[THIN] Re: Only allow specified apps.

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 9 Dec 2003 20:43:16 +1300

I never said AppSec was simple-minded. I'm saying that "Run only" is
worthless without AppSec. AppSec without "run only" is basic in that you
then allow all users to run the same set of apps. But when you combine the
two, you get true per-user or per-group app restriction. The two combined
are excellent, especially given the price: free.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Mack, Rick
Sent: 7 December 2003 10:27 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Only allow specified apps.


Hi Jeff,

Agreed, appsec is pretty simple-minded.

If you want real security, then a 3rd party product for desktop lockdown is
just about mandatory.

The other alternative is Windows server 2003 and software restriction
policies.

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704



-----Original Message-----
From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
Sent: Saturday, 6 December 2003 1:02 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Only allow specified apps.


I must not have made myself clear. What I'm saying is, "Run only" is
inadequate to prevent users from running unauthorized apps. If, for example,
your list of approved apps is:

Winword.exe
Excel.exe
Calc.exe
Outlook.exe

  a user simply has to email himself CMD.EXE and rename it CALC.EXE. He
clicks it, and then has a command prompt. From that command prompt, he can
then run any program he wants, because when you start another program from
the command prompt, it doesn't care about the "Run only" list. Once they get
a command prompt, anything goes.
  You might say, "But I set the policy setting that disables the command
prompt." Fine. Just email yourself CMD.EXE from NT4 rather than 2000. When
you set the policy setting to disable the command prompt, that simply sets a
registry value:

   HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD = 1

  When you run CMD.EXE from Win2K forward, it will check this registry value
before it starts. If it's set to 1, it respects the setting and refuses to
run. NT4's CMD.EXE, however, doesn't check for the setting, and runs
happily, despite the setting.
  Once you add AppSec into the equation, it's a whole different ball game.
The applications a user can run are the intersection of the "Run only" list
for that user and the applications that are allowed by appsec (which are
tied to a path on the disk, rather than just a filename).  
  
Jeff Durbin
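The intersection Jeff describes, as an added model that is not code from the thread: "Run only" compares bare file names and only for launches from Explorer, while AppSec compares the full path of every non-admin launch. The Office10 winword.exe path is the one given in the thread; the other paths, the Launch type and the helper names are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
import ntpath

@dataclass(frozen=True)
class Launch:
    path: str            # full path of the executable being started
    from_explorer: bool  # True when started through the Explorer shell
    is_admin: bool = False

# The thread's example "Run only" list: bare file names only.
RUN_ONLY = {"winword.exe", "excel.exe", "calc.exe", "outlook.exe"}
# The thread's AppSec entry: one full path that non-admins may run.
APPSEC = {r"c:\program files\Microsoft Office\Office10\winword.exe"}

def run_only_allows(launch: Launch, names: set[str] = RUN_ONLY) -> bool:
    """'Run only' is only enforced for launches from Explorer and compares
    just the file name, so a renamed binary anywhere on disk matches."""
    if not launch.from_explorer:
        return True  # children of a command prompt are never checked
    return ntpath.basename(launch.path).lower() in {n.lower() for n in names}

def appsec_allows(launch: Launch, paths: set[str] = APPSEC) -> bool:
    """AppSec checks the normalised full path of every non-admin launch."""
    if launch.is_admin:
        return True
    allowed = {ntpath.normpath(p).lower() for p in paths}
    return ntpath.normpath(launch.path).lower() in allowed

def combined_allows(launch: Launch) -> bool:
    """What a user can actually run is the intersection of both checks."""
    return run_only_allows(launch) and appsec_allows(launch)

def evaluate(launch: Launch) -> dict[str, bool]:
    """Verdict of each mechanism and of the combination for one launch."""
    return {"run_only": run_only_allows(launch),
            "appsec": appsec_allows(launch),
            "combined": combined_allows(launch)}

if __name__ == "__main__":
    # Constructed scenarios: the thread's winword launch, the renamed
    # cmd.exe trick, and a game started from an already-open prompt.
    cases = {
        "winword.exe from Explorer": Launch(r"C:\Program Files\Microsoft Office\Office10\winword.exe", True),
        "cmd.exe renamed calc.exe from Explorer": Launch(r"H:\calc.exe", True),
        "game launched from a command prompt": Launch(r"H:\games\quake.exe", False),
    }
    for label, launch in cases.items():
        print(f"{label:40} {evaluate(launch)}")
```

Only the first scenario passes both checks; the renamed binary passes "Run only" on its name alone and the prompt-launched game is never seen by "Run only" at all, which is why AppSec's path check is what actually stops them.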

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Monahan, Thomas
Sent: 6 December 2003 12:42 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Only allow specified apps.


It runs (if you check the process it is there), however the user doesn't
see a thing as it is hidden. So they couldn't interact with the command
prompt. They would have to batch file all the commands they wanted to run, I
would say.

Regards,
Thomas

> -----Original Message-----
> From: Jeff Durbin [SMTP:techlists@xxxxxxxxxxxxx]
> Sent: 04 December 2003 19:32
> To:   thin@xxxxxxxxxxxxx
> Subject:      [THIN] Re: Only allow specified apps.
> 
> Yeah, they'll get around it. When you block CMD using policy, it's 
> just a registry value that gets set. When you run 2000 or 2003's 
> CMD.EXE, it looks for that registry value and respects its setting. 
> NT's CMD.EXE doesn't look for the value, so it will always run. Try it 
> yourself.
> 
>       -----Original Message-----
>       From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> On Behalf Of Robert Barrett
>       Sent: 5 December 2003 4:27 AM
>       To: 'thin@xxxxxxxxxxxxx'
>       Subject: [THIN] Re: Only allow specified apps.
>       
>       
>       I will look into it further then, especially if it has been found to
> be that way, I was going only by the documentation (should know 
> better). I don't know if it makes a difference but as you have said we 
> do have the command prompt blocked entirely and we are only running 
> 2000 or 2003 TS boxes and XP SP1 clients (other than CE embedded 
> thin).  Will they still find a way around that?  I am curious now.  I 
> am still going to try to get Appsec to work.
> 
>   _____
> 
>       From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
>       Sent: Wednesday, December 03, 2003 8:02 PM
>       To: thin@xxxxxxxxxxxxx
>       Subject: [THIN] Re: Only allow specified apps.
>       
>       
>         I think you'll find that using "Run only" by itself will be 
> inadequate. All it does is require that an app that's executed from 
> Explorer (and only from Explorer, not a DOS box) be listed in the "run 
> only" list. So, for example, let's say that you allow winword.exe. All 
> I have to do is rename my CMD.EXE to winword.exe, and it will run. (I 
> know, there's a policy setting that can stop CMD, but that doesn't 
> stop *NT4's
> CMD*.) Used by itself, it's pretty pathetic.
>         AppSec blocks all apps except the ones listed in its apps list, 
> and those apps don't have to be on the TS itself. I've allowed apps on 
> a network share using AppSec. The beauty of it is that it will only 
> allow the apps *at the specified path* run. Therefore, you allow only 
> Winword.exe in your "run only" list. Then, you tell AppSec that 
> non-admins can run c:\program files\Microsoft 
> Office\Office10\winword.exe. With that combination, Winword, at the 
> specified location, is the only app that a non-admin will run.
>         I promise you that if you use "run only" by itself, you'll still 
> have the problem. Add AppSec and you'll solve it.
>        
>       JD
> 
>               -----Original Message-----
>               From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> On Behalf Of Robert Barrett
>               Sent: 4 December 2003 11:08 AM
>               To: 'thin@xxxxxxxxxxxxx'
>               Subject: [THIN] Re: Only allow specified apps.
>               
>               
>               Thanks.  I have it running using "Run only...", not sure what I was 
> doing wrong the first time but it works now.  I decided against Appsec 
> because it apparently requires that the app being blocked reside on 
> the TS box, most of these kids run games and stuff from their home 
> directory.
> 
>   _____
> 
>               From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx] 
>               Sent: Wednesday, December 03, 2003 12:04 PM
>               To: thin@xxxxxxxxxxxxx
>               Subject: [THIN] Re: Only allow specified apps.
>               
>               
>               I've used "Run only allowed windows apps" and AppSec many times. 
> This combination can give you true control over what apps a user can 
> run. Be aware that the list of apps referenced in the URL is not 
> required. For example, USRLOGON.CMD isn't required for USRLOGON.CMD to 
> run during login. Also, when you first run AppSec, it has a list of 
> apps already loaded. I normally delete them all and start adding only 
> the application executables that I need. I normally add CTXLOAD.EXE as 
> well, but that's only because it was required to fix a failure of the 
> clipboard mapping mechanism the first time I tried using AppSec. Of 
> course, you have to add the names of any executables referenced during 
> login, but that would only be if you were using Kix or VB login 
> scripts, for example.
>                
>               Jeff Durbin
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Kenzig http://thethin.net
>                       Sent: 2 December 2003 5:10 AM
>                       To: thin@xxxxxxxxxxxxx
>                       Subject: [THIN] Re: Only allow specified apps.
>                       
>                       
>                       By the way when using appsec use the DOS name for specifying file 
> location if you have problems.
>                       Jim
>                        
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Jim Kenzig 
> http://thethin.net
>                       Sent: Monday, December 01, 2003 11:06 AM
>                       To: thin@xxxxxxxxxxxxx
>                       Subject: [THIN] Re: Only allow specified apps.
>                       
>                       
>                       Use appsec.exe and see <http://thethin.net/archive3.cfm?id=81940> 
> for a list.
>                        
>                       Jim Kenzig
>                       <http://thethin.net>
>                       <http://spamguerilla.com>
>                       <http://www.kenzig.com>
>                       <http://ondemandaccess.com>
>                       <http://worldofasp.com>
>                        
> 
>                       -----Original Message-----
>                       From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Robert Barrett
>                       Sent: Monday, December 01, 2003 10:51 AM
>                       To: 'thin@xxxxxxxxxxxxx'
>                       Subject: [THIN] Only allow specified apps.
>                       
>                       
> 
>                       Hello all,
> 
>                       I am an admin in a school division and, as anyone else
> can attest, that comes with a whole bunch of users (high school) 
> playing all sorts of games trying to congest the network to the point 
> of choking. Anyway, enough griping; has anyone gotten the GPO setting 
> that only allows certain Windows exe's to run working?  I am trying to 
> only allow them to run what is necessary for educational 
> purposes. I can make the list myself (of course if someone has a basic 
> list to start I'd take it :-)). If not a GPO, does anyone have any 
> other ideas as to how to do this?  TIA
> 
>                       Robert Barrett MCSE, CCA, A+ 
>                       Enterprise Administrator 
>                       Fort Vermilion School Division 
>                       <http://www.fvsd.ab.ca> 
>                       robertb@xxxxxxxxxx
> 



********************************************************
This Week's Sponsor - ThinPrint .Print Server Engine
Thinprint can help you save money, protect resources, 
simplify administration, save time and increase 
flexibility by solving all of your printing needs. http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm Domains currently for sale by The Kenzig Group
http://www.kenzig.com/serv01.htm New Site: Free Weblogs!
http://www.blogvortex.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
