
Ownership checking.
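The following Python model is an added illustration, not Application Manager code, of how the checks described in the Trusted Owners and Trusted Applications sections combine into one execute decision: Trusted Ownership of the file, the ownership change on overwrite and rename, the Make local drives accessible by default option, Accessible and Prohibited Items, and Trusted Application matching on the process tree with the Check all denied requests option. The well-known SIDs S-1-5-18 (SYSTEM) and S-1-5-32-544 (Administrators) are real; the test-user SID, process ids, file names and rule contents are constructed, and the ordering of the checks is an assumption made for the model.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

SYSTEM_SID = "S-1-5-18"                          # well-known SID: NT AUTHORITY\SYSTEM
ADMINISTRATORS_SID = "S-1-5-32-544"              # well-known SID: BUILTIN\Administrators
TEST_USER_SID = "S-1-5-21-1000-2000-3000-1001"   # constructed SID standing in for an ordinary user


@dataclass
class Process:
    pid: int
    image: str             # executable name, e.g. "wscript.exe"
    parent: Optional[int]  # parent pid, None at the root of the tree


@dataclass
class TrustedApplication:
    image: str
    trusted_content: set   # normally prohibited files this application may launch


@dataclass
class Rule:
    """The parts of a matched rule and of General Features that the decision below uses."""
    prohibited_items: set = field(default_factory=set)
    accessible_items: dict = field(default_factory=dict)   # file -> True if Trust Ownership still applies
    trusted_owners: set = field(default_factory=lambda: {SYSTEM_SID, ADMINISTRATORS_SID})
    trusted_applications: list = field(default_factory=list)
    local_drives_accessible: bool = True   # cleared for a white-list approach
    check_all_denied: bool = True          # False = only check requests denied by Trusted Ownership


class OwnershipModel:
    """Hypothetical model of ownership bookkeeping and the execute decision; not product code."""
    def __init__(self, rule, owners):
        self.rule = rule
        self.owners = dict(owners)   # file name -> owner SID, standing in for NTFS ownership
        self.audit = []              # overwrite and rename actions are audited

    def overwrite(self, path, actor_sid):
        # An untrusted writer replaced the contents: the file becomes theirs and is no longer trusted.
        if actor_sid not in self.rule.trusted_owners:
            self.owners[path] = actor_sid
        self.audit.append(("overwrite", path, actor_sid))

    def rename(self, old, new, actor_sid):
        # Renaming to an accessible item's name does not make an untrusted file trusted either.
        owner = self.owners.pop(old)
        self.owners[new] = owner if actor_sid in self.rule.trusted_owners else actor_sid
        self.audit.append(("rename", old, new, actor_sid))

    def evaluate(self, path, process_tree, launcher_pid):
        """Return (allowed, reason) for an execute request for `path` made by process launcher_pid."""
        rule = self.rule
        owner_trusted = self.owners.get(path) in rule.trusted_owners
        if path in rule.prohibited_items:
            denied_by = "rule"
        elif path in rule.accessible_items and (owner_trusted or not rule.accessible_items[path]):
            return True, "accessible item"
        elif owner_trusted and rule.local_drives_accessible:
            return True, "trusted owner"
        else:
            denied_by = "ownership" if not owner_trusted else "white list"
        if denied_by == "rule" and not rule.check_all_denied:
            return False, "prohibited by rule"
        pid = launcher_pid   # Trusted Application matching: walk up the process tree
        while pid is not None:
            proc = process_tree[pid]
            for app in rule.trusted_applications:
                content = {c.lower() for c in app.trusted_content}
                if proc.image.lower() == app.image.lower() and path.lower() in content:
                    return True, f"trusted content of {app.image}"
            pid = proc.parent
        return False, f"denied by {denied_by}"


def ownership_demo():
    """Constructed scenario: calc.exe is prohibited, wscript.exe is trusted to launch it."""
    rule = Rule(prohibited_items={"calc.exe"}, accessible_items={"helper.exe": True},
                trusted_applications=[TrustedApplication("wscript.exe", {"calc.exe"})])
    owners = {"calc.exe": SYSTEM_SID, "notepad.exe": ADMINISTRATORS_SID,
              "helper.exe": ADMINISTRATORS_SID, "tool.exe": TEST_USER_SID}
    tree = {1: Process(1, "explorer.exe", None), 2: Process(2, "wscript.exe", 1)}
    model = OwnershipModel(rule, owners)
    out = {"calc_from_explorer": model.evaluate("calc.exe", tree, 1),
           "calc_from_script": model.evaluate("calc.exe", tree, 2),
           "copied_tool": model.evaluate("tool.exe", tree, 1),
           "notepad_before": model.evaluate("notepad.exe", tree, 1)}
    model.overwrite("notepad.exe", TEST_USER_SID)          # untrusted user replaces a trusted file
    out["notepad_after"] = model.evaluate("notepad.exe", tree, 1)
    model.rename("tool.exe", "helper.exe", TEST_USER_SID)  # untrusted file renamed to an accessible name
    out["helper_after"] = model.evaluate("helper.exe", tree, 1)
    strict = OwnershipModel(replace(rule, check_all_denied=False), owners)
    out["calc_from_script_strict"] = strict.evaluate("calc.exe", tree, 2)
    whitelist = OwnershipModel(replace(rule, local_drives_accessible=False), owners)
    out["notepad_whitelist"] = whitelist.evaluate("notepad.exe", tree, 1)
    out["audit_events"] = len(model.audit)
    return out
```

The demo reproduces the Testing Trusted Applications task in miniature: calc.exe launched from explorer.exe is blocked by the rule, but launched from wscript.exe it is allowed as Trusted Content; a file copied in by the test user fails Trusted Ownership; a trusted file that the test user overwrites, or an untrusted file renamed to an accessible name, is denied afterwards and both actions appear in the audit list.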
Configuration > Application
Add File
Launches the File Selection dialog box. Enter or Browse to select the file you want to add.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
All child processes of the selected trusted application which are normally prohibited, are
trusted when launched by this application.

Add Signature
Launches the File Selection dialog box. Enter or Browse to select the file you want to add.
The digital signature of the selected application is added to the list under the Signatures
heading.
Configuration > Trusted Content
Add File
Launches the File Selection dialog box. Enter or Browse to select the file you want to add. This
file will be allowed to run as a child process of the selected trusted application.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Folder
Launches the Folder Selection dialog box. Enter or Browse to select the folder you want to
add. This allows application files in this folder to be allowed to run as child processes of the
selected trusted application.
Includes Recurse subdirectories option, which is selected by default. This option indicates
whether the subdirectories of the folder are included.
Includes Replace with environment variables option, which is selected by default. This
option replaces the file and filepath entered with the environment variables.
Add Drive
Launches the Add Drive dialog box. Enter a drive letter to allow application files in this location
to run as child processes of the selected trusted application.

Extension Filtering
Apply Application Manager rules to specific file extensions.
Reference

Enable extension filtering
Select to switch on extension checking.
Properties
Exclude files with extensions in the list below
Select to ensure that Application Manager rules do not apply to the file types listed in the
Extensions list.
Only check files with extensions in the list below
Select to ensure that Application Manager rules apply only to the file types in the Extensions
list. All other file types are allowed to execute normally.
Extensions
A list of file extensions to filter. You can Add to and Delete from the list.

Options
The Options in the General Features ribbon tab > Default Restrictions group provide
general Application Manager settings to apply to all application and process execution requests.
The Options are divided into two sections:

General Features - all options are selected by default.

Validation - all options are selected by default with the exception of Validate System
processes.

Tasks
This section includes the following tasks:

TESTING TRUSTED OWNERSHIP

1. Introduce one or more applications using a test user account. For more details see Test a
Configuration.
2. Copy one or more applications to the user's home drive or another suitable location, such
as calc.exe from the System32 folder, or copy a file from a CD.
3. Attempt to run a copied file.
The application is prohibited because the files are owned by the test user, who is not a member
of the Trusted Owners list.
You can verify the ownership of a file by viewing the Properties using Windows Explorer.

TESTING TRUSTED APPLICATIONS

1. Create a rule in the User Rules node which applies to a test user account.
2. Add calc.exe to Prohibited Items.
3. Save the configuration.
4. Run calc.exe.
Calc is blocked and an error notification is displayed.
5. Add to Accessible Items a VBS file containing the following script sample, which attempts
to launch calc.exe:
' Create the Windows Script Host shell object and use it to start calc.exe
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"

6. Add wscript.exe, the process that hosts VBScripts, to Trusted Applications.
7. Add calc.exe to the Trusted Content for wscript.exe.
8. Save the configuration.
9. Run the VBScript file.
calc.exe is allowed to run.

TESTING PROHIBITED MEDIA

1. Attempt to run an application directly from a CD-ROM, DVD-ROM or floppy disk.
The applications are prohibited because you are trying to run an application from
removable media.
Copying the files to the hard disk does not bypass the security as the files are prohibited by
the Trusted Ownership rule.

TESTING NETWORK FILES

1. Attempt to run an application from a network share or mapped drive.
This action is not permitted because the network files are prohibited.
Copying the files to the local hard disk does not bypass the security as the files are prohibited
by the Trusted Ownership rule.

Rules

This section provides details on Rules in Application Manager and includes the following:

Manage Rules

Security Level

Tasks

Manage Rules
Rule nodes allow you to create rules targeting specific users, groups and devices and assign
security level policies, resource access and resource restrictions which apply to the users, groups
and devices matching the rules.
Rule nodes provide Security Level settings for specifying the levels of restrictions to execute files.
Rule nodes also provide a further layer of granularity for controlling application use with
Accessible Items, Prohibited Items and Trusted Vendors for specifying lists of files, folders, drives
and signature groups which are allowed or prevented from running.
To display all Rules in the configuration click on Rules in the navigation tree. A summary
displays with all rules listed under the rule type. The security level assigned to each rule is seen
and can also be amended.
Add a rule of one of the following types:

Group - Launches the Add Group Rule dialog box. Enter or Browse to select an Account.

User - Launches the Add User Rule dialog box. Enter or Browse to select an Account.

Device

Custom

Scripted

To remove a rule, select a rule and click Remove Rule. A confirmation message displays, click
Yes to confirm the removal.

This section includes the following:

Group Rules

User Rules

Device Rules

Custom Rules

Scripted Rules

Group Rules
The Group rules node allows you to match security control rules with specific user groups
within the enterprise.
The Group summary displays the group name, Textual Security Identifier (SID) and Security Level
of the rule.
To add a group rule click Add Rule in the Rules ribbon page > Manage group. The Add
Group Rule dialog box displays. Enter or Browse to select an Account.
To remove a group rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each group rule node, see the Rule Items chapter for more details.

User Rules
The User rules node allows you to match security control rules with specific users within the
enterprise.
The User summary displays the User, Textual Security Identifier (SID) and Security Level of the
rule.
To add a user rule click Add Rule in the Rules ribbon page > Manage group. The Add User
Rule dialog box displays. Enter or Browse to select an Account.
To remove a user rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each user rule node, see the Rule Items chapter for more details.

Device Rules
The Device rules node allows you to match security control rules with specific devices within
the enterprise. Device rules can apply the rule settings either to the device hosting the
Application Manager agent and configuration or to devices connecting through terminal
services to the host.
For example, a configuration rule can allow certain applications to run on a server but prohibit
the application from running when launched by users operating from specific devices listed in
the rule as connecting devices to the host server.
The Device summary displays the Rule Name and the Security Level.

To add a device rule click Add Rule in the Rules ribbon page > Manage group.
To remove a device rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each device rule node, see the Rule Items chapter for more details.
Reference

Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Device the following formats are valid:

The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1.
Zero or more of the four sections can be replaced with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-) character. The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.

Device Type > Computer
Select if the device is hosting the Application Manager agent and configuration.
Device Type > Connecting Device
Select if the device is connecting through terminal services to the computer hosting the
Application Manager agent and configuration.

Custom Rules
The Custom rule node allows you to match security control settings with combinations of
specific users or groups and devices within the enterprise. The rule can apply settings to devices
hosting the Application Manager agent and configuration or to devices connecting through
terminal services to the host.
For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and
domain\user, allows you to apply security controls when the specific user logs on from the
specified device through terminal services to the computer hosting the Application Manager
agent and configuration.

The Custom summary displays the Rule Name, User/Group Name and the Security Level.
To add a custom rule click Add Rule in the Rules ribbon page > Manage group.
To remove a custom rule, select a rule and click Remove Rule in the Rules ribbon page >
Manage group. A confirmation message displays, click Yes to confirm the removal.
You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each custom rule node. See the Rule Items chapter for more details.
Reference

Devices
Hostname/IP Address
Devices are added to a rule by hostname or IP address.
When entering an IP address under a Custom rule the following formats are valid:

The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1.
Zero or more of the four sections can be replaced with a wildcard or a range.
A wildcard is an asterisk (*) character and must be the only character in the section. For example,
127.*.0.1.
An address range is denoted by two numbers separated by a hyphen (-) character. The numbers
must be in the range 0-255. The first number must be lower than the second number. For example,
127.0.0.1-255. Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
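The following Python code is an added example, not part of Application Manager, that implements the IP address pattern format described for Device rules and Custom rules (a literal octet, a * wildcard or a low-high range in each of the four sections) and reports which rules a connecting device's address falls under. The rule names and addresses are constructed. Equal bounds, as in the page's own 128-128 example, are accepted; a section whose first number is higher than the second is rejected.

```python
import re


def parse_section(section):
    """Turn one section of a pattern into an inclusive (low, high) octet range.

    '*'     -> (0, 255)   wildcard, must be the only character in the section
    '1-255' -> (1, 255)   range, both numbers 0-255 and the first not above the second
    '127'   -> (127, 127) literal octet
    """
    if section == "*":
        return 0, 255
    m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", section)
    if not m:
        raise ValueError(f"invalid section {section!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if not (0 <= low <= 255 and 0 <= high <= 255):
        raise ValueError(f"octet out of range in {section!r}")
    if low > high:
        raise ValueError(f"range start must not exceed end in {section!r}")
    return low, high


def compile_pattern(pattern):
    """Parse a dotted-quad pattern such as '128-128.0.*.30-125' into four octet ranges."""
    sections = pattern.split(".")
    if len(sections) != 4:
        raise ValueError(f"expected four dotted sections, got {pattern!r}")
    return tuple(parse_section(s) for s in sections)


def parse_address(address):
    """Parse a plain IPv4 address into four integers, rejecting anything malformed."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address {address!r}")
    return tuple(int(o) for o in octets)


def ip_matches(pattern, address):
    """True when every octet of address lies within the corresponding section of pattern."""
    return all(lo <= o <= hi for (lo, hi), o in zip(compile_pattern(pattern), parse_address(address)))


def is_valid_pattern(pattern):
    """Validate a pattern the way a console would before accepting it into a rule."""
    try:
        compile_pattern(pattern)
        return True
    except ValueError:
        return False


def matching_rules(rules, address):
    """rules maps a rule name to its list of device patterns; returns the names covering address."""
    return [name for name, patterns in rules.items() if any(ip_matches(p, address) for p in patterns)]


if __name__ == "__main__":
    # Constructed rules: a branch subnet and a narrower kiosk range inside it.
    sample = {"Branch": ["10.1.*.*"], "Kiosks": ["10.1.5.10-20"]}
    for addr in ("10.1.5.15", "10.1.6.15", "10.2.0.1"):
        print(addr, "->", matching_rules(sample, addr))
```

Because a connecting device can fall under several rules at once (both Branch and Kiosks for 10.1.5.15 above), the function returns every match rather than the first, which is the information needed when working out which rule's Security Level and items will apply.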

Device Type > Computer
Select if the device is hosting the Application Manager agent and configuration.
Device Type > Connecting Device
Select if the device is connecting through terminal services to the computer hosting the
Application Manager agent and configuration.

Scripted Rules
The Scripted rules node allows you to create rules based on custom VB Scripts which run
whenever a user logs on. The success or failure of a VB Script determines whether the Security
Level settings, Accessible Items and Prohibited Items, which are part of the rule, apply to the
user.
Scripted rules can take advantage of any interface accessible via VB Script, such as COM and
WMI, and allow the administrator to define Application Manager policy based on any
computer, user, registry, file or system property. Scripted rules also allow integration with
other third-party solutions, such as Microsoft Active Directory and Citrix Advanced Access.
Scripted rules can run for each new session in the context of the user or in the context of the
SYSTEM. Alternatively, Scripted Rules can run once per computer and the result is applied to all
user sessions.
Scripted rules are re-evaluated when a new configuration is deployed to the computer.

Scripts run when the Application Manager Agent starts up or when the configuration changes.
For more information about creating and using scripts, see Working with Scripted Rules in the
Appendixes.
The Scripted summary displays the Rule Name, Entry Function, Run Script - frequency and by
whom and the Security Level.
Rules ribbon page > Manage group provides you with the following options to manage
Scripted rules:

Add Rule - see Add a Scriptable Rule on page 36 in the Tasks section.

Remove Rule - select a rule and click Remove Rule, a confirmation message displays, click
Yes to confirm the removal.

Edit Script - displays the Scripted Rule dialog box > Script tab.

Script Options - displays the Scripted Rule dialog box > Options tab.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted
Vendors node in each scripted rule node, see the Rule Items chapter for more details.
Reference

Scripted Rule > Script
To display this dialog box, select a Scripted Rule and do one of the following:

In the Scripted Rule work area in the Current Script section click on Click here to edit
the script.

Click the Edit Script ribbon button.

Right-click to display the context menu, select Edit Script.

The script editor allows you to write the rule VB Script functions and specify the main function.
Entry Function
The main function which is called when the script runs and evaluates the outcome of the rule.
Export
Launches the Save As dialog box which allows you to save the script in VBS format.
Import
Launches the Open dialog box which allows you to open an existing VB Script from another
location.

Scripted Rule > Options
To display this dialog box, select a Scripted Rule and do one of the following:

In the Scripted Rule work area in the Current Script section click on Click here to edit
the script and click on the Options tab.

Click the Script Options ribbon button.

Right-click to display the context menu, select Script Options.

The script options allow you to specify settings for the script execution and timing.
Execution
Select one of the following:

Run script once per logon session as the logged on user.
The script runs for each user logging on. Settings are only applied for the duration of the
user session.

Run script once per logon session as the SYSTEM user.
The script runs with SYSTEM account permissions once for each user logging on. Settings
are only applied for the duration of the user session.

Run script once per computer as the SYSTEM user.
The script runs with SYSTEM account permissions once at computer startup. Settings are
applied to all user sessions until the computer restarts, the Application Manager agent
restarts or there is a configuration change.
Running scripts as the SYSTEM user can cause serious damage to your computer and should
only be enabled by experienced script authors.

Timing > Wait for logon to complete
Select to prevent the script from running until user logon is complete.
Timing > Wait for <n> seconds before script timeout
Allows you to specify the number of seconds a script may continue running before it
times out. A setting of zero (0) seconds disables the script timeout. If a timeout occurs the
result is fail and settings cannot be applied.

Security Level
Apply security levels to control whether the user, group and devices specified in a rule are fully
restricted by Application Manager rules, unrestricted, audited only or granted self-authorization
status entitling the user to decide whether to run an application. Self-authorized users can be
audited by raising events in the Auditing component and the Windows Event Log.
To set the Security Level, select the required node and do one of the following:

Click and drag the slider to the required level, in the rule node work area in the Security
Level section.

Click the ribbon button for the required level in the Rules ribbon page > Security Level
group.

RESTRICTED

Select to restrict users, groups, and devices in the rule to run only authorized applications. These
include files owned by members of the Trusted Owners list and files listed in the Accessible
Items node.

SELF-AUTHORIZE

Select to prompt users, groups and devices in the rule to decide whether to allow execute
requests for each unauthorized file. Unauthorized files either do not belong to the Trusted
Owners list or are not specified in the Accessible Items list of a given rule.
A Self-authorizing user prompt includes the following options:

Remember my decision for this session only - The authorization decision is upheld only
for the current session. The user is prompted again for an authorization decision when
attempting to run an application in any future sessions.

Remember my decisions permanently - The user decision is upheld for all future
sessions.
If neither of these options is selected, the decision is upheld only for the current
instance the user is attempting to run. The Self-authorization prompt is reissued for any
future attempts to run instances of the application.

Allow - Allows the application to run.

Block - Blocks the application from running.


When a DLL file is allowed to run, a message notifies the user that the application which
uses the DLL may need to be restarted. The default message which displays can be
modified in the General Features ribbon page > Configuration Properties group >
Message Settings.

AUDIT ONLY

Select to permit all actions but log and audit events for monitoring purposes, according to the
policy settings in Auditing.

UNRESTRICTED

Select to permit all actions without even logging or auditing.

Tasks
The following are common tasks that are performed for Application Manager Rules:

TESTING SELF-AUTHORIZATION

1. Create a rule in the User Rules node which applies to a test user account that is not a
member of a group which belongs to the Trusted Owners list. For more details see Test a
Configuration.
2. Set the security control level to Self-Authorizing to allow the test user to self-authorize
applications to run.
3. Save the configuration.
4. Run the Registry Editor.
The application is prohibited and a message box displays with a prompt for a decision to
allow the file to run, together with a notice that the action will be logged.

ADD A SCRIPTABLE RULE

1. Navigate to the Scripted rules node in the navigation tree.


2. Create a new rule. Click Add Rule on the Rules ribbon page > Manage group and select
Scripted Rule.
A new rule is added to the All Scripted Rules work area.
3. Select the created rule in the All Scripted Rules work area and click Edit Script on the
Rules ribbon page > Manage group.
The Scripted Rule dialog box displays.
4. To enter a script do one of the following:

Type the script.

Open an existing script in a script editor and copy/cut the content and paste.

Click Import to import an existing script.

5. Select the correct Entry Function.


6. Click OK to save the script.
The All Scripted Rules work area displays.
For script examples see Working with Scripted Rules in the Appendixes.


CREATE A CONFIGURATION TO CONTROL MICROSOFT OFFICE LICENSES IN A TERMINAL SERVER ENVIRONMENT

This task demonstrates how to set up an Application Manager configuration to enforce the
Microsoft Office License Policy on Terminal Server. An administrator can specify which machines
can connect to the Terminal Server and run Microsoft Office. Terminal Server Office licenses
correspond to the number of machines that could connect to the Terminal Server, so every
machine in the organization that can connect would need a license. By creating a rule where
the ability to run any of the Microsoft Office applications depends on whether the connecting
machine is allowed, licenses are only required for those machines which are explicitly
allowed.
The task is made up of 3 individual steps. Application Manager is installed on the Terminal
Server, and that is where the task is performed.
Step 1
Create a Signature Group for Office applications.
1. Navigate to Signature Group Management in the navigation tree.
2. Select Add Group in the Signature Groups ribbon page > Manage group.
A new Group is added to the Signature Group Management work area.
3. Click on the Group and enter a name, for example Office Applications.
4. Select Launch Signature Wizard in the Signature Groups ribbon page > Items group.
The Application Manager Signature Wizard displays.
5. Click Next to display the Search Method screen.
6. Select Search folders. Click Next.
The Searching folders screen displays.
7. Enter the Office folder location. Alternatively, select the ellipsis (...) to display the Browse
For Folder dialog box to locate the folder.
8. Select Include subfolders and click Next.
9. Review the list of files and click Next.
10. The signatures are generated. Once complete, click Next.
11. Click Finish to exit the wizard.
The Signatures are listed in the Group Items in the Signature Group Management work area.
Step 2
Set up a Device Rule to prohibit connecting devices.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.


3. Click on the Rule and enter a name.


4. Select the new Rule.
The Device Rule work area displays.
5. Select Add Client Device.
The Client Device Selection dialog box displays.
6. Enter the machines you want to prohibit. Alternatively, select Browse to perform an Active
Directory search for the required machines.
To prohibit all machines, enter the asterisk (*) wildcard.

7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.
8. Select Connecting Device as the Device Type.
9. Select Prohibited Items for the new Device Rule in the navigation tree.
10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
11. Select Prohibited > Signature Group.
The Select Signature Group dialog box displays.
12. Select the previously created Office Application Signature Group and click OK.
The Signature Group is added to the Prohibited Items.
Step 3
Add devices that are allowed to run Office applications on the Terminal Server.
1. Navigate to the Device node in the navigation tree.
2. Select Add Rule in the Rules ribbon page > Manage group.
A new Rule is created in the All Device Rules work area.
3. Click on the Rule and enter a name.
4. Select the new Rule.
The Device Rule work area displays.
5. Select Add Client Device.
The Client Device Selection dialog box displays.
6. Enter the machines for which you want to allow access. Alternatively, select Browse to
perform an Active Directory search for the required machines.
7. Click OK.
The selected machines are listed in Devices on the Device Rule work area.


8. Select Connecting Device as the Device Type.


9. Select Accessible Items for the new Device Rule in the navigation tree.
10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
11. Select Accessible > Signature Group.
The Select Signature Group dialog box displays.
12. Select the previously created Office Application Signature Group and click OK.
The Signature Group is added to the Accessible Items.


Rule Items

This section provides details on Rule Items and includes the following:

Accessible Items

Prohibited Items

Trusted Vendors

Tasks

Accessible Items
Accessible Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are granted access.
Items you can add are as follows:

Files

Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.

To automatically apply environment variables select Replace with Environment


Variables in the File or Folder Selection dialog box. This makes the paths more generic
for applying on different machines. Wildcards support provides an additional level of
control for specifying generic file paths.


Drives

Signature Items

Signature Groups

Network Connections

Network Connection Groups


To add an Item select the Accessible Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Accessible, then
select the type of accessible item you want to add.
To remove an Item select the Item you want to remove in the Accessible Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
When using the default option, which trusts all locally installed Trusted Owner applications, you
only need to add any applications that run directly from network locations including mapped
network shares and DFS shares.
Application Manager includes support for adding items on Citrix client mapped drives. You can
add items by specifying paths using the following format: \\client\C$\<item name>.
We recommend you use signatures instead of file paths on client mapped drives, as this offers
higher security.

Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between Accessible Items or
Prohibited Items nodes in each of the main configuration nodes.
If you have changed the default options to use a white list approach, you should also add any
locally installed applications that you want users to run.


Accessible Items and Trusted Ownership


By default Trusted Ownership checking is enabled; while it is enabled an application must always
pass trusted ownership checking, even if the application is an accessible item.
Although trusted ownership checking can be disabled completely, this is not recommended.
However, if you need to provide a user with access to an executable file that is not owned by a
trusted user, you can disable the trusted ownership check on individual accessible items: select
the item and clear the Trusted Ownership check box in the Accessible Items work area.
The Trust.Ownership column shows the status of trusted ownership checking for each
accessible item.
Access Times
You can apply specific access times to Accessible Items.
Select an Accessible Item in the Accessible Items work area and click the Access Limits ribbon
button. The Access Times dialog box displays.
Application Limits
The number of instances of an application that are permitted to run can be set using the
Application Limits. This feature can be enabled or disabled.
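The following is an added example, not AppSense code, that models the decision order described above for a rule's items: Prohibited Items block, Accessible Items allow only when the file also passes Trusted Ownership (unless the item's check box is cleared), and otherwise the default applies. The Trusted Owners list, drive layout, mapped drives and environment variables are constructed tables; the wildcard and UNC handling follows the guide's description, and anything beyond that is an assumption.

```python
"""Model of how Accessible and Prohibited Items interact with Trusted Ownership.

Added example, not AppSense code. Decision order implemented here:
  1. a Prohibited Item hit blocks;
  2. an Accessible Item hit allows, but only if the file passes Trusted
     Ownership, unless that check was cleared for the item;
  3. otherwise the default applies: locally installed files with a Trusted
     Owner are allowed, anything else (network location, untrusted owner) is not.
"""
import fnmatch
import re
from dataclasses import dataclass

# Constructed: the rule's Trusted Owners list and the endpoint's drive layout.
TRUSTED_OWNERS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS",
                  "NT SERVICE\\TRUSTEDINSTALLER"}
LOCAL_FIXED_DRIVES = {"C:"}
MAPPED_DRIVES = {"H:": "\\\\fileserver\\apps"}   # H: is a network mapped drive
ENV = {"SYSTEMROOT": "C:\\Windows", "PROGRAMFILES": "C:\\Program Files"}


@dataclass
class RuleItem:
    path: str                        # file or folder; may use %VAR% and ? *
    trusted_ownership: bool = True   # the per-item Trusted Ownership check box


@dataclass
class FileRequest:
    path: str    # path exactly as launched by the user (may be a mapped drive)
    owner: str   # NTFS owner of the file, e.g. "CORP\\jdoe"


def expand_env(path):
    """Replace %VAR% tokens using the constructed environment table."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def to_unc(path):
    """The agent converts a mapped drive letter to UNC before validating."""
    drive = path[:2].upper()
    if drive in MAPPED_DRIVES:
        return MAPPED_DRIVES[drive] + path[2:]
    return path


def is_local_fixed(path):
    return path[:2].upper() in LOCAL_FIXED_DRIVES


def item_matches(item, request_path):
    """True if the normalised request path is covered by the rule item.

    Items configured on a drive letter that is not a local fixed disk are
    ignored, as the guide states; network locations must be UNC names.
    """
    pattern = expand_env(item.path)
    if not pattern.startswith("\\\\") and not is_local_fixed(pattern):
        return False
    pattern, target = pattern.lower(), request_path.lower()
    # A folder item covers the folder itself and everything beneath it.
    return (fnmatch.fnmatchcase(target, pattern)
            or fnmatch.fnmatchcase(target, pattern.rstrip("\\") + "\\*"))


def decide(request, accessible, prohibited):
    """Return a short verdict string for the request."""
    path = to_unc(request.path)
    owner_trusted = request.owner.upper() in TRUSTED_OWNERS
    if any(item_matches(i, path) for i in prohibited):
        return "blocked: prohibited item"
    for item in accessible:
        if item_matches(item, path):
            if owner_trusted or not item.trusted_ownership:
                return "allowed: accessible item"
            return "blocked: accessible item, but file failed Trusted Ownership"
    if owner_trusted and is_local_fixed(path):
        return "allowed: trusted owner on local fixed disk"
    return "blocked: default (not a locally installed Trusted Owner file)"


if __name__ == "__main__":
    accessible = [RuleItem("\\\\fileserver\\apps\\tools\\app.exe"),
                  RuleItem("\\\\fileserver\\apps\\legacy\\", trusted_ownership=False)]
    prohibited = [RuleItem("%SystemRoot%\\regedit.exe")]
    for req in (FileRequest("H:\\tools\\app.exe", "BUILTIN\\Administrators"),
                FileRequest("H:\\tools\\app.exe", "CORP\\jdoe"),
                FileRequest("H:\\legacy\\old.exe", "CORP\\jdoe"),
                FileRequest("C:\\Windows\\regedit.exe", "NT SERVICE\\TrustedInstaller")):
        print(req.path, req.owner, "->", decide(req, accessible, prohibited))
```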

Prohibited Items
Prohibited Item nodes are sub-nodes automatically created in any Rule node when you create a
new rule. They allow you to add Items to which the groups, users and devices specified in the
rule are refused access.
Items you can add are as follows:

Files

Folders
If you add a network file or folder path you must use the UNC name, as the Application
Manager Agent ignores any paths that are configured where the Drive letter is not a local
fixed disk. The user can access the network application through a network mapped drive
letter as the path is converted to UNC format before validating it against the
configuration settings.

To automatically apply environment variables select Replace with Environment


Variables in the File or Folder Selection dialog box. This makes the paths more generic
for applying on different machines. Wildcards support provides an additional level of
control for specifying generic file paths.

Drives

Signature Items

Signature Groups

Network Connections

Network Connection Groups


To add an Item select the Prohibited Items node and click the Add Item ribbon button on the
Rule Items ribbon page > Accessible & Prohibited Items group, select Prohibited, then
select the type of prohibited item you want to add.
To remove an Item select the Item you want to remove in the Prohibited Items node, click the
Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items
group.
If you are using the default option, which trusts all locally installed Trusted Owner applications,
you only need to add specific applications that you do not want users to run. For instance, you
may add administrative tools, such as management and registry editing tools.
You do not need to use this list to prohibit applications that are not owned by an administrator,
as they are blocked by trusted ownership checking.
Application Manager drag and drop functionality can be used to add files, folders, drives and
signature groups from Windows Explorer or copy or move items between the Accessible Items
node and Prohibited Items nodes in each of the main configuration nodes.

Trusted Vendors
The Trusted Vendors sub-node is available in each Application Manager rule node, for listing
valid digital certificates. Files which fail Trusted Ownership checking but contain digital
certificates, signed by trusted sources that match digital certificates listed in Trusted Vendors,
are allowed to run.
Select the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group to add
digital certificates from files, select from file-based certificate stores or import file-based
certificate stores into the Trusted Vendors node.
Advanced options allow you specify parameters for validating a certificate by ignoring or
allowing specific attributes, the certificate must be valid for the rule to be applicable, but there
are different levels of validation with which you can configure a certificate. A test option helps
to validate the certificate based on the options you have selected and, where relevant,
dependent on connectivity with the appropriate Certification Authority.
Changing the settings in Advanced Options in the Rule Items ribbon page > Trusted
Vendors group could reduce the level of security required to validate a certificate and present
a security risk.


Tasks
This section includes the following tasks:

ADD AN ACCESSIBLE ITEM


This test allows all users access to an application on a network share.

1. Select the Accessible Items node in Rules > Group > Everyone.
2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible &
Prohibited Items and click Accessible.
3. Select File. The File Selection dialog box displays. Enter or Browse for an application.
The selected application is listed in the Accessible Items work area.
4. Test that users can run the application.
5. Test that the Trusted Ownership rule prohibits users from copying files elsewhere to the
local hard disk and running the copies.

ADD A PROHIBITED ITEM


This test prevents all users accessing an application on a network share.

1. Select the Prohibited Items node in Rules > Group > Everyone.
2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible &
Prohibited Items and select Prohibited.
3. Select File. The File Selection dialog box displays. Enter or Browse for an application, for
example, regedit.exe.
The selected application is listed in the Prohibited Items work area.
4. Attempt to run the selected application.
The application is prohibited and a message box displays with the notification that the
application is not authorized.

ADD A TRUSTED CERTIFICATE TO A TRUSTED VENDOR

1. Select the Trusted Vendors node in Rules > Group > Everyone.
2. Click the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group and
select From Signed File.
The Open dialog box displays.
3. Navigate to a file which has a certificate and click Open.
You can check whether a file has a digital certificate by displaying the Properties dialog
box. A file has a digital certificate if there is a Digital Signatures tab in which you can
view details of the certificate including, signer information, advanced settings and an
option to display the certificate.

The selected file is listed in the Trusted Vendors work area.


USE DIGITAL SIGNATURES TO ALLOW FILES ON NON-NTFS FORMATTED DRIVES TO RUN

1. In the navigation tree, navigate to Accessible Items in the target Rule node.
2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
Select Accessible and then Signature Item.
The Select Accessible Signature File dialog box displays.
3. Browse to the target file located on a non-NTFS drive.
4. Select the file and click Open to create a digital signature for the file.
5. The file is added to the Accessible Items list.
Trusted Ownership is disabled by default to allow the file to run.

6. Save the configuration to confirm your settings.


Signature Group Management

This section provides details on Signature Group Management and includes the following:

Manage

Items

Tasks

Manage
The Signature Group Management node allows you to create groups of application types which
you can populate with digitally signed applications. Using the Wizard or a manual approach,
you can scan directories and folders for installed applications and apply digital signatures. You
can also examine a running process and locate all the executable files used by that process and
then apply digital signatures to those files. Files are added to groups which you can later add to
the accessible and prohibited files of User and Group rules.
To add a Signature Group click Add Group in the Signature Groups ribbon page > Manage
group.
To remove a Signature Group, select a Group in the Signature Group Management work area
and click Remove Group in the Signature Groups ribbon page > Manage group. A
confirmation message displays, click Yes to confirm the removal.
Any associated Group Items are deleted with the Group.

Once a Signature Group has Items you can conduct a full group re-scan to ensure all signatures
are still accurate: select the Rescan Group ribbon button.


Reference

Signature Group Management


Groups
The user defined name for a group of digitally signed files. For example, Windows XP SP2
Signatures, or, Microsoft Office Signatures.

Items
Signature groups can be populated with digitally signed application files, known as Group
Items.
To add a Group Item, select the Group to which you want to add items in the Signature Group
Management work area and do one of the following:

ADD ITEM

You can manually locate executable files and applications to digitally sign and add to a group.
To do this:
1. Click the Add Item ribbon button in the Signature Groups ribbon page > Items group.
The Open dialog box displays.
2. Navigate to the file you want to add as a Group Item.
3. Click Open.
A digital signature is added to the file and the file is added to the Group Items in the
Signature Group Management work area.

LAUNCH SIGNATURE WIZARD

You can use the Signature Wizard to create Group Items in the following ways:

Search Folders - choose a folder to search for files.

Examine a running process - find the executable file used by one of the processes running
on the computer.
If you want to examine a specific process, make sure the relevant application is running
before launching the Signature Wizard.

To remove a Group Item, select an Item in the Signature Group Management work area and
click Remove Item in the Signature Groups ribbon page > Items group. A confirmation
message displays, click Yes to confirm the removal.
You can re-scan the group items at any time to make sure the signature is still accurate and has
not changed: select a Group Item in the Signature Group Management work area and click the
Rescan Signature ribbon button in the Signature Groups ribbon page > Items group.


Reference

Signature Group Management


Group Items > Signature File
File to which a signature is applied.
Group Items > Description
Obtained from the file resources and describes the file to which a signature is applied. For
example, system32\sol.exe is described as Solitaire Game Applet.
Group Items > File Version
Obtained from the file resources and provides the version of the digitally signed file.

Tasks
This section includes the following tasks:

CREATE A SIGNATURE GROUP

1. In the navigation tree, navigate to Library > Signature Group Management.


2. Click the Add Group ribbon button in the Signature Groups ribbon page > Manage
group.
A new group is added to the Groups list in the Signature Group Management work area.

EXAMINING A RUNNING PROCESS

This procedure shows how to examine a running process for executable files used by that
process, digitally sign and add the files to a group.
1. In the navigation tree, navigate to Library > Signature Group Management.
2. Select an existing group or create a new group in the Signature Group Management work
area, to which to add any found files in the examination process.
3. Click the Launch Signature Wizard ribbon button.
The Application Manager Signature Wizard dialog box displays.
If you wish to examine a specific process, make sure you have launched the relevant
application before proceeding.

4. Click Next. The Search Method dialog box displays.


5. Select Examine a running process. Click Next.
The Examine a running process dialog box displays.


6. Select a process and click Next.


The Review Files dialog box displays the list of executable files used by the selected
running process.
7. Click Next to generate digital signatures for the list of files.
The number of generated signatures displays.
8. Click Next to complete the Wizard.
9. Click Finish to Exit.
The files are listed in Group Items under the relevant Group in the Signature Group
Management work area.

ADDING FILES TO A GROUP

This procedure shows how to manually locate executable files and applications to digitally sign
and add to a group:
1. In the navigation tree, navigate to Library > Signature Group Management.
2. Select an existing group or create a new group in the Signature Group Management work
area to which to manually add files.
3. Click the Add Item ribbon button.
The Open dialog box displays.
4. Locate the required files. Click Open.
A digital signature is added to the file and the file is added to the Group Items list.

USE DIGITAL SIGNATURES TO ALLOW FILES ON NON-NTFS FORMATTED DRIVES TO RUN

This procedure shows how to allow files on non-NTFS formatted drives to run using digital
signatures. By default Application Manager blocks applications on non-NTFS formatted drives as
file ownership cannot be determined for these files.
1. In the navigation tree, navigate to Accessible Items in the target Rule node.
2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
Select Accessible and then Signature Group.
The Select Signature Group dialog box displays.
3. Select the Group and click OK.
Trusted Ownership is disabled by default to allow the file to run.

The Signature Group is added to the Accessible Items work area.


An alternative method is as follows:
1. In the navigation tree, navigate to Accessible Items in the target Rule node.
2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.
Select Accessible and then Signature Item.
The Select Accessible Signature File dialog box displays.


3. Browse to the target file located on a non-NTFS drive.


4. Select the file and click Open to create a digital signature for the file.
5. The file is added to the Accessible Items list.
Trusted Ownership is disabled by default to allow the file to run.

6. Save the configuration to confirm your settings.


Application Network Access Control

This section provides details on Application Network Access Control and includes the following:

About Application Network Access Control

Network Connection Items

Network Connection Group Management

Tasks

About Application Network Access Control


Application Network Access Control provides the ability to control outbound network
connections by IP Address, Host name, URL, UNC or Port, based on the outcome of the rules
processing. For example, access based on location of requestor - connecting through VPN or
directly to network.
Application Network Access Control is designed to control access within a company network
infrastructure. This control is achieved by intercepting application requests made through the
WINSOCK layer, for example HTTP, FTP and RDP. In Application Manager, access to these
resources is controlled by adding a Network Connection Item.
Network Connection Items can be created individually or as part of a Network Connection
Group.
Network Connection Groups and Items can be applied to any Rule in Accessible Items to allow
access or in Prohibited Items to deny access.
Application Manager will intercept and block network access if requests are made to prohibited
network resources. The execution of applications is not controlled.
Access is allowed to all network resources until actively prohibited.


Application Network Access Control best practices can be found in the Best Practices chapter
in the Application Network Access Control section.

For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.

Network Connection Items


Network Connection Items can be created for any network resource and can be added to a
configuration in the following ways:

Directly to a Rule.
Adding single Network Connection Items to Accessible and Prohibited Item lists is
advantageous when a more granular level of control is required, or when only a few items
are required. However, using this method could prove time consuming.
For further information refer to Add a Network Connection Item directly to a Rule in the
Tasks section.

Assign to a Network Connection Group.


Duplicate Network Connection Items are not allowed in the same Network Connection
Group.
For further information refer to the Group Items section in Network Connection
Group Management.

Network Connection Items can be cut, copied or dragged and dropped between rules. There
are no default Network Connection Items in a configuration.
The full path of the Network Connection Item cannot exceed 400 characters.

Network Connection Group Management


Network Connection Group Management is located in the Library node in the navigation tree.
The Network Connection Group Management work area is split into 2 areas:

Groups

Group Items


Groups
Network Connection Groups can be created to group multiple generic Network Connection
Items. Managed centrally, they can be named and re-named easily. The Groups can then be
applied to any Rule.
If the Group Name is amended, it automatically updates in any Rule where the Group is
applied.

Once a Group has been created, Group Items can be added.

Group Items
Network Connection Group Items can be created and added to any Group. Select any existing
Group to display the list of Group Items.
The options available for Group Items are as follows:

Add Item - Displays the Network Connection Details dialog box.


Multiple entries for the same resource name are not allowed in any one list.

Edit Network Connection - Displays the Network Connection Details dialog box for the
selected item. Make the required amendments. Click OK to save and close the dialog box.

Remove Item - Remove a selected item. A confirmation message box displays, click Yes to
confirm removal.

Reference

Network Connection Details


Connection Type
Select one of the following connection types:

IP ADDRESS

Select to control access to a specific IP Address.

NETWORK SHARE

Select to control access to UNC paths. The prefix \\ is added to the Host field.

HOST NAME

Select to control access to a specific Host Name.


Connection Options
The combined number of characters for all three fields, Host, Port and Path must not exceed
400.

Host
The IP Address or Host Name for the network connection. This depends on the type of
connection selected. The wildcards ? and * can be used. Additionally, ranges can be used for IP
Addresses, which are indicated by use of a hyphen (-).
An IP Address must be in IPv4 dotted format, for example n.n.n.n
If Network Share is selected as the connection type, the \\ prefix is required.
The full path for the target resource can be entered in Host.
Example:
Enter http://server1.company.local:80/resource1/ in Host.
Move focus away from Host and the path is automatically split into the separate connection
options:

http:// is removed from the Host field and server1.company.local remains.

: is removed and 80 is moved to Port.

/resource1/ is moved to Path.

This allows a full path to be copied and pasted with ease.

Port
The port number of the network connection. This can be used in combination with IP Address
or Host Name to control access to a specific port. Ranges and comma separated values are
allowed as a part of the port number.
Click Common Ports to display a list of commonly used ports. Select as many ports as
required.

Path
The path of the network connection. The wildcards ? and * can be used. To use wildcards in the
Path, Text contains wildcard characters must be selected.
The Path is only relevant for controlling HTTP and FTP connections.

Text contains wildcard characters


Select to use the characters ? and * as wildcards in the Path. If not selected, ? and * will be
treated as URL delimiters.


Include subdirectories
Only applicable if the connection type Network Share is selected. Select to include
subdirectories in the rules processing.
Description
Enter a meaningful description to describe the network connection.
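The following is an added example, not AppSense code, that models a Network Connection Item as the Network Connection Details reference describes it: the automatic Host to Host/Port/Path split, the 400-character limit, the double-backslash prefix for Network Share, ? and * wildcards, hyphen IP ranges and comma or range port lists, and a check of whether a constructed outbound request is covered by an item. Case-insensitive comparison and subdirectory matching on UNC paths are assumptions about the agent.

```python
"""Model of a Network Connection Item (Network Connection Details dialog).

Added example, not AppSense code. Validation and matching follow the
Connection Options reference; behaviour the guide does not state
(case handling, UNC subdirectory matching) is assumed.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass

MAX_COMBINED_LEN = 400  # Host + Port + Path, per Connection Options
_IPV4_PATTERN = re.compile(r"^[\d?*]+(?:\.[\d?*]+){3}$")  # n.n.n.n, wildcards allowed


@dataclass
class NetworkConnectionItem:
    connection_type: str           # "IP Address", "Network Share" or "Host Name"
    host: str
    port: str = ""                 # "80", "80,443" or "8000-8080"
    path: str = ""                 # only relevant for HTTP and FTP
    wildcards: bool = False        # "Text contains wildcard characters"
    include_subdirs: bool = False  # Network Share only
    description: str = ""

    def __post_init__(self):
        combined = len(self.host) + len(self.port) + len(self.path)
        if combined > MAX_COMBINED_LEN:
            raise ValueError(f"Host+Port+Path is {combined} chars; limit {MAX_COMBINED_LEN}")
        if self.connection_type == "Network Share" and not self.host.startswith("\\\\"):
            raise ValueError("Network Share hosts require the \\\\ prefix")
        if self.connection_type == "IP Address":
            for part in self.host.split("-"):
                if not _IPV4_PATTERN.match(part):
                    raise ValueError(f"{part!r} is not an IPv4 address (n.n.n.n)")
        if self.port:
            parse_ports(self.port)  # fail early on a malformed port list


def split_host_field(text):
    """Reproduce the split the console applies when focus leaves Host:
    'http://server1.company.local:80/resource1/' ->
    ('server1.company.local', '80', '/resource1/')
    """
    host = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", text)  # drop http://, ftp://
    port = path = ""
    slash = host.find("/")
    if slash >= 0:
        host, path = host[:slash], host[slash:]
    if ":" in host:
        host, port = host.split(":", 1)
    return host, port, path


def parse_ports(spec):
    """Expand '80,443,8000-8080' into the set of port numbers it covers."""
    ports = set()
    for chunk in spec.split(","):
        lo, _, hi = chunk.strip().partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range {chunk!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def host_matches(item, target):
    pattern, target = item.host.lower(), target.lower()
    if item.connection_type == "Network Share":
        base = pattern.rstrip("\\")
        return target == base or (item.include_subdirs and target.startswith(base + "\\"))
    if item.connection_type == "IP Address" and "-" in pattern:
        lo, hi = (ipaddress.IPv4Address(p) for p in pattern.split("-", 1))
        try:
            return lo <= ipaddress.IPv4Address(target) <= hi
        except ipaddress.AddressValueError:
            return False
    return fnmatch.fnmatchcase(target, pattern)  # ? and * are wildcards in Host


def path_matches(item, target_path):
    if not item.path:
        return True
    if item.wildcards:
        return fnmatch.fnmatchcase(target_path, item.path)
    return target_path == item.path  # ? and * are ordinary URL characters here


def matches(item, target_host, target_port=None, target_path=""):
    """True if an outbound request to host/port/path is covered by the item."""
    if not host_matches(item, target_host):
        return False
    if item.port and target_port not in parse_ports(item.port):
        return False
    return path_matches(item, target_path)
```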

Tasks
The following are common tasks that are performed in Application Network Access Control:

ADD A NETWORK CONNECTION ITEM DIRECTLY TO A RULE

Network Items can be added to any Accessible Items or Prohibited Items node.
1. Navigate to the required node, for example, Prohibited Items for a specific user group.
2. Select Add Item > Prohibited (or Accessible) > Network Connection Item on the Rule
Items ribbon page > Accessible & Prohibited Items group.
The Network Connection Details dialog box displays.
3. Create the Network Connection Item.
Example: A Network Connection Item is set up for an IP Address. The Network Connection
Item is assigned to Prohibited Items in a Group Rule. The group members of that rule will
not have access to any network resources with that IP Address.

EDIT A NETWORK CONNECTION DIRECTLY IN A RULE

1. Navigate to the Rule node in the navigation tree where the Network Connection Item to be
amended is located.
The relevant work area displays.
2. Click on the Network Connection Item to be amended, listed under Network
Connections.
3. Select Edit Network Connections on the Rule Items ribbon page > Accessible &
Prohibited Items group.
The Network Connection Details dialog box displays.
4. Make the required amendments.
5. Click OK to save the changes and close the dialog box.

CREATE A NETWORK CONNECTION GROUP

1. Navigate to the Network Connection Group Management node.


2. First create a Network Connection Group - select Add Group on the Network
Connection Groups ribbon page > Manage Group.
An entry is added under Group Name in the work area. This name can be edited.


ASSIGN A NETWORK CONNECTION ITEM TO A NETWORK CONNECTION GROUP

1. Navigate to the Network Connection Group Management node.


2. Click on the Network Connection Group, to which to add the Network Connection Item, in
the Network Connection Group Management work area > Groups.
3. Select Add Item on the Network Connection Groups ribbon page > Items group.
The Network Connection Details dialog box displays.
4. Create the network item. Once completed, click OK.
The item displays under Group Items in the work area.

EDIT A NETWORK CONNECTION ITEM IN A NETWORK CONNECTION GROUP


Once created, Network Connection Items are easily amended.

1. Navigate to Network Connection Group Management in the navigation tree.


The Network Connection Group Management work area displays.
2. Click on the Network Connection Item to be amended, listed under Group Items.
3. Select Edit Network Connections on the Network Connection Groups ribbon page >
Items group.
The Network Connection Details dialog box displays.
4. Make the required amendments.
5. Click OK to save the changes and close the dialog box.


Endpoint Analysis

This section provides details on Endpoint Analysis and includes the following:

About Endpoint Analysis

Endpoint Management

Installed Applications

Application Usage Scans

Application Data

Data Files

Tasks

About Endpoint Analysis


Select the Endpoint Analysis navigation button.
Endpoint Analysis allows you to scan single or multiple endpoints, to provide a list of
applications that are present and that have run on that endpoint and helps to simplify the
creation of an appropriate AM configuration. Endpoint Analysis is available on demand and
inactive by default.
Endpoint Analysis is made up of two parts:

Endpoint Scans

Installed Applications - Retrieves a list of programs that are present on an endpoint.

Application Usage - Records the usage of applications on an endpoint.

Data Analysis - Analysis of endpoint data and imports into the AM configuration.

Endpoint Scans
The first step is to add Endpoints to the configuration.
Adding an endpoint

Browse Deployment Group - Displays the Select Management Server dialog box

Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.


Retrieving Application data


There are two scans that can be performed in order to retrieve application data for selected
Endpoints:

Installed Applications - Select an Endpoint on which to run the scan. Alternatively, you can
select Run Scan for all Endpoints. A list of all installed applications is retrieved and
displayed in the Installed Applications work area.

Application Usage - Select an Endpoint on which to start recording. A list of all running
applications is recorded until the time when you click Stop Application Usage Scan. The
list is saved as an XML file and a new node created for each file under the Recorded Data
node for that Endpoint.
The endpoint data is gathered in real time and does not affect the rules processing.

Removing an Endpoint
To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the
Endpoint Analysis Ribbon page > Endpoint Management group.
Data Analysis
All the collected data can be seen in either the Installed Applications or Recorded Data work
area for the selected Endpoint.
You can show any associated files which the application has loaded and also digital certificates
(if the file has been signed).
Adding files to the configuration
You can add any of the applications or associated files or certificates to the configuration by
dragging and dropping.

If you drag and drop files into any of the Accessible or Prohibited Items lists they are
dropped in as files:

If files are placed in Accessible Items, any associated loaded files are automatically
included.

If files are placed in Prohibited Items, any associated loaded files are not included, only
the main application executable.

You can drag and drop into Signature Groups. When a file is dropped over the Signature
Groups node the available signature groups are displayed. You can then select which group
or groups to which to add the files. The file is then converted to a signature and added to
the selected signature group or groups.

To add a certificate to any of the Trusted Vendors nodes, either drag and drop a file onto the
Trusted Vendors node (any certificates that exist for that file are added), or select Show
Digital Certificates to display the Certificates dialog box and then drag and drop from that
window into the configuration.


Endpoint Management
You can add and remove endpoints from the configuration.
You can add an endpoint by one of the following methods:

Browse Deployment Group - Displays the Select Management Server dialog box

Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.

For further information see Adding an Endpoint by Domain/Workgroup in the Tasks section.
To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the
Endpoint Analysis Ribbon page > Endpoint Management group.

Installed Applications
To retrieve a list of applications that are installed on an endpoint do one of the following:

Run Endpoint Scan - Select the endpoint in the navigation tree for which to run a scan. All
installed applications display in the Installed Applications work area.
An Endpoint Status dialog box displays while the scan is completing.
You can make the Endpoint Status dialog box transparent by clicking and dragging the
Transparency slider.

For further details see Running an Endpoint Installed Applications Scan in the Tasks section.

Run Scan for all Endpoints - to scan all endpoints listed in the navigation tree. Click on an
endpoint to display the list of installed applications in the Installed Applications work area.
The Installed Applications Scan detects applications that have been installed using Windows
Installer technology.

Application Usage Scans


Application Manager can record which applications are being or have been run on selected
endpoints. The Application Usage Scan detects applications in use that were not installed using
Windows Installer technology and are therefore not found by the Installed Applications Scan,
for example Firefox or shareware.
To start recording, select the Endpoint you want to scan and click Start Application Usage
Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.
Make sure that the selected endpoint is connected. For a connection to be made, the target
endpoint must have the following:

Application Manager Agent installed

Application Manager License installed

Access to the administrative share

To test access, open Windows Explorer and enter \\<computer name>\C$ in the Address bar. If
you can see the files, the share is working.


To stop recording, select the Endpoint being scanned and click Stop Application Usage Scan
on the Endpoint Analysis ribbon page > Application Usage group.
We recommend you run the Application Usage Scan for a minimum of 5 days, or a period
over which the user would perform all their normal activities in their role, to ensure all
applications are captured.

When the recording has been stopped, the File dialog box displays. Enter a name to save the
file. The files are saved in xml format and a new node is created for each xml file in the
navigation tree under the Recorded Data node of the selected Endpoint.
For further details, see Running an Application Usage Scan in the Tasks section.

To delete any of the xml files select Delete File on the Endpoint Analysis ribbon page >
Application Usage Scans group.

Application Data
The application data can be seen in detail for both the Installed Applications Scan and the
Application Usage Scan.
You can select to display the associated loaded files or the digital certificates.

Show Loaded Files - displays the Loaded Files dialog box. Drag and Drop any of the files to
add to the configuration.

Show Digital Certificates - displays the Certificates dialog box. Drag and Drop any of the
certificates to add to any of the Trusted Vendors node in the configuration.
On occasion the same certificate is listed more than once, for example:
Calc.exe loads Msvcrt.dll, Ntdll.dll and Msutil.dll
Calc.exe is signed with Microsoft Certificate A and Ntdll.dll is also signed with
Microsoft Certificate A
Refer to the Signed File column to identify which file has been signed with which
certificate.

Data Files
You can select to Import or Export the data gathered by either the Installed Applications Scan or
the Application Usage Scan.

Import - displays the Import dialog box. Locate the xml file you want to import and click
Open.

Export - displays the Export dialog box. Navigate to the folder to export to and enter the file
name and click Save.


Tasks
The following tasks are provided to help with EndPoint Analysis:

ADDING AN ENDPOINT BY DOMAIN/WORKGROUP

1. Select the Endpoint Analysis navigation button.


The Endpoint Analysis navigation tree displays.
2. Click Add Endpoint in the Endpoint Analysis ribbon page > Endpoint Management
group and select Browse Domain/Workgroup.
The Active Directory Select Computers dialog box displays.
3. Enter the name of the computer you want to add as the endpoint in the Enter the object
names to select box.
Alternatively, click Advanced and then click Find Now. Select the required computer from
the Search results and click OK.
4. Click OK.
A new node with the name of the selected computer is added to the navigation tree under
the Endpoints node .

RUNNING AN ENDPOINT INSTALLED APPLICATIONS SCAN

1. In the navigation tree, navigate to the Endpoint that you want to scan.
2. Click Run Endpoint Scan in the Endpoint Analysis ribbon page > Installed
Applications group.
The Endpoint Status dialog box displays.
You can increase or decrease the transparency by clicking and dragging the Transparency
slider; this allows you to see the console and continue working while the scan takes place.

3. Once the scan is complete the Installed Applications node under the selected Endpoint is
populated with the data, seen in the Installed Applications work area.

RUNNING AN APPLICATION USAGE SCAN

1. In the navigation tree, navigate to the Endpoint that you want to scan.
The work area displays the Endpoint Summary. The endpoint must show as Connected
before you can proceed with the scan.

2. Click Start Application Usage Scan in the Endpoint Analysis ribbon page >
Application Usage group.
Notice in the Endpoint Summary section in the work area, the status changes from Not
recording to Recording and the light changes from red to green.


3. To stop the recording, click Stop Application Usage Scan in the Endpoint Analysis
ribbon page > Application Usage group.
The File dialog box displays.
4. Enter a file name and click OK to save the file.
The file is saved in xml format and a new node is created with the file name under the
Recorded Data node for the selected Endpoint.

ADDING EPA DATA TO A CONFIGURATION


Refer to the Adding files to the configuration section.


9 Rules Analyzer

This section provides details on Application Manager Rules Analyzer and includes the following:

About Rules Analyzer

Endpoint Management

Data Acquisition

Data Files

Tasks

About Rules Analyzer


Rules Analyzer allows you to troubleshoot the behavior of AppSense Application Manager,
either locally or remotely, by creating and analyzing AppSense Application Manager log files.
When you first configure Application Manager, you may find that Application Manager allows
files that you intended to deny or denies files that you intended to allow.
Rules Analyzer helps you to examine exactly which rules are applied by Application Manager
and identify any inconsistencies or inaccuracies in your configuration settings when processing a
request. You can then make appropriate changes to the configuration using the Application
Manager console.
This section includes:

FEATURE SUMMARY

The Rules Analyzer console allows you to diagnose Application Manager problems by
connecting directly to computers controlled by Application Manager, and includes:

Creating Log Files You can create log files on computers controlled by Application
Manager.

Examining Log Files You can retrieve and examine log files to view the requests processed
by Application Manager. In particular you can see which rules were applied to each request
and whether the request was allowed or denied.

Anonymous logging - This means that user names are not written to the log file. User
names appear as Unknown\Anonymous. Navigate to the Endpoints node in the navigation
tree and select the Anonymous Logging check box in the work area.


GETTING STARTED

The Rules Analyzer console is used to create Application Manager log files and to retrieve and
examine the log files.
A computer node allows you to control logging on a specific computer and to retrieve log files
from that computer. Below each computer node is a node for each retrieved log file.
You can view a summary page, view all requests or view the requests for a specific user. You
can restrict the view to the denied or the allowed requests. Within the analysis panel you can
navigate to a specific request and view the full details of that request, including which rules
were applied by Application Manager.
Users must be logged on with an account that has read and write access to the registry of
any machine for which you wish to generate logs using Rules Analyzer, and read and write
access to the local registry of the machine on which the management console runs.
Testing whether you have admin share rights on the endpoint
Open Explorer, enter \\<computername>\c$ in the Address Bar and press Enter. If you can
browse the folders you have access rights; if not, you are prompted for user credentials, and an
account with administrative rights on the endpoint allows access.
Testing whether you have remote Registry access
Open the Registry Editor (Start > Run > Regedit). Select File > Connect Network
Registry; this displays the Active Directory Select Computers dialog box. Locate the machine
and click OK. If you can see the Registry keys, you have access.
On remote computers running Microsoft Vista, File Sharing and the Remote Registry Service
are disabled by default and must be enabled to ensure the Rules Analyzer can create or access
log files.

Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.
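The admin share and remote registry checks above, and the same admin share test given in the Endpoint Analysis chapter, can be scripted so that a whole set of endpoints is checked before scans or logging are started. The following Windows PowerShell function is an added example and is not part of the AppSense product or this guide. It assumes Windows PowerShell 5.1 (the -ComputerName parameters of Get-Service and Set-Service were removed in PowerShell 7), that the caller is an administrator on the endpoint, and that the AppSense agent can be located by a display name containing "AppSense"; the guide does not state the service name, so confirm it in services.msc. The license and configuration items in the checklist below cannot be verified this way and must still be confirmed in the console.

```powershell
# Added example (not AppSense code): pre-flight checks for an endpoint before
# running Endpoint Analysis scans or Rules Analyzer logging against it.
# Run from the console machine as an account that is an administrator on the
# endpoint. Requires Windows PowerShell 5.1 (Get-Service/Set-Service -ComputerName).
function Test-AmEndpointReadiness {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # If set, enable and start the Remote Registry service when it is stopped
        # (the manual step the guide gives for Vista endpoints).
        [switch]$StartRemoteRegistry
    )
    $r = [ordered]@{ ComputerName = $ComputerName }

    # 1. Admin share: the same check as browsing to \\<computer>\C$ in Explorer.
    $r.AdminShare = Test-Path -LiteralPath "\\$ComputerName\C`$"

    # 2. Remote Registry service, needed for Rules Analyzer to create and retrieve logs.
    try {
        $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction Stop
        if ($StartRemoteRegistry -and $svc.Status -ne 'Running') {
            # A disabled service cannot be started, so set the startup type first.
            Set-Service -Name RemoteRegistry -ComputerName $ComputerName -StartupType Manual
            $svc.Start()
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            $svc.Refresh()
        }
        $r.RemoteRegistryService = $svc.Status
    } catch {
        $r.RemoteRegistryService = "Error: $($_.Exception.Message)"
    }

    # 3. Remote registry read: the equivalent of File > Connect Network Registry in Regedit.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $r.RemoteRegistryRead = ($null -ne $key)
        if ($key) { $key.Close() }
        $hklm.Close()
    } catch {
        $r.RemoteRegistryRead = $false
    }

    # 4. AppSense agent present? ASSUMPTION: matched by display name because the
    #    guide does not give the service name; confirm it in services.msc.
    try {
        $r.AppSenseServices = (Get-Service -ComputerName $ComputerName -ErrorAction Stop |
            Where-Object { $_.DisplayName -like '*AppSense*' } |
            ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    } catch {
        $r.AppSenseServices = "Error: $($_.Exception.Message)"
    }

    [pscustomobject]$r
}

# Usage: check several endpoints at once and start Remote Registry where needed.
# 'WS01' and 'WS02' are placeholder endpoint names.
'WS01', 'WS02' |
    ForEach-Object { Test-AmEndpointReadiness -ComputerName $_ -StartRemoteRegistry } |
    Format-Table -AutoSize
```

An endpoint that reports AdminShare False but RemoteRegistryService Running usually means File Sharing is off or the caller's account is not an administrator on that machine; an endpoint that reports both as errors is normally unreachable on the network or blocked by a firewall, and no amount of console retries will connect it.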

CHECKLIST

You must have the following to use Rules Analyzer:



Application Manager Agent installed on endpoint.

License installed on endpoint.

Application Manager configuration installed on the endpoint.

Admin share rights to endpoint.

Reference

Log File Contents Summary


The Summary page displays when you select a log file node in the navigation tree.


It shows the number of requests processed by Application Manager. The top row of the table
shows the total number of requests for all users. The remaining rows show the number of
requests for each user. The Total column shows the total number of requests, allowed and
denied. The Allowed/Denied column shows the number of allowed or denied requests.
Click on any Total link to display the Log File Contents Request List.
To export the log file in XML format select the Export ribbon button.

You can select View the requests by processing time on the Summary page to display a
Request List page showing requests sorted with the longest running request first.

Log File Contents Request List


The Request List page displays a list of Application Manager requests when you click a Total link
in the Summary page.
The requests are listed in the order in which they were processed by Application Manager.
Each request displays a green tick or red cross to indicate whether the request was
allowed or denied.
Click on a request link to display the Log File Contents Request Details.
Log File Contents Request Details
The Request Detail page displays details of a particular request when you click a request in the
Request List page.
The Request Detail page displays each rule applied by Application Manager in
processing the request. The rules are listed in the order applied. The last rule in the list
determines the final result, allow or deny. The rule information includes links which, when
selected, display popup messages explaining the rule item.
Use the Return link at the top of the page to navigate to the previous page and the
Summary link to return to the Summary page. The Back button on the console toolbar is
for navigating the navigation tree.


Endpoint Management
Add and remove endpoints in the navigation tree. See Add an Endpoint on page 66 in the Tasks
section.

Data Acquisition
Start and stop logging on endpoints. See Create and retrieve a log file on page 66 in the Tasks
section.

Data Files
Import, export or delete a data file. Data files are in XML format and can be opened and
imported into Rules Analyzer nodes, or saved and exported.

Tasks
This section shows how to perform common tasks using Rules Analyzer, and includes:

ADD AN ENDPOINT

1. Select the Rules Analyzer navigation button.


The Rules Analyzer navigation tree displays.
2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint
Management group.
3. Select either Browse Deployment Group or Browse Domain/Workgroup depending
on the location of the endpoint you want to add.
Browse Deployment Group displays the Select Management Server dialog box.
Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.
Locate the required endpoint and click OK.
4. A new node is created for the selected endpoint under the Endpoints node in the
navigation tree.

CREATE AND RETRIEVE A LOG FILE

1. Locate and highlight the endpoint you want to analyze in the navigation tree.
2. Click the Start Logging button on the Rules Analyzer ribbon page > Data Acquisition
group.
3. When you want to stop logging, click the Stop Logging button on the Rules Analyzer
ribbon page > Data Acquisition group.
4. Enter a name for the retrieved log file. The log file is retrieved and saved locally as a new
node.
On remote computers running the Microsoft Vista operating system, File Sharing and the
Remote Registry Service are disabled by default and must be enabled to ensure the Rules
Analyzer can create or access log files.

Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services.
Turn on File Sharing in Start > Control Panel > Network and Sharing Center.


ANALYZE A LOG FILE

To analyze a log file, select the log file node. The first page shown in the analysis work area is
the summary page. You navigate inside the analysis panel by following links. Use the Return
link at the top of the page to go back to the previous page.

VIEW THE REQUESTS FOR A SPECIFIC USER

To view the requests for a specific user click one of the links in the table on the summary page.
You can click in the Total column to see all the requests for the user and you can click in the
Allowed column or the Denied column to see only the allowed or denied requests.

FIND REQUESTS THAT TAKE A LONG TIME

To find requests that take a long time click View the requests by processing time on the
summary page.
This shows the requests sorted, with the longest running request first. The processing time
shown is the elapsed time taken by the AppSense Application Manager agent to process the
request.


10 Auditing

This section provides details on AppSense Application Manager Auditing and includes the
following:

Audit

Local Events

Audit
Auditing allows you to define rules for the capture of auditing information. This includes
where event data is stored when logging to a local file and to the application event log, and
a filter for specifying the events you wish to capture in the log.
Local Auditing allows you to specify whether to log events in the Windows Application Event
Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML
format.
By default, the log file is located at
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.csv
(or .xml).
An alternative location can be configured for the log file. In this mode auditing also includes an
event filter to log only specific events.
In Enterprise installations, events can be forwarded to the AppSense Management Center via
the Client Communications Agent (CCA). When using this method for auditing, event data
storage and filtering is configured through the AppSense Management Console. For more
information see the AppSense Management Center Administration Guide.
Reference

Summary
The following allows you to configure the event logging:
Send events to the Application Event Log
Select whether to send events to the Application Event log.


Send events to the AppSense Event Log


Select whether to send events to the AppSense Event log.
Events can be sent to either the Application Event Log or the AppSense Event Log, not to both.

Make events anonymous


Specify whether events are to be anonymous. If Yes, the computer name and user name are
omitted from all events. Anonymous logging also searches the file path for any directory whose
name matches the username and replaces that directory name with the string USERNAME.
Send events to local file log
Select whether to send events to the local file log. If Yes, the events are sent to the local log file
as specified in the Text box.

Text box
The path for the local log file. The default is
%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%

Local file log format


Specify whether the event log is to be saved in XML format or CSV format.


Local Events
The Event filter table is a comprehensive list of all events and is used to select the events you
wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name
or Event Description. Selected events are highlighted in bold. Click Toggle to change the states
between selected and cleared.
Events 9001, 9007 and 9014 are disabled by default because they can generate excessive event
data on busy endpoints. We recommend these events are only used for troubleshooting
purposes, and only for short periods of time. A warning displays at the top right of the Event
filter list if you select one of these high-volume events.

Table 10.1  Application Manager Events List

Event ID  Event Name                Event Description                                       Event Log Type
9000      Denied Execution          Prohibited execution request.                           Warning
9001      Allowed Execution         Allowed execution request.                              Information
9002      Overwrite Changed Owner   Overwrite of an allowed executable.                     Warning
9003      Rename Changed Owner      Rename of a prohibited executable.                      Warning
9004      Application Limit Denial  Application limit denial.                               Warning
9005      Time Limit Denial         Time limit denial.                                      Warning
9006      Self-Authorization        Self-authorization decision by user.                    Warning
9007      Self-Authorized allow     Self-authorization execution request.                   Warning
9009      Scripted Rule Timeout     Script execution timed out.                             Warning
9010      Scripted Rule Fail        Script failed to complete.                              Warning
9011      Scripted Rule Success     Script completed successfully.                          Information
9012      Trusted Vendor Denial     Digital Certificate failed Trusted Vendor check.        Warning
9013      Network Item denied       Prohibited Network Item request.                        Warning
9014      Network Item allowed      Allowed Network Item request.                           Information
9095      Not configured            AppSense Application Manager has not been configured.   Warning
9096      Configuration upgraded    An old configuration has been found and was upgraded.   Information
9099      Agent not licensed        AppSense Application Manager is not licensed.           Error

System Events
The following are non-configurable system events:
Table 10.2  Application Manager System Events

Event ID  Event Name              Event Description
8000      Service Started         Application Manager Agent: Service started.
8001      Service Stopped         Application Manager Agent: Service stopped.
8095      No Configuration found  Application Manager cannot find a valid configuration.
8096      Configuration Upgraded  A configuration for a previous version of Application Manager
                                  has been detected and upgraded.
8099      Invalid License         Application Manager software is not licensed.

Reference

Local Event Filter


Log Locally
Select the events to log locally.
Toggle Selected
Select any number of events from one to all. Toggle to switch the Log Locally check box
between being selected and cleared.
Event Filtering
Select to display the Event Filtering dialog box.


File Event Filtering


Enable event filtering
Select to enable event filtering. Enabled by default.
File and Event IDs
Select the files to audit for each event. You can add or delete files from the list.


11 Configuration Profiler

This section provides details on the Configuration Profiler and includes the following:

Report Type

Report Criteria

Report Output

Report Type
The configuration profiler allows administrators to report on configurations stored locally or in
the central database. General reports are produced to assist auditing and compliance, for
example with Sarbanes-Oxley or HIPAA. Custom reports can be produced for specific users,
applications and devices to assist troubleshooting of large configurations.
The configuration profiler is a basic reporting tool that can be used to generate quick reports
based on the details of a loaded product configuration. The report can be generated in the
following ways:

Complete Report - Produces a report which includes all aspects of the configuration.

Report based on specific criteria - Produces a report which is based on the specified criteria
as selected in the Report Criteria section.

Report Criteria
Use the criteria to specify what is to be included in the report.
Enter the value to match for any of the following:

User

Group

File

Folder

Network Connection

Device


Report Output
The report output is produced in sections and sub-sections.
In the preview window you can change the following:

Paper

Size

Watermarks

The options to Save the report in various formats, for example PDF, and to Print the report
are also available from this preview.


12 Best Practices

This section provides information about best practices for managing your Application Manager
configuration and includes the following:
General Application Manager

Use NTFS Security

Install Applications with an Administrative Account

Take Ownership of Applications Requested by Users

Selectively Disable Trusted Ownership

Use Signature Checking Selectively

Prohibit Access to System Applications

Use Folders to Simplify Configurations

Use Group Accounts in preference to User Accounts

Use Environment Variables for Generic Configurations

Audit Unauthorized Activity

Scripted Rules

Use Scripted Rules to Allow Items

Use Scripts to Query Information

Use Validated Scripts Only

Application Network Access Control

Working With Streamed Applications

Avoid Whitelisting Websites

Control company network infrastructure

Configuring reverse DNS lookup entries

Endpoint Analysis

When to run Installed Applications scan

Period to run Usage Scan

Order to run scans

Use NTFS Security


Application Manager provides optimum protection when used in conjunction with NTFS file
system security. Trusted Ownership interrogates the owner of all application files, and ensures
that only applications installed or files introduced by a trusted user are allowed to run. A trusted
user is an administrator or the System account, by default. With this single check, Application
Manager prevents all user-introduced applications from running and removes the biggest
potential threat to system integrity and stability.
Use NTFS security to lock down all authorized applications and system files, where possible, to
prevent end users from deleting or overwriting important application and system files.
By default, all applications on non-NTFS formatted drives are not trusted and execution
requests are blocked, because a non-NTFS volume records no owner for a file. It is highly
recommended to use digital signatures for files on non-NTFS formatted drives by adding the
signatures to the Accessible Items list to allow applications to run.

Install Applications with an Administrative Account


Avoid installing applications or copying application files onto a system with a non-administrative
user account, as this results in the applications being blocked by Trusted Ownership checking.
In addition, install all ActiveX components, that users may require, with an administrative
account.

Take Ownership of Applications Requested by Users


Where possible, an administrator should either install or take ownership of any applications
requested by users. Do not simply add these files as accessible items and disable Trusted
Ownership checking. Taking administrative ownership of all application files provides a more
secure solution.

Selectively Disable Trusted Ownership


Only disable Trusted Ownership checking as a last resort. It should be possible to disable Trusted
Ownership checking on individual files or folders, rather than turning off Trusted Ownership
checking completely. The only scenario where Trusted Ownership should need to be disabled
on a file is where application files, such as DLLs, are copied during logon processing or created
in real-time. Where possible, try to avoid this behavior, especially if alternative strategies are
available that can keep ownership of application files with the administrator.

Use Signature Checking Selectively


If you have to disable Trusted Ownership checking on an application file, this is an ideal
situation to force a signature check of the file. This ensures that if the file is modified by a user,
Application Manager detects the signature change and prevents the application from
launching.
Although you can use a white list approach and create a rule that uses signature checking for
each and every application file, this creates extensive rules that can become difficult to manage
and maintain.


Signature checking can be used in a more effective way by securing application files that cannot
be protected by the default Trusted Ownership checking. The combination of generic Trusted
Ownership checks with specific signature checks as necessary provides a secure, but easily
maintainable solution.

TO PERFORM DIGITAL SIGNATURE CHECKING ON A FILE

1. Highlight the Signature Group Management node.


2. Click the Add Group ribbon button to create a new group with the name Calc.
3. Click the Add Item ribbon button. The Open dialog displays.
4. Locate the Calc.exe file in the Windows System32 folder and click Open.
A digital signature (hash) of the file is calculated and the file is added to the group items list.
5. Add a new User Rule for a test user and highlight the Accessible Items list.
6. Click the Add Item ribbon button. The Select Signature Groups dialog box displays.
7. Select the Calc group.
8. Click OK.
9. Save the configuration.
10. Log on as a non-administrative user and copy calc.exe from system32 into a temp directory.
This will change the ownership of the file to the user, who is not a trusted user. Normally,
the user would be unable to execute this copied application, but as the signature of the
copied application matches the stored signature in the configuration, the executable is
allowed to run.
11. Log in as an administrator and delete the copy of calc.exe from the temp directory.
12. Create a copy of Notepad.exe from the original in system32 into the temp directory and
rename the Notepad.exe copy to calc.exe.
13. Log on as the user again, and attempt to run Notepad.exe.
The executable is not allowed to run because the signature of the executable does not
match the stored signature in the configuration.
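The walkthrough above turns on one point: the decision is tied to the file's content hash, not to its path, its name or its NTFS owner. The following Python script is an added example written for this guide's reader, not part of the AppSense product or of the guide itself, that models the check offline. It builds a signature group from a constructed stand-in for calc.exe, then replays steps 10 to 13 against a copy and against a renamed notepad stand-in. SHA-1 is used because the Glossary states that Application Manager uses SHA-1 for digital signatures; the file contents are constructed byte strings, not real executables.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 65536


def file_signature(path):
    """SHA-1 hex digest of the file's bytes.

    The Glossary states that Application Manager uses SHA-1 for its digital
    signatures. The digest depends only on content, so the file's name, path
    and NTFS owner have no effect on it.
    """
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_signature_group(paths):
    """Model of a Signature Group: the set of signatures of the files added to it."""
    return {file_signature(path) for path in paths}


def allowed_by_signature(path, group):
    """Model of the Accessible Items check for a file that failed Trusted
    Ownership: it may run only if its current signature is in the group."""
    return file_signature(path) in group


def write_constructed_file(path, content):
    """Writes a constructed stand-in file; the bytes are arbitrary, not a real PE image."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(content)


def run_walkthrough():
    """Replays steps 10 to 13 of the procedure with constructed files.

    Returns (copied_calc_allowed, renamed_notepad_allowed).
    """
    root = tempfile.mkdtemp(prefix="am-signature-")
    try:
        system32 = os.path.join(root, "system32")
        temp_dir = os.path.join(root, "temp")
        calc = os.path.join(system32, "calc.exe")
        notepad = os.path.join(system32, "notepad.exe")
        write_constructed_file(calc, b"MZ constructed calc.exe image")
        write_constructed_file(notepad, b"MZ constructed notepad.exe image")

        # Steps 1 to 4: the Calc group holds the signature of system32\calc.exe.
        calc_group = build_signature_group([calc])

        # Step 10: the user copies calc.exe into temp. Ownership changes, the
        # bytes do not, so the signature still matches and the copy may run.
        os.makedirs(temp_dir, exist_ok=True)
        copied = os.path.join(temp_dir, "calc.exe")
        shutil.copyfile(calc, copied)
        copied_allowed = allowed_by_signature(copied, calc_group)

        # Steps 11 and 12: remove the copy, then drop notepad.exe in its place
        # under the name calc.exe.
        os.remove(copied)
        shutil.copyfile(notepad, copied)

        # Step 13: same name and location as before, different content, no match.
        renamed_allowed = allowed_by_signature(copied, calc_group)
        return copied_allowed, renamed_allowed
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_walkthrough())  # (True, False)
```

The same property cuts the other way in operation: because the decision follows content, a patched copy of a file you did authorize no longer matches its group entry, which is the "signature change" behaviour described at the top of this section, so signature groups need updating whenever the signed files are updated.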

Prohibit Access to System Applications


Use Prohibited Items to restrict access to system applications, such as registry editing tools
(regedit.exe and regedt32.exe), and any other tools that a user could misuse to find or exploit
weaknesses in system security.

Use Folders to Simplify Configurations


Where multiple files are located in a single folder, try to use folders in Prohibited Items and
Accessible Items to simplify the configuration. This maintains a concise configuration that is
easier to manage.

Use Group Accounts in preference to User Accounts


Where possible, use Windows groups when configuring exceptions and overrides, as groups are
easier to maintain than individual user accounts. Only specify user accounts where an
appropriate group does not exist.

Use Environment Variables for Generic Configurations


All drive, folder and file paths in Application Manager can be defined in terms of environment
variables. For instance, after adding a file from the system32 directory, right-click on the file
path and select Replace with Environment Variables. This replaces the Windows directory
with the generic environment variable %SystemRoot%.
Environment variables enable you to deploy generic configurations to workstations or servers
with minor configuration variations, such as different system drive letters or Windows
installation directory names.

Audit Unauthorized Activity


We recommend you create an Auditing configuration that logs events to application event logs
each time users try to execute prohibited applications.
Although Application Manager deters the majority of users, effective auditing can pinpoint
those users who continually attempt to run prohibited applications. In particular, any attempts
by users to run applications that pose a security risk, such as password crackers, need to be
identified.

Use Scripted Rules to Allow Items


Since Scripted rules do not apply settings until the script is complete, use scripted rules for
allowing items in the Accessible Items list rather than prohibiting items in the Prohibited Items
list.
We recommend that Application Manager blocks an item until the scripted rule allows it to
run. Otherwise, the item is left uncontrolled in any of the following scenarios:

Depending on how you set up the rule, your settings may not be enforced until after the
user logon is complete.

In the event that the scripted rule times out, the rule settings do not apply.

In the event that the Scripted Rule fails to complete because of an error in the script, the
rule settings do not apply.

Use Scripts to Query Information


We recommend you use scripts only to query information, not perform tasks or activities.

Use Validated Scripts Only


Scripts can cause serious damage to your system and should only be created and enabled by
authors with experience of scripting in VBScript.

Working With Streamed Applications


For details on working with streamed applications, refer to the Streamed Applications appendix.

Avoid Whitelisting Websites


Allow access to all network resources and prohibit the specific network resources to which
access should be blocked, rather than prohibiting all network resources and making specific
network resources accessible.

Control company network infrastructure


Application Network Access Control is designed to control company network infrastructure and
is not a recommended web filtering tool.

Configuring reverse DNS lookup entries


If using the engineering keys to configure reverse DNS lookup entries, only add IP addresses that
are within the company network infrastructure to the relevant engineering key.
For further information on the use of reverse DNS lookups in Application Network Access
Control, refer to the appendix Application Network Access Control and Reverse DNS Lookup.

Add IP Addresses to prohibit network connection


When prohibiting a network connection, add both a Host Name entry and an IP Address entry so
that the connection is prohibited whether it is requested by name or by address.

When to run Installed Applications scan


Run the Installed Applications scan in low usage times to help prevent any possible delays, for
example, out of hours or when users have logged off.

Period to run Usage Scan


You should record user data for a minimum of 5 days to ensure all applications are captured.
If you shut down while an Application Usage Scan is taking place, the scan carries on from
where it stopped once the machine is restarted.

Order to run scans


Run the Installed Applications scan first to produce an initial list of installed applications and
then run the Usage scan so that the results can be checked against the installed applications list
to see if any applications are missing.


A P P E N D I X E S

This section provides additional or supporting information about topics covered in the Guide
and includes:

System Requirements

Working with Scripted Rules

Licensing

Application Network Access Control and Reverse DNS Lookup

Streamed Applications


System Requirements

This appendix provides details on the System Requirements for AppSense Application Manager.
Supported Operating Systems
The following 32-bit and 64-bit Operating Systems are supported:

Microsoft Windows XP SP2

Microsoft Windows Server 2003 SP1 (including Terminal Services)

Microsoft Windows Vista

Microsoft Windows Server 2008 (including Terminal Services)

Supported Technologies

Citrix XenApp

Citrix XenDesktop
For details on working with AppSense Application Manager and Streamed Applications refer
to the Streamed Applications appendix.

Installed Components
The following components are installed as part of the AppSense Management Suite Installer:

Windows Installer 3.1 Redistributable (v2)

Microsoft Core XML Services (MSXML) 6.0

Microsoft .NET Framework 2.0 Redistributable Package

Microsoft Visual C++ 2005 SP1 Redistributable package


Working with Scripted Rules

This section provides details about creating the scripts used in scripted rules, includes sample
scripts, and covers the following:

About Scripted Rules

Writing a Script

Sample Scripts

Best Practices

About Scripted Rules


Scripted Rules allow the administrator to base configuration rules on any conditions, not just
users, groups and devices. Scripts are written in VBScript, and allow access to any information
accessible via COM, WMI, or any other scripting interfaces available to VBScript.
A script must return a True value to enforce rule settings, which include Security Level,
Accessible Items, Prohibited Items and Trusted Vendors.
Scripts can run:

For every user that logs on, either as the user or as SYSTEM.

Once per computer. Rule settings are enforced for all users.

At agent startup.

Whenever there is a configuration change.

Writing a Script
Each script runs within a hosted script engine, which gives the agent a high degree of control
over script execution and over the script's input and output.

No VBS file is used.

No separate process is spawned.

A script must be written as a function. The script can contain many functions, but a main start
function must be specified. The start function is run by the Application Manager agent. Other
functions can be called by the start function.
The start function must return a True value for the script to pass and apply the rule settings.
Otherwise, the start function returns False, by default, and the rule does not apply.


The AMScriptRule COM object is built into the scripting engine and provides access to the
following methods:

    strUsername = AMScriptRule.UserName

    strUserdomain = AMScriptRule.UserDomain

    strSessionid = AMScriptRule.SessionID

    strStationname = AMScriptRule.WinStation

The Microsoft standard in this instance means that WinStation returns the name of the
Terminal Services session, which is determined by the type of session, with typical values
being Console or RDP-Tcp#34, rather than the Window Station name, which is typically
WinSta0.

The AMScriptRule COM object also includes the following methods:

    AMScriptRule.Log "My Log Statement"

Outputs a logging string to the agent log file for use when debugging scripted rules.

    strEnvironmentvar = AMScriptRule.ExpandEnvironment("%MyEnvironmentVariables%")

Expands environment variables of the user running the script.

Using WScript.Shell to expand environment variables only returns SYSTEM variables.

Sample Scripts
The following are sample scripts:

SCRIPTABLE RULE TO DETERMINE IF A USER IS A MEMBER OF A CERTAIN OU

The following sample script shows the main components of a script and demonstrates how to
access information about the username of the user logging on to the system, and match with a
specific domain and organizational unit:
Function MyScript()
    'Get the username of the user logging in (also works when running as SYSTEM)
    strUserName = AMScriptRule.UserName
    'Get the domain of the user logging in (also works when running as SYSTEM)
    strUserDomain = AMScriptRule.UserDomain
    'Look up user environment variables (when running as SYSTEM, only SYSTEM
    'variables are available)
    strClientName = AMScriptRule.ExpandEnvironment("%ClientName%")
    'Log the output
    AMScriptRule.Log strUserName & " logged in on " & strClientName
    'Check if the user is a member of the domain
    If strUserDomain = "MyDomain" Then
        'If so, see if the user is in the MyOU OU
        Set objOU = GetObject("LDAP://ou=MyOU,dc=MyDomain,dc=com")
        objOU.Filter = Array("user")
        For Each objUser In objOU
            'Check if there is a match with the user logging on
            If objUser.sAMAccountName = strUserName Then
                'If there is, then set the function to True
                MyScript = True
            End If
        Next
    End If
    'Unless there is a username match, the function defaults to False
End Function

SCRIPTABLE RULE TO DETERMINE IF AN AAC FILTER HAS BEEN PASSED.

The following script returns True only when the Citrix SmartAccess (AAC) filter named in
ExpectedFilter has been passed for the current session, so that the rule's settings apply only to
sessions that passed that filter:
Function ScriptedRule()
    'Name of Filter scan expected to pass
    ExpectedFilter = "FWALL"
    'Get Server Name
    Set objNTInfo = CreateObject("WinNTSystemInfo")
    ServerName = LCase(objNTInfo.ComputerName)
    'Set initial return value
    ScriptedRule = False
    'Create MetaFrame Session Object
    Set MFSession = CreateObject("MetaFrameCOM.MetaFrameSession")
    'Initialize the session filters for this session
    For Each x In MFSession.SmartAccessFilters
        'Return True if our filter is found
        If x = ExpectedFilter Then
            ScriptedRule = True
            AMScriptRule.Log "SmartAccessFilter match found."
        End If
    Next
End Function

Best Practices
The following are recommended as best practices for creating and running scripted rules:
Use Scripted Rules to Allow Items
Since Scripted rules do not apply settings until the script is complete, use scripted rules for
allowing items in the Accessible Items list rather than prohibiting items in the Prohibited Items
list.
We recommend that Application Manager blocks an item until the scripted rule allows it to
run. Otherwise, the item is left uncontrolled in any of the following scenarios:

Depending on how you set up the rule, your settings may not be enforced until after the
user logon is complete.

In the event that the scripted rule times out, the rule settings do not apply.

In the event that the Scripted Rule fails to complete because of an error in the script, the
rule settings do not apply.
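The scenarios in this list, and the identical list under Use Scripted Rules to Allow Items in the Best Practices chapter, all come down to one contract: a start function that has not returned True applies nothing. The Python script below is an added example written for this guide's reader, not the product's VBScript engine, that models that contract (an exception, a timeout or any value other than True means the whole rule is skipped) and then puts an Accessible Items style rule and a Prohibited Items style rule through the same failures. The rule layout, the file path, the timeout value and the three stand-in scripts are constructed for the example.

```python
import threading
import time


def evaluate_start_function(start_function, timeout_seconds):
    """Model of the start-function contract described above.

    The rule applies only if the function finishes within the timeout and
    returns True. A script error (exception), a timeout, or any other return
    value means the rule settings do not apply.
    """
    outcome = {"applies": False}

    def runner():
        try:
            outcome["applies"] = start_function() is True
        except Exception:
            outcome["applies"] = False  # error in the script: rule does not apply

    worker = threading.Thread(target=runner, daemon=True)
    worker.start()
    worker.join(timeout_seconds)
    if worker.is_alive():
        return False  # script timed out: rule does not apply
    return outcome["applies"]


def decide(file_path, base_allowed, scripted_rules, timeout_seconds=0.2):
    """Model of an execute decision for file_path.

    base_allowed is what Trusted Ownership and the non-scripted rules already
    decided. Each scripted rule is a dict with keys 'start', 'accessible' and
    'prohibited'; only rules whose start function returned True are applied.
    """
    allowed = base_allowed
    for rule in scripted_rules:
        if not evaluate_start_function(rule["start"], timeout_seconds):
            continue  # the whole rule is skipped, both lists included
        if file_path in rule["prohibited"]:
            allowed = False
        if file_path in rule["accessible"]:
            allowed = True
    return allowed


# Constructed stand-ins for three ways a start function can end.
def script_ok():
    return True


def script_error():
    raise RuntimeError("constructed error inside the script")


def script_hang():
    time.sleep(2)  # longer than the model's timeout
    return True


TOOL = r"C:\Temp\tool.exe"  # constructed path, not from the guide


def allow_style_rule(start):
    """Scripted rule that grants TOOL through Accessible Items."""
    return {"start": start, "accessible": {TOOL}, "prohibited": set()}


def prohibit_style_rule(start):
    """Scripted rule that blocks TOOL through Prohibited Items."""
    return {"start": start, "accessible": set(), "prohibited": {TOOL}}


def compare_approaches():
    """Returns {(style, script outcome): file allowed?} for both rule styles.

    Allow style starts from 'blocked' (TOOL failed Trusted Ownership), so a
    failed script leaves it blocked: fail closed. Prohibit style starts from
    'allowed' (TOOL has a trusted owner), so a failed script leaves it
    running: fail open.
    """
    results = {}
    for label, start in (("ok", script_ok), ("error", script_error), ("timeout", script_hang)):
        results[("allow", label)] = decide(TOOL, False, [allow_style_rule(start)])
        results[("prohibit", label)] = decide(TOOL, True, [prohibit_style_rule(start)])
    return results


if __name__ == "__main__":
    for key, allowed in sorted(compare_approaches().items()):
        print(key, "allowed" if allowed else "blocked")
```

The first scenario in the list fits the same model: a script that has not finished when the user's logon completes is, for that interval, indistinguishable from one that timed out, so an item the script was meant to prohibit is runnable until it returns.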

Use Scripts to Query Information


We recommend you use scripts only to query information, not perform tasks or activities.
Use Validated Scripts Only
Scripts can cause serious damage to your system and should only be created and enabled by
authors with experience of scripting in VBScript.


Application Network Access Control and Reverse DNS Lookup

This appendix provides details on extending Application Network Access Control to use reverse
DNS lookups.
The Application Network Access Control feature can use reverse DNS lookups when evaluating
Network Connection rules. The feature is turned off by default, because the time it takes to
retrieve this information from DNS servers may degrade the performance of network
applications.
Enabling this feature makes the network rules more effective in situations where users or
applications request network resources by IP address while the configuration is based upon
host names.
The reverse DNS lookups can be enabled by configuring a set of engineering keys.
For further information refer to the AppSense Application Manager Engineering Keys Guide.

This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS
servers.


Licensing

The AppSense Local Licensing Console allows you to create and manage AppSense product
licenses.
This section provides details about using the console, and includes the following:

About License Manager

Managing Licenses

Troubleshooting

About License Manager


AppSense Local Licensing allows you to manage individual AppSense product licenses, full
Management Suite licenses and evaluation licenses for computers operating in Standalone
mode.
For information about Enterprise license management and deployment, see the AppSense
Management Center Administration Guide.

The console allows you to:


Manage licenses for single products, the AppSense Management Suite or Evaluation
licenses.

Export license packages to MSI file format for saving to the AppSense Management Center
or other computers which can be remotely accessed.
We recommend using the Management Center Enterprise Licensing for Enterprise
installations.

Import and manage licenses from MSI file format.

An installation requires one of the license codes shown in Table D.1:

Table D.1  AppSense License Types

License: AppSense Management Suite
Description: Full Suite license.
Activate: Requires activation using the activation code sent from AppSense Ltd. with the
license code.

License: Application Manager
Description: Single product license.
Activate: Requires activation using the activation code sent from AppSense with the license
code.

License: Evaluation
Description: Full Suite or single product licenses.
Activate: Evaluation licenses are available during the first installation of the product and do
not require activation. They are valid for 21 days.

Managing Licenses
The following procedures show how to add and activate a new license, and how to import and
export licenses as Microsoft Windows Installer (*.msi) files for distribution to other computers
or to back up a set of licenses.

ADD AND ACTIVATE A LICENSE

1. Click Add to create a new entry in the license grid and enter the license code in the License
Code entry box.
You can enter each digit manually or copy and paste the license code straight into the entry box.
When a license entry is highlighted, a description displays in the lower portion of the
console and includes the following details:

License Code

License State: Not Activated, Valid, Invalid

Expiry Date

Description indicates the number of days remaining.


A license remains invalid until a code is entered in the Activation Code column.
Evaluation licenses do not require activation.

2. Click Activate to enter the activation code, either by entering each digit manually or by
copying and pasting the activation code directly into the Activation Code entry box, and click Enter.
The description in the grid view updates with the license information as do the details
about the license validation status and, where relevant, the expiry date, in the lower portion
of the console.
Once a license is active, the icon changes to indicate the current license state.
3. Save the configuration to confirm your settings.

TO IMPORT A LICENSE FILE

1. Click Import to display the file Open dialog box and navigate to the location of the license
MSI file.
2. Click Open to load the license file in the Local Licensing Console.

TO EXPORT A LICENSE FILE

1. Click Export to display the file Save As dialog box and browse to the location for saving
the license MSI file.
2. Provide a name for the file and click Save to save the file.
You can copy this file to any network location and load the file in the Local Licensing
Console or in Management Center Enterprise Licensing.

Troubleshooting
I received an AppSense license, what do I do?
If you have received an AppSense product license from AppSense, you can load the license by
launching the Local Licensing Console on your client computer and entering the license code
and activation code.
Enter the product license exactly as received. Once a license has been successfully entered, the
system updates the description details stating the products and duration for which the license is
valid.
I have entered an AppSense license, but it is for evaluation, what does this
mean?
If you are trying an AppSense product before purchasing, the product installs with an option to
automatically install an evaluation license. Evaluation licenses are limited to 21 days, during
which time you can familiarise yourself with the product.
Once the expiry date has been reached, contact AppSense to obtain a full license to continue
using the product.
I have entered an AppSense license, but it says it is not activated, why?
Apart from evaluation licenses, AppSense licenses require activation before they can be used.
Activation codes are provided by AppSense. Activate a license by entering the activation code.
For more information, see Managing Licenses.
I have tried to enter an AppSense license, but it says it is invalid, what can I
do?
Check that the license code has been typed correctly. Check it is a license code and not an
activation code that has been entered.
If you are still sure you have entered the license correctly but it is not accepted, contact
AppSense support.


Streamed Applications

This section provides details on how to allow Application Manager to work with Streamed
Applications and includes the following:

Citrix XenApp

Citrix XenApp
To set up Citrix XenApp to work with Application Manager functionality you need to specify
certain exclusions, as follows:
1. Navigate to Citrix Streaming Profiler for Windows.
2. Open the Application Profile.
3. Highlight the relevant Target and select the Edit menu.
4. Select Target Properties.
The Target Properties screen displays.
5. Select Rules.
The Rules work area displays on the right hand side.
6. Click Add in the Rules work area.
The New Rule Select Action and Objects dialog box displays.
7. In the Action section leave the default setting as Ignore.
8. In the Object section select Named Objects and click Next.
The New Rule Select Objects dialog box displays.
9. Select All Named Objects and click Next.
The New Rule Name Rule dialog box displays.

10. Enter a name for the rule or accept the default and click Finish.
11. Click OK.
The Target Properties screen re-displays and the Ignore all named objects rule is now
listed in the work area on the right hand side.
12. Save the Profile.
13. Repeat for each Application Profile as required.


G L O S S A R Y

AAC

Accessible Items

Agent

Application Limit

Audit Only

CCA

Configuration

Configuration File

Configuration Profiler

Console

Deploy

Digital Signature

Event

Node

OU

Prohibited Items

Rule

Security Level

Security Identifier

Self-Authorizing User

SID

Time Limits

Trusted Applications

Trusted Ownership

Trusted Vendors

Wildcards

AAC
Citrix Advanced Access Control.
Accessible Items
Accessible Items are files, folders, drives or digitally signed files or groups of files in an
Application Manager configuration Rule which are allowed to run when file execution requests
are matched with the rule security settings and would otherwise be prohibited by other
configuration settings.
See also: Prohibited Items and Trusted Vendors
Agent
A proactive software component which implements the product configuration rules. For
example, the Application Manager Agent is software that runs as a Windows service to validate
execute requests according to the rules in the configuration installed on a computer.
Application Limit
Application Limits specify the number of instances of an application a user can run. An
application limit can be applied to an item in the Accessible Items node.
Audit Only
Security Level assigned to users, groups or devices in an Application Manager Rule which audits
events according to the Auditing Configuration without applying the rule. Used for passive
monitoring in evaluations to assess application usage on the host environment.
CCA
Client Communications Agent. Installed on computers operating in an Enterprise installation to
provide a link between the product agent running on a managed computer and the AppSense
Management Center.
The CCA sends event data generated by the product agents to the Management Server and
also polls the Management Server to manage the download and installation for software
configuration, agent and package updates.
The CCA can be downloaded and installed directly on managed machines from the
Management Server website.
Configuration
The Application Manager configuration consists of lists of files/folders that you have decided
should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also
contains optional settings and text to be displayed to the user. A configuration is created and
managed using the Application Manager Console and used by the Application Manager Agent
and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration
settings to determine whether or not an execute request is to be denied.
Configuration File
An Application Manager configuration exported from the Console and saved to Windows
Installer .MSI file format. The file can be installed on any computer and the configuration
rules are applied when an Application Manager Agent is present and running as a service on
the computer.
Configuration Profiler
Generates reports detailing the current settings in the Configuration. Filtering options allow you
to query settings affecting specific users or groups, devices, and files or folders.
Console
AppSense Application Manager software interface.
Deploy
To deliver a configuration or AppSense software component to one or more computers, which
can include the local machine.
Digital Signature
Application Manager uses the SHA-1 algorithm for applying a digital signature to uniquely
identify files.
The signature can be used as a security measure when adding files as Accessible Items,
Prohibited Items and Trusted Vendors.
Signatures can also be used for allowing applications on non-NTFS formatted drives to run,
which Application Manager would otherwise block by default. Add the digital signatures to the
Accessible Items list and disable trusted ownership checking for the individual files. Signature
Group Management provides easier administration for large groups of signatures.
Accessible Items with digital signatures can be used to verify that the file which the user is
attempting to run is actually the file permitted by the administrator.
Prohibited Items with digital signatures can be used to ensure the file is always prevented from
executing, even when the user renames the file.
Event
An Event is generated by Application Manager to report file execution requests, overwrites or
renames and Self-Authorizing User decisions. The event number indicates the outcome of the
request. Events are logged according to the method set up in the Auditing node.
Node
A node is a term used in the Application Manager Console to represent a branch in the
navigation tree.
OU
Organizational Unit. A container that holds users and computers in Active Directory.
Prohibited Items
Prohibited items are files, folders, drives or digitally signed files or groups of files specified in an
Application Manager Rule which are not allowed to run when file execution requests are
matched with the rule security settings and would otherwise be allowed by other Configuration
settings.
See also: Accessible Items and Trusted Vendors
Rule
A Configuration rule assigns a Security Level to the specified users or groups, devices and
combinations of these and contains control lists for Accessible Items, Prohibited Items and
Trusted Vendors. Application Manager intercepts kernel level file execution requests and
matches these with the configuration rules to implement security controls.
Security Level
Application Manager configuration Rule settings include security levels which specify how to
manage requests to run unauthorized applications by the users, groups or devices which a rule
matches.
Restricted: Only authorized applications can run. These include files owned by members of
the Trusted Owners list and files listed in Accessible Items, Trusted Vendors and Trusted
Applications.
Self-Authorizing: Users are prompted for decisions about blocking or running unauthorized
files on the host device.
Audit only: All actions are permitted but events are logged and audited, for monitoring
purposes.
Unrestricted: All actions are permitted without event logging or auditing.
Security Identifier
(SID) A data structure of variable length that identifies user, group, and computer accounts.
Every account on a network is issued a unique SID when the account is first created. Internal
processes in Windows refer to an account's SID rather than the account's user or group name.
Likewise, Application Manager also refers to a user or group SID, unless the SID could not be
found when the account was added to the configuration.
Self-Authorizing User
User, group or device granted control to choose whether to block or run an unauthorized
application on the host computer. The Self-authorizing Security Level can be assigned in an
Application Manager Rule to match a file execute request for users, groups or devices.
SID
See Security Identifier.
Time Limits
Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application
Manager Rule which determine day and time ranges when the controls apply.
For example, an entry in the Prohibited Items node of a rule can prevent users from running the
local web browser except between the hours of 12pm and 2pm on specific days of the week.

Trusted Applications
Trusted Applications are files which are authorized to run by the Application Manager
configuration and can execute files which are normally prohibited. Trusted Applications are
designated in the Default Rules and include specified Trusted Content: files that are normally
prohibited but are allowed when executed as a child process of the associated Trusted
Application.
For example, essential applications such as antivirus update software are usually allowed to run
but may also depend on being able to run particular downloaded executables, which are
normally prohibited, to perform an update. The antivirus software is added to the rules as a
Trusted Application, and the prohibited downloaded executable which the antivirus needs to
run is added as Trusted Content of the Trusted Application.
Add certain files and file types as Trusted Content. Extend this trust to folders and drives to
allow files in these locations to run as Trusted Content of the Trusted Applications. Trusted
Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership
checking.
Trusted Ownership
Trusted Ownership checking is a secure method Application Manager uses to prevent users
running unauthorized applications. On NTFS formatted drives, files have owners, and
Application Manager is configured, by default, to only allow files to be executed if the file
owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by
a trusted owner, the execute request is denied and a message notifies the user. Any files
downloaded from the internet or received in e-mail are owned by the user, so those files are not
permitted to run unless ownership is held by a member of the Trusted Owners list.
By default, Application Manager blocks execution requests for all applications on non-NTFS
formatted drives.
Trusted Vendors
Trusted Vendors are digital certificates signed by trusted sources. Trusted Vendor checking
allows applications which fail Trusted Ownership checking to match digital certificates with the
Trusted Vendors list.
A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted
Rule of the configuration.
Application Manager queries each file execution which fails Trusted Ownership checking to
detect the presence of a digital certificate. If the file has a digital certificate which is signed by a
certificate authority matching a valid entry in the Trusted Vendor list, the file is allowed to run.
Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership
checking and Trusted Application checking.
Wildcards
Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the
Application Manager Console. The asterisk represents one or more characters, excluding the
back slash (\) character, whilst the question mark wildcard represents one character, excluding
the forward slash (/) character. Both of the wildcard characters can be used in any part of a file
path, including the drive letter for local paths.
For example, c:\sample path\test?\*.exe matches all files with the .exe extension that exist in
the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn, etc. But since the
question mark can only replace one character, it does not match c:\sample path\test100. The
only limitation imposed by Application Manager on the use of wildcards is that the asterisk
cannot be used to match more than one subdirectory.
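The following Python matcher is an added example, not part of the Application Manager Console, that implements the wildcard semantics stated in this entry literally (asterisk: one or more characters other than a backslash, so it cannot cross into a subdirectory; question mark: exactly one character other than a forward slash) so that the c:\sample path\test?\*.exe behaviour described above can be checked against concrete paths. Case-insensitive comparison is an assumption added here because Windows paths are case-insensitive; this page does not state it.

```python
import re


def wildcard_to_regex(pattern):
    """Translate an Application Manager style path pattern into a compiled regex.

    Semantics follow the Glossary: '*' is one or more characters excluding the
    backslash (so one '*' never spans more than one subdirectory), '?' is
    exactly one character excluding the forward slash. Every other character
    is literal. IGNORECASE is an assumption made here for Windows paths.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def path_matches(pattern, path):
    """True if the full path matches the pattern (anchored at both ends)."""
    return wildcard_to_regex(pattern).match(path) is not None


def matching_entries(entries, path):
    """Return the configured entries (for example Prohibited Items) whose
    pattern matches the requested path, in configuration order."""
    return [entry for entry in entries if path_matches(entry, path)]


SAMPLE_PATTERN = r"c:\sample path\test?\*.exe"  # the example pattern from the Glossary


if __name__ == "__main__":
    for candidate in (r"c:\sample path\test1\tool.exe",
                      r"c:\sample path\test100\tool.exe",
                      r"c:\sample path\test1\sub\tool.exe"):
        print(candidate, path_matches(SAMPLE_PATTERN, candidate))
```

Because the asterisk requires at least one character, a pattern such as c:\tools\*.exe does not match a file literally named .exe in that folder, and because it cannot absorb a backslash, files in sub-folders of c:\tools are not covered by that entry either; both are worth checking when a prohibited-items entry appears not to fire.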
