Michael Bilodeau, Senior SDET, Microsoft Corporation
VIR310: Microsoft Desktop Optimization Pack


What the Desktop Optimization Pack Provides

1. Provide immediate ROI
   - Regular updates
   - Faster upgrade cycle, separate from Windows®
   - Minimal deployment effort
2. Deliver end-to-end solutions
   - Run out of the box
   - Integrate with existing management solutions
3. Lower desktop TCO
   - >95% of MDOP customers are (very) satisfied *1
   - $70-$80 net cost savings per PC per year using MDOP *2

*1 Microsoft MDOP customer study. Base: current MDOP customers n=108, non-MDOP customers n=367

*2 MDOP ROI Analysis by Wipro

Session Objectives

- Learn how to securely deploy App-V
- Learn about the App-V attack surface to understand configuration implications

Overview

- Review security enhancements in 4.5
- Server Security
- Client Security
- Internet Scenarios
- Management Components
- Sequencer Security
- Troubleshooting

Security Enhancements in 4.5

- First Microsoft-branded release
- Followed the Security Development Lifecycle (SDL)
- Secure by default
- Kerberos support
- Certificate-based server authentication
- Support for Internet-facing scenarios

Overview of Attack Surface

How do you know you can trust the server you are attached to?

How do you prevent attackers from modifying packages?

What about shared systems like Terminal Servers?

What about Man-in-the-Middle attacks?

App-V Server Security

Secure all server components in your deployment. One common scenario:

- App-V Management Server for publishing
- Web Server for icons and OSDs
- Web Server for package streaming
- SQL DB to support the App-V Management Server

Publishing vs. Streaming

Application Publishing
- Configures the client to display the applications the user is set up to use
- Exposed to the user via file associations and shortcuts

Application Streaming
- Delivers application binaries to the client
- May also include execution of scripts

We need to secure BOTH!

Publishing Step (diagram): App-V Client exchanges a Service Ticket and Certificate with the App-V Management Server, which returns publishing XML backed by the SQL DB; OSDs and icons are served by the Web Server, protected by Windows ACLs.

Streaming Step (diagram): App-V Client (App Virt Cache) exchanges a Service Ticket and Certificate with the Web Server; the application streams securely from the Web Server.

Review of Mitigations

- RTSPS between server and client to ensure integrity of publishing information
- Client verifies that the server certificate is trusted
- IPsec secures traffic between DB and server
- HTTPS between client and web server to ensure integrity of all package files
- Windows ACLs prevent modification of package files on the web server

Identifying Trusted Servers

Certificate Provisioning
- Internal or external Certificate Authority?
- How will certificates be deployed?

Certificate Requirements
- Clients need to trust the root CA
- Certificate must be valid
- Must contain the correct Enhanced Key Usage (EKU): Server Authentication (OID 1.3.6.1.5.5.7.3.1)
- Certificate FQDN must match the server on which it is installed

Set Certificate ACL

- App-V Server runs as NetworkService
- Private key is ACL'd for Administrators/System
- Give NetworkService access to the private key
  - Use WinHttpCertCfg.exe on Windows 2003
  - Use the MMC Certificates snap-in on Windows 2008
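The certificate requirements and the private-key ACL step above can be audited before clients are pointed at the server. The script below is an added example, not part of the deck or the App-V product; it assumes Windows PowerShell run elevated on the App-V server, a CSP (RSA) key stored under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (Windows 2008 layout), and that $Fqdn is the name clients will connect to.

```powershell
# Added example: audit LocalMachine\My certificates for an App-V server named $Fqdn.
# Assumptions: elevated Windows PowerShell, RSA CSP key in the Windows 2008 MachineKeys folder.
param([Parameter(Mandatory=$true)][string]$Fqdn)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU named on the slide
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$found = $false

foreach ($cert in Get-ChildItem 'Cert:\LocalMachine\My') {
    # FQDN on the certificate must match the server it is installed on
    if ($cert.GetNameInfo($dnsType, $false) -ne $Fqdn) { continue }
    $found = $true
    $problems = @()

    # Certificate must be within its validity period today
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period (NotAfter $($cert.NotAfter))"
    }

    # Must carry the Server Authentication EKU
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($oids -notcontains $serverAuthOid) { $problems += 'missing Server Authentication EKU' }

    # Clients must be able to chain it to a trusted root CA; revocation is checked online
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($cert)) {
        $problems += 'chain/revocation: ' + (($chain.ChainStatus |
            ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    # NetworkService needs read access to the private key (the WinHttpCertCfg / MMC step)
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
    else {
        try {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
            $readRight = [System.Security.AccessControl.FileSystemRights]::Read
            $ns = (Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                ($_.FileSystemRights -band $readRight) -eq $readRight }
            if (-not $ns) { $problems += 'NetworkService has no read access to the private key' }
        } catch { $problems += "could not inspect private key ACL: $_" }
    }

    if ($problems.Count -eq 0) { "OK   $($cert.Thumbprint) is usable for $Fqdn" }
    else { "FAIL $($cert.Thumbprint): " + ($problems -join ' | ') }
}
if (-not $found) { "No certificate in LocalMachine\My carries the DNS name $Fqdn" }
```

A FAIL line for chain/revocation maps directly to the client-side errors listed under Troubleshooting (wrong principal name, expired certificate, offline revocation server).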

App-V Client Security

- Shared caches are locked down
  - OSD cache update from publishing refresh is allowed
  - Administrators are allowed to add/change applications
  - ACLs on shared cache files prevent changes
- Set up ASR/OSR/ISR to use SSL connections, e.g. HKLM\Software\Microsoft\SoftGrid\4.5\Client\Configuration\ApplicationSourceRoot = "https://sgdf.microsoft.com"
- Locked-down access to the log file
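To check that a client's source roots really use SSL, the following added example (not from the deck) reads the App-V 4.5 client configuration key shown above and flags any root that still uses a cleartext scheme. It assumes the value names OSDSourceRoot and IconSourceRoot for the OSR and ISR settings alongside the ApplicationSourceRoot value the slide names, and that http and rtsp map to https and rtsps respectively.

```powershell
# Added example: audit (and with -Fix, rewrite) App-V 4.5 client source roots to SSL schemes.
# Assumed value names: OSDSourceRoot (OSR) and IconSourceRoot (ISR); ApplicationSourceRoot is from the slide.
param([switch]$Fix)

$cfg = 'HKLM:\Software\Microsoft\SoftGrid\4.5\Client\Configuration'
$names = 'ApplicationSourceRoot', 'OSDSourceRoot', 'IconSourceRoot'
$secure = @{ 'http' = 'https'; 'rtsp' = 'rtsps' }   # cleartext scheme -> SSL scheme

if (-not (Test-Path $cfg)) { throw "App-V client configuration key not found: $cfg" }
$props = Get-ItemProperty -Path $cfg

foreach ($name in $names) {
    $value = $props.$name
    if (-not $value) { "$name is not set (no source root override configured)"; continue }

    # Parse the value as an absolute URL so the scheme can be inspected reliably
    $uri = $null
    if (-not [System.Uri]::TryCreate($value, 'Absolute', [ref]$uri)) {
        "WARNING: $name is not a valid URL: $value"; continue
    }

    if ($secure.ContainsKey($uri.Scheme)) {
        # Replace only the scheme; host, port and path are preserved
        $fixed = $value -replace "^$($uri.Scheme)://", "$($secure[$uri.Scheme])://"
        if ($Fix) {
            Set-ItemProperty -Path $cfg -Name $name -Value $fixed
            "$name rewritten to $fixed"
        } else {
            "WARNING: $name uses cleartext $($uri.Scheme): $value (would become $fixed)"
        }
    } else {
        "OK: $name = $value"
    }
}
```

Run without -Fix first; rewriting a root to rtsps:// or https:// only helps if the server side already listens on that protocol with a trusted certificate.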

Configuring App-V to use Enhanced Security

Configure IIS for Secure Streaming

- Certificate requirements
- Configure IIS to support Kerberos authentication
- Register a Service Principal Name (SPN): Setspn.exe -A HTTPS/<FQDN>
- Directory browsing enabled
- Set MIME types: .OSD = TXT, .SFT = Binary

App-V Internet Facing Scenarios

- Clients roam between intranet and Internet
- No VPN required
- Scenarios
  - Hosting App-V in the DMZ
  - Using Internet Security and Acceleration (ISA)

App-V Server and IIS Server in DMZ (diagram)

- Internal Network: Microsoft Application Virtualization Data Store (ODBC, TCP 1433); Active Directory Domain Controller (DNS, Kerberos, LDAP, SMB/CIFS over IPsec)
- Firewall
- DMZ: Application Virtualization Management Server; IIS Server; Package Content Server
- Firewall
- Internet: App-V Clients connecting over RTSPS and HTTPS

App-V Servers Behind ISA (diagram)

- Internal: Application Virtualization Management Server; IIS Server; SQL; Active Directory Domain Controller; Package Content Server
- RTSPS / HTTPS
- Firewall (optional)
- DMZ: ISA Servers
- RTSPS / HTTPS
- Firewall (optional)
- Internet: Microsoft Application Virtualization Clients

ISA and App-V (diagram)

- Internal Network: Package Content Servers
- DMZ: IIS Servers
- HTTPS
- Firewall (optional)
- ISA Server
- HTTPS
- Firewall (optional)
- Internet: App-V Clients

Configuring App-V Administration (diagram)

- Application Virtualization Management Console
- HTTPS
- Application Virtualization Management Service on the Application Virtualization Management Server
- ODBC secured with IPsec
- SQL Server; Active Directory Domain Controller

Configuring Secure Administration

- Use HTTPS between the Management Console and the Management Web Service
- IPsec policies between the Management Web Service and the SQL DB
- The Management Web Service must be "Trusted for Delegation"
  - If the Management Web Service is installed with an account that has write access to AD, we will do this for you

Trusted for Delegation

App-V Sequencer Security

- Sequence on isolated, locked-down systems
- The Sequencer captures NTFS permissions (ACLs)
  - By default the package is set up to instruct the client to enforce ACLs
- Anti-virus scans
  - Scan the workstation before starting the Sequencer
  - Disable anti-virus and anti-malware software before monitoring
  - Re-enable and re-scan after monitoring (but before saving the package)

Remove OSD File Type Association

- A user with Administrator privileges can add applications
- Installation of the client sets a file type association (FTA) to open .OSD files with App-V
- Remove the HKEY_CLASSES_ROOT keys for .OSD and SoftGrid.OSD.File
  - Logon script or post-installation script
- Add .OSD to the Outlook blacklist
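The two steps above can be carried out by one post-installation script. This is an added example, not from the deck or the App-V installer; it assumes an elevated context for the HKEY_CLASSES_ROOT removal, that the Outlook blacklist is the Level1Add value under the user's Outlook Security key, and that the installed Outlook is version 12.0 (Office 2007), so adjust that key for other versions.

```powershell
# Added example: remove the .OSD file type association created by the App-V client
# installer and add .OSD to Outlook's blocked-attachment list (Level1Add).
# Assumptions: run elevated; Outlook 12.0 (Office 2007) is installed for the current user.

# 1. Remove the HKEY_CLASSES_ROOT keys named on the slide
$ftaKeys = 'Registry::HKEY_CLASSES_ROOT\.osd', 'Registry::HKEY_CLASSES_ROOT\SoftGrid.OSD.File'
foreach ($key in $ftaKeys) {
    if (Test-Path $key) {
        Remove-Item -Path $key -Recurse -Force
        "Removed $key"
    } else {
        "Already absent: $key"
    }
}

# 2. Add .osd to Outlook's Level1Add value (semicolon-separated list of extra blocked extensions)
$outlookSec = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'
if (-not (Test-Path $outlookSec)) { New-Item -Path $outlookSec -Force | Out-Null }

$current = (Get-ItemProperty -Path $outlookSec -Name Level1Add -ErrorAction SilentlyContinue).Level1Add
$ext = @()
if ($current) { $ext = @($current -split ';' | Where-Object { $_ }) }   # drop empty entries

if ($ext -notcontains '.osd') {
    $ext += '.osd'
    Set-ItemProperty -Path $outlookSec -Name Level1Add -Value ($ext -join ';')
    "Level1Add is now: $($ext -join ';')"
} else {
    ".osd is already blocked in Outlook (Level1Add = $current)"
}
```

Because Level1Add lives under HKCU, the Outlook part must run in each user's logon context; the HKEY_CLASSES_ROOT removal is machine-wide and only needs to run once.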

Anti-Virus on App-V Client

- Shared caches are locked down
- Use real-time monitoring to detect and remediate issues in user volumes
- Exclude sftfs.fsd (the read-only cache)

Upgrading from SoftGrid 4.2

- The upgrade maintains 4.2 settings
- Set up a certificate and enable RTSPS
- Remove the RTSP port
- Review client ACLs on cache objects
- Review client permissions for adding/updating applications
- Repackage applications with ACLs enabled

Troubleshooting

- "The target principal name is incorrect": make sure the App-V Server FQDN is correct
- "The received certificate has expired": have a system in place to order and set up new certificates before the old one expires
- "The revocation function was unable to check revocation because the revocation server was offline": revoked certificate or expired CRL

- Failing to grant NetworkService access to the private key

Summary

- Only as secure as your weakest link
- Protect packages from tampering
  - During creation and transit
  - On shared systems like Terminal Servers
- Verify that servers are trusted
  - Prepare for PKI requirements
  - Use SSL channels
- Consider security before changing defaults

Resources

- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers

Where to Find More Information

- App-V Documentation: http://technet.microsoft.com/en-us/library/cc843848.aspx
- App-V White Papers: http://technet.microsoft.com/en-us/appvirtualization/cc843994.aspx
- App-V TechNet Forums: http://social.technet.microsoft.com/Forums/en-US/category/appvirtualization
- HTTP Publishing in App-V: http://blogs.msdn.com/johnsheehan/archive/2009/03/24/http-publishing-in-app-v-part-1.aspx
- Security Configuration Roles: http://www.microsoft.com/downloads/details.aspx?FamilyID=63d33346-b864-4284-8c5f-dce80c451e83&DisplayLang=en
- ISA SDK: http://www.microsoft.com/downloads/details.aspx?FamilyID=16682c4f-7645-4279-97e4-9a0c73c5162e&DisplayLang=en

Other Resources

- Website for Microsoft Desktop Optimization Pack for Software Assurance: http://www.windowsvista.com/optimizeddesktop
- Microsoft Application Virtualization Home Page: http://www.microsoft.com/systemcenter/appv/default.mspx
- Microsoft Application Virtualization TechCenter: http://technet.microsoft.com/en-us/appvirtualization/default.aspx
- Microsoft Application Virtualization Blog: http://blogs.technet.com/softgrid/default.aspx
- Microsoft Application Virtualization Case Studies: http://www.microsoft.com/casestudies/search.aspx?ProTaxID=3369
- Gartner: Quantifying the Value of Microsoft's Desktop Optimization Pack: http://mediaproducts.gartner.com/reprints/microsoft/vol4/article6/article6.html

Recent App-V News

App-V 4.5 Cumulative Update 1 (CU1), available March 2009

- Provides compatibility with Windows 7 Beta
- Provides the ability to sequence .NET Framework 3.5 and earlier on Windows XP SP2
- Includes all updates since the 4.5 RTM release
- Available now via Microsoft Volume Licensing, MSDN and TechNet

App-V 4.6

Available H1 CY2010

- Broaden our Windows platform and application coverage
  - Enable App-V to recognize and run 64-bit applications
  - Enable App-V to run on 64-bit Windows operating systems: Windows 7, Vista and XP; Windows Server 2008 and 2008 R2 (App-V for TS)
- Easily prepare virtual applications
  - Improved Sequencer UI
  - Enable App-V to sequence true 64-bit applications
- Further expand our global coverage
  - Enable virtualization of non-English applications in 13 additional languages
  - Enable localization of App-V management UIs in 12 additional languages

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.