
Application Control Solution 6.0 -- Tips and Tricks, Part I


App Control pro Darin Bunker shows us how to tighten security around Internet Explorer and how to take advantage of other security essentials like encryption and security certificates.

The Application Control Solution is a powerful tool for securing common areas of concern in the managed computer environment. Because the solution provides a great deal of functionality, this document explains some common questions and configurations.

The following topics will be addressed in this document:

Installing ActiveX and Reducing Rights to Internet Explorer

A major benefit of using Application Control Solution is the ability to reduce the rights of Internet Explorer (IE) when the user logged onto the machine has administrative privileges. When a user with administrative rights launches Internet Explorer, the process token, which gives the application its privileges in the environment, is passed from the parent application (the Windows Desktop) to the child application (Internet Explorer). When the Application Control Solution Agent has the "Limit Internet Explorer and Outlook Process Rights" policy enabled, it intercepts the passing of the process token from parent to child and removes from that token the administrative privileges that are generally not needed for web browsing.
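To confirm that the policy actually had this effect on a given machine, the following PowerShell script, added here as an example and not part of the original article or the product, opens the access token of each running iexplore.exe process and reports whether that token still carries enabled membership in the local Administrators group. It assumes an elevated PowerShell session on the same machine; the Win32.NativeMethods type, the Get-ProcessAdminStatus function name and the TOKEN_QUERY constant are the example's own.

```powershell
# Added example (not from the original article): inspect the access token of
# each running Internet Explorer process and report whether it still carries
# usable membership in the local Administrators group. Run from an elevated prompt.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$TOKEN_QUERY = 0x0008   # access right needed to read group membership from a token

function Get-ProcessAdminStatus {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    $tokenHandle = [IntPtr]::Zero
    if (-not [Win32.NativeMethods]::OpenProcessToken($Process.Handle, $TOKEN_QUERY, [ref]$tokenHandle)) {
        $err = New-Object System.ComponentModel.Win32Exception([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
        throw "OpenProcessToken failed for PID $($Process.Id): $($err.Message)"
    }
    try {
        # WindowsIdentity wraps (a duplicate of) the token. IsInRole does not
        # count deny-only SIDs, so a token whose Administrators membership was
        # stripped or marked deny-only reports IsAdmin = $false here.
        $identity  = New-Object System.Security.Principal.WindowsIdentity($tokenHandle)
        $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
        [pscustomobject]@{
            ProcessName = $Process.ProcessName
            Id          = $Process.Id
            User        = $identity.Name
            IsAdmin     = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
    finally {
        [void][Win32.NativeMethods]::CloseHandle($tokenHandle)
    }
}

# With the "Limit Internet Explorer and Outlook Process Rights" policy applied,
# every row for an administrator's IE windows should show IsAdmin = False.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessAdminStatus -Process $_ } |
    Format-Table -AutoSize
```

Compare the output with the same check run against a process you know is unrestricted (for example the PowerShell host itself via `Get-Process -Id $PID`): an administrator's shell reports True, and an IE instance launched after the policy was applied should report False.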

Historically, one of the biggest problems with running Internet Explorer with administrative privileges is the installation of application components such as ActiveX controls. Inadvertent installation of unauthorized ActiveX components creates a security breach on that machine. However, blocking the installation of ActiveX by reducing the administrative rights in the process token also creates a problem when users need to install trusted and necessary ActiveX components.

This section describes the options available to address users' need to install ActiveX components.

Option I - Disable Application Control

It is possible, but not recommended, to use the Services applet to stop the "Altiris Application Control" service. Stopping this service prevents the Application Control Agent from enforcing any of the policies configured on the machine, including the reduction of rights. After stopping the service, close all Internet Explorer windows that are currently open and then re-open Internet Explorer. This allows the new instances of the application to obtain the process token with all privileges intact. After installing the ActiveX component, restart the "Altiris Application Control" service.

This option is not recommended because once users know how to disable the service, they may disable it permanently, losing the security the solution provides.

Option II - Alternative Installation of ActiveX Components

When managing a more secure environment in which temporarily reducing security is not acceptable, there is an alternative: use software delivery mechanisms to roll out ActiveX controls to client computers. Many producers of ActiveX controls provide stand-alone install packages for their components. These packages can be configured and rolled out to the environment so that the controls are installed independently of Internet Explorer.

Note: this method requires more administrative resources to respond to user requests for ActiveX components.

Using Security Certificates

Security certificates associated with executables can be used as a filter for applying Application Actions with Application Control Solution. This functionality allows Application Control Policies to grant defined rights and privileges to all processes from a trusted source, based on the security certificate.

Screenshot: Signed File Filter for Adobe Systems, Incorporated.

File Inventory automatically retrieves the digital certificates used to code-sign applications discovered in the environment. Once retrieved, certain attributes need to be extracted and stored as inventory data classes in human-readable form. The process that performs this function is the "Extract Certificate Details" maintenance task. By default this task runs daily and processes the certificates whose details have not yet been extracted.

Screenshot: Extract Certificate Details schedule configuration page.
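The following PowerShell script, added here as an example and not the product's own code, does on a single machine what the two sections above describe: it extracts the code-signing certificate details of executables into a readable table and then shows the check a publisher-based filter relies on, namely that the signature validates and the publisher name matches. The Get-SignerDetails and Test-TrustedPublisher names and the sample path under C:\Program Files\Adobe are assumptions; the publisher string "Adobe Systems, Incorporated" is the one shown in the screenshot caption above.

```powershell
# Added example (not from the original article or the product): extract the
# code-signing certificate details of executables, similar in spirit to the
# attributes the "Extract Certificate Details" task stores as inventory.

function Get-SignerDetails {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in Get-ChildItem -Path $Path -File) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $cert = $sig.SignerCertificate      # $null when the file is not signed
        [pscustomobject]@{
            File       = $file.FullName
            Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Publisher  = $(if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null })
            Issuer     = $(if ($cert) { $cert.GetNameInfo('SimpleName', $true)  } else { $null })
            NotAfter   = $(if ($cert) { $cert.NotAfter }   else { $null })
            Thumbprint = $(if ($cert) { $cert.Thumbprint } else { $null })
        }
    }
}

# A publisher filter should only match files whose signature is Valid (chain to
# a trusted root and hash intact) AND whose publisher name matches. A file with
# Status HashMismatch or NotTrusted carries the publisher's name but must not
# receive the publisher's rights.
function Test-TrustedPublisher {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $details = Get-SignerDetails -Path $FilePath
    return [bool]($details.Status -eq 'Valid' -and $details.Publisher -eq $ExpectedPublisher)
}

# Assumed sample path; adjust to an application directory on your machine.
Get-SignerDetails -Path 'C:\Program Files\Adobe\*.exe' | Format-Table -AutoSize

Test-TrustedPublisher -FilePath 'C:\Program Files\Adobe\Acrobat.exe' `
                      -ExpectedPublisher 'Adobe Systems, Incorporated'
```

The Status column is the part worth keeping in any inventory: the subject name of a certificate is just a string, and only a Valid status says the binary is intact and the certificate chains to a root the machine trusts.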

Configuring EFS Encryption for Altiris Application Control Solution

The Application Control Solution provides powerful functionality for securing system files and data with Encrypting File System (EFS) encryption. This ability to encrypt files uses the encryption built into Windows operating systems newer than Windows 2000.

EFS encryption uses a key to encrypt data and to decrypt it again when necessary. In Windows, that key is needed to ensure the data and files are appropriately encrypted, and it must be obtained from a trusted certification authority. If no trusted certification authority exists, the computer can generate its own self-signed certificate. The following steps walk through configuring the Active Directory domain to provide certificates for domain members.

Domain Setup

Since individual computers need certificates to use EFS, a Certificate Authority can be configured to automatically provide certificates to domain members. This section provides a few pointers and general information about configuring the domain controller to provide Certificate Authority services.

First, confirm that Certification Authority is installed on the domain controller. Next, open the configuration utility and confirm that the service is started. Then, check to see if "Basic EFS" policy exists in the "Policy Settings" folder.

Screenshot: Windows 2000 Active Directory Domain Controller. For Server 2003 the name of the "Policy Settings" folder has changed to "Policy Templates".

If the policy does not exist, right-click on the "Policy Settings" folder, select "New" and then "Certificate to Issue". From the selection box select "Basic EFS" and click "OK".

After configuring the Domain Controller by issuing the Certificate Template for EFS encryption, reboot both the Domain Controller and all domain members.

Client Certificate Setup

If the client machine is configured appropriately with the domain, then setting EFS encryption on a system file will request and install a certificate from the Certificate Authority configured through the domain. The following steps walk through confirming existing certificates and requesting new ones.

  1. Open the Certificate Manager. Click "Start", "Run", type "certmgr.msc" and press enter.
  2. Highlight the "Personal" folder.
  3. Existing certificates will be located in the "Personal" folder under the sub-folder "Certificates". The certificates located in this folder will detail: "Issued To", "Issued By", "Expiration Date", "Intended Purposes" - which should say "Encrypting File System", "Friendly Name", and "Status".
  4. To request a new certificate right click on either the "Personal" or "Certificates" folder and select "All Tasks", "Request New Certificate…"
  5. Click "Next" and then select "Basic EFS".
  6. Enter a "Friendly name" and "Description". Click "Next".
  7. Review the certificate information and click "Finish".
  8. A message will be returned if the request is successful.
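The same confirmation as step 3 can be scripted. The following PowerShell, added here as an example and not part of the original article, lists the certificates in the current user's Personal store that carry the Encrypting File System enhanced key usage and flags the two cases a practitioner wants to notice: a self-signed certificate (meaning the machine never reached the domain CA) and an expired one. The Get-EfsCertificate name is the example's own; the EKU OID 1.3.6.1.4.1.311.10.3.4 is Microsoft's identifier for Encrypting File System.

```powershell
# Added example (not from the original article): list EFS-capable certificates
# in the current user's Personal store, the same view as certmgr.msc ->
# Personal -> Certificates filtered on Intended Purposes = Encrypting File System.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Microsoft "Encrypting File System" EKU

function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object @{ n = 'IssuedTo';      e = { $_.GetNameInfo('SimpleName', $false) } },
                      @{ n = 'IssuedBy';      e = { $_.GetNameInfo('SimpleName', $true) } },
                      @{ n = 'Expires';       e = { $_.NotAfter } },
                      @{ n = 'Expired';       e = { $_.NotAfter -lt (Get-Date) } },
                      # Subject equal to Issuer means the computer generated the
                      # certificate itself instead of enrolling with the domain CA.
                      @{ n = 'SelfSigned';    e = { $_.Subject -eq $_.Issuer } },
                      @{ n = 'HasPrivateKey'; e = { $_.HasPrivateKey } },
                      Thumbprint
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate in the Personal store; encrypting a file will trigger enrollment (steps 4-8 above).'
}
$certs | Format-Table -AutoSize
```

On a domain member that enrolled correctly, IssuedBy shows the domain CA and SelfSigned is False; a True in the SelfSigned column means files encrypted with that certificate are recoverable only through that certificate's private key and whatever recovery agent policy applies.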

Manually Encrypting a File

The built-in EFS encryption technology allows users to easily configure and manage encryption for files stored on the managed media of a computer. The following steps walk through manually configuring encryption for a single file:

  1. Open Windows Explorer and navigate to the file to be encrypted. Note that the file listed in the screenshot below is black.
  2. Select the file, right click and choose "Properties". On the "General" tab of the Properties window is a button labeled "Advanced". Click on Advanced.
  3. The "Advanced Attributes" window allows the user to check the "Encrypt contents to secure data" checkbox. Select this box and click "OK".
  4. Depending on the file and its location, a warning message may be displayed to inform the user of the importance of encrypting the folder containing the file. Select either option and click "OK".
  5. After enabling the encryption on the file, the color of the file listed in Windows Explorer will change to green.

Allowing Other Users to Access Encrypted Files

Microsoft Windows EFS encryption does not provide group policy functionality for access to encrypted files. However, other users can be allowed to access an encrypted file by associating their security certificates with that file. The following steps walk through allowing other users to access files encrypted using EFS:

  1. Right click on the file to be configured for access permissions and select "Properties", then "Advanced". When the "Advanced Attributes" window is displayed select "Details" and click "OK".
  2. The encryption details will be displayed for the selected file. The screenshot below provides the details of those users who can access the file as well as a Data Recovery Agent who also has a certificate necessary to decrypt and access the file.
  3. To add a new user to this encrypted file, click "Add". The screenshot below shows the users available to select. If the user to be granted access is not listed, click "Find User…".
  4. The following screen allows searching capabilities to locate the user to be granted access to the file. Note: this searching screen will only provide users local to the machine or the domain that this computer is a part of.
  5. After granting access to the file in question the following window will be updated to confirm successful granting of access.

Removing File Encryption

When necessary, the file encryption can be removed to provide the file to external parties. The encryption can be removed in a few different ways. The following list gives a few options for encryption removal:

  • Configuring file properties. Right click on the file and select "Properties", then "Advanced". Uncheck "Encrypt contents to secure data" and click "OK".
  • Another way to remove the encryption is to copy the file to an external device such as a USB key or disk drive. When attempting to copy, the user will be informed that to complete the action the encryption will be lost.
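The three Windows Explorer procedures above (encrypting a file, granting another user access, and removing encryption) can also be performed and verified from PowerShell. The following script is an added example, not part of the original article or the product: it uses the .NET FileInfo Encrypt/Decrypt methods for the attribute change and cipher.exe for the per-user access list. The function names, the sample file path and the thumbprint placeholder are assumptions; the cipher.exe switches used (/c, /adduser /certhash:) are assumed to be available on the target Windows version (check cipher /?), and the other user's certificate must already be present in a local certificate store, just as the user must appear in the "Add" dialog.

```powershell
# Added example (not from the original article): encrypt a file with EFS,
# verify the attribute, grant a second user access by certificate thumbprint,
# list who can decrypt, and finally remove the encryption.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # The Encrypted attribute is what turns the file name green in Explorer.
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-EfsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Equivalent of ticking "Encrypt contents to secure data"; Windows enrolls
    # or generates an EFS certificate for the caller on first use.
    (Get-Item -LiteralPath $Path).Encrypt()
    return Test-EfsEncrypted -Path $Path
}

function Grant-EfsAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertThumbprint   # SHA-1 thumbprint of the other user's EFS certificate
    )
    # cipher /adduser adds the holder of that certificate to the file's list of
    # users who can decrypt it (the "Add" button in the encryption details dialog).
    & cipher.exe /adduser "/certhash:$CertThumbprint" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }
}

function Get-EfsAccessList {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c prints the users (and recovery agents) whose certificates can decrypt the file.
    & cipher.exe /c $Path
}

function Unprotect-EfsFile {
    param([Parameter(Mandatory)][string]$Path)
    # Same effect as unchecking "Encrypt contents to secure data".
    (Get-Item -LiteralPath $Path).Decrypt()
    return -not (Test-EfsEncrypted -Path $Path)
}

# Constructed sample input; replace the path and thumbprint with your own values.
$sample = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'

Protect-EfsFile -Path $sample                       # expected: True
Grant-EfsAccess -Path $sample -CertThumbprint 'PLACEHOLDER_THUMBPRINT_OF_OTHER_USER'
Get-EfsAccessList -Path $sample                     # lists both users plus any recovery agent
Unprotect-EfsFile -Path $sample                     # expected: True (attribute cleared)
```

Note that Unprotect-EfsFile, like unchecking the box in Explorer, only changes the file's own encryption; copying a file to a device that does not support EFS (the second removal method above) loses the encryption as a side effect, which is why Explorer warns before completing the copy.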