AppSense Application Manager Administration Guide

Date post: 02-Apr-2015

Application Manager

Administration Guide


APPSENSE APPLICATION MANAGER ADMINISTRATION GUIDE ii

Notice

The information contained in this document ("the Material") is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. AppSense Limited, its associated companies and the publisher accept no liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.

Copyright in the whole and every part of this manual belongs to AppSense Limited ("the Owner") and may not be used, sold, transferred, copied or reproduced in whole or in part in any manner or form or in or on any media to any person other than in accordance with the terms of the Owner's Agreement or otherwise without the prior written consent of the Owner.

Trademarks

AppSense and the AppSense logo are registered trademarks of AppSense Holdings Ltd. Microsoft, Windows and SQL Server are trademarks or registered trademarks of Microsoft Corporation. Fluent is a trademark of Microsoft Corporation and the Fluent user interface is licensed from Microsoft Corporation. Other brand or product names are trademarks or registered trademarks of their respective holders.

Contents

Welcome viii

About this Document viii

Terms and Conventions viii

Feedback ix

Chapter 1 About Application Manager 1

Product Overview 1

Architecture 2

Components 2

Software Agent 3

Configuration 3

The Console 4

Key Benefits 7

Feature Summary 8



Chapter 2 Manage Configurations 10

Default Settings 10

Configuration 11

Configuration Elements 11

Rule Matching 12

Configuration Properties 15

Message Settings 15

Archiving 17

Save a Configuration 19

Import a Configuration 19

Export a Configuration 19

Tasks 20

Chapter 3 General Features 22

Trusted Owners 22

Trusted Applications 24

Extension Filtering 26

Options 26

Tasks 27

Chapter 4 Rules 29

Manage Rules 29

Group Rules 30

User Rules 30

Device Rules 30

Custom Rules 31

Scripted Rules 32

Security Level 35

Tasks 36


Chapter 5 Rule Items 40

Accessible Items 40

Prohibited Items 42

Trusted Vendors 43

Tasks 44

Chapter 6 Signature Group Management 46

Manage 46

Items 47

Tasks 48

Chapter 7 Application Network Access Control 51

About Application Network Access Control 51

Network Connection Items 52

Network Connection Group Management 52

Groups 53

Group Items 53

Tasks 55

Chapter 8 Endpoint Analysis 57

About Endpoint Analysis 57

Endpoint Management 59

Installed Applications 59

Application Usage Scans 59

Application Data 60

Data Files 61

Tasks 61

Chapter 9 Rules Analyzer 63

About Rules Analyzer 63

Endpoint Management 66

Data Acquisition 66

Data Files 66

Tasks 66


Chapter 10 Auditing 68

Audit 68

Local Events 70

Chapter 11 Configuration Profiler 73

Report Type 73

Report Criteria 73

Report Output 74

Chapter 12 Best Practices 75

Use NTFS Security 76

Install Applications with an Administrative Account 76

Take Ownership of Applications Requested by Users 76

Selectively Disable Trusted Ownership 76

Use Signature Checking Selectively 76

Prohibit Access to System Applications 77

Use Folders to Simplify Configurations 77

Use Group Accounts in preference to User Accounts 77

Use Environment Variables for Generic Configurations 78

Audit Unauthorized Activity 78

Use Scripted Rules to Allow Items 78

Use Scripts to Query Information 78

Use Validated Scripts Only 78

Working With Streamed Applications 79

Avoid Whitelisting Websites 79

Control company network infrastructure 79

Configuring reverse DNS lookup entries 79

Add IP Addresses to prohibit network connection 79

When to run Installed Applications scan 79

Period to run Usage Scan 79

Order to run scans 79

Appendixes

Appendix A System Requirements 81


Appendix B Working with Scripted Rules 82

About Scripted Rules 82

Writing a Script 82

Sample Scripts 83

Best Practices 84

Appendix C Application Network Access Control and Reverse DNS Lookup 86

Appendix D Licensing 87

About License Manager 88

Managing Licenses 89

Troubleshooting 90

Appendix E Streamed Applications 91

Citrix XenApp 91

Glossary 93


Welcome

This section includes the following:

About this Document

Terms and Conventions

Feedback

About this Document

This document shows how to install, set up and use the components of AppSense Application Manager. Application Manager provides protective measures such as blocking the execution of all unauthorized software and supplies you with extensive options for creating rules to manage production application usage.

Terms and Conventions

Table 3.1 on page viii shows the textual and formatting conventions used in this document:

Document Information

Document Version APAM80-04-280509-3

Publication number 3

Table 3.1 Document Conventions

Convention           Use

Bold                 Highlights items you can select in Windows and the product interface, including nodes, menu items, dialog boxes and features.

Code                 Used for scripting samples and code strings.

Italic               Highlights values you can enter in console text boxes and titles for other guides and Helps in the documentation set.

>                    Indicates the path of a menu option. For example, "Select File > Open" means "click the File menu, and then click Open."

Note                 Highlights important points of the main text or provides supplementary information.

Tip                  Offers additional techniques and help for users, to demonstrate the advantages and capabilities of the product.

Caution/Warning      Provides critical information relating to specific tasks or indicates important considerations or risks.

Further Information  Provides links to further information which include more detail about the topic, either in the current document or related sources.

Feedback

The AppSense Documentation team aim to provide clear, accurate and high quality documentation to assist you in the installation, configuration and ongoing operation of AppSense products.

We are constantly striving to improve the documentation content and greatly value and appreciate any contribution you wish to make to enhance the detail of the content, based on your experiences with AppSense products.

Please feel welcome to send in your comments to the following email address and we will endeavor to incorporate these into future publications:

[email protected]

Thanks in advance,

The AppSense Documentation team

1 About Application Manager

This section provides the following:

Product Overview

Architecture

The Console

Key Benefits

Feature Summary

Product Overview

This document shows how to set up and use the components of AppSense Application Manager. Application Manager provides centralized management of corporate application control, eliminating unauthorized application usage and controlling application network access enterprise wide. Protective measures such as blocking the execution of all unauthorized software are provided, together with extensive options for creating rules to manage production application usage.

Application Manager is part of a closely integrated system of management components and can be centrally configured and deployed to desktops, servers and Terminal Servers throughout the enterprise using the AppSense Management Center.

For further information see the AppSense Management Center Administration Guide.

Architecture

This section provides details on the architecture of Application Manager and includes the following:

Components

Software Agent

Configuration

Figure 1.1 Application Manager Architecture

Components

Client Computer

Application Manager Console

Application Manager Agent

License


Software Agent

Application Manager is installed and run on endpoints using a lightweight Agent. In Standalone mode the Agent is installed directly onto the local computer. In Enterprise mode, the Agent is stored in the AppSense Management Console.

Agents are constructed as Windows Installer MSI packages which allows them to be distributed using any third-party deployment system which supports the MSI format.

Since the Agents are installed and stored locally they continue to operate when endpoints such as notebooks and Tablet PCs are disconnected or offline.

Configuration

Application Manager Configuration files contain the rule settings for securing your system. The Agent checks the configuration rules to determine the action to take when intercepting file execution requests.

Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the registry from the Application Manager Console. In centralized management mode, configurations are stored in the AppSense Management Center database, and distributed in MSI format using the AppSense Management Console.

Configurations can also be exported and imported to and from MSI file format using the Application Manager Console which is useful for creating templates or distributing configurations using third party deployment systems.

After creating or modifying a configuration you must save the configuration with the latest settings to ensure that they are implemented.

For further information about deploying AppSense software, refer to the AppSense Management Center Administration Guide.

The Console

The Application Manager Console launches when the link is selected in the Start > All Programs > AppSense menu.

Figure 1.2 Application Manager Console


Application Menu

The Application Menu provides options for managing configurations including create new, open existing, save, import and export configurations and Print.

The Preferences option allows you to modify the console skin and select whether to display the introductory splash screen.

APPLICATION MENU OPTIONS

Option  Description

New  Creates a new default configuration which is locked for editing.

Open  Opens an existing configuration from one of the following locations:
  Live configuration on this computer
  Configuration from the Management Center
  Configuration file on a local or network drive: Application Manager Package Files format (aamp).

Note  A live configuration is located on a computer which has an Application Manager Agent installed and running.

Save  Saves the configuration in one of the following states:
  Save and continue editing - save the configuration and keep it locked and open for editing; you will not be able to deploy the configuration while it is locked.
  Save and unlock - save the configuration and unlock it ready for deployment. The current configuration closes and a new default configuration opens.
  Unlock without saving - unlock the configuration without saving changes. The current configuration closes and a new default configuration opens.

Save As  Saves the configuration with a new name to one of the following locations:
  Live configuration on this computer
  Configuration in the Management Center
  Configuration file on a local or network drive: Application Manager Package Files format (aamp).

Note  A live configuration is located on a computer which has an Application Manager Agent installed and running.

Warning  If using the Microsoft Vista operating system with UAC enabled you must ensure that you open the console with Administrator privileges.

Import & Export  Imports a configuration from MSI format, usually legacy configurations which have been exported and saved from legacy consoles. Exports a configuration to MSI format.

Exit  Closes the Console. You are prompted to save any changes you have made to the current configuration.

Preferences  Launches the Console Preferences dialog box which includes:
  Skin – Modify the console skin color scheme
  Open last configuration by default – Deselected by default.
  Show splash screen on startup


Quick Access Toolbar

The Quick Access Toolbar provides quick functionality for managing the configuration setup, such as Save, Save and Unlock, Undo, Redo, and navigation to previously and next displayed views.

QUICK ACCESS TOOLBAR OPTIONS

Option  Description

Save  Saves changes to the configuration. The configuration will remain locked if opened from the AppSense Management Center.

Save and unlock  Saves changes and unlocks the configuration. These changes can now be deployed from the Management Center.

Undo  Clears the action history. Up to 20 previous actions are listed. Select the point at which you want to clear the actions. The action selected and all following actions are undone.

Redo  Re-applies the cleared action history. Up to 20 cleared actions are listed. Select the point at which you want to redo the actions. The action selected and all subsequent actions are redone.

Back  Navigates back through the views visited in this session.

Forward  Navigates forward through the views visited in this session.

Ribbon Pages

Ribbon Pages include buttons for performing common actions arranged in ribbon groups according to the area of the Console to which the actions relate. For example, the Home ribbon page includes all common tasks, such as Cut, Paste and Copy, Help, AppSense website and Support links.

Split ribbon buttons contain multiple options and are indicated by an arrow just below the button. Click the arrow to display and select the list of options, or simply click the button for the default action.

Help

The Home ribbon page includes a Help button which launches the Help for the product and displays the topic relating to the current area of the console in view. A smaller icon for launching the Help displays at the far right of the console, level with the ribbon page tabs, for convenience when the Home ribbon page is not in view. You can also press F1 to launch the Help topic for the current view.


Navigation Pane

The Navigation Pane consists of the navigation tree and navigation buttons. The navigation tree is the area for managing nodes of the configuration. The navigation buttons allow you to view the different areas of the console.

Work Area

The Work Area provides the main area for managing the settings of the configuration and product. The contents of the work area vary according to the selected nodes in the navigation tree and the selected navigation buttons. Sometimes the work area is split into two panes. For example, one pane can provide a summary of the settings in the other pane.

Additional Console Features

Shortcut Menu — right-click shortcuts are available in the navigation tree and some areas of the Console.

Drag and Drop — this feature is available in some nodes of the navigation tree.

Cut/Copy/Paste — these actions can be performed using the buttons in the Home ribbon page, shortcut menu options and also using keyboard shortcuts.

Recommended minimum screen resolution for the console is 1024 x 768 pixels.

Key Benefits

This section lists the key benefits of using AppSense Application Manager:

Protects against malicious code.

Controls role based application usage.

Protects out of the box against all unauthorized application usage.

Stops unauthorized device license usage.

Applies time restrictions on when applications can or cannot be run.

Controls network access from within applications.

Controls network access based on location.

Feature Summary

Application Manager provides the following key features for application control:

Trusted Ownership

By default, only application files owned by an Administrator or the local System are allowed to execute. Trusted Ownership is determined by reading the NTFS permissions of each file which attempts to run. Application Manager automatically blocks any file where ownership cannot be established, such as files located on non-NTFS drives, removable storage devices, or network locations. These files can optionally be allowed to run either by specifying them as Accessible Items or by configuring a Self-Authorizing User rule. The Trusted Owner list can be configured to suit each environment.

User, Group, Device and Custom Rules

Extend application accessibility by applying rules based on username, group membership, computer or connecting device, and combinations of these. Accessible and Prohibited Items, and Trusted Vendors can be specified in each rule, and are applied to a user session based on the environment in which the user operates.

Scripted Rules

Scripted Rules allow administrators to apply Accessible Items, Prohibited Items and Trusted Vendors to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.

Trusted Vendors

Allow authentic applications to run which have digital certificates signed by trusted sources, and which are otherwise prohibited by Trusted Ownership checking. Define a list of Trusted Vendor certificates for each User, Group, Device, Custom and Scripted Rule of the configuration.

Trusted Applications

Allow authorized applications to run files which are normally prohibited. Authorized applications are designated as Trusted Applications (parent processes) which are assigned specific prohibited files as Trusted Content (child processes). Trusted Content is allowed to run only as the child process of a Trusted Application parent process.

Add certain files and file types as Trusted Content. Extend this trust to folders and drives to allow files in these locations to run as Trusted Content of the Trusted Applications.

Application Network Access Control

Block access to certain web applications and normal applications based on the outcome of rules processing. Application Manager has the ability to manage access based on the location of the requester, for example if they are connecting via VPN or directly to the network.

Digital Signatures

SHA-1 signature checks may be applied to any number of application control rules, providing enhanced security where NTFS permissions are weak or non-existent, or for applications on non-NTFS formatted drives. A digital signature wizard allows easy creation and maintenance of large digital signature lists.


Endpoint Analysis

Allows an Administrator to browse to any endpoint and retrieve a list of applications that have been installed on that endpoint. Search for any executable files and add them to the configuration.

Application Manager records which applications are started and by whom. The recording of data is started and stopped by the administrator.

Endpoint Analysis is on demand and inactive by default.

Auditing

Events are raised by Application Manager according to the default Event Filtering configuration and audited directly to a local file log or the Windows Event Log. Alternatively, events can be forwarded for auditing to the AppSense Management Center via the Client Communications Agent (CCA). The Application Manager audit event reports available in the Management Center can also be used to provide details of current application usage across the enterprise. For more information, see the AppSense Management Center Administrator Guide and Help.

Windows Scripting Host Validation

All Windows Scripting Host (WSH) scripts, such as VBS, are validated against configuration rules. This ensures that users can only invoke authorized scripts, eliminating the risk of introducing WSH scripts that contain viruses or malicious code.

2 Manage Configurations

This section provides details on Application Manager Configurations and includes the following:

Default Settings

Configuration

Configuration Properties

Save a Configuration

Import a Configuration

Export a Configuration

Tasks

Default Settings

On installation Application Manager has a configuration loaded with the following default settings:

Group Rules

BUILTIN\Administrators - Unrestricted

Everyone - Restricted

Trusted Owners Group

Administrators Group

System Account

Trusted Installer

Computer Administrator

Default Restrictions

Make local drives accessible by default

Ignore restrictions during logon

Allow cmd.exe for batch files

Extract self-extracting ZIP files

Validate MSI packages


Validate Windows Script Host (WSH) scripts

Validate Registry files

Trusted Applications

msiexec.exe can run any .exe or .dll

Configuration

The Application Manager configuration is installed on managed devices and serves as a policy checklist for the Application Manager Agent to assess how to handle file execution requests. When a file is executed, Application Manager intercepts the request and performs a check with the configuration to find a matching rule that indicates the appropriate action to take.

Other default policies specified in a configuration are also applied, for example, event filtering or handling for specific file extension types as well as general policies such as default rules, auditing rules and how message notifications are displayed.

This section includes:

Configuration Elements

Rule Matching

Configuration Elements

The Application Manager console provides configuration settings in the following key areas:

Rules

Library

Rules

Rule nodes provide default settings for handling file executions and specific settings which apply to particular users, groups or devices:

Group, User, Device, Custom and Scripted Rules

Allow you to specify Security Level settings that specify restrictions which apply to users, groups or devices matching the rule. Custom rules target combinations of particular users or groups operating on specific collections of devices. Scripted rules allow administrators to apply Accessible Items and Prohibited Items to users based on the outcome of a VBScript. The VBScript can be run for each individual user session or run once per computer.

Accessible / Prohibited Items — Sub-node lists within each rule which you can populate and maintain with specific files, folders, drives and digital signatures to provide an additional level of granularity for controlling file execution requests.

For example, items which Trusted Ownership checking normally prohibits can be made accessible for the users or devices targeted in the rule. Likewise, files which would normally be accessible can be prohibited.

Trusted Vendors — A sub-node list in each rule which you can populate with digital certificates issued by trusted sources. Files which fail Trusted Ownership checking are checked for the presence of digital certificates and allowed to run when a match is made with the Trusted Vendors list.


For example, a highly restricted user might be prohibited under normal rule conditions from introducing executable files on the system but may be required to download and run software updates from a particular source, from time to time. If the downloaded file includes a digital certificate which matches a certificate in the Trusted Vendors list, the file is allowed to run.

Library

Library nodes provide the following:

Signature Group Management

The Signature Group Management node allows you to apply digital signatures to files or collections of files including the running child processes spawned by applications. Signature group collections can be added to the accessible and prohibited items lists in a rule.

Network Connection Group Management

The Network Connection Group Management node allows you to create groups in the Network Connection Group List and add network connections for the groups. The network connections can be anything from network shares to corporate web applications.

Rule Matching

Rule matching takes place when Application Manager intercepts a file execution request and checks the configuration policy to determine whether a file is allowed to run.

Applying Rule Policies

The most lenient security policy is applied to a user profile which is affected by more than one rule. For example, a user who matches both a User Rule assigned the Restricted security level and also a group rule which assigns the Self-Authorizing security level, is granted self-authorizing privileges for all decisions and application use.

Matching Files and Rules

The Application Manager agent applies rules by making a suitable match for the file type.


Figure 2.1 Rule Matching Priorities

Matching is based on a three stage approach which considers security, matching order and policy decisions:

1. Security:

Is the user restricted?

Is ownership of the executable item trusted?

Where is the executable located?

2. Matching:

Does the executable match a signature?

Does the executable match an Accessible or Prohibited item?

3. Policy:

Is Trusted Ownership checking enabled?

Is there a timed exception?

Is there an Application Limit?


Trusted Ownership Checking

During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that ownership of the items is matched with the list of trusted owners specified in the default rule configuration.

For example, if a match is made between the file you wish to run and an accessible item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with or a file which is a security threat has been renamed to resemble an accessible file, trusted ownership checking identifies the irregularity and prevents the file execution.

Trusted ownership checking is not necessary for items with digital signatures as these cannot be imitated.

Checking Trusted Applications

Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership checking. Application Manager checks the process tree of the prohibited file for a running parent application which is an authorized application and matches a Trusted Application. If a match is found, the file is allowed to run.

Trusted Vendors

Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.

Application Manager queries each file execution to detect the presence of a Digital Certificate. If the file has a valid digital certificate and the signer matches an entry in the Trusted Vendor list, the file is allowed to run, and overrides any Trusted Ownership check.
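The matching sequence described in this section (most lenient rule wins, Trusted Ownership, Accessible and Prohibited Items, Trusted Applications, Trusted Vendors), as an added Python model that is not AppSense code: it loads the Default Settings from Chapter 2 and evaluates constructed execution requests. The account names, file paths, hash values and the "Contoso Ltd" signer are constructed, and the timed exception and application limit checks are left out.

```python
"""Simulator of the rule-matching order described above (constructed example, not AppSense code)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    RESTRICTED = 0
    SELF_AUTHORIZING = 1
    UNRESTRICTED = 2


@dataclass(frozen=True)
class Rule:
    name: str
    members: frozenset                    # users or groups the rule targets
    level: Level
    accessible: frozenset = frozenset()   # paths or "sha1:<hex>" digital signature items
    prohibited: frozenset = frozenset()
    trusted_vendors: frozenset = frozenset()


@dataclass
class Config:
    rules: tuple
    trusted_owners: frozenset
    trusted_apps: dict                    # Trusted Application exe -> Trusted Content (paths or extensions)
    trusted_ownership: bool = True        # "Is Trusted Ownership checking enabled?"
    local_drives_accessible: bool = True  # default setting "Make local drives accessible by default"


@dataclass(frozen=True)
class Request:
    path: str
    owner: str                            # NTFS owner read from the file's security descriptor
    user: str
    groups: frozenset
    sha1: str = ""                        # file hash, matched against digital signature items
    signer: str = ""                      # signer of a valid digital certificate, if any
    parents: tuple = ()                   # running parent processes, nearest first


# The guide's defaults: Administrators unrestricted, Everyone restricted, default Trusted Owners, msiexec.exe trusted
DEFAULT_CONFIG = Config(
    rules=(
        Rule("Administrators", frozenset({"BUILTIN\\Administrators"}), Level.UNRESTRICTED),
        Rule("Everyone", frozenset({"Everyone"}), Level.RESTRICTED),
    ),
    trusted_owners=frozenset({"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM",
                              "NT SERVICE\\TrustedInstaller"}),
    trusted_apps={"msiexec.exe": frozenset({".exe", ".dll"})},
)


def _in(value, items):
    # Windows paths and account names are not case-sensitive
    return value.lower() in {i.lower() for i in items}


def match(cfg, req):
    """Rules the user or their groups match, and the most lenient of their security levels."""
    ids = {req.user} | set(req.groups)
    rules = [r for r in cfg.rules if r.members & ids]
    return rules, max((r.level for r in rules), default=Level.RESTRICTED)


def trusted_parent(cfg, req):
    """Trusted Application check: a running parent whose Trusted Content covers this file."""
    name = req.path.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    for parent in req.parents:
        content = cfg.trusted_apps.get(parent.lower(), frozenset())
        if _in(req.path, content) or (ext and _in(ext, content)):
            return parent
    return None


def evaluate(cfg, req):
    """Return (decision, reason); decision is "allow", "deny" or "prompt"."""
    rules, level = match(cfg, req)
    if level == Level.UNRESTRICTED:
        return "allow", "unrestricted security level"
    explicit = any(_in(req.path, r.prohibited) for r in rules)
    if not explicit:
        if req.sha1 and any(_in(f"sha1:{req.sha1}", r.accessible) for r in rules):
            return "allow", "digital signature item (no ownership check needed)"
        accessible = (any(_in(req.path, r.accessible) for r in rules)
                      or (cfg.local_drives_accessible and req.path[1:3] == ":\\"))
        if accessible and (not cfg.trusted_ownership or _in(req.owner, cfg.trusted_owners)):
            return "allow", "accessible item with trusted owner"
    reason = "Prohibited Item" if explicit else ("owner not trusted" if accessible else "not an Accessible Item")
    # Prohibited now; a Trusted Application parent, or (for ownership failures only) a Trusted Vendor, may still allow it
    parent = trusted_parent(cfg, req)
    if parent:
        return "allow", f"Trusted Content of {parent}"
    if not explicit and req.signer and any(_in(req.signer, r.trusted_vendors) for r in rules):
        return "allow", "signed by a Trusted Vendor"
    if level == Level.SELF_AUTHORIZING:
        return "prompt", f"{reason}; self-authorizing user decides"
    return "deny", reason
```

Running evaluate(DEFAULT_CONFIG, ...) against a user-owned download on a local drive shows why the default configuration blocks it (owner not trusted) while the same file launched as a child of msiexec.exe is allowed as Trusted Content.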


Configuration Properties

This section details the Configuration Properties and includes the following:

Message Settings

Archiving

Message Settings

Use the Message Settings options in General Features ribbon page > Configuration Properties ribbon group to configure settings for messages issued to users. You can set up messages for situations where access is denied, application limits have been exceeded and for self authorization. Time limits for application behaviour can be specified with warning and denied messages.

Message Box Variables

The message box caption and text may contain user and system-wide environment variables, and include the following environment variables shown in Table 2.1. Environment variables are not expanded during testing.


Access Denied

Displays when the user is denied access to an unauthorized application.

Message

%USERNAME% is not authorized to execute %Executablename%.

Application Limits Exceeded

Displays when the user is denied access to an application that has reached an application limit.

Message

%USERNAME% has exceeded the application limit for %ExecutableName%.

Table 2.1 End User Messages Environment Variables

Environment Variable  Description

%ExecutableName%      Expands to the name of the prohibited application.

%FullPathName%        Expands to the full path of the prohibited application.

%DirectoryName%       Expands to the directory where the prohibited application is located.


Time Limits

The Warning Message displays when the user is denied access to an application that has a Timed Exception applied that is not valid at the requested time.

The Denied Message displays when an application has a Timed Exception applied that has now expired and the application is still running.

Display an initial warning message

Select to display an initial warning message to the user when an application has exceeded time limits. Typically, this gives the user time to save their work and close the application.

Close application

Select to send a close message to the application. When most applications receive a close message they automatically give the user a chance to save their work.

Terminate application

Select to terminate the application. Typically this is used after the application has been sent a close message but has failed to terminate.

Wait

Specify the number of seconds to wait between each of the selected termination options. For example, if the user selects all three of the termination options and then selects 20 seconds, the warning message will be displayed, followed 20 seconds later by the close message and finally the application terminates after a further 20 seconds.

Warning Message

Displays when the user is denied access to an application that has a Timed Exception applied and that is not valid at the requested time.

Message

%USERNAME% is no longer permitted to run %ExecutableName%. Please save all work and shut down this application immediately

Denied Message

An application has a Time Limit applied that has now expired and the application is still running.

Message

%USERNAME% is not permitted to run %ExecutableName% at this time.

Self-Authorization

The Message displays when a self-authorizing user attempts to run a prohibited application and the file requires a user decision to run.

The Response displays when a self-authorizing user allows a DLL file that another application uses and the application may need to be restarted.


Message

%ExecutableName% cannot run without your authorization. This action may be logged.

Response

%ExecutableName% is now authorized. Applications using this file may need to be restarted.

Archiving

Archiving is an optional function that allows you to copy any denied executables into a secure folder.

Reference

Use archiving

Select to switch on the archiving function.

Global Properties

Do not archive administrator owned files

Select to prevent Application Manager from adding administrator owned files to the archive.

Do not archive if the file already exists

Select to prevent Application Manager from adding files to the archive which already exist in the archive, especially if the archive resides on the network.

Use anonymous archiving

Select to prevent Application Manager from adding any user names to the archive. For example, if a user runs a downloaded file from the $Home drive, the owner of the file is that user and also the archived filename contains the user’s name as part of the path from which it was executed. If Anonymous archiving is selected, the owner of the file is changed to SYSTEM and any references to the user name are replaced with anonymous.

Total Limit

The maximum size in MB that the archive is allowed to reach before archiving stops. If the option When a user's archive is full allow the oldest files to be overwritten is selected, the oldest files are overwritten instead.

Click the Test button to preview the message box.

A limit setting of zero (0) is interpreted as no limit.


User Limit

The maximum size in MB that a single user archive is allowed to reach before files are overwritten. For example, if an archive path is specified as C:\archive\%username%, every user on the system has a separate archive under the C:\archive directory. It is this user archive that is subject to the user limit. The User Limit should not exceed the Total Limit.

File Options

Only archive files less than _Mb

Limits the size of the files that are copied to the archive. This is particularly useful if a network archive is specified since copying large files to a network location is a potentially time consuming operation.

When a user’s archive is full allow the oldest files to be overwritten

Select to allow Application Manager to overwrite the oldest files in the archive in cases where the archive size has reached either the Total limit or the User limit.

Folders

Archive Folder

The list of folder paths to which archive files are copied.

Archiving attempts to write to the first listed folder. If that fails, an attempt is made to archive to the next folder in the list, if there is one. This process continues until the folder list is exhausted or the archive action succeeds.

Browse

Browse to the location where you want the archive to exist.

Add

Add an archive location to the list. The archive may contain environment variables. For example, %SYSTEMDRIVE%\Archive\%USERNAME% is expanded when Application Manager attempts to archive the file. Each user has a personal archive.

Move Up

Moves the selected archive up the list of available archives. The order of the archive list is important as Application Manager attempts to copy the file to the first archive in the list. If this copy fails, Application Manager continues to make attempts to copy the file to the next archive location until it is successful.

A limit setting of zero (0) is interpreted as no limit.


Move Down

Moves the selected archive down the list of available archives. The order of the archive list is important as Application Manager attempts to copy the file to the first archive in the list. If this copy fails, Application Manager continues to make attempts to copy the file to the next archive location until it is successful.

Save a Configuration

When changes are made to a configuration you have the following options:

Save - to save and continue editing.

Save and Unlock this configuration – the configuration is saved and unlocked and can now be edited by other users.

Unlock only, do not save – reverts the configuration to the original state and unlocks the configuration for editing by other users.

Save As

Live configuration on this computer

To replace/update the configuration on the local computer with the currently open configuration.

Configuration in Management Center

To save the configuration in the package store on the selected Management Server.

Configuration file on local or network drive

To Save the configuration to a file on a local or network drive.

Import a Configuration

Configurations can be imported in to Application Manager.

1. Click the Application Menu button.

2. Click Import & Export. The Import & Export Options display.

3. Click Import Configuration from MSI. The Open dialog box displays.

4. Navigate to the location of the MSI, select it and click Open.

Export a Configuration

Configurations can be exported from Application Manager.

1. Click the Application Menu button.

2. Click Import & Export. The Import & Export Options display.

3. Click Export Configuration as MSI. The Save As dialog box displays.

4. Navigate to the location to where you want to save the MSI, click Save.


Tasks

This section includes the following tasks:

CREATE A CONFIGURATION

1. Launch the Application Manager console from the Start menu.

2. Click the Application Menu button.

3. Click New.

A new configuration displays and automatically provides the following protection by default:

Applications not stored on local hard drives are prohibited. For example, applications on network drives and removable media are prohibited.

Applications that are not owned by the administrator are prohibited. For example, any applications copied onto the computer's hard drives by a non-administrator are prohibited.

All administrators can run any applications.

TEST A CONFIGURATION

1. Log on as the Administrator.

2. Start AppSense Application Manager.

3. In the navigation tree, navigate to Rules > User.

4. Click the Add Rule ribbon button in the Rules ribbon page > Manage group and select User Rule.

The Add User Rule dialog box displays.

5. Click Browse.

The Active Directory Select Users dialog box displays.

6. Click Advanced.

7. Click Find Now. The Search results display in the bottom part of the dialog box.

8. Scroll down to locate the test user, select and click OK.

The Select Users dialog box re-displays with the test user displayed in the object name.

You must save a new configuration before the default settings are implemented.

You must have a test user set up before proceeding with this task.


9. Click OK.

The User rule work area displays the newly created test user.

10. Log off as the Administrator.

11. Log on as the test user to see Application Manager working.

The test account should not be one of the Trusted Owners in the configuration.


3 General Features

This section provides details on the general features of Application Manager and includes the following:

Trusted Owners

Trusted Applications

Extension Filtering

Options

Tasks

Trusted Owners

During the rule matching process, Trusted Ownership checking is performed on files, folders and drives to ensure that ownership of the items is matched with the list of trusted owners specified in the default rule configuration.

For example, if a match is made between the file you want to run and an accessible item, an additional security check ensures that the file ownership is also matched with the Trusted Owners list. If a genuine file has been tampered with or a file which is a security threat has been renamed to resemble an accessible file, trusted ownership checking identifies the irregularity and prevents the file execution.

Trusted ownership checking is not necessary for items with digital signatures as these cannot be imitated.

The list of Trusted Owners is maintained in the General Features ribbon page > Default Restrictions group > Trusted Owners. Application Manager trusts all local administrators and SYSTEM owned applications by default and you can extend this list to include other users or groups. You can also designate certain Trusted Applications, such as antivirus applications, to be permitted to execute files which would otherwise be prohibited from running.

When using Application Manager for the first time, we recommend you use the default settings. To avoid complex customizations do not extend the Trusted Owners list or change any default settings.


FILE OVERWRITE AND RENAME

When the option Change a file's ownership when it is overwritten or renamed is selected, Application Manager selectively changes the NTFS file ownership of executable files when they are overwritten or renamed.

Attempts by a user who is not a Trusted Owner to overwrite a file which is accessible due to Trusted Ownership or an Accessible Item rule, could constitute a security threat if the file contents have changed. Application Manager changes the ownership of an overwritten file to the user performing the action, making the file untrusted and ensuring that the system is secure.

Likewise, attempts to rename a prohibited file to the name of an accessible item could also constitute a security threat. Application Manager also changes the ownership of these files to the user who performs the rename action and ensures the file remains untrusted.

Overwrite and rename actions are both audited.

WHITE LISTS

If you prefer to use a white list approach where nothing is allowed to run by default, clear the Make local drives accessible by default check box in the General Features ribbon page > Default Restrictions group > Options. To make items accessible add them to the Accessible Items folder of a configuration node.

TRUSTED OWNERSHIP CHECKING

To ignore Trusted Ownership for individual files do one of the following:

Clear the Trust. Ownership check box in the Accessible Items sub-nodes.

Assign self-authorization status to users and devices to allow the user to decide whether or not to allow a file to run.

Set the Self-Authorizing security level for a rule in the Group Rules, User Rules, Device Rules and Custom Rules nodes.

Trusted Applications override restrictions resulting from matches with Prohibited Items.

Trusted Vendors override restrictions resulting from Trusted Ownership checking.

Reference

Configure Trusted Ownership settings.

Properties

Enable Trusted Ownership checking

Select to switch on Trusted Ownership checking. Selected by default.

If you use a White List approach, ensure that you allow important system files to run, by adding a Group Rule for the Everyone group in which all of the relevant files or folders have been added to Accessible Items. Otherwise, many crucial executable files and DLLs such as those which are stored in the system32 directory can be prevented from running and adversely affect correct system functioning.


Change the ownership of a file when it is overwritten or renamed

Select to change the ownership of any trusted accessible file which is overwritten by an untrusted user, who is not in the Trusted Owners List.

Trusted Owners

Textual SID

The Textual Security Identifier of the Trusted Owner. For example, S-1-5-32-544.

Add Trusted Owner

Launches the Add Trusted Owners dialog box. Enter or Browse to select an Account to add to the Trusted Owner list.

Trusted Applications

Trusted Applications are files which are authorized by Application Manager configuration rules and are permitted to execute specified files which are normally prohibited.

Once an application is designated as a Trusted Application, you can add, as Trusted Content, those files and file types which are normally prohibited, and run them as child processes of the specified Trusted Applications. You can also add folders and drives as Trusted Content to allow Trusted Applications to run prohibited files in those locations.

Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership checking. Application Manager checks the process tree of the prohibited file for a running parent application which is an authorized application and matches a Trusted Application. If a match is found, the file is allowed to run.

Reference

Options

Configure Trusted Application settings.

Disable Trusted Applications checking

Select to switch off Trusted Applications checking.

Check all denied requests

Select to perform Trusted Application matching both on files prohibited by Trusted Ownership checking and files prohibited by configuration rules.

When a prohibited file is renamed by an untrusted user, in an attempt to bypass a prohibited item rule, the ownership is changed to the untrusted user. Once the ownership has changed, Trusted Ownership checking then prevents the file from being executed.


Only check requests denied by Trusted Ownership

Select to perform Trusted Application matching only on files prohibited specifically by Trusted Ownership checking.

Configuration > Application

Add File

Launches the File Selection dialog box. Enter or Browse to select the file you want to add.

Includes Replace with environment variables option, which is selected by default. This option replaces the file and filepath entered with the environment variables.

Add Signature

Launches the File Selection dialog box. Enter or Browse to select the file you want to add.

The digital signature of the selected application is added to the list under the Signatures heading.

Configuration > Trusted Content

Add File

Launches the File Selection dialog box. Enter or Browse to select the file you want to add. This file will be allowed to run as a child process of the selected trusted application.

Includes Replace with environment variables option, which is selected by default. This option replaces the file and filepath entered with the environment variables.

Add Folder

Launches the Folder Selection dialog box. Enter or Browse to select the folder you want to add. This allows application files in this folder to be allowed to run as child processes of the selected trusted application.

Includes Recurse subdirectories option, which is selected by default. This option indicates whether the subdirectories of the folder are included.

Includes Replace with environment variables option, which is selected by default. This option replaces the file and filepath entered with the environment variables.

Add Drive

Launches the Add Drive dialog box. Enter a drive letter to allow application files in this location to run as child processes of the selected trusted application.

All child processes of the selected trusted application which are normally prohibited, are trusted when launched by this application.


Extension Filtering

Apply Application Manager rules to specific file extensions.

Reference

Enable extension filtering

Select to switch on extension checking.

Properties

Exclude files with extensions in the list below

Select to ensure that Application Manager rules do not apply to the file types listed in the Extensions list.

Only check files with extensions in the list below

Select to ensure that Application Manager rules apply only to the file types in the Extensions list. All other file types are allowed to execute normally.

Extensions

A list of file extensions to filter. You can Add to and Delete from the list.

Options

The Options in the General Features ribbon tab > Default Restrictions group provide general Application Manager settings to apply to all application and process execution requests.

The Options are divided into two sections:

General Features - all options are selected by default.

Validation - all options are selected by default with the exception of Validate System processes.


Tasks

This section includes the following tasks:

TESTING TRUSTED OWNERSHIP

1. Introduce one or more applications using a test user account. For more details see Test a Configuration.

2. Copy one or more applications to the user’s home drive or another suitable location, such as calc.exe from the System32 folder or copy a file from a CD.

3. Attempt to run a copied file.

The application is prohibited because the copied files are owned by the test user, who is not a member of the Trusted Owners list.

TESTING TRUSTED APPLICATIONS

1. Create a rule in the User Rules node which applies to a test user account.

2. Add calc.exe to Prohibited Items.

3. Save the configuration.

4. Run calc.exe.

Calc is blocked and an error notification is displayed.

5. Add to Accessible Items, a VBS file containing the following script sample which attempts to launch calc.exe:

' Create a WScript.Shell object and launch calc.exe as a child process of wscript.exe
Set objShell = CreateObject("WScript.Shell")
objShell.Run "calc.exe"

6. Add to Trusted Applications, wscript.exe which is the process that hosts VBScripts.

7. Add calc.exe to the Trusted Content for wscript.exe.

8. Save the configuration.

9. Run VBScript file.

calc.exe is allowed to run.

TESTING PROHIBITED MEDIA

1. Attempt to run an application directly from a CD-ROM, DVD-ROM or floppy disk.

The applications are prohibited because you are trying to run an application from removable media.

You can verify the ownership of a file by viewing the Properties using Windows Explorer.

Copying the files to the hard disk does not bypass the security as the files are prohibited by the Trusted Ownership rule.


TESTING NETWORK FILES

1. Attempt to run an application from a network share or mapped drive.

This action is not permitted because the network files are prohibited.

Copying the files to the local hard disk does not bypass the security as the files are prohibited by the Trusted Ownership rule.


4 Rules

This section provides details on Rules in Application Manager and includes the following:

Manage Rules

Security Level

Tasks

Manage Rules

Rule nodes allow you to create rules targeting specific users, groups and devices and assign security level policies, resource access and resource restrictions which apply to the users, groups and devices matching the rules.

Rule nodes provide Security Level settings for specifying the levels of restrictions to execute files.

Rule nodes also provide a further layer of granularity for controlling application use with Accessible Items, Prohibited Items and Trusted Vendors for specifying lists of files, folders, drives and signature groups which are allowed or prevented from running.

To display all Rules in the configuration click on Rules in the navigation tree. A summary displays with all rules listed under the rule type. The security level assigned to each rule is seen and can also be amended.

Select to add a rule to one of the following:

Group - Launches the Add Group Rule dialog box. Enter or Browse to select an Account.

User - Launches the Add User Rule dialog box. Enter or Browse to select an Account.

Device

Custom

Scripted

To remove a rule, select a rule and click Remove Rule. A confirmation message displays, click Yes to confirm the removal.


This section includes the following:

Group Rules

User Rules

Device Rules

Custom Rules

Scripted Rules

Group Rules

The Group rules node allows you to match security control rules with specific user groups within the enterprise.

The Group summary displays the group name, Textual Security Identifier (SID) and Security Level of the rule.

To add a group rule click Add Rule in the Rules ribbon page > Manage group. The Add Group Rule dialog box displays. Enter or Browse to select an Account.

To remove a group rule, select a rule and click Remove Rule in the Rules ribbon page > Manage group. A confirmation message displays, click Yes to confirm the removal.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted Vendors node in each group rule node, see the Rule Items chapter for more details.

User Rules

The User rules node allows you to match security control rules with specific users within the enterprise.

The User summary displays the User, Textual Security Identifier (SID) and Security Level of the rule.

To add a user rule click Add Rule in the Rules ribbon page > Manage group. The Add User Rule dialog box displays. Enter or Browse to select an Account.

To remove a user rule, select a rule and click Remove Rule in the Rules ribbon page > Manage group. A confirmation message displays, click Yes to confirm the removal.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted Vendors node in each user rule node, see the Rule Items chapter for more details.

Device Rules

The Device rules node allows you to match security control rules with specific devices within the enterprise. Device rules can apply the rule settings either to the device hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host.

For example, a configuration rule can allow certain applications to run on a server but prohibit the application from running when launched by users operating from specific devices listed in the rule as connecting devices to the host server.

The Device summary displays the Rule Name and the Security Level.


To add a device rule click Add Rule in the Rules ribbon page > Manage group.

To remove a device rule, select a rule and click Remove Rule in the Rules ribbon page > Manage group. A confirmation message displays, click Yes to confirm the removal.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted Vendors node in each device rule node, see the Rule Items chapter for more details.

Reference

Devices

Hostname/IP Address

Devices are added to a rule by hostname or IP address.

Device Type > Computer

Select if the device is hosting the Application Manager agent and configuration.

Device Type > Connecting Device

Select if the device is connecting through terminal services to the computer hosting the Application Manager agent and configuration.

Custom Rules

The Custom rule node allows you to match security control settings with combinations of specific users or groups and devices within the enterprise. The rule can apply settings to devices hosting the Application Manager agent and configuration or to devices connecting through terminal services to the host.

For example, a rule that targets computer IP address 192.168.0.2 as a connecting device and domain\user, allows you to apply security controls when the specific user logs on from the specified device through terminal services to the computer hosting the Application Manager agent and configuration.

When entering an IP address under a Device the following formats are valid:

The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1.

Zero or more of the sections can be replaced with a wildcard or a range.

A wildcard is an asterisk (*) character and must be the only character in the section. For example, 127.*.0.1.

An address range is denoted by two numbers separated by a hyphen (-) character. The numbers must be in the range 0-255 and the first number must be lower than the second. For example, 127.0.0.1-255.

Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.
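The address format rules above, as an added Python example (not part of the guide and not the product's own code): a parser that validates a device entry before it goes into a rule, and a matcher that tests whether a connecting device's address falls within the pattern. The function names are my own; the sample entries are constructed, using the guide's own examples.

```python
"""Validate and match Application Manager device IP address patterns.

Added example (not from the AppSense guide). Rules implemented as the guide
states them: dotted-quad IPv4; each section is a number 0-255, a wildcard
"*" (the only character in the section), or a range "low-high" of two
numbers in 0-255.
"""
import re

_NUMBER = re.compile(r"^\d{1,3}$")
_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def parse_ip_pattern(pattern):
    """Return four (low, high) bounds for a pattern, or raise ValueError."""
    sections = pattern.strip().split(".")
    if len(sections) != 4:
        raise ValueError("expected four dotted sections: %r" % pattern)
    bounds = []
    for section in sections:
        if section == "*":
            # Wildcard: matches any value in this section.
            bounds.append((0, 255))
        elif _NUMBER.match(section):
            value = int(section)
            if value > 255:
                raise ValueError("section out of range 0-255: %r" % section)
            bounds.append((value, value))
        else:
            match = _RANGE.match(section)
            if not match:
                # Rejects "12*", "*-5", "1-2-3", empty sections and so on:
                # a wildcard must be the only character in its section.
                raise ValueError("invalid section %r in %r" % (section, pattern))
            low, high = int(match.group(1)), int(match.group(2))
            if high > 255:
                raise ValueError("range bound out of 0-255: %r" % section)
            # The guide says the first number must be lower than the second,
            # but its own example 128-128.0.*.30-125 uses equal bounds, so
            # equal bounds are accepted here (assumption).
            if low > high:
                raise ValueError("range bounds reversed: %r" % section)
            bounds.append((low, high))
    return bounds


def validate_ip_pattern(pattern):
    """Return None if the pattern is valid, otherwise the error message."""
    try:
        parse_ip_pattern(pattern)
    except ValueError as exc:
        return str(exc)
    return None


def parse_ip_address(address):
    """Parse a literal IPv4 address (no wildcards or ranges) into four ints."""
    sections = address.strip().split(".")
    if len(sections) != 4 or not all(_NUMBER.match(s) for s in sections):
        raise ValueError("not a dotted-quad IPv4 address: %r" % address)
    octets = [int(s) for s in sections]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range 0-255: %r" % address)
    return octets


def ip_matches(pattern, address):
    """True if the connecting device's address falls within the pattern."""
    bounds = parse_ip_pattern(pattern)
    octets = parse_ip_address(address)
    return all(low <= octet <= high
               for octet, (low, high) in zip(octets, bounds))


if __name__ == "__main__":
    # Constructed sample entries, including the guide's own examples and
    # two malformed ones a console validation should reject.
    for pat in ["127.0.0.1", "127.*.0.1", "127.0.0.1-255",
                "128-128.0.*.30-125", "12*.0.0.1", "127.0.0.200-100"]:
        err = validate_ip_pattern(pat)
        print(pat, "->", "valid" if err is None else "INVALID: " + err)
    print(ip_matches("128-128.0.*.30-125", "128.0.77.125"))
```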


The Custom summary displays the Rule Name, User/Group Name and the Security Level.

To add a custom rule click Add Rule in the Rules ribbon page > Manage group.

To remove a custom rule, select a rule and click Remove Rule in the Rules ribbon page > Manage group. A confirmation message displays, click Yes to confirm the removal.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted Vendors node in each custom rule node. See the Rule Items chapter for more details.

Reference

Devices

Hostname/IP Address

Devices are added to a rule by hostname or IP address.

Device Type > Computer

Select if the device is hosting the Application Manager agent and configuration.

Device Type > Connecting Device

Select if the device is connecting through terminal services to the computer hosting the Application Manager agent and configuration.

Scripted Rules

The Scripted rules node allows you to create rules based on custom VB Scripts which run whenever a user logs on. The success or failure of a VB Script determines whether the Security Level settings, Accessible Items and Prohibited Items, which are part of the rule, apply to the user.

Scripted rules can take advantage of any interface accessible via VB Script, such as COM and WMI, and allow the administrator to define Application Manager policy based on any computer, user, registry, file or system property. Scripted rules also allow integration with other third-party solutions, such as Microsoft Active Directory and Citrix Advanced Access.

Scripted rules can run for each new session in the context of the user or in the context of the SYSTEM. Alternatively, Scripted Rules can run once per computer and the result is applied to all user sessions.

Scripted rules are re-evaluated when a new configuration is deployed to the computer.

When entering an IP address under a Custom rule the following formats are valid:

The address must be in standard IPv4 dotted quad notation. For example, 127.0.0.1.

Zero or more of the sections can be replaced with a wildcard or a range.

A wildcard is an asterisk (*) character and must be the only character in the section. For example, 127.*.0.1.

An address range is denoted by two numbers separated by a hyphen (-) character. The numbers must be in the range 0-255 and the first number must be lower than the second. For example, 127.0.0.1-255.

Wildcards and ranges can be combined in one address. For example, 128-128.0.*.30-125.


Scripts run when the Application Manager Agent starts up or when the configuration changes.

For more information about creating and using scripts, see Working with Scripted Rules in the Appendixes.

The Scripted summary displays the Rule Name, Entry Function, Run Script - frequency and by whom and the Security Level.

Rules ribbon page > Manage group provides you with the following options to manage Scripted rules:

Add Rule - see Add a Scriptable Rule on page 36 in the Tasks section.

Remove Rule - select a rule and click Remove Rule, a confirmation message displays, click Yes to confirm the removal.

Edit Script - displays the Scripted Rule dialog box > Script tab.

Script Options - displays the Scripted Rule dialog box > Options tab.

You can also add items to the Accessible Items node, Prohibited Items node or the Trusted Vendors node in each scripted rule node, see the Rule Items chapter for more details.

Reference

Scripted Rule > Script

To display this dialog box, select a Scripted Rule and do one of the following:

In the Scripted Rule work area in the Current Script section click on Click here to edit the script.

Click the Edit Script ribbon button.

Right-click to display the context menu, select Edit Script.

The script editor allows you to write the rule VB Script functions and specify the main function.

Entry Function

The main function which is called when the script runs and evaluates the outcome of the rule.

Export

Launches the Save As dialog box which allows you to save the script in VBS format.

Import

Launches the Open dialog box which allows you to open an existing VB Script from another location.


Scripted Rule > Options

To display this dialog box, select a Scripted Rule and do one of the following:

In the Scripted Rule work area in the Current Script section click on Click here to edit the script and click on the Options tab.

Click the Script Options ribbon button.

Right-click to display the context menu, select Script Options.

The script options allow you to specify settings for the script execution and timing.

Execution

Select one of the following:

Run script once per logon session as the logged on user.

The script runs for each user logging on. Settings are only applied for the duration of the user session.

Run script once per logon session as the SYSTEM user.

The script runs with SYSTEM account permissions once for each user logging on. Settings are only applied for the duration of the user session.

Run script once per computer as the SYSTEM user.

The script runs with SYSTEM account permissions once at computer startup. Settings are applied to all user sessions until the computer restarts, the Application Manager agent restarts or there is a configuration change.

Timing > Wait for logon to complete

Select to prevent the script from running until user logon is complete.

Timing > Wait for <n> seconds before script timeout

Allows you to specify the number of seconds a script is allowed to continue running before it times out. A setting of zero (0) seconds disables the script timeout. If a timeout occurs the result is fail and settings cannot be applied.

Running scripts as the SYSTEM user can cause serious damage to your computer and should only be enabled by experienced script authors.


Security Level

Apply security levels to control whether the users, groups and devices specified in a rule are fully restricted by Application Manager rules, unrestricted, audited only, or granted self-authorization status entitling the user to decide whether to run an application. Self-authorized users can be audited by raising events in the Auditing component and the Windows Event Log.

To set the Security Level, select the required node and do one of the following:

Click and drag the slider to the required level, in the rule node work area in the Security Level section.

Click the ribbon button for the required level in the Rules ribbon page > Security Level group.

RESTRICTED

Select to restrict users, groups, and devices in the rule to run only authorized applications. These include files owned by members of the Trusted Owners list and files listed in the Accessible Items node.

SELF-AUTHORIZE

Select to prompt users, groups and devices in the rule to decide whether to allow execute requests for each unauthorized file. Unauthorized files either do not belong to the Trusted Owners list or are not specified in the Accessible Items list of a given rule.

A Self-authorizing user prompt includes the following options:

Remember my decision for this session only - The authorization decision is upheld only for the current session. The user is prompted again for an authorization decision when attempting to run an application in any future session.

Remember my decisions permanently - The user decision is upheld for all future sessions.

Allow - Allows the application to run.

Block - Blocks the application from running.

If neither of these options is selected, the decision is upheld only for the current instance the user is attempting to run. The Self-authorization prompt is reissued for any future attempts to run instances of the application.

AUDIT ONLY

Select to permit all actions but log and audit events for monitoring purposes, according to the policy settings in Auditing.

When a DLL file is allowed to run, a message notifies the user that the application which uses the DLL may need to be restarted. The default message which displays can be modified in the General Features ribbon page > Configuration Properties group > Message Settings.


UNRESTRICTED

Select to permit all actions without even logging or auditing.

Tasks

The following are common tasks that are performed for Application Manager Rules:

TESTING SELF-AUTHORIZATION

1. Create a rule in the User Rules node which applies to a test user account that is not a member of a group which belongs to the Trusted Owners list. For more details see Test a Configuration.

2. Set the security control level to Self-Authorizing to allow the test user to self-authorize applications to run.

3. Save the configuration.

4. Run the Registry Editor.

The application is prohibited and a message box displays with a prompt for a decision to allow the file to run and informing that the action will be logged.

ADD A SCRIPTABLE RULE

1. Navigate to the Scripted rules node in the navigation tree.

2. Create a new rule. Click Add Rule on the Rules ribbon page > Manage group and select Scripted Rule.

A new rule is added to the All Scripted Rules work area.

3. Select the created rule in the All Scripted Rules work area and click Edit Script on the Rules ribbon page > Manage group.

The Scripted Rule dialog box displays.

4. To enter a script do one of the following:

Type the script.

Open an existing script in a script editor and copy/cut the content and paste.

Click Import to import an existing script.

5. Select the correct Entry Function.

6. Click OK to save the script.

The All Scripted Rules work area displays.

For script examples see Working with Scripted Rules in the Appendixes.


CREATE A CONFIGURATION TO CONTROL MICROSOFT OFFICE LICENSES IN A TERMINAL SERVER ENVIRONMENT

This task demonstrates how to set up an Application Manager configuration to enforce the Microsoft Office License Policy on Terminal Server. An administrator can specify which machines can connect to the Terminal Server and run Microsoft Office. Terminal Server Office licenses correspond to the number of machines that can connect to the terminal server, so every machine in the organization that can connect would need a license. By creating a rule under which running any Microsoft Office application depends on whether the connecting machine is allowed, licenses are only required for those machines which are explicitly allowed.

The task is made up of 3 individual steps. Application Manager is installed on the Terminal Server, and that is where the task is performed.

Step 1

Create a Signature Group for Office applications.

1. Navigate to Signature Group Management in the navigation tree.

2. Select Add Group in the Signature Groups ribbon page > Manage group.

A new Group node is added under the Signature Group Management node on the navigation tree.

3. Highlight the Group, right-click to display the context menu, select Rename and enter a name, for example Office Applications.

4. Select Launch Signature Wizard in the Signature Groups ribbon page > Items group.

The Application Manager Signature Wizard displays.

5. Click Next to display the Search Method screen.

6. Select Search folders. Click Next.

The Searching folders screen displays.

7. Enter the Office folder location. Alternatively, select the ellipsis (...) to display the Browse For Folder dialog box to locate the folder.

8. Select Include subfolders and click Next.

9. Review the list of files and click Next.

10. The signatures are generated, once complete, click Next.

11. Click Finish to exit the wizard.

The Signatures are listed in the Group Items in the Signature Group Management work area.

Step 2

Set up a Device Rule to prohibit connecting devices.

1. Navigate to the Device node in the navigation tree.

2. Select Add Rule in the Rules ribbon page > Manage group.

A new Rule is created in the All Device Rules work area.


3. Click on the Rule and enter a name.

4. Select the new Rule.

The Device Rule work area displays.

5. Select Add Client Device.

The Client Device Selection dialog box displays.

6. Enter the machines you want to prohibit. Alternatively, select Browse to perform an Active Directory search for the required machines.

7. Click OK.

The selected machines are listed in Devices on the Device Rule work area.

8. Select Connecting Device as the Device Type.

9. Select Prohibited Items for the new Device Rule in the navigation tree.

10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.

11. Select Prohibited > Signature Group.

The Select Signature Group dialog box displays.

12. Select the previously created Office Application Signature Group and click OK.

The Signature Group is added to the Prohibited Items.

Step 3

Add devices that are allowed to run Office applications on the Terminal Server.

1. Navigate to the Device node in the navigation tree.

2. Select Add Rule in the Rules ribbon page > Manage group.

A new Rule is created in the All Device Rules work area.

3. Click on the Rule and enter a name.

4. Select the new Rule.

The Device Rule work area displays.

5. Select Add Client Device.

The Client Device Selection dialog box displays.

6. Enter the machines for which you want to allow access. Alternatively, select Browse to perform an Active Directory search for the required machines.

7. Click OK.

The selected machines are listed in Devices on the Device Rule work area.

To prohibit all machines, enter the asterisk (*) wildcard.


8. Select Connecting Device as the Device Type.

9. Select Accessible Items for the new Device Rule in the navigation tree.

10. Select Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group.

11. Select Accessible > Signature Group.

The Select Signature Group dialog box displays.

12. Select the previously created Office Application Signature Group and click OK.

The Signature Group is added to the Accessible Items.

5 Rule Items

This section provides details on Rule Items and includes the following:

Accessible Items

Prohibited Items

Trusted Vendors

Tasks

Accessible Items

Accessible Item nodes are sub-nodes automatically created in any Rule node when you create a new rule. They allow you to add Items to which the groups, users and devices specified in the rule are granted access.

Items you can add are as follows:

Files

Folders

If you add a network file or folder path you must use the UNC name, as the Application Manager Agent ignores any configured path whose drive letter is not a local fixed disk. The user can still access the network application through a mapped network drive letter, because the path is converted to UNC format before it is validated against the configuration settings.

To automatically apply environment variables, select Replace with Environment Variables in the File or Folder Selection dialog box. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.


Drives

Signature Items

Signature Groups

Network Connections

Network Connection Groups

To add an Item select the Accessible Items node and click the Add Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items group, select Accessible, then select the type of accessible item you want to add.

To remove an Item select the Item you want to remove in the Accessible Items node, click the Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items group.

When using the default option, which trusts all locally installed Trusted Owner applications, you only need to add any applications that run directly from network locations including mapped network shares and DFS shares.

Application Manager includes support for adding items on Citrix client mapped drives. You can add items by specifying paths using the following format: \\client\C$\<item name>.

Application Manager drag and drop functionality can be used to add files, folders, drives and signature groups from Windows Explorer or copy or move items between Accessible Items or Prohibited Items nodes in each of the main configuration nodes.

If you have changed the default options to use a white list approach, you should also add any locally installed applications that you want users to run.

We recommend you use signatures instead of file paths on client mapped drives as this offers high security.


Accessible Items and Trusted Ownership

By default Trusted Ownership checking is enabled, therefore an application must always pass trusted ownership checking if it is enabled, even if the application is an accessible item. Although trusted ownership checking can be disabled completely, this is not recommended. However, if you need to provide a user with access to an executable file that is not owned by a trusted user, you can disable the trusted ownership check on individual accessible items: select the item and clear the Trusted Ownership check box in the Accessible Items work area. The Trust.Ownership column shows the status of trusted ownership checking for each accessible item.

Access Times

You can apply specific access times to Accessible Items.

Select an Accessible Item in the Accessible Items work area and click the Access Limits ribbon button. The Access Times dialog box displays.

Application Limits

The number of instances of an application that are permitted to run can be set using the Application Limits. This feature can be enabled or disabled.

Prohibited Items

Prohibited Item nodes are sub-nodes automatically created in any Rule node when you create a new rule. They allow you to add Items to which the groups, users and devices specified in the rule are refused access.

Items you can add are as follows:

Files

Folders

Drives

Signature Items

Signature Groups

Network Connections

Network Connection Groups

If you add a network file or folder path you must use the UNC name, as the Application Manager Agent ignores any configured path whose drive letter is not a local fixed disk. The user can still access the network application through a mapped network drive letter, because the path is converted to UNC format before it is validated against the configuration settings.

To automatically apply environment variables, select Replace with Environment Variables in the File or Folder Selection dialog box. This makes the paths more generic for applying on different machines. Wildcard support provides an additional level of control for specifying generic file paths.


To add an Item select the Prohibited Items node and click the Add Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items group, select Prohibited, then select the type of prohibited item you want to add.

To remove an Item select the Item you want to remove in the Prohibited Items node, click the Remove Item ribbon button on the Rule Items ribbon page > Accessible & Prohibited Items group.

If you are using the default option, which trusts all locally installed Trusted Owner applications, you only need to add specific applications that you do not want users to run. For instance, you may add administrative tools, such as management and registry editing tools.

You do not need to use this list to prohibit applications that are not owned by an administrator, as they are blocked by trusted ownership checking.

Application Manager drag and drop functionality can be used to add files, folders, drives and signature groups from Windows Explorer or copy or move items between the Accessible Items node and Prohibited Items nodes in each of the main configuration nodes.

Trusted Vendors

The Trusted Vendors sub-node is available in each Application Manager rule node, for listing valid digital certificates. Files which fail Trusted Ownership checking but contain digital certificates, signed by trusted sources that match digital certificates listed in Trusted Vendors, are allowed to run.

Select the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group to add digital certificates from files, select from file-based certificate stores or import file-based certificate stores into the Trusted Vendors node.

Advanced options allow you to specify parameters for validating a certificate by ignoring or allowing specific attributes. The certificate must be valid for the rule to be applicable, but there are different levels of validation with which you can configure a certificate. A test option helps to validate the certificate based on the options you have selected and, where relevant, dependent on connectivity with the appropriate Certification Authority.

Changing the settings in Advanced Options in the Rule Items ribbon page > Trusted Vendors group could reduce the level of security required to validate a certificate and present a security risk.
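The Security Level section, the Accessible Items and Trusted Ownership section, the Prohibited Items section and the Trusted Vendors section above each describe one check that applies to an execute request. The following Python is an added example written for this guide, not Application Manager's own code, that models how those checks combine in one function so the interactions can be read and tested: the Trusted Owners list, vendor names and file paths are constructed sample data, and the one ordering the page does not state (a Prohibited Item match taking precedence over an Accessible Item match) is an assumption marked in the comments.

```python
import fnmatch
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class SecurityLevel(Enum):
    RESTRICTED = "Restricted"
    SELF_AUTHORIZE = "Self-Authorize"
    AUDIT_ONLY = "Audit Only"
    UNRESTRICTED = "Unrestricted"


class Decision(Enum):
    ALLOW = "allow"                  # runs, nothing logged
    ALLOW_AUDITED = "allow, audit"   # runs, but an audit event is raised
    PROMPT = "prompt user"           # Self-Authorize: the user decides
    BLOCK = "block"


@dataclass
class FileRequest:
    path: str
    owner: Optional[str]             # NTFS owner; None where it cannot be read (non-NTFS drive)
    signer: Optional[str] = None     # subject of the file's digital certificate, if any
    signature_valid: bool = False    # outcome of certificate validation


@dataclass
class AccessibleItem:
    path: str                        # wildcards ? and * allowed
    trusted_ownership: bool = True   # the per-item Trusted Ownership check box


@dataclass
class Rule:
    level: SecurityLevel = SecurityLevel.RESTRICTED
    accessible: List[AccessibleItem] = field(default_factory=list)
    prohibited: List[str] = field(default_factory=list)
    trusted_vendors: List[str] = field(default_factory=list)
    # Constructed Trusted Owners list (assumption; the real list is configured elsewhere).
    trusted_owners: List[str] = field(default_factory=lambda: [
        r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"])
    trust_local_owned: bool = True   # default option: trust locally installed Trusted Owner apps


def _matches(pattern: str, path: str) -> bool:
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate(rule: Rule, req: FileRequest) -> Decision:
    """Combine security level, item lists, Trusted Ownership and Trusted Vendors
    for one execute request."""
    if rule.level is SecurityLevel.UNRESTRICTED:
        return Decision.ALLOW
    if rule.level is SecurityLevel.AUDIT_ONLY:
        return Decision.ALLOW_AUDITED

    # Prohibited Items refuse access regardless of owner. Assumption: they take
    # precedence over Accessible Items.
    if any(_matches(p, req.path) for p in rule.prohibited):
        return Decision.BLOCK

    owner_trusted = req.owner in rule.trusted_owners

    # An Accessible Item still has to pass trusted ownership checking, unless the
    # check box was cleared for that particular item.
    for item in rule.accessible:
        if _matches(item.path, req.path) and (owner_trusted or not item.trusted_ownership):
            return Decision.ALLOW

    # Trusted Vendors: a file that fails ownership checking but carries a valid
    # certificate from a listed vendor is allowed to run.
    if not owner_trusted and req.signature_valid and req.signer in rule.trusted_vendors:
        return Decision.ALLOW

    # Default option: locally installed files owned by a Trusted Owner run; with the
    # white-list approach only listed items do.
    if owner_trusted and rule.trust_local_owned:
        return Decision.ALLOW

    # Unauthorised file: the security level decides between blocking and asking.
    return Decision.PROMPT if rule.level is SecurityLevel.SELF_AUTHORIZE else Decision.BLOCK


if __name__ == "__main__":
    rule = Rule(level=SecurityLevel.SELF_AUTHORIZE,
                prohibited=[r"C:\Windows\regedit.exe"],
                trusted_vendors=["CN=Contoso Ltd"])  # constructed vendor name
    for req in (FileRequest(r"C:\Windows\regedit.exe", r"NT SERVICE\TrustedInstaller"),
                FileRequest(r"C:\Windows\notepad.exe", r"NT SERVICE\TrustedInstaller"),
                FileRequest(r"C:\Users\alice\Downloads\x.exe", r"DOMAIN\alice"),
                FileRequest(r"E:\app.exe", None, signer="CN=Contoso Ltd", signature_valid=True)):
        print(f"{req.path}: {evaluate(rule, req).value}")
```

The Self-Authorize "remember" options are not modelled: a PROMPT result is what the agent would turn into the user prompt, and the remembered decisions would be a cache keyed on the file in front of this function.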


Tasks

This section includes the following tasks:

ADD AN ACCESSIBLE ITEM

This test allows all users access to an application on a network share.

1. Select the Accessible Items node in Rules > Group > Everyone.

2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible & Prohibited Items and click Accessible.

3. Select File. The File Selection dialog box displays. Enter or Browse for an application.

The selected application is listed in the Accessible Items work area.

4. Test that users can run the application.

5. Test that the Trusted Ownership rule prohibits users from copying files elsewhere to the local hard disk and running the copies.

ADD A PROHIBITED ITEM

This test prevents all users accessing an application on a network share.

1. Select the Prohibited Items node in Rules > Group > Everyone.

2. Click the Add Item ribbon button in the Rule Items ribbon page > Accessible & Prohibited Items and select Prohibited.

3. Select File. The File Selection dialog box displays. Enter or Browse for an application, for example, regedit.exe.

The selected application is listed in the Prohibited Items work area.

4. Attempt to run the selected application.

The application is prohibited and a message box displays with the notification that the application is not authorized.

ADD A TRUSTED CERTIFICATE TO A TRUSTED VENDOR

1. Select the Trusted Vendors node in Rules > Group > Everyone.

2. Click the Add ribbon button in the Rule Items ribbon page > Trusted Vendors group and select From Signed File.

The Open dialog box displays.

3. Navigate to a file which has a certificate and click Open.

The selected file is listed in the Trusted Vendors work area.

You can check whether a file has a digital certificate by displaying the Properties dialog box. A file has a digital certificate if there is a Digital Signatures tab in which you can view details of the certificate including, signer information, advanced settings and an option to display the certificate.


USE DIGITAL SIGNATURES TO ALLOW FILES ON NON-NTFS FORMATTED DRIVES TO RUN

1. In the navigation tree, navigate to Accessible Items in the target Rule node.

2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group. Select Accessible and then Signature Item.

The Select Accessible Signature File dialog box displays.

3. Browse to the target file located on a non-NTFS drive.

4. Select the file and click Open to create a digital signature for the file.

5. The file is added to the Accessible Items list.

6. Save the configuration to confirm your settings.

Trusted Ownership is disabled by default to allow the file to run.

6 Signature Group Management

This section provides details on Signature Group Management and includes the following:

Manage

Items

Tasks

Manage

The Signature Group Management node allows you to create groups of application types which you can populate with digitally signed applications. Using the Wizard or a manual approach, you can scan directories and folders for installed applications and apply digital signatures. You can also examine a running process, locate all the executable files used by that process and then apply digital signatures to those files. Files are added to groups which you can later add to the accessible and prohibited files of User and Group rules.

To add a Signature Group click Add Group in the Signature Groups ribbon page > Manage group.

To remove a Signature Group, select a Group in the Signature Group Management work area and click Remove Group in the Signature Groups ribbon page > Manage group. A confirmation message displays, click Yes to confirm the removal.

Once a Signature Group has Items you can conduct a full group re-scan to ensure all signatures are still accurate, select the Rescan Group ribbon button.

Any associated Group Items are deleted with the Group.


Reference

Signature Group Management

Groups

The user defined name for a group of digitally signed files. For example, Windows XP SP2 Signatures, or, Microsoft Office Signatures.

Items

Signature groups can be populated with digitally signed application files, known as Group Items.

To add a Group Item, select the Group to which you want to add items in the Signature Group Management work area and do one of the following:

ADD ITEM

You can manually locate executable files and applications to digitally sign and add to a group. To do this, follow these instructions:

1. Click the Add Item ribbon button in the Signature Groups ribbon page > Items group.

The Open dialog box displays.

2. Navigate to the file you want to add as a Group Item.

3. Click Open.

A digital signature is added to the file and the file is added to the Group Items in the Signature Group Management work area.

LAUNCH SIGNATURE WIZARD

You can use the Signature Wizard to create Group Items in the following ways:

Search Folders - choose a folder to search for files.

Examine a running process - find the executable file used by one of the processes running on the computer.

To remove a Group Item, select an Item in the Signature Group Management work area and click Remove Item in the Signature Groups ribbon page > Items group. A confirmation message displays, click Yes to confirm the removal.

You can re-scan the group items at any time to make sure the signature is still accurate and has not changed, select a Group Item in the Signature Group Management work area and click the Rescan Signature ribbon button in the Signature Groups ribbon page > Items group.

If you want to examine a specific process, make sure the relevant application is running before launching the Signature Wizard.
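To show what a Group Item's signature buys over a path entry, the following Python is an added example written for this guide (not Application Manager's own signing code): it builds a signature group from the executables under a folder, optionally including subfolders as the Search Folders method does, then rescans the group so that a modified or missing file is reported, which is what the Rescan Group and Rescan Signature buttons are for. The digest algorithm (SHA-256), the set of executable extensions and the sample files are assumptions and constructed data; the product's own signature format is not described on this page.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Assumption: the file types the wizard collects and the digest it uses are not
# stated on this page; SHA-256 and this extension set are choices made here.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl"}


def signature_of(file: Path) -> str:
    """Content digest: an identity that survives copying to a non-NTFS drive
    (where ownership cannot be read) and changes with any modification."""
    digest = hashlib.sha256()
    with file.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_signature_group(folder: Path, include_subfolders: bool = True) -> Dict[str, str]:
    """'Search folders' style: sign every executable under folder."""
    files = folder.rglob("*") if include_subfolders else folder.glob("*")
    return {str(f): signature_of(f) for f in sorted(files)
            if f.is_file() and f.suffix.lower() in EXECUTABLE_SUFFIXES}


def rescan_group(group: Dict[str, str]) -> Dict[str, str]:
    """'Rescan Group': report whether each stored signature is still accurate."""
    report = {}
    for name, expected in group.items():
        file = Path(name)
        if not file.is_file():
            report[name] = "missing"
        else:
            report[name] = "unchanged" if signature_of(file) == expected else "changed"
    return report


def demo() -> dict:
    """Build a group from constructed sample files, tamper with one, delete one, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        office = Path(tmp) / "Office"
        (office / "sub").mkdir(parents=True)
        (office / "winword.exe").write_bytes(b"MZ constructed sample 1")
        (office / "excel.exe").write_bytes(b"MZ constructed sample 2")
        (office / "sub" / "helper.dll").write_bytes(b"MZ constructed sample 3")
        (office / "readme.txt").write_bytes(b"not an executable, so not signed")
        recursive = build_signature_group(office)
        top_level = build_signature_group(office, include_subfolders=False)
        (office / "excel.exe").write_bytes(b"MZ constructed, but modified")
        (office / "sub" / "helper.dll").unlink()
        report = {Path(k).name: v for k, v in rescan_group(recursive).items()}
    return {"recursive": len(recursive), "top_level": len(top_level), "report": report}


if __name__ == "__main__":
    print(demo())
```

A path-based item would still cover the modified excel.exe; the signature group reports it as changed, which is the property the guide's recommendation to prefer signatures over paths on client mapped drives relies on.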


Reference

Signature Group Management

Group Items > Signature File

File to which a signature is applied.

Group Items > Description

Obtained from the file resources and describes the file to which a signature is applied. For example, system32\sol.exe is described as Solitaire Game Applet.

Group Items > File Version

Obtained from the file resources and provides the version of the digitally signed file.

TasksThis section includes the following tasks:

CREATE A SIGNATURE GROUP

1. In the navigation tree, navigate to Library > Signature Group Management.

2. Click Add Group in the Signature Groups ribbon page > Manage group.

A New Group node is added under the Signature Group Management node on the navigation tree.

3. To rename the group, highlight the Group, right-click to display the context menu, select Rename and type in the new name.

EXAMINING A RUNNING PROCESS

This procedure shows how to examine a running process for executable files used by that process, digitally sign and add the files to a group.

1. In the navigation tree, navigate to Library > Signature Group Management.

2. Select an existing group or create a new group in the Signature Group Management work area, to which to add any found files in the examination process.

3. Click the Launch Signature Wizard ribbon button.

The Application Manager Signature Wizard dialog box displays.

4. Click Next. The Search Method dialog box displays.

5. Select Examine a running process. Click Next.

The Examine a running process dialog box displays.

If you wish to examine a specific process, make sure you have launched the relevant application before proceeding.


6. Select a process and click Next.

The Review Files dialog box displays the list of executable files used by the selected running process.

7. Click Next to generate digital signatures for the list of files.

The number of generated signatures displays.

8. Click Next to complete the Wizard.

9. Click Finish to Exit.

The files are listed in Group Items under the relevant Group in the Signature Group Management work area.

ADDING FILES TO A GROUP

This procedure shows how to manually locate executable files and applications to digitally sign and add to a group:

1. In the navigation tree, navigate to Library > Signature Group Management.

2. Select an existing group or create a new group in the Signature Group Management work area to which to manually add files.

3. Click the Add Item ribbon button.

The Open dialog box displays.

4. Locate the required files. Click Open.

A digital signature is added to the file and the file is added to the Group Items list.

USE DIGITAL SIGNATURES TO ALLOW FILES ON NON-NTFS FORMATTED DRIVES TO RUN

This procedure shows how to allow files on non-NTFS formatted drives to run using digital signatures. By default Application Manager blocks applications on non-NTFS formatted drives as file ownership cannot be determined for these files.

1. In the navigation tree, navigate to Accessible Items in the target Rule node.

2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group. Select Accessible and then Signature Group.

The Select Signature Group dialog box displays.

3. Select the Group and click OK.

The Signature Group is added to the Accessible Items work area.

An alternative method is as follows:

1. In the navigation tree, navigate to Accessible Items in the target Rule node.

2. Click Add Item in the Rule Items ribbon page > Accessible & Prohibited Items group. Select Accessible and then Signature Item.

The Select Accessible Signature File dialog box displays.

Trusted Ownership is disabled by default to allow the file to run.


3. Browse to the target file located on a non-NTFS drive.

4. Select the file and click Open to create a digital signature for the file.

5. The file is added to the Accessible Items list.

6. Save the configuration to confirm your settings.

Trusted Ownership is disabled by default to allow the file to run.

7 Application Network Access Control

This section provides details on Application Network Access Control and includes the following:

About Application Network Access Control

Network Connection Items

Network Connection Group Management

Tasks

About Application Network Access Control

Application Network Access Control provides the ability to control outbound network connections by IP Address, Host name, URL, UNC or Port, based on the outcome of the rules processing. For example, access can depend on the location of the requestor, such as whether it connects through a VPN or directly to the network.

Application Network Access Control is designed to control access within a company network infrastructure. This control is achieved by intercepting application requests made through the WINSOCK layer, for example HTTP, FTP and RDP. In Application Manager, access to these resources is controlled by adding a Network Connection Item.

Network Connection Items can be created individually or as part of a Network Connection Group.

Network Connection Groups and Items can be applied to any Rule in Accessible Items to allow access or in Prohibited Items to deny access.

Application Manager will intercept and block network access if requests are made to prohibited network resources. The execution of applications is not controlled.

Access is allowed to all network resources until actively prohibited.


Network Connection Items

Network Connection Items can be created for any network resource and can be added to a configuration in the following ways:

Directly to a Rule.

Adding single Network Connection Items to Accessible and Prohibited Item lists is advantageous when a more granular level of control is required, or when only a few items are required. However, this method could prove time consuming.

Assign to a Network Connection Group.

Duplicate Network Connection Items are not allowed in the same Network Connection Group.

Network Connection Items can be cut, copied or dragged and dropped between rules. There are no default Network Connection Items in a configuration.

Application Network Access Control best practices can be found in the Best Practices chapter in the Application Network Access Control section.

For details on working with AppSense Application Manager and Streamed Applications refer to the Streamed Applications appendix.

For further information refer to Add a Network Connection Item directly to a Rule in the Tasks section.

For further information refer to the Group Items section in Network Connection Group Management.

The full path of the Network Connection Item cannot exceed 400 characters.


Network Connection Group Management

Network Connection Group Management is located in the Library node in the navigation tree. The Network Connection Group Management work area is split into 2 areas:

Groups

Group Items

Groups

Network Connection Groups can be created to group multiple generic Network Connection Items. Managed centrally, they can be named and re-named easily. The Groups can then be applied to any Rule.

Once a Group has been created, Group Items can be added.

Group Items

Network Connection Group Items can be created and added to any Group. Select any existing Group to display the list of Group Items.

The options available for Group Items are as follows:

Add Item - Displays the Network Connection Details dialog box.

Edit Network Connection - Displays the Network Connection Details dialog box for the selected item. Make the required amendments. Click OK to save and close the dialog box.

Remove Item - Remove a selected item. A confirmation message box displays, click Yes to confirm removal.

Reference

Network Connection Details

Connection Type

Select one of the following connection types:

IP ADDRESS

Select to control access to a specific IP Address.

If the Group Name is amended, it automatically updates in any Rule where the Group is applied.

Multiple entries for the same resource name are not allowed in any one list.


NETWORK SHARE

Select to control access to UNC paths. The prefix \\ is added to the Host field.

HOST NAME

Select to control access to a specific Host Name.

Connection Options

Host

The IP Address or Host Name for the network connection, depending on the connection type selected. The wildcards ? and * can be used. For IP Addresses a range can also be specified, written with a hyphen (-) between the first and last address.

An IP Address must be in IPv4 dotted-decimal format, for example n.n.n.n.

If Network Share is selected as the connection type, the \\ prefix is required.

Port

The port number of the network connection. It can be combined with an IP Address or Host Name to control access to a specific port. Port ranges and comma-separated lists of ports are allowed.

The combined number of characters for all three fields, Host, Port and Path must not exceed 400.

The full path of the target resource can be entered in Host.

Example:

Enter http://server1.company.local:80/resource1/ in Host.

Move focus away from Host and the path is automatically split into the separate connection options:

http:// is removed and server1.company.local remains in Host.

The : is removed and 80 is moved to Port.

/resource1/ is moved to Path.

This allows a full path to be copied and pasted with ease.

Click Common Ports to display a list of commonly used ports. Select as many ports as required.


Path

The path of the network connection. The wildcards ? and * can be used. To use wildcards in the Path, Text contains wildcard characters must be selected.

Text contains wildcard characters

Select to use the characters ? and * as wildcards in the Path. If not selected, ? and * are treated as literal characters of the URL (for example, ? as the query-string delimiter) rather than as wildcards.

Include subdirectories

Only applicable if the connection type Network Share is selected. Select to include subdirectories in the rules processing.

Description

Enter a meaningful description to describe the network connection.
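The matching behaviour described above (hyphenated IP ranges, ? and * wildcards, port lists and ranges, the Text contains wildcard characters flag, Include subdirectories, the 400-character limit, and the automatic splitting of a full URL typed into Host) can be tried out with the following Python script. It is an added illustration written for this page, not AppSense code: the semantics are this editor's reading of the dialog fields, and the treatment of Include subdirectories (without it an item covers the share and entries directly inside it), the case-insensitive host-name comparison and the item names are assumptions.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Limit stated in the guide: Host, Port and Path together may not exceed 400 characters.
MAX_FIELD_TOTAL = 400


@dataclass
class NetworkConnectionItem:
    """One Network Connection Item as entered in the Network Connection Details dialog.

    connection_type: "ip", "hostname" or "share" (IP ADDRESS, HOST NAME, NETWORK SHARE).
    host: dotted-decimal IPv4 with ? / * wildcards or an a.b.c.d-e.f.g.h range, a host name
          with wildcards, or a UNC prefix such as \\\\server\\share for the share type.
    port: "" (any), "80", "80,443" or "8000-8080".
    path: URL path; only meaningful for HTTP and FTP connections.
    """
    connection_type: str
    host: str
    port: str = ""
    path: str = ""
    wildcard_path: bool = False           # "Text contains wildcard characters"
    include_subdirectories: bool = False  # share type only (semantics assumed, see lead-in)

    def __post_init__(self) -> None:
        total = len(self.host) + len(self.port) + len(self.path)
        if total > MAX_FIELD_TOTAL:
            raise ValueError(f"Host+Port+Path is {total} characters; the limit is {MAX_FIELD_TOTAL}")
        if self.connection_type not in ("ip", "hostname", "share"):
            raise ValueError(f"unknown connection type {self.connection_type!r}")
        if self.connection_type == "share" and not self.host.startswith("\\\\"):
            raise ValueError("a Network Share host must start with \\\\")


def split_host_field(text: str) -> Tuple[str, str, str]:
    """Emulate the console splitting a full URL typed into Host into (host, port, path):
    'http://server1.company.local:80/resource1/' -> ('server1.company.local', '80', '/resource1/')."""
    if "://" not in text:
        return text, "", ""
    parts = urlsplit(text)
    port = str(parts.port) if parts.port is not None else ""
    return parts.hostname or "", port, parts.path


def port_matches(spec: str, port: int) -> bool:
    """Empty spec matches any port; otherwise a comma-separated list of ports and lo-hi ranges."""
    if not spec.strip():
        return True
    for piece in spec.split(","):
        piece = piece.strip()
        if "-" in piece:
            lo, hi = (int(p) for p in piece.split("-", 1))
            if lo <= port <= hi:
                return True
        elif piece and int(piece) == port:
            return True
    return False


def ip_matches(spec: str, address: str) -> bool:
    """Dotted-decimal IPv4 only: a hyphenated range is compared numerically, anything else
    is compared as a ? / * wildcard pattern against the address text."""
    addr = ipaddress.IPv4Address(address)      # rejects IPv6 and malformed input
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return fnmatch.fnmatchcase(address, spec)


def share_matches(item: NetworkConnectionItem, unc_path: str) -> bool:
    """Assumed semantics: without Include subdirectories the item covers the share itself and
    entries directly inside it; with it, everything below the share."""
    base = item.host.rstrip("\\").lower()
    target = unc_path.rstrip("\\").lower()
    if target == base:
        return True
    if not target.startswith(base + "\\"):
        return False
    remainder = target[len(base) + 1:]
    return item.include_subdirectories or "\\" not in remainder


def item_matches(item: NetworkConnectionItem, host: str,
                 port: Optional[int] = None, path: str = "") -> bool:
    """Does a connection attempt to host[:port][path] fall under this item?"""
    if item.connection_type == "share":
        return share_matches(item, host)
    if item.connection_type == "ip":
        if not ip_matches(item.host, host):
            return False
    elif not fnmatch.fnmatchcase(host.lower(), item.host.lower()):
        return False
    # An item that names ports only covers connections whose port is known and listed.
    if item.port and (port is None or not port_matches(item.port, port)):
        return False
    if not item.path:
        return True
    if item.wildcard_path:
        return fnmatch.fnmatchcase(path, item.path)
    return path == item.path   # flag clear: ? and * are literal URL characters


if __name__ == "__main__":
    blocked = NetworkConnectionItem("ip", "10.1.1.1-10.1.1.50", "80,443")
    print(item_matches(blocked, "10.1.1.25", 443))   # True
    print(item_matches(blocked, "10.1.1.51", 443))   # False
```

Note that with the wildcard flag clear an item whose Path is /res?urce1/ matches only that exact path, while with the flag set the same item also matches /resource1/; building items this way before entering them in the console is a quick way to check that a prohibited item does not accidentally swallow a broader range than intended.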

Tasks

The following are common tasks that are performed in Application Network Access Control:

ADD A NETWORK CONNECTION ITEM DIRECTLY TO A RULE

Network Items can be added to any Accessible Items or Prohibited Items node.

1. Navigate to the required node, for example, Prohibited Items for a specific user group.

2. Select Add Item > Prohibited (or Accessible) > Network Connection Item on the Rule Items ribbon page > Accessible & Prohibited Items group.

The Network Connection Details dialog box displays.

3. Create the Network Connection Item.

Example: A Network Connection Item is set up for an IP Address and assigned to Prohibited Items in a Group Rule. The members of that group will not have access to any network resources at that IP Address.

EDIT A NETWORK CONNECTION DIRECTLY IN A RULE

1. Navigate to the Rule node in the navigation tree where the Network Connection Item to be amended is located.

The relevant work area displays.

2. Click on the Network Connection Item to be amended, listed under Network Connections.

3. Select Edit Network Connections on the Rule Items ribbon page > Accessible & Prohibited Items group.

The Network Connection Details dialog box displays.

The Path is only relevant for controlling HTTP and FTP connections.


4. Make the required amendments.

5. Click OK to save the changes and close the dialog box.

CREATE A NETWORK CONNECTION GROUP

1. Navigate to the Network Connection Group Management node.

2. Select Add Group on the Network Connection Groups ribbon page > Manage Group.

A New Network Connection Group node is added under the Network Connection Group Management node on the navigation tree.

3. To rename the group, highlight the Group, right-click to display the context menu, select Rename and type in the new name.

ASSIGN A NETWORK CONNECTION ITEM TO A NETWORK CONNECTION GROUP

1. Navigate to the Network Connection Group Management node.

2. In the navigation tree, click the Network Connection Group to which you want to add the Network Connection Item.

3. Select Add Item on the Network Connection Groups ribbon page > Items group.

The Network Connection Details dialog box displays.

4. Create the network item. Once completed, click OK.

The item displays under Group Items in the work area.

EDIT A NETWORK CONNECTION ITEM IN A NETWORK CONNECTION GROUP

Once created, Network Connection Items are easily amended.

1. Navigate to relevant Network Connection Group in the navigation tree.

The Network Connection Group Management work area displays.

2. Click on the Network Connection Item to be amended, listed under Group Items.

3. Select Edit Network Connections on the Network Connection Groups ribbon page > Items group.

The Network Connection Details dialog box displays.

4. Make the required amendments.

5. Click OK to save the changes and close the dialog box.

8 Endpoint Analysis

This section provides details on Endpoint Analysis and includes the following:

About Endpoint Analysis

Endpoint Management

Installed Applications

Application Usage Scans

Application Data

Data Files

Tasks

About Endpoint Analysis

Select the Endpoint Analysis navigation button.

Endpoint Analysis allows you to scan single or multiple endpoints to produce a list of the applications that are present on, and have run on, each endpoint, which simplifies the creation of an appropriate Application Manager (AM) configuration. Endpoint Analysis is available on demand and inactive by default.

Endpoint Analysis is made up of two parts:

Endpoint Scans

Installed Applications - Retrieves a list of programs that are present on an endpoint.

Application Usage - Records the usage of applications on an endpoint.

Data Analysis - Analysis of endpoint data and imports into the AM configuration.

Endpoint Scans

The first step is to add Endpoints to the configuration.

Adding an endpoint

Browse Deployment Group - Displays the Select Management Server dialog box.

Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.


The Endpoint Analysis work area displays a list of all Endpoints added to the configuration. For each endpoint the following are shown:

The percentage complete of the Installed Applications Scan.

Whether the Application Usage Scan is On or Off.

Retrieving Application data

There are two scans that can be performed in order to retrieve application data for selected Endpoints:

Installed Applications - Select an Endpoint on which to run the scan. Alternatively, you can select Run Scan for all Endpoints. A list of all installed applications is retrieved and displayed in the Installed Applications work area.

Application Usage - Select an Endpoint on which to start recording. A list of all running applications is recorded until the time when you click Stop Application Usage Scan. The list is saved as an XML file and a new node created for each file under the Recorded Data node for that Endpoint.

Removing an Endpoint

To remove an endpoint or multiple endpoints, highlight the required endpoints under the Endpoints node in the navigation tree and select Remove Endpoint in the Endpoint Analysis Ribbon page > Endpoint Management group.

Data Analysis

All the collected data can be seen in either the Installed Applications or Recorded Data work area for the selected Endpoint.

You can show any associated files which the application has loaded and also digital certificates (if the file has been signed).

Adding files to the configuration

You can add any of the applications or associated files or certificates to the configuration by dragging and dropping.

If you drag and drop files into any of the Accessible or Prohibited Items lists they are dropped in as files:

If files are placed in Accessible Items, any associated loaded files are automatically included.

If files are placed in Prohibited Items, any associated loaded files are not included, only the main application executable.

You can drag and drop into Signature Groups. When a file is dropped over the Signature Groups node the available signature groups are displayed. You can then select which group or groups to which to add the files. The file is then converted to a signature and added to the selected signature group or groups.

The endpoint data is gathered in real time and does not affect the rules processing.


To add a certificate to any of the Trusted Vendors, either drag and drop a file onto the Trusted Vendors node (any certificates that exist for that file are added), or select Show Digital Certificates to display the Certificates dialog box and drag and drop certificates from that window into the configuration.

Endpoint Management

You can add and remove endpoints from the configuration.

You can add an endpoint by one of the following methods:

Browse Deployment Group - Displays the Select Management Server dialog box.

Browse Domain/Workgroup - Displays the Active Directory Select Computers dialog box.

For further information see Adding an Endpoint by Domain/Workgroup in the Tasks section.

To remove an endpoint, highlight the required endpoint and select Remove Endpoint in the Endpoint Analysis Ribbon page > Endpoint Management group.

Installed Applications

To retrieve a list of applications that are installed on an endpoint do one of the following:

Run Endpoint Scan - Select the endpoint in the navigation tree for which to run a scan. All installed applications display in the Installed Applications work area.

An Endpoint Status dialog box displays while the scan is completing. You can make the Endpoint Status dialog box transparent by clicking and dragging the Transparency slider.

For further details see Running an Endpoint Installed Applications Scan in the Tasks section.

Run Scan for all Endpoints - Scans all endpoints listed in the navigation tree. Click on an endpoint to display the list of installed applications in the Installed Applications work area.

The Installed Applications Scan detects applications that have been installed using Windows Installer technology.

Application Usage Scans

Application Manager can record which applications are being or have been run on selected endpoints. The Application Usage Scan detects applications in use that were not installed using Windows Installer technology and so are not found by the Installed Applications Scan, for example Firefox or shareware.


To start recording, select the Endpoint you want to scan and click Start Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage Scans group.

To stop recording, select the Endpoint being scanned and click Stop Application Usage Scan on the Endpoint Analysis ribbon page > Application Usage group.

When the recording has been stopped, the File dialog box displays. Enter a name to save the file. The files are saved in xml format and a new node is created for each xml file in the navigation tree under the Recorded Data node of the selected Endpoint.

To delete any of the xml files select Delete File on the Endpoint Analysis ribbon page > Application Usage Scans group.

Application Data

The application data can be seen in detail for both the Installed Applications Scan and the Application Usage Scan.

You can select to display the associated loaded files or the digital certificates.

Show Loaded Files - displays the Loaded Files dialog box. Drag and Drop any of the files to add to the configuration.

Show Digital Certificates - displays the Certificates dialog box. Drag and Drop any of the certificates to add to any of the Trusted Vendors node in the configuration.

Make sure that the selected endpoint is connected. For a connection to be made, the target endpoint must have the following:

Application Manager Agent installed

Application Manager License installed

Access to the admin share. To test access, open Windows Explorer and enter \\<computer name>\C$ in the Address bar; if you can see the files, the share is working.

We recommend you run the Application Usage Scan for a minimum of 5 days, or a period over which the user would perform all their normal activities in their role, to ensure all applications are captured.

For further details, see Running an Application Usage Scan in the Tasks section.

On occasion a duplicate certificate will be present, for example:

Calc.exe loads Msvcrt.dll, Ntdll.dll and Msutil.dll

Calc.exe is signed with ’Microsoft Certificate A’ and Ntdll.dll is also signed with ’Microsoft Certificate A’

Refer to the Signed File column to clearly identify which file has been signed with which certificate.


Data Files

You can select to Import or Export the data gathered by either the Installed Applications Scan or the Application Usage Scan.

Import - displays the Import dialog box. Locate the xml file you want to import and click Open.

Export - displays the Export dialog box. Navigate to the folder to export to and enter the file name and click Save.

Tasks

The following tasks are provided to help with Endpoint Analysis:

ADDING AN ENDPOINT BY DOMAIN/WORKGROUP

1. Select the Endpoint Analysis navigation button.

The Endpoint Analysis navigation tree displays.

2. Click Add Endpoint in the Endpoint Analysis ribbon page > Endpoint Management group and select Browse Domain/Workgroup.

The Active Directory Select Computers dialog box displays.

3. Enter the name of the computer you want to add as the endpoint in Enter the object names to select box.

Alternatively, click Advanced and then click Find Now. Select the required computer from the Search results and click OK.

4. Click OK.

A new node with the name of the selected computer is added to the navigation tree under the Endpoints node.

RUNNING AN ENDPOINT INSTALLED APPLICATIONS SCAN

1. In the navigation tree, navigate to the Endpoint that you want to scan.

2. Click Run Endpoint Scan in the Endpoint Analysis ribbon page > Installed Applications group.

The Endpoint Status dialog box displays.

You can increase or decrease the transparency by clicking and dragging the Transparency slider; this lets you see the console and continue working while the scan takes place.


3. Once the scan is complete the Installed Applications node under the selected Endpoint is populated with the data, seen in the Installed Applications work area.

RUNNING AN APPLICATION USAGE SCAN

1. In the navigation tree, navigate to the Endpoint that you want to scan.

2. Click Start Application Usage Scan in the Endpoint Analysis ribbon page > Application Usage group.

Notice in the Endpoint Summary section in the work area, the status changes from Not recording to Recording and the light changes from red to green.

3. To stop the recording, click Stop Application Usage Scan in the Endpoint Analysis ribbon page > Application Usage group.

The File dialog box displays.

4. Enter a file name and click OK to save the file.

The file is saved in xml format and a new node is created with the file name under the Recorded Data node for the selected Endpoint.

ADDING EPA DATA TO A CONFIGURATION

Refer to the Adding files to the configuration section.

The work area displays the Endpoint Summary; the endpoint must show as Connected before a scan can proceed.

9 Rules Analyzer

This section provides details on Application Manager Rules Analyzer and includes the following:

About Rules Analyzer

Endpoint Management

Data Acquisition

Data Files

Tasks

About Rules Analyzer

Rules Analyzer allows you to troubleshoot the behavior of AppSense Application Manager, either locally or remotely, by creating and analyzing AppSense Application Manager log files.

When you first configure Application Manager, you may find that Application Manager allows files that you intended to deny or denies files that you intended to allow.

Rules Analyzer helps you to examine exactly which rules are applied by Application Manager and identify any inconsistencies or inaccuracies in your configuration settings when processing a request. You can then make appropriate changes to the configuration using the Application Manager console.

This section includes:

FEATURE SUMMARY

The Rules Analyzer console allows you to diagnose Application Manager problems by connecting directly to computers controlled by Application Manager, and includes:

Creating Log Files – You can create log files on computers controlled by Application Manager.

Examining Log Files – You can retrieve and examine log files to view the requests processed by Application Manager. In particular you can see which rules were applied to each request and whether the request was allowed or denied.

Anonymous logging - This means that user names are not written to the log file. User names appear as Unknown\Anonymous. Navigate to the Endpoints node in the navigation tree and select Anonymous Logging checkbox in the work area.


GETTING STARTED

The Rules Analyzer console is used to create Application Manager log files and to retrieve and examine the log files.

A computer node allows you to control logging on a specific computer and to retrieve log files from that computer. Below each computer node is a node for each retrieved log file.

You can view a summary page, view all requests or view the requests for a specific user. You can restrict the view to the denied or the allowed requests. Within the analysis panel you can navigate to a specific request and view the full details of that request, including which rules were applied by Application Manager.

Users must be logged on with an account that allows read and write access to the registry of any machine for which you wish to generate logs using Rules Analyzer, and read and write access to the local registry of the machine on which the management console operates.

Testing whether the endpoint has Admin share rights

Open Explorer, enter \\<computername>\c$ in the Address Bar and press Enter. If you can browse the folders you have access rights; if not, you are prompted for user credentials that allow access.

Testing whether you have remote Registry access

Open the Registry Editor dialog box (Start > Run > Regedit). Select File > Connect Network Registry, this displays the Active Directory Select Computers dialog box. Locate the machine and click OK. If you can see the Registry Keys, you have access.

CHECKLIST

You must have the following to use Rules Analyzer:

Application Manager Agent installed on endpoint.

License installed on endpoint.

Application Manager configuration installed on the endpoint.

Admin share rights to endpoint.

On remote computers running Microsoft Vista, File Sharing and the Remote Registry Service are disabled by default and must be enabled to ensure the Rules Analyzer can create or access log files.

Start the Remote Registry Service in Start > Control Panel > Administrative Tools > Services. Turn on File Sharing in Start > Control Panel > Network and Sharing Center.

Reference

Log File Contents Summary

The Summary page displays when you select a log file node in the navigation tree.

It shows the number of requests processed by Application Manager. The top row of the table shows the total number of requests for all users. The remaining rows show the number of requests for each user. The Total column shows the total number of requests, allowed and denied. The Allowed/Denied column shows the number of allowed or denied requests.

Click on any Total link to display the Log File Contents Request List.

Log File Contents Request List

The Request List page displays a list of Application Manager requests when you click a Total link in the Summary page.

The requests are listed in the order in which they were processed by Application Manager.

Each request displays a green tick or a red cross to indicate whether the request was allowed or denied.

Click on a request link to display the Log File Contents Request Details.

Log File Contents Request Details

The Request Detail page displays details of a particular request when you click a request in the Request List page.

The Request Detail page displays each rule applied by Application Manager in processing the request. The rules are listed in the order applied. The last rule in the list determines the final result, allow or deny. The rule information includes links which, when selected, display popup messages explaining the rule item.

To export the log file in XML format select the Export ribbon button.

You can select View the requests by processing time on the Summary page to display a Request List page showing requests sorted with the longest running request first.

Use the Return link at the top of the page to navigate to the previous page and the Summary link to return to the Summary page. The Back button on the console toolbar is for navigating the navigation tree.


Endpoint Management

Add and remove endpoints in the navigation tree. See Add an Endpoint in the Tasks section.

Data Acquisition

Start and stop logging on endpoints. See Create and retrieve a log file in the Tasks section.

Data Files

Import, export or delete a data file. Data files are in XML format and can be opened and imported into Rules Analyzer nodes or saved and exported out.

Tasks

This section shows how to perform common tasks using Rules Analyzer, and includes:

ADD AN ENDPOINT

1. Select the Rules Analyzer navigation button.

The Rules Analyzer navigation tree displays.

2. Click the Add Endpoint button on the Rules Analyzer ribbon page > Endpoint Management group.

3. Select either Browse Deployment Group or Browse Domain/Workgroup depending on the location of the endpoint you want to add.

Browse Deployment Group displays the Select Management Server dialog box.

Browse Domain/Workgroup displays the Active Directory Select Computers dialog box.

Locate the required endpoint and click OK.

4. A new node is created for the selected endpoint under the Endpoints node in the navigation tree.

CREATE AND RETRIEVE A LOG FILE

1. Locate and highlight the endpoint you want to analyze in the navigation tree.

2. Click the Start Logging button on the Rules Analyzer ribbon page > Data Acquisition group.

3. When you want to stop logging, click the Stop Logging button on the Rules Analyzer ribbon page > Data Acquisition group.

4. Enter a name for the retrieved log file. The log file is retrieved and saved locally as a new node.

On remote computers running the Microsoft Vista operating system, File Sharing and the Remote Registry Service are disabled by default and must be enabled to ensure the Rules Analyzer can create or access log files.

Start the Remote Registry service in Start > Control Panel > Administrative Tools > Services. Turn on File Sharing in Start > Control Panel > Network and Sharing Center.


ANALYZE A LOG FILE

To analyze a log file, select the log file node. The first page shown in the analysis work area is the summary page. You navigate inside the analysis panel by following links. Use the Return link at the top of the page to go back to the previous page.

VIEW THE REQUESTS FOR A SPECIFIC USER

To view the requests for a specific user click one of the links in the table on the summary page. You can click in the Total column to see all the requests for the user and you can click in the Allowed column or the Denied column to see only the allowed or denied requests.

FIND REQUESTS THAT TAKE A LONG TIME

To find requests that take a long time click View the requests by processing time on the summary page.

This shows the requests sorted, with the longest running request first. The processing time shown is the elapsed time taken by the AppSense Application Manager agent to process the request.

10 Auditing

This section provides details on AppSense Application Manager Auditing and includes the following:

Audit

Local Events

Audit

Auditing allows you to define rules for the capture of auditing information. This includes where event data is stored when logging to a local file and to the application event log, and a filter for specifying the events you wish to capture in the log.

Local Auditing allows you to specify whether to log events in the Windows Application Event Log or to a custom AppSense Event Log. Events can be written to a local file in CSV or XML format.

By default, the log file is located at

%SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.csv (or .xml)

An alternative location can be configured for the log file. In this mode auditing also includes an event filter to log only specific events.

In Enterprise installations, events can be forwarded to the AppSense Management Center via the Client Communications Agent (CCA). When using this method for auditing, event data storage and filtering is configured through the AppSense Management Console. For more information see the AppSense Management Center Administration Guide.

Reference

Summary

The following allows you to configure the event logging:

Send events to the Application Event Log

Select whether to send events to the Application Event log.


Send events to the AppSense Event Log

Select whether to send events to the AppSense Event log.

Make events anonymous

Specify whether events are to be anonymous. If Yes, the computer name and user name are omitted from all events. Anonymous logging also searches the file path for any directory whose name matches the user name and replaces that directory name with the string USERNAME.

Send events to local file log

Select whether to send events to the local file log. If Yes, the events are sent to the local log file as specified in the Text box.

Text box

The path for the local log file. The default is %SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%

Local file log format

Specify whether the event log is to be saved in XML format or CSV format.

Events can be sent to either the Application Event Log or the AppSense Event Log, not to both.


Local Events

The Event filter table is a comprehensive list of all events and is used to select the events you wish to audit. You can sort the table numerically by ID number, or alphabetically by Event Name or Event Description. Selected events are highlighted in bold. Click Toggle to switch between selected and cleared.

Events 9001, 9007 and 9014 are disabled by default because they can generate excessive event data on busy endpoints. We recommend these events are used only for troubleshooting, and only for short periods. A warning displays at the top right of the Event filter list if you select one of these high-volume events.

Reference

Local Event Filter

Log Locally

Select the events to log locally.

Toggle Selected

Select any number of events from one to all. Toggle to switch the Log Locally check box between being selected and cleared.

Table 10.1 Application Manager Events List

Event ID  Event Name                Event Description                                      Event Log Type
9000      Denied Execution          Prohibited execution request.                          Warning
9001†     Allowed Execution         Allowed execution request.                             Information
9002      Overwrite Changed Owner   Overwrite of an allowed executable.                    Warning
9003      Rename Changed Owner      Rename of a prohibited executable.                     Warning
9004      Application Limit Denial  Application limit denial.                              Warning
9005      Time Limit Denial         Time limit denial.                                     Warning
9006      Self-Authorization        Self-authorization decision by user.                   Warning
9007      Self-Authorized allow     Self-authorization execution request.                  Warning
9009      Scripted Rule Timeout     Script execution timed out.                            Warning
9010      Scripted Rule Fail        Script failed to complete.                             Warning
9011      Scripted Rule Success     Script completed successfully.                         Information
9012      Trusted Vendor Denial     Digital Certificate failed Trusted Vendor check.       Warning
9013      Network Item denied       Prohibited Network Item request.                       Warning
9014      Network Item allowed      Allowed Network Item request.                          Information
9015‡     Application Started       An allowed application started running.                Information
9095      Not configured            AppSense Application Manager has not been configured.  Warning
9099      Agent not licensed        AppSense Application Manager is not licensed.          Error

† Multiple 9001 events can be generated by a single request for an application because of the way in which Windows responds to execution requests. We therefore recommend you use event 9015 to audit accurately how many times a user has run an application.

‡ Use event 9015, not event 9001, to audit accurately how many times a user has run an application.

System Events

The following are non-configurable system events:

Table 10.2 Application Manager System Events

Event ID  Event Name              Event Description
8000      Service Started         Application Manager Agent: Service Started.
8001      Service Stopped         Application Manager Agent: Service stopped.
8095      No Configuration found  Application Manager cannot find a valid configuration.
8099      Invalid License         Application Manager software is not licensed.
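Two points from this chapter are worth seeing on real data: the "Make events anonymous" transformation described under the Summary reference, and the 9001 versus 9015 footnote above (several 9001 events for one launch). The following Python script, added here as an illustration and not AppSense code, reads a local CSV file log, applies the anonymisation rule, and compares run counts derived from the two event IDs. The guide does not document the CSV column layout, so the five columns used (Timestamp, EventID, Computer, User, Path), the sample rows and the user and computer names are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Event IDs from Table 10.1 of the guide.
DENIED_EXECUTION = 9000
ALLOWED_EXECUTION = 9001        # may fire several times for one launch
NETWORK_ITEM_DENIED = 9013
APPLICATION_STARTED = 9015      # one event per launch; use this for run counts
HIGH_VOLUME_EVENTS = {9001, 9007, 9014}   # disabled by default; enable only while troubleshooting

# Constructed sample of a local CSV file log. The real file lives at
# %SYSTEMDRIVE%\AppSenseLogs\Auditing\ApplicationManagerEvents_%COMPUTERNAME%.csv;
# the guide does not document its columns, so this five-column layout is an assumption.
SAMPLE_CSV = r"""Timestamp,EventID,Computer,User,Path
2009-11-02T09:00:01,9001,WS01,CORP\jsmith,C:\Program Files\Office\winword.exe
2009-11-02T09:00:01,9001,WS01,CORP\jsmith,C:\Program Files\Office\winword.exe
2009-11-02T09:00:02,9015,WS01,CORP\jsmith,C:\Program Files\Office\winword.exe
2009-11-02T09:05:10,9000,WS01,CORP\jsmith,C:\Users\jsmith\Downloads\keygen.exe
2009-11-02T09:06:00,9000,WS01,CORP\jsmith,C:\Users\jsmith\Downloads\keygen.exe
2009-11-02T10:15:30,9001,WS02,CORP\adoe,C:\Windows\System32\calc.exe
2009-11-02T10:15:30,9015,WS02,CORP\adoe,C:\Windows\System32\calc.exe
2009-11-02T10:20:00,9013,WS02,CORP\adoe,\\fileserver\finance
"""


def read_events(text: str) -> List[dict]:
    """Parse the CSV log into dicts, converting EventID to int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["EventID"] = int(row["EventID"])
        events.append(row)
    return events


def anonymize(event: dict) -> dict:
    """Apply 'Make events anonymous': drop computer and user name, and replace every
    directory in the path whose name equals the user name with USERNAME."""
    user = event["User"].split("\\")[-1].lower()
    parts = event["Path"].split("\\")
    dirs = ["USERNAME" if p.lower() == user else p for p in parts[:-1]]
    return dict(event, Computer="", User="", Path="\\".join(dirs + parts[-1:]))


def count_by_event(events: Iterable[dict], event_id: int) -> Counter:
    """(user, path) pairs seen for one event ID."""
    return Counter((e["User"], e["Path"]) for e in events if e["EventID"] == event_id)


def denied_executions_by_user(events: Iterable[dict]) -> Counter:
    """How many prohibited execution requests (9000) each user generated."""
    return Counter(e["User"] for e in events if e["EventID"] == DENIED_EXECUTION)


def run_count_discrepancies(events: List[dict]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Where 9001 and 9015 disagree on how many times a user ran a program: (count_9001, count_9015)."""
    by_9001 = count_by_event(events, ALLOWED_EXECUTION)
    by_9015 = count_by_event(events, APPLICATION_STARTED)
    return {key: (by_9001[key], by_9015[key])
            for key in set(by_9001) | set(by_9015)
            if by_9001[key] != by_9015[key]}


def high_volume_selected(selected_ids: Iterable[int]) -> List[int]:
    """The IDs in an event-filter selection that the console warns about."""
    return sorted(HIGH_VOLUME_EVENTS & set(selected_ids))


if __name__ == "__main__":
    evs = read_events(SAMPLE_CSV)
    print(denied_executions_by_user(evs))
    print(run_count_discrepancies(evs))
    print(anonymize(evs[3])["Path"])
```

On the sample, winword.exe shows two 9001 events but one 9015 event for the same launch, which is exactly the over-count the footnote warns about; the anonymised path for the denied keygen.exe comes back as C:\Users\USERNAME\Downloads\keygen.exe with the user and computer fields blank.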


Event Filtering

Select to display the Event Filtering dialog box.

File Event Filtering

Enable event filtering

Select to enable event filtering. Enabled by default.

File and Event IDs

Select the files to audit for each event. You can add or delete files from the list.

11 Configuration Profiler

This section provides information on the Configuration Profiler and includes the following:

Report Type

Report Criteria

Report Output

Report Type

The Configuration Profiler allows administrators to report on configurations stored locally or in the central database. General reports are produced to assist auditing and compliance, such as Sarbanes-Oxley or HIPAA. Custom reports can be produced for specific users, applications and devices to assist troubleshooting of large configurations.

The configuration profiler is a basic reporting tool that can be used to generate quick reports based on the details of a loaded product configuration. The report can be generated in the following ways:

Complete Report - Produces a report which includes all aspects of the configuration.

Report based on specific criteria - Produces a report which is based on the specified criteria as selected in the Report Criteria section.

Report Criteria

Use the criteria to specify what is to be included in the report.

Enter the value to match for any of the following:

User

Group

File

Folder

Network Connection

Device

Report Output

The report output is produced in sections and sub-sections.

In the preview window you can change the following:

Paper

Size

Watermarks

Options to save the report in various formats, for example PDF, and to print the report are also available from this preview view.

12 Best Practices

This section provides information about best practices for managing your Application Manager configuration and includes the following:

General Application Manager

Use NTFS Security

Install Applications with an Administrative Account

Take Ownership of Applications Requested by Users

Selectively Disable Trusted Ownership

Use Signature Checking Selectively

Prohibit Access to System Applications

Use Folders to Simplify Configurations

Use Group Accounts in preference to User Accounts

Use Environment Variables for Generic Configurations

Audit Unauthorized Activity

Scripted Rules

Use Scripted Rules to Allow Items

Use Scripts to Query Information

Use Validated Scripts Only

Application Network Access Control

Working With Streamed Applications

Avoid Whitelisting Websites

Control company network infrastructure

Configuring reverse DNS lookup entries

Endpoint Analysis

When to run Installed Applications scan

Period to run Usage Scan


Order to run scans

Use NTFS Security

Application Manager provides optimum protection when used in conjunction with NTFS file system security. Trusted Ownership interrogates the owner of all application files and ensures that only applications installed, or files introduced, by a trusted user are allowed to run. A trusted user is an administrator or the System account, by default. With this single check, Application Manager prevents all user-introduced applications from running and so prevents the biggest potential threat to system integrity and stability.

Use NTFS security to lock down all authorized applications and system files where possible, to prevent end users from deleting or overwriting important application and system files.

Install Applications with an Administrative Account

Avoid installing applications or copying application files onto a system with a non-administrative user account, as this results in the applications being blocked by Trusted Ownership checking.

In addition, install all ActiveX components that users may require with an administrative account.

Take Ownership of Applications Requested by Users

Where possible, an administrator should either install or take ownership of any applications requested by users. Do not simply add these files as Accessible Items and disable Trusted Ownership checking. Taking administrative ownership of all application files provides a more secure solution.

Selectively Disable Trusted Ownership

Only disable Trusted Ownership checking as a last resort. It should be possible to disable Trusted Ownership checking on individual files or folders, rather than turning off Trusted Ownership checking completely. The only scenario where Trusted Ownership should need to be disabled on a file is where application files, such as DLLs, are copied during logon processing or created in real time. Where possible, try to avoid this behavior, especially if alternative strategies are available that can keep ownership of application files with the administrator.

Use Signature Checking Selectively

If you have to disable Trusted Ownership checking on an application file, this is an ideal situation to force a signature check of the file. This ensures that if the file is modified by a user, Application Manager detects the signature change and prevents the application from launching.

Although you can use a white list approach and create a rule that uses signature checking for each and every application file, this creates extensive rules that can become difficult to manage and maintain.

By default, all applications on non-NTFS formatted drives are not trusted and execution requests are blocked. It is highly recommended to use digital signatures for files on non-NTFS formatted drives by adding the signatures to the Accessible Items list to allow applications to run.


Signature checking can be used in a more effective way by securing application files that cannot be protected by the default Trusted Ownership checking. The combination of generic Trusted Ownership checks with specific signature checks as necessary provides a secure, but easily maintainable solution.

TO PERFORM DIGITAL SIGNATURE CHECKING ON A FILE

1. Highlight the Signature Group Management node.

2. Click the Add Group ribbon button to create a new group with the name Calc.

3. Click the Add Item ribbon button. The Open dialog displays.

4. Locate the Calc.exe file in the Windows System32 folder and click Open.

A digital signature is added to the file and the file is added to the group items list.

5. Add a new User Rule for a test user and highlight the Accessible Items list.

6. Click the Add Item ribbon button. The Select Signature Groups dialog box displays.

7. Select the Calc group.

8. Click OK.

9. Save the configuration.

10. Log on as a non-administrative user and copy calc.exe from system32 into a temp directory. This will change the ownership of the file to the user, who is not a trusted user. Normally, the user would be unable to execute this copied application, but as the signature of the copied application matches the stored signature in the configuration, the executable is allowed to run.

11. Log in as an administrator and delete the copy of calc.exe from the temp directory.

12. Create a copy of Notepad.exe from the original in system32 into the temp directory and rename the Notepad.exe copy to calc.exe.

13. Log on as the user again, and attempt to run Notepad.exe.

The executable is not allowed to run because the signature of the executable does not match the stored signature in the configuration.
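As an added example that is not part of the guide or AppSense's own code, the following PowerShell script models the two checks described above, Trusted Ownership first and then a SHA-1 signature allowlist, and replays the calc.exe and notepad.exe steps in a scratch folder. The trusted-owner list, the scratch folder name and the function names are assumptions made for the demonstration.

```powershell
# Added example, not AppSense code: models the decision the guide describes,
# Trusted Ownership first, then a SHA-1 signature allowlist as the fallback.
# Assumes a Windows host with Windows PowerShell 4.0 or later (Get-FileHash).
# The guide only states that administrators and the System account are trusted
# by default; the list below is constructed for this demonstration.
$TrustedOwners = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller'   # assumption: owner of most System32 binaries on Vista/2008
)

function Get-FileSha1 {
    param([Parameter(Mandatory = $true)][string]$Path)
    # SHA-1 is the algorithm the guide's glossary names for digital signatures.
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
}

function Get-ExecutionDecision {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$SignatureAllowList = @()   # SHA-1 hashes of a Signature Group
    )
    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($TrustedOwners -contains $owner) {
        $decision = 'Allowed'; $reason = 'Trusted Ownership'
    } elseif ($SignatureAllowList -contains (Get-FileSha1 -Path $Path)) {
        # Ownership failed, but the content is exactly the file the administrator signed.
        $decision = 'Allowed'; $reason = 'Signature match'
    } else {
        # A renamed or modified file has a different hash, so it stays blocked.
        $decision = 'Blocked'; $reason = 'Untrusted owner and no signature match'
    }
    return [pscustomobject]@{ Path = $Path; Owner = $owner; Decision = $decision; Reason = $reason }
}

function Find-UntrustedBinaries {
    # Reports executables under $Root that Trusted Ownership alone would block, so an
    # administrator can take ownership (for example with takeown /A) rather than
    # disabling the check, as the guide recommends.
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string[]]$Extensions = @('.exe', '.dll', '.com', '.scr')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-ExecutionDecision -Path $_.FullName } |
        Where-Object { $_.Decision -eq 'Blocked' }
}

# Replay the calc.exe procedure from the guide in a scratch folder (constructed name).
$system32  = Join-Path $env:SystemRoot 'System32'
$allowList = @( Get-FileSha1 -Path (Join-Path $system32 'calc.exe') )   # the "Calc" signature group

$scratch = Join-Path $env:TEMP 'am-signature-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Copy-Item (Join-Path $system32 'calc.exe')    (Join-Path $scratch 'calc.exe')
# Stands in for step 12 (notepad.exe renamed to calc.exe); a distinct name keeps both copies side by side.
Copy-Item (Join-Path $system32 'notepad.exe') (Join-Path $scratch 'renamed-calc.exe')

# Run as a standard (non-administrative) user to reproduce steps 10 to 13: both copies are
# owned by that user, so only the genuine calc.exe copy is allowed, and only via its signature.
# Run by an administrator, both copies are owned by BUILTIN\Administrators and pass Trusted Ownership.
Get-ChildItem -LiteralPath $scratch -File |
    ForEach-Object { Get-ExecutionDecision -Path $_.FullName -SignatureAllowList $allowList } |
    Format-Table Decision, Reason, Owner, Path -AutoSize
```

Find-UntrustedBinaries can be pointed at a folder of user-installed software to list what will be blocked before a configuration is deployed.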

Prohibit Access to System Applications

Use Prohibited Items to restrict access to system applications, such as registry editing tools (regedit.exe and regedt32.exe), and any other tools that a user could misuse to find or exploit weaknesses in system security.

Use Folders to Simplify Configurations

Where multiple files are located in a single folder, try to use folders in Prohibited Items and Accessible Items to simplify the configuration. This maintains a concise configuration that is easier to manage.

Use Group Accounts in preference to User Accounts

Where possible, use Windows groups when configuring exceptions and overrides, as groups are easier to maintain than individual user accounts. Only specify user accounts where an appropriate group does not exist.


Use Environment Variables for Generic Configurations

All drive, folder and file paths in Application Manager can be defined in terms of environment variables. For instance, after adding a file from the system32 directory, right-click on the file path and select Replace with Environment Variables. This replaces the Windows directory with the generic environment variable %SystemRoot%.

Environment variables enable you to deploy generic configurations to workstations or servers with minor configuration variations, such as different system drive letters or Windows installation directory names.

Audit Unauthorized Activity

We recommend you create an auditing configuration that logs events to the application event logs each time users try to execute prohibited applications.

Although Application Manager deters the majority of users, effective auditing can pinpoint those users who continually attempt to run prohibited applications. In particular, any attempts by users to run applications that pose a security risk, such as password crackers, need to be identified.
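An added example, not from the guide: the following PowerShell summarises Application Manager audit events in the way this practice suggests, counting application runs from event 9015 only (see the footnote to Table 10.1) and flagging users with repeated Warning-level events. The event records are constructed, and the field names (Id, User, Item, Time) are assumptions to be mapped from the real log entries.

```powershell
# Added example, not AppSense code. Event IDs and log types below are taken from
# Table 10.1 of the guide; record fields and sample data are constructed.
$EventCatalogue = @{
    9007 = @{ Name = 'Self-Authorized allow';  Level = 'Warning' }
    9009 = @{ Name = 'Scripted Rule Timeout';  Level = 'Warning' }
    9010 = @{ Name = 'Scripted Rule Fail';     Level = 'Warning' }
    9011 = @{ Name = 'Scripted Rule Success';  Level = 'Information' }
    9012 = @{ Name = 'Trusted Vendor Denial';  Level = 'Warning' }
    9013 = @{ Name = 'Network Item denied';    Level = 'Warning' }
    9014 = @{ Name = 'Network Item allowed';   Level = 'Information' }
    9015 = @{ Name = 'Application Started';    Level = 'Information' }
    9095 = @{ Name = 'Not configured';         Level = 'Warning' }
    9099 = @{ Name = 'Agent not licensed';     Level = 'Error' }
}

function New-AmEvent {
    # Minimal record shape (assumed); map it from Get-WinEvent output on a live host.
    param([int]$Id, [string]$User, [string]$Item, [datetime]$Time)
    return [pscustomobject]@{ Id = $Id; User = $User; Item = $Item; Time = $Time }
}

# Constructed sample: one run of calc.exe by alice emits three 9001 records and a
# single 9015 record (the duplication the guide's footnote warns about); bob
# repeatedly triggers Trusted Vendor and Network Item denials.
$t = Get-Date '2009-06-01 09:00:00'
$SampleEvents = @(
    (New-AmEvent 9001 'CORP\alice' 'C:\Windows\System32\calc.exe'    $t),
    (New-AmEvent 9001 'CORP\alice' 'C:\Windows\System32\calc.exe'    $t.AddMilliseconds(20)),
    (New-AmEvent 9001 'CORP\alice' 'C:\Windows\System32\calc.exe'    $t.AddMilliseconds(40)),
    (New-AmEvent 9015 'CORP\alice' 'C:\Windows\System32\calc.exe'    $t.AddMilliseconds(50)),
    (New-AmEvent 9012 'CORP\bob'   'C:\Users\bob\Desktop\tool.exe'   $t.AddMinutes(1)),
    (New-AmEvent 9012 'CORP\bob'   'C:\Users\bob\Desktop\tool.exe'   $t.AddMinutes(2)),
    (New-AmEvent 9013 'CORP\bob'   'ftp.example.net'                 $t.AddMinutes(3)),
    (New-AmEvent 9012 'CORP\bob'   'C:\Users\bob\Desktop\tool.exe'   $t.AddMinutes(4)),
    (New-AmEvent 9015 'CORP\bob'   'C:\Windows\System32\notepad.exe' $t.AddMinutes(5))
)

function Get-ApplicationRunCount {
    # Counts runs from 9015 only, as the guide recommends; 9001 is ignored because
    # a single execution request can produce several of them.
    param([Parameter(Mandatory = $true)][object[]]$Events)
    $Events | Where-Object { $_.Id -eq 9015 } |
        Group-Object User, Item |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Group[0].User; Item = $_.Group[0].Item; Runs = $_.Count }
        }
}

function Get-RepeatOffenders {
    # Users with more Warning-level events (denials, self-authorizations, script
    # failures) than $Threshold: the "continually attempt" pattern the guide describes.
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,
        [int]$Threshold = 2
    )
    $Events |
        Where-Object { $EventCatalogue.ContainsKey($_.Id) -and $EventCatalogue[$_.Id].Level -eq 'Warning' } |
        Group-Object User |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            $g = $_
            [pscustomobject]@{
                User     = $g.Name
                Warnings = $g.Count
                EventIds = ($g.Group | ForEach-Object { $_.Id } | Sort-Object -Unique) -join ','
            }
        }
}

# alice: 1 run of calc.exe (not 3); bob is listed with 4 warnings (9012,9013).
Get-ApplicationRunCount -Events $SampleEvents | Format-Table -AutoSize
Get-RepeatOffenders     -Events $SampleEvents | Format-Table -AutoSize
```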

Use Scripted Rules to Allow Items

Since scripted rules do not apply settings until the script is complete, use scripted rules for allowing items in the Accessible Items list rather than prohibiting items in the Prohibited Items list.

We recommend that Application Manager blocks an item until the scripted rule allows the item to run. Otherwise, your system can be exposed in any of the following scenarios:

Depending on how you set up the rule, your settings may not be enforced until after the user logon is complete.

In the event that the scripted rule times out, the rule settings do not apply.

In the event that the Scripted Rule fails to complete because of an error in the script, the rule settings do not apply.

Use Scripts to Query Information

We recommend you use scripts only to query information, not to perform tasks or activities.

Use Validated Scripts Only

Running scripts can cause serious damage to your system; scripts should only be created and enabled by authors with experience of scripting using VBScript.

Working With Streamed Applications

For details on working with streamed applications, refer to the Streamed Applications appendix.

Avoid Whitelisting Websites

Allow access to all network resources and prohibit the specific network resources to which access should be blocked, rather than prohibiting all network resources and making specific network resources accessible.

Control company network infrastructure

Application Network Access Control is designed to control company network infrastructure and is not a recommended web filtering tool.

Configuring reverse DNS lookup entries

If using the engineering keys to configure reverse DNS lookup entries, only add IP addresses that are within the company network infrastructure to the relevant engineering key.

For further information on the use of reverse DNS lookups in Application Network Access Control, refer to the appendix Application Network Access Control and Reverse DNS Lookup.

Add IP Addresses to prohibit network connection

When prohibiting a network connection, add both a Host Name and an IP Address to fully prohibit it.

When to run Installed Applications scan

Run the Installed Applications scan at low usage times to help prevent any possible delays, for example out of hours or when users have logged off.

Period to run Usage Scan

You should record user data for a minimum of 5 days to ensure all applications are captured.

If you shut down while an Application Usage Scan is taking place, the scan carries on from where it stopped once the machine is restarted.

Order to run scans

Run the Installed Applications scan first to produce an initial list of installed applications, and then run the Usage scan so that the results can be checked against the installed applications list to see if any applications are missing.

APPENDIXES

This section provides additional or supporting information about topics covered in the Guide and includes:

System Requirements

Working with Scripted Rules

Licensing

Application Network Access Control and Reverse DNS Lookup

Streamed Applications

A System Requirements

This appendix provides details on the System Requirements for AppSense Application Manager.

Supported Operating Systems

The following 32-bit and 64-bit Operating Systems are supported:

Microsoft Windows XP SP2

Microsoft Windows Server 2003 SP1 (including Terminal Services)

Microsoft Windows Vista

Microsoft Windows Server 2008 (including Terminal Services)

Supported Technologies

Citrix XenApp

Citrix XenDesktop

Installed Components

The following components are installed as part of the AppSense Management Suite Installer:

Windows Installer 3.1 Redistributable (v2)

Microsoft Core XML Services (MSXML) 6.0

Microsoft .NET Framework 2.0 Redistributable Package

Microsoft Visual C++ 2005 SP1 Redistributable package

For details on working with AppSense Application Manager and Streamed Applications refer to the Streamed Applications appendix.

B Working with Scripted Rules

This section provides details about creating the scripts used in scripted rules, includes sample scripts, and covers the following:

About Scripted Rules

Writing a Script

Sample Scripts

Best Practices

About Scripted Rules

Scripted Rules allow the administrator to base configuration rules on any conditions, not just users, groups and devices. Scripts are written in VBScript, and allow access to any information accessible via COM, WMI, or any other scripting interfaces available to VBScript.

A script must return a True value to enforce rule settings, which include Security Level, Accessible Items, Prohibited Items and Trusted Vendors.

Scripts can run:

For every user that logs on, either as the user or as SYSTEM.

Once per computer. Rule settings are enforced for all users.

At agent startup.

Whenever there is a configuration change.

Writing a Script

Each script is run within a hosted script engine, allowing greater control over script execution and providing a high degree of input and output control.

No VBS file is used.

No separate process is spawned.

A script must be written as a function. The script can contain many functions, but a main start function must be specified. The start function is run by the Application Manager agent. Other functions can be called by the start function.

The start function must return a True value for the script to pass and apply the rule settings. Otherwise, the start function returns False, by default, and the rule does not apply.


The AMScriptRule COM object is built into the scripting engine and provides access to the following properties:

strUsername = AMScriptRule.UserName

strUserdomain = AMScriptRule.UserDomain

strSessionid = AMScriptRule.SessionID

strStationname = AMScriptRule.WinStation

The Microsoft standard in this instance means that WinStation returns the name of the Terminal Services session, which is determined by the type of session, with typical values being 'Console' or 'RDP-Tcp#34', rather than the Window Station name, which is typically WinSta0.

The AMScriptRule COM object also includes the following methods:

AMScriptRule.Log "My Log Statement"

Allows you to output logging strings to the agent log file for use with debugging scripted rules.

strEnvironmentvar = AMScriptRule.ExpandEnvironment ("%MyEnvironmentVariables%")

Expands environment variables of the user running the script.

Using WScript.Shell to expand environment variables only returns SYSTEM variables.

Sample Scripts

The following are sample scripts:

SCRIPTABLE RULE TO DETERMINE IF A USER IS A MEMBER OF A CERTAIN OU

The following sample script shows the main components of a script and demonstrates how to access information about the username of the user logging on to the system, and match it with a specific domain and organizational unit:

Function MyScript()
    'The function returns False unless a username match is found below
    MyScript = False

    'Get the username of the user logging in (also works when running as SYSTEM)
    strUserName = AMScriptRule.UserName

    'Get the domain of the user logging in (also works when running as SYSTEM)
    strUserDomain = AMScriptRule.UserDomain

    'Look up user environment variables (when running as SYSTEM, only SYSTEM variables are available)
    strClientName = AMScriptRule.ExpandEnvironment ("%ClientName%")

    'Log the output
    AMScriptRule.Log strUserName & " logged in on " & strClientName

    'Check if the user is a member of the domain
    If strUserDomain = "MyDomain" Then
        'If so, see if the user is in the MyOU OU
        Set objOU = GetObject ("LDAP://ou=MyOU,dc=MyDomain,dc=com")
        objOU.Filter = Array("user")
        For Each objUser In objOU
            'Check if there is a match with the user logging on
            If objUser.sAMAccountName = strUserName Then
                'If there is, then set the function to True
                MyScript = True
            End If
        Next
    End If
    'Unless there is a username match, the function defaults to False
End Function

SCRIPTABLE RULE TO DETERMINE IF AN AAC FILTER HAS BEEN PASSED

The following script demonstrates how to control the applications to which a user has access.

Function ScriptedRule()
    'Name of Filter scan expected to pass
    ExpectedFilter = "FWALL"

    'Get Server Name
    Set objNTInfo = CreateObject ("WinNTSystemInfo")
    ServerName = LCase (objNTInfo.ComputerName)

    'Set initial return value
    ScriptedRule = False

    'Create MetaFrame Session Object
    Set MFSession = CreateObject ("MetaFrameCOM.MetaFrameSession")

    'Initialize the session filters for this session
    For Each x In MFSession.SmartAccessFilters
        'Return True if our filter is found
        If x = ExpectedFilter Then
            ScriptedRule = True
            AMScriptRule.Log "SmartAccessFilter match found."
        End If
    Next
End Function

Best Practices

The following are recommended as best practices for creating and running scripted rules:

Use Scripted Rules to Allow Items

Since Scripted rules do not apply settings until the script is complete, use scripted rules for allowing items in the Accessible Items list rather than prohibiting items in the Prohibited Items list.

We recommend Application Manager blocks an item until the scripted rule allows the item to run. Otherwise, your system can be exposed to challenges in any of the following scenarios:

Depending on how you set up the rule, your settings may not be enforced until after the user logon is complete.


In the event that the scripted rule times out, the rule settings do not apply.

In the event that the Scripted Rule fails to complete because of an error in the script, the rule settings do not apply.

Use Scripts to Query Information

We recommend you use scripts only to query information, not perform tasks or activities.

Use Validated Scripts Only

Running scripts can cause serious damage to your system and should only be created and enabled by authors with experience of scripting using VBScript.

C Application Network Access Control and Reverse DNS Lookup

This appendix provides details on extending Application Network Access Control to use reverse DNS lookups.

The Application Network Access Control feature can use reverse DNS lookups when evaluating Network Connection rules. The feature is turned off by default, as the time taken to retrieve this information from DNS servers may degrade the performance of network applications.

Enabling this feature makes the network rules more effective in situations where users or applications request network resources by IP address while the configuration is based on host names.

The reverse DNS lookups can be enabled by configuring a set of engineering keys.

For further information refer to the AppSense Application Manager Engineering Keys Guide.

This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS servers.

D Licensing

The AppSense Management Suite Licensing Console allows you to create and manage AppSense product licenses.

This section provides details about using the console, and includes the following:

About License Manager

Managing Licenses

Troubleshooting

About License Manager

The AppSense Management Suite Licensing Console allows you to manage individual AppSense product licenses, full Management Suite licenses and evaluation licenses for computers operating in Standalone mode.

The console allows you to:

Manage licenses for single products, the AppSense Management Suite or Evaluation licenses.

Export license packages to MSI file format for saving to the AppSense Management Center or other computers which can be remotely accessed.

Import and manage licenses from MSI file format.

An installation requires one of the license codes shown in Table D.1.

For information about Enterprise license management and deployment, see the AppSense Management Center Administration Guide.

We recommend using the Management Center Enterprise Licensing for Enterprise installations.

Table D.1 AppSense License Types

License  Description  Activate

AppSense Management Suite  Full Suite license.  Requires activation using the activation code sent from AppSense Ltd. with the license code.

Application Manager  Single product license.  Requires activation using the activation code sent from AppSense with the license code.

Evaluation  Full Suite or single product licenses. Evaluation licenses are available during the first installation of the product and are valid for 21 days.  Does not require activation.

Managing Licenses

The following procedures show how to add and activate a new license, and how to import and export licenses to Microsoft Windows Installer (*.msi) files for distribution to other computers or to back up a set of licenses.

ADD AND ACTIVATE A LICENSE

1. Click Add to create a new entry in the license grid and enter the license code in the License Code entry box.

You can manually enter each digit or copy and paste the license straight in to the entry box.

When a license entry is highlighted, a description displays in the lower portion of the console and includes the following details:

License Code

License State: Not Activated, Valid, Invalid

Expiry Date

Description – indicates the number of days remaining.

A license remains invalid until a code is entered in the Activation Code column. Evaluation licenses do not require activation.

2. Click Activate to enter the activation code by entering each digit manually or copy and paste the activation code directly in to the Activation Code entry box, and click Enter.

The description in the grid view updates with the license information as do the details about the license validation status and, where relevant, the expiry date, in the lower portion of the console.

Once a license is active, the icon changes to indicate the current license state.

3. Save the configuration to confirm your settings.

TO IMPORT A LICENSE FILE

1. Click Import to display the file Open dialog box and navigate to the location of the license MSI file.

2. Click Open to load the license file in the Management Suite Licensing Console.

TO EXPORT A LICENSE FILE

1. Click Export to display the file Save As dialog box and browse to the location for saving the license MSI file.

2. Provide a name for the file and click Save to save the file.

You can copy this file to any network location and load the file in the Management Suite Licensing Console or in Management Center Enterprise Licensing.

Troubleshooting

I received an AppSense license, what do I do?

If you have received an AppSense product license from AppSense, you can load the license by launching the Management Suite Licensing Console on your client computer and entering the license code and activation code.

Enter the product license exactly as received. Once a license has been successfully entered, the system updates the description details stating the products and duration for which the license is valid.

I have entered an AppSense license, but it is for evaluation, what does this mean?

If you are trying an AppSense product before purchasing, the product installs with an option to automatically install an evaluation license. Evaluation licenses are limited to 21 days, during which time you can familiarise yourself with the product.

Once the expiry date has been reached, contact AppSense to obtain a full license to continue using the product.

I have entered an AppSense license, but it says it is not activated, why?

AppSense licenses require activation, apart from evaluation licenses, before they can be used. Activation codes are provided by AppSense. Activate a license by entering the activation code.

For more information, see Managing Licenses.

I have tried to enter an AppSense license, but it says it is invalid, what can I do?

Check that the license code has been typed correctly. Check it is a license code and not an activation code that has been entered.

If you are still sure you have entered the license correctly but it is not accepted, contact AppSense support.

E Streamed Applications

This section provides details on how to allow Application Manager to work with applications provisioned via the following streaming technologies:

Citrix XenApp

Citrix XenApp

To set up Citrix XenApp streaming applications to work with certain elements of Application Manager, you need to specify certain exclusions, as follows:

1. Navigate to Citrix Streaming Profiler for Windows.

2. Open the Application Profile.

3. Highlight the relevant Target and select the Edit menu.

4. Select Target Properties.

The Target Properties screen displays.

5. Select Rules.

The Rules work area displays on the right hand side.

6. Click Add in the Rules work area.

The New Rule Select Action and Objects dialog box displays.

7. In the Action section leave the default setting as Ignore.

8. In the Object section select Named Objects and click Next.

The New Rule Select Objects dialog box displays.

9. Select Some Named Objects and click Add.

The Choose Named Object dialog box displays.

10. Add \??\pipe\Appsense* and click OK.

This displays in Named Objects on the New Rule Select Objects dialog box.


11. Click Next to display the New Rule Name Rule dialog box.

12. Enter a name for the rule or accept the default and click Finish.

13. Click OK.

The Target Properties screen re-displays and the Ignore all named objects rule is now listed in the work area on the right hand side.

14. Save the Profile.

15. Repeat for each Application Profile as required.

GLOSSARY

AAC

Accessible Items

Agent

Application Limit

Audit Only

CCA

Configuration

Configuration File

Configuration Profiler

Console

Deploy

Digital Signature

Event

Node

OU

Prohibited Items

Rule

Security Level

Security Identifier

Self-Authorizing User

SID

Time Limits

Trusted Applications

Trusted Ownership

Trusted Vendors

Wildcards


AAC

Citrix Advanced Access Control.

Accessible Items

Accessible Items are files, folders, drives or digitally signed files or groups of files in an Application Manager configuration Rule which are allowed to run when file execution requests are matched with the rule security settings and would otherwise be prohibited by other configuration settings.

See also: Prohibited Items and Trusted Vendors

Agent

A proactive software component which implements the product configuration rules. For example, the Application Manager Agent is software that runs as a Windows service to validate execute requests according to the rules in the configuration installed on a computer.

Application Limit

Application Limits specify the number of instances of an application a user can run. An application limit can be applied to an item in the Accessible Items node.

Audit Only

Security Level assigned to users, groups or devices in an Application Manager Rule which audits events according to the Auditing Configuration without applying the rule. Used for passive monitoring in evaluations to assess application usage on the host environment.

CCA

Client Communications Agent. Installed on computers operating in an Enterprise installation to provide a link between the product agent running on a managed computer and the AppSense Management Center.

The CCA sends event data generated by the product agents to the Management Server and also polls the Management Server to manage the download and installation for software configuration, agent and package updates.

The CCA can be downloaded and installed directly on managed machines from the Management Server website.

Configuration

The Application Manager configuration consists of lists of files/folders that you have decided should be Accessible Items, Prohibited Items and Trusted Vendors. The configuration also contains optional settings and text to be displayed to the user. A configuration is created and managed using the Application Manager Console and used by the Application Manager Agent and is saved in Application Manager Package Files (*.aamp). The agent uses the configuration settings to determine whether or not an execute request is to be denied.

Configuration File

An Application Manager configuration exported from the Console and saved in Windows Installer (.MSI) file format. The file can be installed on any computer; the configuration rules are applied when an Application Manager Agent is present and running as a service on that computer.

Configuration Profiler

Generates reports detailing the current settings in the Configuration. Filtering options allow you to query settings affecting specific users or groups, devices, and files or folders.

Console

AppSense Application Manager software interface.

Deploy

To deliver a configuration or AppSense software component to one or more computers, which can include the local machine.

Digital Signature

Application Manager uses the SHA-1 algorithm to compute what it calls a digital signature: a hash of the file's content which uniquely identifies the file. Note that this is a content hash, not a publisher's code-signing signature; for certificate-based trust see Trusted Vendors.

The signature can be used as a security measure when adding files as Accessible Items or Prohibited Items.

Signatures can also be used to allow applications on non-NTFS formatted drives to run, which Application Manager would otherwise block by default. Add the digital signatures to the Accessible Items list and disable Trusted Ownership checking for the individual files. Signature Group Management provides easier administration for large groups of signatures.

Accessible Items with digital signatures verify that the file the user is attempting to run is actually the file the administrator permitted, rather than another file placed at the same path.

Prohibited Items with digital signatures ensure the file is always prevented from executing, even when the user renames or moves it, because the hash is computed over the content rather than the path. The converse also holds: any change to the content, such as a vendor patch, produces a different hash, so signature entries must be refreshed whenever the file is updated or the entry silently stops matching.

Event

An Event is generated by Application Manager to report file execution requests, overwrites or renames and Self-Authorizing User decisions. The event number indicates the outcome of the request. Events are logged according to the method set up in the Auditing node.

Node

A branch in the navigation tree of the Application Manager Console.

OU

Organizational Unit. A container that holds users and computers in Active Directory.

Prohibited Items

Prohibited Items are files, folders, drives or digitally signed files or groups of files specified in an Application Manager Rule which are not allowed to run when file execution requests are matched with the rule security settings and would otherwise be allowed by other configuration settings.

See also: Accessible Items and Trusted Vendors

Rule

A configuration Rule assigns a Security Level to specified users, groups, devices or combinations of these, and contains the control lists for Accessible Items, Prohibited Items and Trusted Vendors. Application Manager intercepts kernel-level file execution requests and matches them against the configuration rules to enforce its security controls.

Security Level

Application Manager configuration Rule settings include a Security Level which specifies how requests to run unauthorized applications are handled for the users, groups or devices the rule matches.

Restricted — Only authorized applications can run. These are files owned by members of the Trusted Owners list and files matched by Accessible Items, Trusted Vendors and Trusted Applications.

Self-Authorizing — Users are prompted to decide whether to block or run an unauthorized file on the host device.

Audit only — All execution requests are permitted, but events are logged and audited for monitoring purposes.

Unrestricted — All execution requests are permitted without event logging or auditing.

Only the Restricted and Self-Authorizing levels can deny an execution request. Audit only is useful for piloting a configuration before enforcing it; Unrestricted neither enforces nor leaves an audit trail.

Security Identifier

(SID) A variable-length data structure that identifies user, group and computer accounts. Every account on a network is issued a unique SID when it is first created, and internal Windows processes refer to an account by its SID rather than by its user or group name. Application Manager likewise stores a user or group as its SID, unless the SID could not be found when the entry was added to the configuration.

Self-Authorizing User

User, group or device granted control to choose whether to block or run an unauthorized application on the host computer. The Self-authorizing Security Level can be assigned in an Application Manager Rule to match a file execute request for users, groups or devices.

SID

See Security Identifier.

Time Limits

Settings applied to entries in the Accessible Items and Prohibited Items nodes of an Application Manager Rule which determine the days and time ranges during which the entry's control applies.

For example, an entry in the Prohibited Items node of a rule can prevent users from running the local web browser except between 12pm and 2pm on specific days of the week.
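The browser example above, worked through in Python as an added illustration (this is not AppSense code and does not reflect how the product stores Time Limits). Because Time Limits describe when a control applies, the lunch-time exception is modelled as the gap between two prohibition windows. The browser path, the weekday set and the `moment` helper are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Weekday numbers follow datetime.weekday(): Monday = 0 ... Sunday = 6.
WEEKDAYS = frozenset(range(5))


@dataclass(frozen=True)
class TimeWindow:
    """A day/time range during which an entry's control is in force."""
    days: frozenset      # weekdays the window covers
    start: time          # inclusive
    end: time            # exclusive; time(0, 0) means "until the end of the day"

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        clock = when.time()
        if self.end == time(0, 0):
            return clock >= self.start
        return self.start <= clock < self.end


@dataclass(frozen=True)
class TimedEntry:
    """An Accessible or Prohibited Items entry carrying optional Time Limits."""
    path: str
    windows: tuple = ()  # no windows: the entry applies at all times

    def applies_at(self, when: datetime) -> bool:
        return not self.windows or any(w.contains(when) for w in self.windows)


# Constructed example: prohibit the browser on weekdays except between 12:00 and 14:00.
# Time Limits say when the control APPLIES, so the lunch break is the gap left between
# two prohibition windows rather than a window of its own.
BROWSER_LOCKOUT = TimedEntry(
    path=r"c:\program files\internet explorer\iexplore.exe",  # hypothetical path
    windows=(
        TimeWindow(WEEKDAYS, time(0, 0), time(12, 0)),
        TimeWindow(WEEKDAYS, time(14, 0), time(0, 0)),
    ),
)


def moment(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Readable constructor for the timestamps used in the checks below."""
    return datetime(year, month, day, hour, minute)


def browser_prohibited(when: datetime, entry: TimedEntry = BROWSER_LOCKOUT) -> bool:
    """True when the Prohibited Items entry blocks the browser at the given moment."""
    return entry.applies_at(when)
```

Boundaries are half-open (`start` inclusive, `end` exclusive) so adjacent windows neither overlap nor leave a gap; 2024-01-15 is a Monday and 2024-01-13 a Saturday in the checks.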

Page 106: AppSense%20Application%20Manager%20Administration%20Guide

APPSENSE APPLICATION MANAGER ADMINISTRATION GUIDE GLOSSARY TRUSTED APPLICATIONSWildcards

97

Trusted Applications

Trusted Applications are files which the Application Manager configuration authorizes to run and which may in turn execute files that are normally prohibited. Trusted Applications are designated in the Default Rules, together with their Trusted Content: files that are normally prohibited but are allowed when executed as a child process of the associated Trusted Application.

For example, essential applications such as antivirus update software are usually allowed to run, but may depend on running particular downloaded executables, which are normally prohibited, to complete an update. The antivirus software is added to the rules as a Trusted Application, and the prohibited downloaded executable which the antivirus needs to run is added as Trusted Content of that Trusted Application.

Individual files and file types can be added as Trusted Content, and the trust can be extended to folders and drives so that any file in those locations runs as Trusted Content of the Trusted Application. Keep Trusted Content as narrow as the parent application needs: trusting a whole folder or drive allows anything that lands there, including files a user can write, to run under the Trusted Application's exception. Trusted Application matching takes place when a file is prohibited by a rule or fails Trusted Ownership checking.

Trusted Ownership

Trusted Ownership checking is the method Application Manager uses by default to prevent users from running unauthorized applications. On NTFS formatted drives every file has an owner, and Application Manager is configured by default to allow a file to execute only if its owner is a member of the Trusted Owners list. If a user tries to run a file that is not owned by a trusted owner, the execution request is denied and a message notifies the user. Files a user downloads from the internet or saves from e-mail are owned by that user, so they are not permitted to run unless ownership is transferred to a member of the Trusted Owners list. The check is therefore only as strong as control over the Trusted Owners themselves: any account that can create files owned by a trusted owner, or take ownership of files as one, can introduce executables that pass the check.

By default, Application Manager blocks execution requests for all applications on non-NTFS formatted drives.

Trusted Vendors

Trusted Vendors are entries that identify the code-signing certificates of software publishers you trust. Trusted Vendor checking allows applications which fail Trusted Ownership checking to run if their digital certificate matches an entry in the Trusted Vendors list.

A list of Trusted Vendors can be defined for each User, Group, Device, Custom and Scripted Rule of the configuration.

Application Manager inspects each file execution which fails Trusted Ownership checking to detect the presence of a digital certificate. If the file carries a valid digital certificate whose signer, or issuing certificate authority, matches an entry in the Trusted Vendors list, the file is allowed to run. Because the match is made on the certificate rather than on the file, every file signed under that certificate is allowed, so be deliberate about how broad each entry is.

Trusted Vendor matching takes place when a file is prohibited by failing Trusted Ownership checking and Trusted Application checking.
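The order of checks described across the Digital Signature, Security Level, Trusted Applications, Trusted Ownership and Trusted Vendors entries, reconstructed as a simplified Python model. This is an added example, not AppSense code: it compares entries as exact, case-insensitive paths or SHA-1 hashes of file content, leaves wildcards and Time Limits out, and checks Prohibited Items before Accessible Items, which is an assumption since the glossary does not say which list wins when both match. The account names, file paths, publisher name and file bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Level(Enum):
    RESTRICTED = "Restricted"
    SELF_AUTHORIZING = "Self-Authorizing"
    AUDIT_ONLY = "Audit only"
    UNRESTRICTED = "Unrestricted"


@dataclass
class ExecRequest:
    path: str
    content: bytes                 # file bytes; hashed to get the "digital signature"
    owner: Optional[str]           # NTFS owner (account or group); None on non-NTFS volumes
    signer: Optional[str] = None   # publisher named on a valid code-signing certificate, if any
    parent: Optional[str] = None   # path of the process requesting the execution


@dataclass
class Rule:
    level: Level
    trusted_owners: set = field(default_factory=set)
    accessible: set = field(default_factory=set)       # paths or SHA-1 hex digests
    prohibited: set = field(default_factory=set)       # paths or SHA-1 hex digests
    trusted_vendors: set = field(default_factory=set)  # publisher names
    trusted_apps: dict = field(default_factory=dict)   # lower-case parent path -> Trusted Content paths


def file_signature(content: bytes) -> str:
    """What the guide calls a digital signature: the SHA-1 hex digest of the file content."""
    return hashlib.sha1(content).hexdigest()


def _listed(req: ExecRequest, entries: set) -> bool:
    """An entry matches by exact path (case-insensitive) or by SHA-1 of the content."""
    lowered = {e.lower() for e in entries}
    return req.path.lower() in lowered or file_signature(req.content) in lowered


def evaluate(req: ExecRequest, rule: Rule,
             prompt: Optional[Callable[[ExecRequest], bool]] = None):
    """Return (decision, reason): decision is 'allow' or 'deny', reason names the deciding check."""
    if rule.level is Level.UNRESTRICTED:
        return "allow", "unrestricted: no checks, no event"
    if rule.level is Level.AUDIT_ONLY:
        return "allow", "audit only: event logged, rule not enforced"

    # 1. Explicit lists (Prohibited before Accessible: an assumption, see lead-in).
    if _listed(req, rule.prohibited):
        blocked_by = "prohibited item"
    elif _listed(req, rule.accessible):
        return "allow", "accessible item"
    # 2. Trusted Ownership; everything on non-NTFS volumes is blocked by default.
    elif req.owner is None:
        blocked_by = "non-NTFS volume"
    elif req.owner not in rule.trusted_owners:
        blocked_by = "untrusted owner"
    else:
        return "allow", "trusted owner"

    # 3. Trusted Applications: a blocked file may still run as Trusted Content of its parent.
    if req.parent is not None:
        content = {p.lower() for p in rule.trusted_apps.get(req.parent.lower(), ())}
        if req.path.lower() in content:
            return "allow", f"trusted content of {req.parent} (overrides: {blocked_by})"

    # 4. Trusted Vendors: the glossary applies this only to ownership failures.
    if blocked_by == "untrusted owner" and req.signer in rule.trusted_vendors:
        return "allow", f"trusted vendor {req.signer}"

    # 5. Still unauthorized: enforce, or let a Self-Authorizing user decide.
    if rule.level is Level.SELF_AUTHORIZING and prompt is not None:
        return ("allow" if prompt(req) else "deny"), f"self-authorized decision ({blocked_by})"
    return "deny", blocked_by


# Constructed sample rule: a hash-based Prohibited Item, one trusted publisher and
# one Trusted Application whose updater may launch a normally blocked patch file.
GAME_BYTES = b"MZ constructed game binary"
RULE = Rule(
    level=Level.RESTRICTED,
    trusted_owners={"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"},
    prohibited={file_signature(GAME_BYTES)},
    trusted_vendors={"Example AV Vendor"},
    trusted_apps={r"c:\program files\exampleav\update.exe": {r"c:\programdata\exampleav\patch.exe"}},
)
```

Two things the checks below make visible that the prose leaves implicit: a hash-based Prohibited Item still blocks `GAME_BYTES` when it is renamed and owned by SYSTEM, and the same patch file is allowed under the antivirus updater but denied when Explorer launches it.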

Wildcards

Both the asterisk (*) and question mark (?) characters can be used in a file or folder path in the Application Manager Console. The asterisk represents one or more characters, excluding the backslash (\) character, whilst the question mark represents exactly one character, excluding the forward slash (/) character. Both wildcard characters can be used in any part of a file path, including the drive letter for local paths.

For example, c:\sample path\test?\*.exe matches all files with the .exe extension in the folders c:\sample path\test1, c:\sample path\test2, ... c:\sample path\testn. Because the question mark replaces exactly one character, it does not match c:\sample path\test100. The only limitation Application Manager imposes on the use of wildcards is that the asterisk cannot be used to match more than one subdirectory, because it never matches a backslash.
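The wildcard rules above, implemented in Python as an added example (not AppSense code) by translating a pattern into a regular expression that enforces the same restrictions. The character classes follow the glossary literally: `*` refuses the backslash and `?` refuses the forward slash; if you want `?` to refuse both separators, widen its class. Case-insensitive comparison of Windows paths is an assumption, and the candidate paths are constructed.

```python
import re


def wildcard_to_regex(pattern: str):
    """Translate an Application Manager path pattern into a compiled regular expression.

    '*' matches one or more characters other than a backslash, so it can never span a
    subdirectory; '?' matches exactly one character other than a forward slash, as the
    glossary states. Everything else, including '.', is matched literally. Windows paths
    are compared case-insensitively (assumption).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"[^\\]+")
        elif ch == "?":
            parts.append(r"[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True when the whole path matches the pattern (no prefix or substring matches)."""
    return wildcard_to_regex(pattern).fullmatch(path) is not None


def matching_paths(pattern: str, paths) -> list:
    """Filter candidate paths down to those the pattern would cover."""
    return [p for p in paths if path_matches(pattern, p)]


# Constructed candidates for the glossary's example pattern.
SAMPLE_PATHS = [
    r"c:\sample path\test1\app.exe",
    r"c:\sample path\test2\Setup.EXE",
    r"c:\sample path\test100\app.exe",    # '?' cannot stand for three characters
    r"c:\sample path\test1\sub\app.exe",  # '*' cannot cross into a subdirectory
    r"c:\sample path\test1\app.exe.txt",  # the whole path must match, not a prefix
    r"d:\sample path\test3\tool.exe",     # different drive letter
]
```

Because `*` requires at least one character, `c:\tools\*.exe` does not match a file literally named `.exe`; the drive-letter wildcard `?:\...` picks up the `d:` path that the fixed `c:` pattern rejects.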

