
Working with Altiris Application Control Solution 6.0 - Part I - Overview

The Altiris Application Control Solution is a soon-to-be-released product that's creating a lot of buzz in the beta community. Here's a sneak peek from Darin Bunker, an Altiris test engineer who's paid to beat on new products and see what they're made of.

Application Control Solution Overview

The overall computer environment continues to evolve to give both management and end-users functionality that helps achieve business objectives. However, when new functionality is added to applications and systems, there is the possibility that those enhancements could be exploited by unauthorized parties. Altiris, in conjunction with one of its partners, has developed a solution to address common security risks. Application Control Solution provides enhanced security capabilities that address common issues with the overall security posture of the computers within the network.

[Figure: Application Control Solution Home Console]

The Application Control Solution gives administrators complete control over which applications execute on their managed machines. The solution maintains default White and Black lists, which allow the computer to either run a process or deny its execution. This capability is further enhanced by allowing administrators to restrict specific files from being opened, read or written to.

A common issue in managed computer environments is the need for specific users to run as administrators on their laptops or desktops. The operating system assigns each process (application) a security token, derived from the authentication and authorization of the user logging on, which details the privileges the process can exercise within the system. This means that if malicious code is executed within any process, it will have the same rights as the logged-on user. A common area where this is a constant problem is Internet Explorer, when visiting sites where malware, adware and other malicious code could be executed. To combat this problem, Application Control Solution enables administrators to select processes/executables and restrict the administrative rights of a single process. As the process loads, the Application Control Agent intercepts the request and removes the Windows privileges from the security token before allowing it to continue loading. The same functionality also lets administrators elevate the rights of a single process, so that computers can run as a standard user with user privileges while one process, needed for specific administrative tasks, has administrative rights.

Since Application Control Solution works at the kernel level, it can detect and modify processes before the executable finishes loading. This level of application control also allows rules to be applied to every process in the overall environment. To give administrators more control over securing sensitive files on user computers, Application Control Solution can apply the Encrypting File System (EFS) to defined processes. This means that Application Control policies can encrypt any file created with a given extension or of a specific MIME type.

Additionally, the Application Control Solution also gives administrators the option of isolating a suspicious process into an SVS Isolation Layer. This capability means that every file created or system configuration change made by that process will be captured into the SVS layer.

Basic Solution Install Information

The following sections describe the process and components of implementing Application Control Solution.

Server Installation

Like all other Altiris solutions, an automated installation is available via the Notification Server installation utility. This installation includes all components necessary for the solution. Additionally, if required, the install can be performed via MSI packages.

Application Control Agents

To begin collecting data on which executables and processes are running in the environment, so that Application Control policies can be configured, the agents must be deployed as one of the first steps of Application Control configuration. The client agents act as both the collectors and the enforcers of the policies defined by administrators in the solution console.

Application Filter Configurations

The client-side File Inventory Agent provides the server with a hash of all processes/executables running in the environment. The server then compiles a list of all the processes running for all machines configured with the Application Control Solution. This list becomes part of the File Filter Configuration. The Application Filters are the main component in targeting specific Application Actions to specific executables. There are three types of Application Filters: Application Context, Dynamic Filters and Inventory Filters.

Application Actions

Application Actions are the rule sets applied to identified processes. The Application Control Solution offers a wide range of options for restricting and controlling the execution of executables in the environment.

To enforce certain Application Actions, in-process support is necessary. In-process actions are those where the Application Control Agent has inserted a DLL into the load order when the executable is loaded into memory, so that it acts as a filter on the executable's activity. If the executable attempts an activity governed by an Application Action, the in-process Application Control DLL intercepts that activity and enforces the action defined in the policy.

The following list details the available Application Actions:

  • Deny File Access (In-Process). This action allows administrators to deny users the ability to run specific file types or write to specific file types. For example, the Deny File Access action could be used in an Application Control Policy to deny users the right to run file sharing programs like Gnutella. Even though the application could be installed on the computer, when the user attempts to run it the kernel driver identifies the process before it loads and terminates the action.
  • Deny Execute. When a call is made to the kernel to begin the process of launching an application, the Application Control system driver alerts the Application Control Service concerning the event, which can provide the ability to send a call back to the kernel to stop execution of the application. This Application Action can be defined for those applications that administrators do not want running in the environment.
  • Deny Windows Hooking (In-Process). The most common "Windows Hooking" problem is the unauthorized use of key loggers on a computer. Deny Windows Hooking uses in-process functionality to identify when unauthorized applications attempt to collect data from other applications by using global Windows hooks. Additionally, this Application Action also prevents applications from injecting arbitrary code into existing valid processes. This functionality gives administrators a line of defense against malware programs that attempt to obtain unauthorized information from computers in the environment.
  • Encrypt Application Files (In-Process). The Application Control Solution takes advantage of the built-in Windows Encrypting File System (EFS). This Application Action automatically encrypts files for a user for a specific file type or MIME type. Administrators can enforce encryption either for a specific folder path or anywhere on the computer's file system.
  • Messages. The Application Control Agent provides the ability to inform the user of what actions have been applied by the agent. These messages can be configured to display the dynamic file information such as process name, path or ID. Standard messages are pre-populated for ease of use.
  • Process Rights. This Application Action will enable the reduction or elevation of process rights for a specific process. There are 39 configurable process rights that can be adjusted to meet security requirements. The Application Control Solution provides a pre-populated set of Administrative rights to be reduced.
  • Quarantine. The Quarantine Application Action quarantines a file by moving it to the default agent quarantine path. It works by identifying executables that should be quarantined and moving those files to the defined path, protecting the system from the execution of malware/adware-type executables.
  • SVS Layers. This Application Action utilizes the SVS API functionality to encapsulate any process into an SVS Isolation or Application Layer. This action will put any file created or configuration change created by a process into a layer.

Application Control Policies

Once filters have been defined and Application Actions configured, the last step is to create policies that enforce the actions on the filters. Essentially, an Application Control Policy consists of at least one Application Filter and one Application Action. Application Filters can be configured to include or exclude defined filters, which allows for easy configuration.

Multiple Application Actions can be assigned to a single Application Control Policy. This means that each policy can affect many actions against the same Application Filter or process. Messages sent to users to inform them of the actions of the Application Control Agent are also assigned in the Application Actions settings of the policy. Additional configuration can be defined for any child process created by the process being modified. By default the child process will be subject to the same policy as the parent process.
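The filter, action and policy model described in this section, as an added example that is not part of the original article or of the Altiris product: a small Python model of an Inventory Filter keyed on executable hashes, with include/exclude entries, a policy carrying one or more Application Actions, and the default that a child process inherits the policy matched by its parent. The inventory paths, hashes and policy names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed File Inventory: path -> hash of the executable's bytes (made up here).
INVENTORY = {
    r"C:\Program Files\Gnutella\gnutella.exe": sha256(b"constructed gnutella image"),
    r"C:\Program Files\Internet Explorer\iexplore.exe": sha256(b"constructed iexplore image"),
    r"C:\Windows\System32\notepad.exe": sha256(b"constructed notepad image"),
}

@dataclass
class Policy:
    name: str
    include: set                               # Inventory Filter: hashes the policy targets
    actions: tuple                             # Application Actions to enforce
    exclude: set = field(default_factory=set)  # hashes exempted from the filter
    apply_to_children: bool = True             # child processes inherit by default

@dataclass
class Process:
    path: str
    image_hash: str
    parent: "Process" = None

def filter_matches(policy: Policy, proc: Process) -> bool:
    # The filter keys on the image hash, not the path, so a replaced or
    # renamed binary does not match the entry made for the original file.
    return proc.image_hash in policy.include and proc.image_hash not in policy.exclude

def evaluate(policies: list, proc: Process) -> list:
    """Actions the agent would enforce on proc (matching proc or, if children inherit, an ancestor)."""
    enforced = []
    for pol in policies:
        p = proc
        while p is not None:
            if filter_matches(pol, p):
                enforced.extend(pol.actions)
                break
            p = p.parent if pol.apply_to_children else None
    return enforced

POLICIES = [
    Policy("Deny file sharing", {INVENTORY[r"C:\Program Files\Gnutella\gnutella.exe"]}, ("Deny Execute",)),
    Policy("Browser with reduced rights", {INVENTORY[r"C:\Program Files\Internet Explorer\iexplore.exe"]},
           ("Process Rights: reduce", "Messages")),
]
```

A process spawned by the browser inherits the reduced-rights policy, while the same executable started on its own does not; a binary whose bytes differ from the inventoried hash matches nothing, which is why hash-based deny entries are paired with White lists in practice.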

Solution Management and Wizards

To provide ease of use for administrators, a "Manage Applications" console page has been included in the solution. This page provides the details of processes inventoried in the environment and includes an "Application Control Wizard" that uses templates to quickly create Application Control Policies. The following list details the options available via the wizard:

  • Automate Document Encryption
  • Blank Application Control Policy
  • Deny Application Execution
  • Elevate Process Rights
  • Prevent Hooking Windows
  • Quarantine Application
  • Restrict Application Read and Write File Access Policy
  • Restrict Process Rights
  • Run Application in Read-Only Mode
  • Run Application in SVS Layer

[Figure: Manage Applications console page]

Conclusion

The Application Control Solution is an extremely powerful and useful tool for securing the laptops, desktops and servers in a computer environment. As the Application Actions described above are used in conjunction with each other in Application Control Policies, a barrier is placed between sanctioned activities and the malware, adware and other suspicious programs lurking to exploit vulnerabilities within the computer system. By taking advantage of the security techniques in Application Control Solution, a more stable and efficient computer environment helps the overall organization focus its time and resources on meeting its business demands and objectives.

For more detail regarding Application Control Solution refer to "Working with Altiris Application Control Solution 6.0 - Part II - Basic Installation".

Application Control w/ Vista?

Just wondering how this will work w/ Vista's UAC and if it will be necessary still?

From what I've read, processes will run under the lowest access needed to run and will prompt the user for a password when the need arises to elevate access.

Will this override UAC or just provide a different layer of security on top of UAC?

Jonathan Jesse
Director of Training
ITS Partners