Using the “Security Descriptors” within the App-V 4.5 Sequencer.

Using Security Descriptors
When using the new App-V 4.5 sequencer, Security Descriptors are switched on by default.

But what is this Security Descriptors function in the first place? How does it work? And is it of any use at all? In this article I will answer those questions.

What are Security Descriptors?
One of the big advantages of SoftGrid has always been that users could work with their applications as if they had Full Control rights. This was a huge advantage, especially in Terminal Server environments, where administrators usually put a lot of effort into getting applications to work on the one hand and securing the Terminal Server environment on the other.

By enabling Security Descriptors while sequencing an application (switched on by default), permissions on the Windows file system are “pulled into the bubble” (not the registry; thanks to Brian Kelly for the heads-up). The sequencer always captures security descriptors during sequencing, but the client enforces them on the file system drive at runtime only when the Enforce Security Descriptors setting is checked.

So if a users group on the Sequencer had read rights on the D:\APP-X folder, these rights are stored in the Virtual Environment. Once the package is streamed and run on the client, the user cannot edit anything in this particular folder. In this manner you can set permissions on parts of the Virtual Environment and protect those parts from being modified by a user.

How does it Work?
As I mentioned before, the enforcement of Security Descriptors is switched on by default. You can find the check box on the new Deployment tab of the Sequencer’s SFT-editor.

So if the check box is switched on, the permissions are stored inside the virtual environment.

What’s the use?
Good question! As I mentioned above, one of the biggest advantages of SoftGrid has always been that users had more or less Full Control rights within their virtual environment. The advantage, especially for Terminal Server environments, was huge.

I don’t see the advantage of switching the “Enforce Security Descriptors” setting on by default. I can imagine this option can be useful with some applications which need to have certain restricted permissions on parts of the virtual file system. For instance, some (badly written) applications need to have restrictions on parts of the virtual file system to ensure that settings don’t get corrupted or that .PKG files don’t grow excessively.

Because this situation only applies to some applications, it is my opinion that the Security Descriptors should not be switched on for every application but just for the applications where you’re facing a problem that can be solved by using Security Descriptor Enforcement.

How to switch the enforcement off by default?
This is not too difficult. The first step is to create a default.sprj (if you do not already have one): launch the Sequencer, go to the Tools menu and select Options. On the Options screen go to Exclusion Items and click on “Save As Default”.


I know this is a weird place for saving default settings. Don’t worry about that; just browse to the program directory of the Sequencer (by default C:\Program Files\Microsoft Application Virtualization Sequencer) and open the default.sprj file. This is an XML file. Besides a lot of other settings, you can also set the Security Descriptors option in this file. Just set the value of the “UseSecurityDescriptors” option to “No” and you’re done.
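
The edit described above, together with a check of which project files currently have the option on, as an added example (not from the original article or from Microsoft). The XML layout of the constructed sample and the function names are assumptions; the script looks for UseSecurityDescriptors as either an attribute or an element because the article does not show where it sits in the file.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

OPTION = "UseSecurityDescriptors"  # option name as given in the article

# Constructed sample: the element layout is an assumption, not a real default.sprj.
SAMPLE_SPRJ = """<?xml version="1.0"?>
<SequencerProject>
  <Package Name="APP-X" UseSecurityDescriptors="Yes" />
</SequencerProject>
"""

def _hits(root):
    """Find the option wherever it occurs, as an attribute or as an element."""
    for el in root.iter():
        if OPTION in el.attrib:
            yield el, True
        elif el.tag == OPTION:
            yield el, False

def read_option(path):
    """Return the option's values found in one .sprj file (empty list if absent)."""
    root = ET.parse(path).getroot()
    return [el.attrib[OPTION] if is_attr else (el.text or "").strip()
            for el, is_attr in _hits(root)]

def audit(folder):
    """Map each .sprj under folder to True (enforced), False (off) or None (not set)."""
    report = {}
    for sprj in sorted(Path(folder).rglob("*.sprj")):
        values = read_option(sprj)
        report[str(sprj.relative_to(folder))] = (
            None if not values else all(v.lower() == "yes" for v in values))
    return report

def set_option(path, value="No"):
    """Write value to every occurrence, keeping a .bak copy; return the number changed."""
    tree = ET.parse(path)
    hits = list(_hits(tree.getroot()))
    if not hits:
        raise ValueError(f"{OPTION} not found in {path}")
    shutil.copy2(path, str(path) + ".bak")
    for el, is_attr in hits:
        if is_attr:
            el.set(OPTION, value)
        else:
            el.text = value
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return len(hits)
```

ElementTree rewrites the whole file and drops XML comments, which is why set_option keeps the .bak copy. Running audit over the folder that holds your project files shows which packages were sequenced with enforcement off.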


Hotfix Package 2 for App-V 4.5 available

The App-V Team Blog just posted the availability of Hotfix Package 2 for App-V 4.5. It fixes a couple of very specific issues with the App-V Client. It’s recommended to only request and install this hotfix if you are experiencing any of the following problems:

  • Empty virtual directories may become inaccessible. This behavior causes later file operations on that virtual directory to fail and to generate the following error message: “File Not Found”
  • When you try to run ArcGIS as a virtual application, ArcGIS may stop responding on some systems.
  • When you use Symantec Endpoint Protection, and the Application and Device Control feature is enabled, virtual applications may not start and may generate the following error message: “The application failed to initialize properly (0xc000007b)”
  • When you try to run SmarTerm Essentials as a virtual application, SmarTerm Essentials may not start because it cannot validate its license.

Request the Hotfix here: http://support.microsoft.com/?kbid=959834

 

SFT Encoder

It looks like App-V MVP Kalle Saunamäki has created another cool tool for App-V which is called SFT Encoder.

Now for the first time outside the SoftGrid/App-V Sequencer you can create your own packages!

By using SFT Encoder Express Edition you can create a simple App-V package by encoding a directory structure of your choice into a fully functioning SFT file. SFT Encoder Express Edition generates the associated OSD and SPRJ files for one executable out of the package, which you can then distribute from the Management Server to App-V clients.

SFT Encoder Express Edition can be used as a quick and simple way of generating tool-type packages from a pre-existing directory structure for applications that do not need virtual registry entries, etc.

Packages generated by SFT Encoder Express Edition are in SoftGrid 4.1/4.2 format.

It comes in 4 flavors:

  • Express Edition (free) for command-line driven package creation of a simple App-V package including OSD and SPRJ files for one executable out of the package
  • Professional Edition for command-line driven advanced functionality of new package encoding and modification of existing packages
  • Enterprise Edition for advanced command-line and processing template-driven functionality of new package encoding and modification of existing packages
  • Server Edition for all the same functionality as in Enterprise Edition but for server-based and automated processing

More info at http://www.virtualapp.net/sft-encoder.html

Source: http://blogs.technet.com/virtualworld/archive/2009/01/19/sft-encoder-express-edition-the-simple-app-v-package-encoder.aspx

MED-V public beta available

Finally a public beta of MED-V is available. This product will be available through MDOP like App-V. With MED-V you are able to centrally build and manage Virtual Machines which then can be streamed to Desktops running Virtual PC and the MED-V client. There is also a set of policies which you can set on the Virtual Machines, called WorkSpaces within MED-V, like expiration dates and what type of interaction is allowed between the WorkSpace and physical client.

Go to https://connect.microsoft.com/site/sitehome.aspx?SiteID=665, register and download the software.

MVP for another year!

I received the great news last week that I have been re-elected as a Microsoft Valuable Professional (MVP) for App-V/SoftGrid. I am pretty excited about this and hope my efforts are appreciated within the App-V community.

I also want to point out that my enthusiasm and drive are largely influenced by the great people I work with at Login Consultants, like, amongst others, Jan van der Elst, Ment van der Plas, Falko Graefe and Jan Willem Roks when it relates to App-V.