
Application Control Solution 6.0 -- Tips and Tricks, Part II

Updated: 25 May 2007

Darin Bunker shares more ways to secure your environment using Altiris' new Application Control Solution. The tips include ways to harden rights on NS Console servers, registry edits for the client side, and a handful of handy tips and techniques to round out the collection.

The Application Control Solution is a powerful tool in securing common areas of concern in the managed computer environment. Since this solution does provide a great deal of functionality, this document is provided to help explain some common questions and configurations.

The following topics will be addressed in this document:

  • Reducing Process Rights on NS Console Servers
  • Registry Edits for Client-Side Agent
  • Troubleshooting Techniques
  • Overall Application Control Policy Configurations
  • Error Log Usage and Entries

Reducing Process Rights on NS Console Servers

The reduction of rights is a powerful configuration tool for machines that are generally logged-on as administrators, such as servers. Generally, the Notification Server (NS) is only used for running the console when installing or updating existing solutions. Since the NS console is administered via Internet Explorer, it is possible that the rights for the browser process could be reduced by Application Control Solution.

Reducing the rights of Internet Explorer on the NS Console does create an issue when attempting to install or update Altiris solutions. Since the installation process requires writing to the system files and registry, the installation will fail.

To avoid this conflict between the NS Console and a policy that limits the rights of web browsing, it is recommended that Application Control be disabled via the Application Control console pages, that solution administration (installs and/or updates) be completed, and that the policy then be re-enabled. All other web browsing on the NS Server should be limited during this time, since the protection offered by Application Control Solution is not enforced for this period.

Use this console page to disable the policy of limiting Internet Explorer while working on the NS Server.


Registry Edits for Client-Side Agent

This section will provide details on the registry location of the Application Control Policies that are currently configured on a managed machine.

When an Application Control Policy is configured and implemented into the managed environment, that policy is downloaded to the client machines and stored in the system registry. Only valid and current policies are located in the registry, meaning that if a policy is disabled or deleted at the server then those registry entries are deleted from the registry on the client machine. The Altiris Agent process is responsible for updating and maintaining the registry information.

The registry location for the policies is: "HKLM\SOFTWARE\Altiris\Altiris Agent\ApplicationControlAgent\ApplicationControlPolicy\Servers\ServerName\Policies"

Screenshot example displaying the Application Control Policies for a given machine. This computer has ten policies currently active.


Note: By default the general installation will install two policies automatically: Deny Blacklist Execution and Allow Whitelist Execution.

When troubleshooting whether or not a policy is being enforced, check this registry location and compare it with other machines to ensure that the policies exist and are correctly configured.

Troubleshooting Techniques

After working with a product there are lessons learned that can be compiled and documented to help analyze and solve future issues that arise. This section will focus on helping administrators and help desk technicians by providing a quick checklist of areas to look at when troubleshooting. The following list does not detail specific issues but rather provides areas to review to confirm that components and files are configured appropriately:

  • File Inventory Agent is installed. There are two areas to check for the installation of the agent. First look in the Add/Remove Programs applet to verify installation. Second, right click on the Altiris Icon in the Systray and select "Altiris Agent Details" to confirm that File Inventory Agent is listed in the Installed Agents grid.
  • Application Control Agent is installed. There are two areas to check for the installation of the agent. First look in the Add/Remove Programs applet to verify installation. Second, right click on the Altiris Icon in the Systray and select "Altiris Agent Details" to confirm that Application Control Agent is listed in the Installed Agents grid.
  • Application Control system driver is installed. If Application Control Policies are not being enforced for any reason, confirm that the Application Control Driver (AltirisACDrv.sys) is present on the machine. Generally the driver is located at "\Program Files\Altiris\Altiris Agent\Agents\ApplicationControl\".
  • Client policies are located in the registry. All current policies to be enforced are located in the registry. If for any reason a policy is not being enforced, check the following registry location for all configured policies: "HKLM\SOFTWARE\Altiris\Altiris Agent\ApplicationControlAgent\ApplicationControlPolicy\Servers\ServerName\Policies"
  • Altiris Log Entries. Check the Altiris Error Log on the client machine to confirm errors and warnings. Application Control uploads logging information with either AltirisACSvc.exe or AltirisACAction32.dll.
  • FileHashCache.db File. Delete the FileHashCache.db file and reboot. If Application Control Policies are not being enforced, it is possible to delete the local store of identified processes on the machine to force the File Inventory Agent to rebuild the list. The FileHashCache.db file is located in the Program Files directory under the Altiris sub-folder.
  • Uninstall Application Control. As a last resort to troubleshooting the Application Control Solution, uninstalling Application Control on the client machine will help in removing any issues that could be caused by the solution.
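The checklist above can be walked with a read-only script. The following PowerShell is an added example, not code from the article or from Altiris: it uses only the file and registry paths the article names, and assumes the Add/Remove Programs display names contain the agent names as written above, that the Altiris folder sits under the Program Files of the running PowerShell, and that policy entries under ...\Servers\<NS name>\Policies are stored as subkeys or values (both are counted).

```powershell
# Added example (assumptions: paths as in the article; agent DisplayNames as assumed above).
$agentRoot = Join-Path $env:ProgramFiles 'Altiris\Altiris Agent'
$driver    = Join-Path $agentRoot 'Agents\ApplicationControl\AltirisACDrv.sys'
$servers   = 'HKLM:\SOFTWARE\Altiris\Altiris Agent\ApplicationControlAgent\ApplicationControlPolicy\Servers'
$defaults  = 'Deny Blacklist Execution', 'Allow Whitelist Execution'   # installed by default (see Note above)
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Report([bool]$ok, [string]$msg) {
    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    "$tag $msg"
}

# 1. Both agents listed in Add/Remove Programs (DisplayName match is an assumption)
$installed = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName
foreach ($agent in 'File Inventory Agent', 'Application Control Agent') {
    Report ([bool]($installed -like "*$agent*")) "Add/Remove Programs lists: $agent"
}

# 2. Application Control driver file present?
Report (Test-Path $driver) "driver file: $driver"

# 3. Policies downloaded to the registry, one branch per Notification Server
if (-not (Test-Path $servers)) {
    Report $false "no policy branch at $servers (has the agent received any policy yet?)"
} else {
    foreach ($srv in Get-ChildItem $servers) {
        $polKey = Join-Path $srv.PSPath 'Policies'
        if (-not (Test-Path $polKey)) { Report $false "server $($srv.PSChildName): no Policies key"; continue }
        # subkeys plus value names, since the article does not say which form a policy takes
        $names = @((Get-ChildItem $polKey).PSChildName) + @((Get-Item $polKey).Property)
        Report ($names.Count -gt 0) "server $($srv.PSChildName): $($names.Count) policy entries"
        foreach ($d in $defaults) { Report ($names -contains $d) "default policy present: $d" }
    }
}

# 4. FileHashCache.db, the File Inventory Agent's local store, somewhere under Program Files\Altiris
$cache = Get-ChildItem (Join-Path $env:ProgramFiles 'Altiris') -Recurse -Filter 'FileHashCache.db' -ErrorAction SilentlyContinue
Report ($null -ne $cache) "FileHashCache.db found: $($cache.FullName -join ', ')"
```

Run it in an elevated session on the managed machine and compare the output with a machine where the policies are known to be enforced, as the section above recommends.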

Overall Application Control Policy Configurations

Maintaining a secure environment is an on-going process since threats and vulnerabilities are constantly being discovered with existing and new products. To ensure secure computing it is important to incorporate multiple aspects of the Application Control Solution into the overall environment.

When the Application Control Solution is implemented into an environment, the File Inventory Agent immediately gathers all the processes and executables currently running. The information gathered by the agents is uploaded to the NS server to allow Application Control Policies to be defined. This process is on-going: whenever a new executable is found it is processed and also sent up to the server. The gathering of this data is critical to a key concept of the Application Control Solution, the use of the Whitelist and Blacklist. These two lists define the executables in the environment as either acceptable to run or to be restricted from execution. The default Application Control Policies "Allow Whitelist Execution" and "Deny Blacklist Execution" should be enabled in the environment to enforce this concept. Maintaining the lists is itself an on-going task, since the File Inventory Agent is constantly updating the server with any new executables discovered in the environment, and keeping the lists current is therefore critical to maintaining security.

For critical systems and servers where key applications have already been installed and configured, additional changes to those systems are not expected during the course of normal daily processing. To provide enhanced security against unauthorized changes on these systems, enable the "Deny Windows Hooking" Application Action in the context of Interactive User processes, so that no unauthorized processes will run on those machines. The "Deny Windows Hooking" Application Action stops any process that attempts to eavesdrop on the communication of other applications running on the same system. When configured in the context of Interactive Users, this Application Action restricts only those processes that are launched with user rights and privileges.

Including the context of "Interactive Users" in the Application Filters will only enforce this policy to those processes launched by users.


In many cases it is difficult to classify an executable as belonging to either the Whitelist or the Blacklist when the executable is not completely understood. For those processes that administrators are not sure of, placing them into an SVS Isolation Layer provides the option of deactivating or deleting the actions and activities performed by that executable using SVS functionality.

Using multiple Application Control Policies together allows for a powerful mechanism for enhancing security. As administrators of the Application Control Solution configure and adjust Application Actions and Policies they will refine desired results and tighten security required for a more productive and efficient environment.

Error Log Usage and Entries

The Application Control Solution uses the standard Altiris Agent logging for warnings and errors with the components of the software. Additionally, Application Control Solution allows for various levels of logging. By setting a registry key, the logging level can be defined to either provide basic information to the log or comprehensive detail with the actions performed by the solution. The maximum logging level is generally used for troubleshooting issues with policies being enforced.

The registry location for defining the logging level is identified as the following:

Registry Path: "HKLM\Software\Altiris\eXpress\Event Logging\LogFile\"
Key Name: Severity
Key Type: REG_DWORD
Key Value: Defined in table below.

Logging Level         Dec. Value   Hex Value
Errors                1            0x00000001
Warnings              2            0x00000002
Errors and Warnings   3            0x00000003
Informational         4            0x00000004
Trace                 8            0x00000008
All Logging           255          0x000000FF

Possible values for the "Severity" registry key.

When examining the Altiris Agent logs, generally located at the file path: "C:\Program Files\Altiris\Altiris Agent\Logs", the following modules could be logging messages:

  • AltirisACSvc.exe
  • AltirisACAction32.dll

Note: By setting the logging value to maximum logging (255), the quantity of details logged will cause the logs to cycle more frequently. Currently, the Altiris logs maintain 20 separate log files that are cycled. This means that the oldest log files are erased when new logging needs to be saved. This does create a problem when trying to retrieve log details over an extended period of time. Therefore, the logging level needs to be reviewed to ensure that logging details are maintained for your specific requirements.

Note: The registry entry (severity) detailed in this section is the registry entry used for many other Altiris solutions and products.
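The following PowerShell is an added example, not code from the article or from Altiris: it reads the "Severity" value and names it using the table above, changes it only to one of the documented values while showing the previous value so a temporary 255 can be reverted, and counts log lines mentioning the two Application Control modules. It assumes the log directory the article gives, that the agent logs are plain text in which the module name appears on each entry line (the log format itself is not parsed), and that an elevated session is used for the write.

```powershell
# Added example; registry path, value name and level table are those given in the article.
$logKey = 'HKLM:\Software\Altiris\eXpress\Event Logging\LogFile'
$logDir = Join-Path $env:ProgramFiles 'Altiris\Altiris Agent\Logs'   # assumption: 32-bit Program Files on x86
$levels = @{ 1 = 'Errors'; 2 = 'Warnings'; 3 = 'Errors and Warnings'
             4 = 'Informational'; 8 = 'Trace'; 255 = 'All Logging' }

function Get-AltirisLogLevel {
    $v = (Get-ItemProperty -Path $logKey -Name Severity -ErrorAction SilentlyContinue).Severity
    if ($null -eq $v) { return 'Severity not set (agent default applies)' }
    $name = if ($levels.ContainsKey([int]$v)) { $levels[[int]$v] } else { 'value not in the documented table' }
    'Severity = {0} (0x{0:X8}): {1}' -f [int]$v, $name
}

function Set-AltirisLogLevel {
    # Only the documented values are accepted; 255 is for troubleshooting sessions and should be
    # reverted afterwards because the 20 cycling log files fill up quickly (see Note above).
    param([Parameter(Mandatory)][ValidateSet(1, 2, 3, 4, 8, 255)][int]$Level)
    $old = (Get-ItemProperty -Path $logKey -Name Severity -ErrorAction SilentlyContinue).Severity
    if (-not (Test-Path $logKey)) { New-Item -Path $logKey -Force | Out-Null }
    New-ItemProperty -Path $logKey -Name Severity -PropertyType DWord -Value $Level -Force | Out-Null
    $was = if ($null -eq $old) { 'unset' } else { $old }
    "Severity changed: $was -> $Level"
}

function Show-AppControlLogEntries {
    # Newest agent log only; plain text match on the two module names the article lists.
    $newest = Get-ChildItem $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return "no .log files under $logDir" }
    $hits = Select-String -Path $newest.FullName -Pattern 'AltirisACSvc\.exe', 'AltirisACAction32\.dll'
    if (-not $hits) { return "no Application Control entries in $($newest.Name)" }
    $hits | Group-Object { $_.Matches[0].Value } |
        ForEach-Object { '{0}: {1} line(s) in {2}' -f $_.Name, $_.Count, $newest.Name }
}

Get-AltirisLogLevel
Show-AppControlLogEntries
# Set-AltirisLogLevel 255    # raise for a troubleshooting session, then Set-AltirisLogLevel 3 to revert
```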