Using the “Security Descriptors” within the App-V 4.5 Sequencer.

Using Security Descriptors
When using the new App-V 4.5 sequencer, Security Descriptors are switched on by default.

But what is this security Descriptors function in the first place? How does it work? And is it of any use at all? In this article I will answer those questions.

What are Security Descriptors?
One of the big Advantages of SoftGrid always was that users could work with their applications like if they had Full Control rights. This was a huge advantage especially in Terminal Server environments where administrators usually put a lot of effort in getting applications to work on one hand and securing the Terminal Server environment on the other hand.

By enabling Security Descriptors during sequencing an application (switched on by default), permissions on the windows file system are “pulled into the bubble” (not the registry, thanks for the heads-up by Brian Kelly).  The sequencer always captures security descriptors during sequencing, but only with the Enforce Security Descriptors setting checked, the client enforces them on the file system drive at runtime.

So if a users group on the Sequencer had read rights on the D:\APP-X folder, these rights are stored in the Virtual Environment. Once streamed and run on the client, the user cannot edit in this particularly folder. In this manner you can set permissions on parts of the Virtual Environment and secure parts of being modified by a user.

How does it Work?
Like I mentioned before the enforcement of Security Descriptors is switched on by default. You can find the check box on the new Deployment tab of the Sequencer’s SFT-editor:

sec1

So if the check box is switched on the permissions are stored inside the virtual environment.

What’s the use?
Good question! Like I mentioned above, one of the biggest advantages of SoftGrid always was that users had sort of Full Control rights within their virtual environment. The advantage especially for Terminal server environments was huge.

I don’t see the advantage of switching the “Enforce Security Descriptors” setting on by default. I can imagine this option can be useful with some applications which need to have certain restricted permissions on parts of the virtual file system. For instance, some (badly written) applications need to have restrictions on parts of the virtual file system to ensure that settings don’t get corrupted or that .PKG files don’t grow excessively.

Because this situation only applies to some applications it is my opinion that the Security Descriptors should not be switched on for every application but just for the applications where you’re facing a problem that can be solved by using Security Descriptor Enforcement.

How to switch the enforcement off by default?
This is not too difficult. The first step is to create a default.sprj (if you do not already have one):  Launch the Sequencer, go to the tools menu and select options. On the options screen go to exclusion items and click on “Save As Default”.

sec2.jpg

I know this is a weird place for saving default settings. Don’t bother and just browse to the program directory of the Sequencer (by default  C:\Program Files\Microsoft Application Virtualization Sequencer) and open the default.sprj file. This is an XML file. Besides a lot of other settings, you can also set the Security Descriptors option in this file. Just set the value of the “UseSecurityDescriptors” option to “No” and you’re done.  

sec3.jpg