Michael Bilodeau Senior SDET Microsoft Corporation VIR310 Microsoft Desktop Optimization Pack What the Desktop Optimization Pack Provides Provide immediate ROI Regular updates Faster upgrade cycle, separate from.
Michael Bilodeau Senior SDET Microsoft Corporation VIR310
Microsoft Desktop Optimization Pack
What the Desktop Optimization Pack Provides
1. Provide immediate ROI
- Regular updates
- Faster upgrade cycle, separate from Windows®
- Minimal deployment effort
2. Deliver end-to-end solutions
- Run out of the box
- Integrate with existing management solutions
3. Lower desktop TCO
- >95% of MDOP customers are (very) satisfied *1
- $70-$80 net cost savings per PC per year using MDOP *2
*1, Microsoft MDOP customer study. Base: Current MDOP customer n=108, non-MDOP customer n=367
*2, MDOP ROI Analysis by Wipro
Session Objectives
- Learn how to securely deploy App-V
- Learn about the App-V attack surface to understand the configuration implications
Overview
- Review security enhancements in 4.5
- Server security
- Client security
- Internet scenarios
- Management components
- Sequencer security
- Troubleshooting
Security Enhancements in 4.5
- First Microsoft-branded release
- Followed the Security Development Lifecycle (SDL)
- Secure by default
- Kerberos support
- Certificate-based server authentication
- Support for Internet-facing scenarios
Overview of Attack Surface
How do you know you can trust the server you are attached to?
How do you prevent attackers from modifying packages?
What about shared systems like Terminal Servers?
What about Man In-The-Middle attacks?
App-V Server Security
Secure all server components in your deployment. One common scenario:
- App-V Management Server for publishing
- Web server for icons and OSDs
- Web server for package streaming
- SQL database supporting the App-V Management Server
Publishing vs. Streaming
Application Publishing
- Configures the client to display the applications the user is set up to use
- Exposed to the user via file associations and shortcuts
Application Streaming
- Delivers application binaries to the client
- May also include execution of scripts
We need to secure BOTH!
Publishing Step (diagram)
- App-V Client to App-V Management Server: the client presents a Kerberos service ticket, the server presents its certificate
- App-V Management Server reads publishing data from the SQL DB and returns the publishing information (XML) to the client
- OSDs and icons are served from the Web Server, protected by Windows ACLs
Streaming Step (diagram)
- Application streams securely from the Web Server to the App-V Client
- The client presents a Kerberos service ticket, the Web Server presents its certificate
- Streamed package content lands in the client's App Virt cache
Review of Mitigations
- RTSPS between server and client ensures the integrity of publishing information
- Client verifies that the server certificate is trusted
- IPsec secures traffic between the DB and the server
- HTTPS between client and web server ensures the integrity of all package files
- Windows ACLs prevent modification of package files on the web server
Identifying Trusted Servers
Certificate Provisioning
- Internal or external Certificate Authority?
- How will certificates be deployed?
Certificate Requirements
- Clients need to trust the root CA
- Certificate must be valid (within its validity period, not revoked)
- Must contain the correct Enhanced Key Usage (EKU): Server Authentication (OID 1.3.6.1.5.5.7.3.1)
- Certificate FQDN must match the server on which it's installed
Set Certificate ACL
- App-V Server runs as NetworkService
- The private key is ACL'd for Administrators/SYSTEM by default
- Give NetworkService read access to the private key
- Use WinHttpCertCfg.exe on Windows Server 2003
- Use the MMC Certificates snap-in (Manage Private Keys) on Windows Server 2008
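The two slides above describe a manual check plus an MMC click-through. The script below is an added example, not part of the VIR310 deck or the App-V product: it validates a server certificate against the stated requirements (validity, trusted chain, Server Authentication EKU, FQDN match, private key present) and, only if all pass, grants NETWORK SERVICE read access to the key file. It assumes the certificate is in the LocalMachine\My store with an RSA CSP key under MachineKeys (CNG keys expose no CspKeyContainerInfo); the FQDN and thumbprint are placeholders.

```powershell
# Added example (not from the deck): validate the App-V server certificate against the
# requirements on the slide and grant NETWORK SERVICE read access to its private key.
# Assumptions: LocalMachine\My store, RSA CSP key stored under MachineKeys,
# $serverFqdn and $thumbprint are placeholders for your environment.

$serverFqdn = 'appv01.corp.example.com'                    # assumed FQDN clients connect to
$thumbprint = '0000000000000000000000000000000000000000'   # placeholder thumbprint
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'

function Test-AppVServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Fqdn)
    $problems = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += "not valid at $now (NotBefore=$($Cert.NotBefore), NotAfter=$($Cert.NotAfter))"
    }
    # Chain build = trust in the root CA plus an online revocation check, as a client would do it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $problems += 'chain does not validate: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })
    if (-not $hasServerAuth) { $problems += "EKU lacks Server Authentication ($ServerAuthEku)" }
    # GetNameInfo returns the SAN dNSName if present, otherwise the subject CN
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $Fqdn) { $problems += "certificate name '$dnsName' does not match server FQDN '$Fqdn'" }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key present in the store' }
    return $problems
}

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    # CSP keys are files under MachineKeys; the file name is the unique key container name
    $keyName = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
    if (-not (Test-Path $keyPath)) { throw "private key file not found: $keyPath" }
    $acl  = Get-Acl $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    # Return the resulting entry so the change can be verified
    (Get-Acl $keyPath).Access | Where-Object { $_.IdentityReference -eq $Account }
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "no certificate with thumbprint $thumbprint in LocalMachine\My" }
$problems = Test-AppVServerCertificate -Cert $cert -Fqdn $serverFqdn
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Grant-PrivateKeyRead -Cert $cert }
```

Run it elevated on the App-V Management Server. Granting Read (not Full Control) is enough for a service to sign TLS handshakes, and keeps the key from being replaced by the service account if it is ever compromised.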
App-V Client Security
- Shared caches are locked down
- OSD cache update from publishing refresh is allowed
- Administrators are allowed to add/change applications
- ACLs on shared cache files prevent changes
- Set up ASR/OSR/ISR (ApplicationSourceRoot, OSDSourceRoot, IconSourceRoot) to use SSL connections
  E.g. HKLM\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration\ApplicationSourceRoot = "https://sgdf.microsoft.com"
- Locked-down access to the log file
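An added example, not from the deck or the App-V client, of auditing the three source-root overrides mentioned above and rewriting any that still point at a cleartext scheme (rtsp://, http:// or a UNC path). It assumes the 4.5 client registry layout shown on the slide (a 32-bit client on 64-bit Windows would sit under Wow6432Node) and placeholder server names.

```powershell
# Added example (not from the deck): audit and fix the App-V 4.5 client source roots so
# that publishing (OSDs, icons) and streaming go over SSL. Assumes the 4.5 client
# registry layout; the sgdf.corp.example.com names are placeholders.

$configKey   = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration'
$sourceRoots = 'ApplicationSourceRoot', 'OSDSourceRoot', 'IconSourceRoot'

function Test-SecureSourceRoot {
    param([string]$Value)
    # rtsps:// is the secure publishing/streaming scheme, https:// the secure web scheme;
    # rtsp://, http:// and UNC paths are cleartext and can be tampered with in transit.
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    return ($Value -match '^(rtsps|https)://')
}

function Get-InsecureSourceRoots {
    param([string]$Key)
    $insecure = @{}
    foreach ($name in $sourceRoots) {
        $value = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        if (-not (Test-SecureSourceRoot $value)) { $insecure[$name] = $value }
    }
    return $insecure
}

function Set-SecureSourceRoots {
    param([string]$Key, [string]$StreamRoot, [string]$WebRoot)
    # ASR overrides the package streaming location; OSR/ISR override where OSDs and icons are fetched
    Set-ItemProperty -Path $Key -Name ApplicationSourceRoot -Value $StreamRoot
    Set-ItemProperty -Path $Key -Name OSDSourceRoot         -Value $WebRoot
    Set-ItemProperty -Path $Key -Name IconSourceRoot        -Value $WebRoot
}

$before = Get-InsecureSourceRoots -Key $configKey
if ($before.Count -gt 0) {
    $before.GetEnumerator() | ForEach-Object { Write-Warning "$($_.Key) is insecure: '$($_.Value)'" }
    Set-SecureSourceRoots -Key $configKey `
        -StreamRoot 'https://sgdf.corp.example.com' `
        -WebRoot    'https://sgdf.corp.example.com'
}
$after = Get-InsecureSourceRoots -Key $configKey
if ($after.Count -eq 0) { 'all source roots use SSL' } else { $after }
```

Because these values override the server portion of every OSD the client receives, setting them is also the quickest way to force a fleet off an old RTSP/HTTP server without repackaging, which is the point of the upgrade slide later in the deck.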
Configuring App-V to use Enhanced Security
Configure IIS for Secure Streaming
- Certificate requirements (as above)
- Configure IIS to support Kerberos authentication
- Register the Service Principal Name (SPN): Setspn.exe -A HTTP/FQDN <account> (Kerberos uses the HTTP service class for HTTPS endpoints as well)
- Directory browsing enabled
- Set MIME types: .OSD = TXT (text/plain), .SFT = Binary (application/octet-stream)
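The steps above, scripted with setspn.exe and appcmd.exe, as an added example that is not part of the deck or the product documentation. It assumes Windows Server 2008 with IIS 7, a content site named AppVContent whose application pool runs as the domain account CORP\svc-appv, and placeholder FQDNs; the site name, account and names are assumptions.

```powershell
# Added example (not from the deck): configure an IIS 7 site for secure App-V streaming.
# Assumptions: Windows Server 2008 / IIS 7 with appcmd.exe, a site named 'AppVContent'
# whose app pool runs as CORP\svc-appv, and a placeholder FQDN matching the certificate.

$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$site     = 'AppVContent'
$fqdn     = 'sgdf.corp.example.com'   # assumed: name in the server certificate
$poolAcct = 'CORP\svc-appv'           # assumed: application pool identity

function Invoke-Checked {
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Kerberos: register the SPN on the app pool identity. The service class is HTTP
#    even for HTTPS; without it clients fall back to NTLM or fail to authenticate.
Invoke-Checked 'setspn.exe' @('-A', "HTTP/$fqdn", $poolAcct)

# 2. Windows authentication on, anonymous off, so only domain principals can pull packages
Invoke-Checked $appcmd @('set','config',$site,'/section:windowsAuthentication','/enabled:true','/commit:apphost')
Invoke-Checked $appcmd @('set','config',$site,'/section:anonymousAuthentication','/enabled:false','/commit:apphost')

# 3. Require SSL so package files cannot be modified in transit
Invoke-Checked $appcmd @('set','config',$site,'/section:access','/sslFlags:Ssl','/commit:apphost')

# 4. Directory browsing, as the deck requires for streaming
Invoke-Checked $appcmd @('set','config',$site,'/section:directoryBrowse','/enabled:true','/commit:apphost')

# 5. MIME types: OSD served as text, SFT as binary (server-level staticContent section)
Invoke-Checked $appcmd @('set','config','/section:staticContent',"/+[fileExtension='.osd',mimeType='text/plain']",'/commit:apphost')
Invoke-Checked $appcmd @('set','config','/section:staticContent',"/+[fileExtension='.sft',mimeType='application/octet-stream']",'/commit:apphost')

# 6. Verify what was applied
Invoke-Checked 'setspn.exe' @('-L', $poolAcct)
Invoke-Checked $appcmd @('list','config',$site,'/section:windowsAuthentication')
Invoke-Checked $appcmd @('list','config',$site,'/section:access')
```

Adding a MIME type that already exists makes appcmd return an error, so re-running the script after a partial first run stops at step 5; remove the existing entry first or treat that error as benign. The SSL requirement (step 3) is what turns the Windows ACLs on the web server into an end-to-end integrity guarantee: without it an on-path attacker can still swap the .SFT the client receives.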
App-V Internet Facing Scenarios
- Clients roam between Intranet and Internet
- No VPN required
Scenarios
- Hosting App-V in the DMZ
- Using Internet Security and Acceleration (ISA) Server
App-V Server and IIS Server in DMZ
Diagram: App-V Server and IIS Server in DMZ
- Internal Network: Microsoft Application Virtualization Data Store (ODBC, TCP 1433) and Active Directory Domain Controller (DNS, Kerberos, LDAP, SMB/CIFS over IPsec)
- Firewall between the Internal Network and the DMZ
- DMZ: Application Virtualization Management Server and IIS Server (Package Content Server)
- Firewall between the DMZ and the Internet, allowing RTSPS and HTTPS in from the App-V Clients
App-V Servers Behind ISA
Diagram: App-V Servers Behind ISA
- DMZ: Application Virtualization Management Server, IIS Server, SQL, Active Directory Domain Controller, Package Content Server
- RTSPS and HTTPS from the DMZ servers to the ISA Servers (optional firewall in between)
- RTSPS and HTTPS from the Internet-side Microsoft Application Virtualization Clients to the ISA Servers (optional firewall in between)
ISA and App-V
Diagram: ISA and App-V
- Internal Network: Package Content Servers
- DMZ: IIS Servers
- HTTPS from the IIS Servers to the ISA Server (optional firewall in between)
- HTTPS from the Internet-side App-V Clients to the ISA Server (optional firewall in between)
Configuring App-V Administration
Diagram: Configuring App-V Administration
- Application Virtualization Management Console connects over HTTPS to the Application Virtualization Management Service on the Application Virtualization Management Server
- Management Server connects to SQL Server over ODBC secured with IPsec
- Active Directory Domain Controller provides authentication
Configuring Secure Administration
- Use HTTPS between the Management Console and the Management Web Service
- IPsec policies between the Management Web Service and the SQL DB
- The Management Web Service account must be "Trusted for Delegation" in Active Directory
- If the Management Web Service is installed with an account that has write access to AD, setup does this for you
Trusted for Delegation (the account's delegation setting in Active Directory)
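When setup could not set the flag itself (the installing account lacked write access to AD), it has to be set by hand. The script below is an added example, not from the deck or the product: it reads and, if necessary, sets the TRUSTED_FOR_DELEGATION bit on the account that runs the Management Web Service using ADSI, so no AD module is required. The service account distinguished name is a placeholder. The caveat a practitioner will want: that bit is unconstrained delegation, which lets the service impersonate any connecting user to any service on the network; on a functional level that supports it, constrained delegation (msDS-AllowedToDelegateTo) limited to the SQL Server's SPN is the narrower choice, and the script reports whether either form is present.

```powershell
# Added example (not from the deck): check and, if needed, set "Trusted for Delegation"
# on the account (user or computer) running the Management Web Service, via ADSI.
# Assumption: $serviceAccountDn is a placeholder for the real distinguished name.
# Caveat: TRUSTED_FOR_DELEGATION (0x80000) is unconstrained delegation; prefer
# msDS-AllowedToDelegateTo (constrained) limited to the SQL Server SPN where possible.

$serviceAccountDn = 'CN=svc-appvmgmt,OU=Service Accounts,DC=corp,DC=example,DC=com'   # placeholder
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit defined by Active Directory

function Get-DelegationState {
    param([string]$DistinguishedName)
    $obj = [ADSI]"LDAP://$DistinguishedName"
    $uac = [int]$obj.userAccountControl.Value
    return @{
        DistinguishedName    = $DistinguishedName
        UserAccountControl   = ('0x{0:X}' -f $uac)
        TrustedForDelegation = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)   # unconstrained
        ConstrainedTargets   = @($obj.'msDS-AllowedToDelegateTo')               # constrained
    }
}

function Set-TrustedForDelegation {
    param([string]$DistinguishedName, [bool]$Enable)
    $obj = [ADSI]"LDAP://$DistinguishedName"
    $uac = [int]$obj.userAccountControl.Value
    if ($Enable) { $new = $uac -bor $TRUSTED_FOR_DELEGATION }
    else         { $new = $uac -band (-bnot $TRUSTED_FOR_DELEGATION) }
    if ($new -ne $uac) {
        $obj.Put('userAccountControl', $new)
        $obj.SetInfo()   # commits the change to the directory
    }
    return (Get-DelegationState -DistinguishedName $DistinguishedName)
}

$state = Get-DelegationState -DistinguishedName $serviceAccountDn
if (-not $state.TrustedForDelegation -and $state.ConstrainedTargets.Count -eq 0) {
    Write-Warning 'Management Web Service account has no delegation rights; enabling unconstrained delegation'
    $state = Set-TrustedForDelegation -DistinguishedName $serviceAccountDn -Enable $true
}
$state
```

Writing userAccountControl needs an account with write access to the object, which is exactly the condition under which setup would have done it for you; run this as a directory administrator, not as the service account.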
App-V Sequencer Security
- Sequence on isolated/locked-down systems
- The Sequencer captures NTFS permissions (ACLs); by default the package is set up to instruct the client to enforce them
Anti-Virus Scans
- Scan the workstation before starting the Sequencer
- Disable anti-virus and anti-malware software before monitoring
- Re-enable and re-scan after monitoring (but before saving the package)
Remove OSD File Type Association
- A user with Administrator privileges can add applications
- Installation of the client sets a file type association (FTA) to open .OSD files with App-V
- Remove the HKEY_CLASSES_ROOT keys for .OSD and SoftGrid.OSD.File
- Do this from a logon script or post-installation script
- Add .OSD to the Outlook blacklist
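A post-installation script implementing both steps, as an added example that is not from the deck or the App-V client installer. It removes the two HKEY_CLASSES_ROOT keys, adds .osd to Outlook's Level1Add blocked-attachment list, and reports whether both took effect. It assumes Outlook 2007 (registry version 12.0); the version number is an assumption to adjust.

```powershell
# Added example (not from the deck): remove the .OSD file type association the App-V
# client install creates and add .osd to Outlook's Level1 (blocked) attachment list.
# Assumption: Outlook 2007, i.e. registry version '12.0'; change for other versions.

$outlookVersion = '12.0'   # assumed Outlook version
$classesKeys = 'Registry::HKEY_CLASSES_ROOT\.osd',
               'Registry::HKEY_CLASSES_ROOT\SoftGrid.OSD.File'

function Remove-OsdFileAssociation {
    param([string[]]$Keys)
    $removed = @()
    foreach ($key in $Keys) {
        if (Test-Path $key) {
            Remove-Item -Path $key -Recurse -Force
            $removed += $key
        }
    }
    return $removed
}

function Add-OutlookLevel1Extension {
    param([string]$Version, [string]$Extension)
    # Level1Add is a semicolon-separated list of extensions Outlook blocks outright
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name Level1Add -ErrorAction SilentlyContinue).Level1Add
    $list = @()
    if ($current) { $list = @($current -split ';' | Where-Object { $_ }) }
    if ($list -notcontains $Extension) {
        $list += $Extension
        Set-ItemProperty -Path $key -Name Level1Add -Value ($list -join ';')
    }
    return (Get-ItemProperty -Path $key -Name Level1Add).Level1Add
}

function Test-OsdHardening {
    param([string[]]$Keys, [string]$Version)
    $ftaGone = -not ($Keys | Where-Object { Test-Path $_ })
    $level1  = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$Version\Outlook\Security" `
                -Name Level1Add -ErrorAction SilentlyContinue).Level1Add
    return @{
        FtaRemoved       = $ftaGone
        OutlookBlocksOsd = (@($level1 -split ';') -contains '.osd')
    }
}

Remove-OsdFileAssociation -Keys $classesKeys
Add-OutlookLevel1Extension -Version $outlookVersion -Extension '.osd'
Test-OsdHardening -Keys $classesKeys -Version $outlookVersion
```

The HKEY_CLASSES_ROOT removal needs administrative rights, so it belongs in the post-installation script (or a machine-level policy); the Level1Add write is per user and is the part suited to a logon script. Removing the FTA stops a mailed or downloaded .osd from launching through Explorer, but an administrator can still add applications with the client's own tools, which is why the slide pairs this with reviewing who holds local administrator rights.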
Anti-Virus on App-V Client
- Shared caches are locked down
- Use real-time monitoring to detect and remediate issues in user volumes
- Exclude sftfs.fsd (the read-only cache)
Upgrading from SoftGrid 4.2
- Upgrade maintains 4.2 settings
- Set up a certificate and enable RTSPS
- Remove the RTSP port
- Review client ACLs on cache objects
- Review client permissions for adding/updating applications
- Repackage applications with ACLs enabled
Troubleshooting
"The target principal name is incorrect"
- Make sure the App-V Server FQDN is correct: the name the client connects to must match the name in the certificate
"The received certificate has expired"
- Have a system in place to order and set up new certificates before the old one expires
"The revocation function was unable to check revocation because the revocation server was offline"
- Revoked certificate, expired CRL, or a CRL distribution point the client cannot reach
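The three messages above are what the client reports after .NET's TLS validation fails; the probe below, an added example not from the deck, reproduces that validation from a client against the RTSPS and HTTPS endpoints and maps the structured SslPolicyErrors and X509ChainStatus values back onto those messages, which is faster than reading them out of the client log. It assumes the default RTSPS port 322 and placeholder host names; it also serves the "Client verifies server certificate trusted" mitigation earlier in the deck.

```powershell
# Added example (not from the deck): probe the RTSPS (322) and HTTPS (443) endpoints from a
# client and report the TLS policy failure behind each troubleshooting message.
# Assumptions: default RTSPS port 322; host names are placeholders.

$targets = @(
    @{ Host = 'appv01.corp.example.com'; Port = 322 },   # RTSPS publishing/streaming
    @{ Host = 'sgdf.corp.example.com';   Port = 443 }    # HTTPS package content
)

function Test-AppVTlsEndpoint {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:chainStatus  = @()
    # Record what .NET found, then return $true so the handshake completes and we can inspect it
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        if ($chain) { $script:chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
        return $true
    }
    $result = @{ Host = $HostName; Port = $Port; Connected = $false; Subject = $null
                 NotAfter = $null; Errors = $null; ChainStatus = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { $result.Errors = 'tcp connect timeout'; return $result }
        $client.EndConnect($async)
        $result.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name passed here is what the name check compares against
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject     = $cert.Subject
        $result.NotAfter    = $cert.NotAfter
        $result.Errors      = $script:policyErrors.ToString()
        $result.ChainStatus = ($script:chainStatus -join ', ')
        $ssl.Close()
    } catch {
        $result.Errors = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

function Get-PolicyErrorExplanation {
    param([string]$Errors, [string]$ChainStatus)
    # Map SslPolicyErrors / X509ChainStatus values onto the messages on the troubleshooting slide
    switch -Regex ("$Errors $ChainStatus") {
        'RemoteCertificateNameMismatch'             { '"The target principal name is incorrect": name in certificate differs from the FQDN used' }
        'NotTimeValid'                              { '"The received certificate has expired": renew before NotAfter' }
        'RevocationStatusUnknown|OfflineRevocation' { '"revocation server was offline": CRL unreachable or stale' }
        'Revoked'                                   { 'certificate has been revoked' }
        'UntrustedRoot|PartialChain'                { 'client does not trust the issuing CA' }
        '^None\s*$'                                 { 'certificate OK' }
    }
}

foreach ($t in $targets) {
    $r = Test-AppVTlsEndpoint -HostName $t.Host -Port $t.Port
    '{0}:{1} connected={2} subject="{3}" notAfter={4} errors={5}' -f $r.Host, $r.Port, $r.Connected, $r.Subject, $r.NotAfter, $r.Errors
    Get-PolicyErrorExplanation -Errors $r.Errors -ChainStatus $r.ChainStatus
}
```

Run it from the machine that reports the error, not from the server: trust, name and revocation are all evaluated with the client's root store and the client's network path to the CRL distribution point, so a server-side check can pass while the client still fails.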
Troubleshooting
Failing to grant NetworkService access to private key
Summary
- Only as secure as your weakest link
- Protect packages from tampering: during creation and transit, and on shared systems like Terminal Servers
- Verify that servers are trusted
- Prepare for PKI requirements
- Use SSL channels
- Consider security before changing defaults
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
Where to Find More Information
- App-V Documentation: http://technet.microsoft.com/en-us/library/cc843848.aspx
- App-V White Papers: http://technet.microsoft.com/en-us/appvirtualization/cc843994.aspx
- App-V TechNet Forums: http://social.technet.microsoft.com/Forums/en-US/category/appvirtualization
- HTTP Publishing in App-V: http://blogs.msdn.com/johnsheehan/archive/2009/03/24/http-publishing-in-app-v-part-1.aspx
- Security Configuration Roles: http://www.microsoft.com/downloads/details.aspx?FamilyID=63d33346-b864-4284-8c5f-dce80c451e83&DisplayLang=en
- ISA SDK: http://www.microsoft.com/downloads/details.aspx?FamilyID=16682c4f-7645-4279-97e4-9a0c73c5162e&DisplayLang=en
Other Resources
- Website for Microsoft Desktop Optimization Pack for Software Assurance: http://www.windowsvista.com/optimizeddesktop
- Microsoft Application Virtualization Home Page: http://www.microsoft.com/systemcenter/appv/default.mspx
- Microsoft Application Virtualization TechCenter: http://technet.microsoft.com/en-us/appvirtualization/default.aspx
- Microsoft Application Virtualization Blog: http://blogs.technet.com/softgrid/default.aspx
- Microsoft Application Virtualization Case Studies: http://www.microsoft.com/casestudies/search.aspx?ProTaxID=3369
- Gartner: Quantifying the Value of Microsoft's Desktop Optimization Pack: http://mediaproducts.gartner.com/reprints/microsoft/vol4/article6/article6.html
Recent App-V News
App-V 4.5 Cumulative Update 1 (CU1), available March 2009
- Provides compatibility with Windows 7 Beta
- Provides the ability to sequence .NET Framework 3.5 and earlier on Windows XP SP2
- Includes all updates since the 4.5 RTM release
- Available now via Microsoft Volume Licensing, MSDN and TechNet
App-V 4.6
Available H1 CY2010
Broaden our Windows platform and application coverage
- Enable App-V to recognize and run 64-bit applications
- Enable App-V to run on 64-bit Windows operating systems: Windows 7, Vista and XP; Windows Server 2008 and 2008 R2 (App-V for TS)
Easily prepare virtual applications
- Improved Sequencer UI
- Enable App-V to sequence true 64-bit applications
Further expand our global coverage
- Enable virtualization of non-English applications in 13 additional languages
- Enable localization of App-V management UIs in 12 additional languages
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.