Working with Altiris Application Control Solution 6.0 - Part II - Basic Installation
If you read part 1 of this series, you know folks are getting very excited about this unique new security offering from Altiris. In this document, Darin walks you through the finer points (and gives you a leg up on the rougher parts) of the installation.
Table of Contents
- Application Control Solution Overview
- Solution Architecture
- Application Control Setup
- Conclusion
Application Control Solution Overview
The Application Control Solution provides the ability for administrators to control many aspects of the local security environment on a computer. By using various Application Filters and Application Actions, administrators can define an environment that will restrict those activities that cause confusion and delay in business activities. This document will provide an overview of the basic installation and configuration of the solution.
Solution Architecture
Application Control Solution architecture consists of a server administrative console, server web services, and two client agents.
Server:
- Web console available via Altiris Notification Console
- Web service used to upload file inventory hashes and download configuration information to clients. The web service console is available at http://hostname/Altiris/msoft/agent/clientitemmanager.asmx.
Client:
- File Inventory Agent (AltirisFileInvAgentUtil.exe). This agent is distributed to the clients to identify and collect the executables or processes running on the machine.
- Application Control Agent (AltirisACSvc.exe). This agent is used to enforce the Application Security Policies.
- Application Control Kernel Driver (AltirisACDrv.sys). This driver is used to interface with the Kernel which provides the ability to pause processes at the kernel level when implementing the defined policies.
- In-Process DLL (AltirisACactioni.dll). The Application Control Agent uses a DLL which is inserted into the process of targeted executables to enforce in-process policies, such as automatic EFS encryption.
Application Control Setup
The following sections will walk through the process of setting up and configuring Application Control Solution.
Server Installation
The installation of Application Control Solution contains the following files:
- Altiris_MSoftCommon.exe
- Altiris_FileInventory.exe
- Altiris_ApplicationControl.exe
- Altiris_ReportApplicationControl.exe
- Altiris_DocAppControl.exe
Like all other Altiris solutions, an automated installation is available via the Notification Server installation utility. If the solution must instead be installed from the individual solution installation files, the packages must be executed in the order listed above.
Note: If the solution was installed manually, it is important to restart the Altiris Service after installation. This step is performed automatically when running the installation from the Notification Server Console installation utility.
Application Control Agents Rollout
The first step to obtaining process information from the clients is to roll out the agents. It is important to roll out the agents in a specific order: the first agent that should be deployed is the File Inventory Agent, followed by the Application Control Agent.
File Inventory Agent Rollout
The File Inventory Agent is responsible for logging the processes running on a machine and initiating uploading of that information to the server. Once a process is initiated on the computer, the Application Control kernel driver notifies the Application Control Agent that a new process is about to be started. The File Inventory Agent receives the information from the Application Control Service and then takes the executable file and generates a hash and logs that information in the FileHashCache.db file located locally on the machine in the Program Files\Altiris\Altiris Agent\Agents\FileInventory path.
Note: When first installed on a computer there could be a slight performance decrease as the File Inventory Agent processes all the existing processes running on the system and stores the details in the local FileHashCache.db. However, it should be noted that the File Inventory Agent only generates the hash if it hasn't seen that process before, and it does so as soon as it sees the process executing in memory.
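The hash-once-then-cache behaviour described above, as an added example that is not Altiris code: a process-start event hashes the executable only if the cache has no entry for it, and the cache lives in a small local database. The SHA-256 algorithm, the table schema, and the decision to re-hash when the file's size or modification time changes are assumptions of this example (the real agent's cache format is not documented on this page); the sample executables are constructed temporary files.

```python
"""Added example (not Altiris code): a minimal file-inventory hash cache.

Each time a process is started, the executable is hashed once and the result
is stored in a local SQLite database. An executable already in the cache is
not re-hashed. Hash algorithm, schema and re-hash rule are assumptions.
"""
import hashlib
import os
import sqlite3
import tempfile


class FileHashCache:
    """SQLite-backed cache of executable hashes, keyed by absolute path."""

    def __init__(self, db_path):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS file_hash ("
            "path TEXT PRIMARY KEY, size INTEGER, mtime REAL, sha256 TEXT)"
        )
        self.hash_count = 0  # how many times a file was actually hashed

    @staticmethod
    def _sha256(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def on_process_start(self, path):
        """Return the SHA-256 of the executable, hashing only when needed.

        A file is hashed when it is new to the cache or when its size or
        modification time differ from the cached values, so a binary replaced
        in place at the same path is noticed (keying on path alone would not).
        """
        path = os.path.abspath(path)
        st = os.stat(path)
        row = self.conn.execute(
            "SELECT size, mtime, sha256 FROM file_hash WHERE path = ?", (path,)
        ).fetchone()
        if row and row[0] == st.st_size and row[1] == st.st_mtime:
            return row[2]  # cache hit: no hashing
        digest = self._sha256(path)
        self.hash_count += 1
        self.conn.execute(
            "INSERT OR REPLACE INTO file_hash VALUES (?, ?, ?, ?)",
            (path, st.st_size, st.st_mtime, digest),
        )
        self.conn.commit()
        return digest


def demo():
    """Simulate repeated process starts; return (hash_count, digests)."""
    with tempfile.TemporaryDirectory() as d:
        exe_a = os.path.join(d, "a.exe")
        exe_b = os.path.join(d, "b.exe")
        with open(exe_a, "wb") as f:
            f.write(b"MZ constructed sample A")
        with open(exe_b, "wb") as f:
            f.write(b"MZ constructed sample B")
        cache = FileHashCache(os.path.join(d, "FileHashCache.db"))
        events = [exe_a, exe_b, exe_a, exe_a, exe_b]  # five starts, two files
        digests = [cache.on_process_start(p) for p in events]
        # Replace a.exe in place: the size changes, so it is hashed again.
        with open(exe_a, "wb") as f:
            f.write(b"MZ constructed sample A, replaced build")
        digests.append(cache.on_process_start(exe_a))
        return cache.hash_count, digests


if __name__ == "__main__":
    count, digests = demo()
    print(f"{count} hash computations for {len(digests)} process starts")
```

Five starts of two unchanged files cost two hash computations; the replaced binary costs a third. A cache keyed on path only, without size or mtime, would silently keep reporting the old hash for the replaced file, which is the caveat to check in any inventory agent.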
Note: Also, rebooting the machine after agent installation is not enforced or necessary for the agents to work but might be a good idea.
Rolling the Agent out to the environment is the same process as rolling other Altiris solution agents. The screenshot above displays those options provided.
Note: Even though the File Inventory Agent needs to be deployed first into the environment, it cannot begin collecting data until the Application Control Agent is installed. The Application Control Agent is the service that receives the events from the kernel driver and then initiates the File Inventory agent to identify the process.
Application Control Agent Rollout
The Application Control Agent is the service that enforces the policies defined by the solution on the machine. This agent is responsible for identifying the processes to be executed before they are loaded into OS memory and applying any policy it has received from the server for that process.
Rolling the Agent out to the environment is the same process as rolling other Altiris solution agents. The screenshot below displays those options provided.
Application Filters
Three Application Filter types have been designed to allow flexible configurations for applying Application Actions: Application Context, Dynamic Filters and Inventory Filters.
Application Context
Application Context filters provide the ability to identify those processes that are related to critical system processes or being executed in the context of the user. This provides better support for the filters to only apply enhanced security to those processes not part of maintaining the stability of the operating system. There are three default types of context filters:
- Interactive Users
- Services Application
- System and Services Application
Dynamic Filters
For the Application Control Agent, Dynamic Filters refer to the agent dynamically identifying a process during execution as an executable that should be processed by the agent. The Dynamic Filters are pre-populated with standard files that will be used most often in the environment: applications like Internet Explorer, Microsoft Office (Word, Excel, etc.), Windows Media Player, chat programs, etc. Custom Dynamic Filters can also be defined. Default Dynamic Filters include:
- Instant Messaging Applications
- Internet Browsers
- Mail Clients
- Media Players
- MS Office Suite
- Signed Applications
Inventory Filters
Inventory Filters are compiled for the complete list of executables running in the environment. This filter type is most often used to apply a policy to the general environment.
Note: It is possible to create a dynamic filter that will allow for applying an Application Action against just that specific process. For example, if required a dynamic filter could be created for notepad.exe and then a policy could be used to execute an Application Action against that filter.
Application Actions
Application Actions are the rules that are enforced on defined processes. To provide the functionality of enforcing certain Application Actions, it is necessary to provide in-process support. In-process actions are those actions where the Application Control Agent has inserted a DLL object into the process when loading the executable into memory, to act as a filter for the actions of the executable. If the executable attempts to perform an activity that is governed by an Application Action, the in-process Application Control DLL intercepts this activity and enforces the appropriate action defined in the policy.
The following list will be described in this document:
- Deny File Access (In-Process)
- Deny Execute
- Deny Windows Hooking (In-Process)
- Encrypt Application Files (In-Process)
- Messages
- Process Rights
- Quarantine
- SVS Layers
Deny File Access
This Application Action allows administrators to define specific files that can be denied execution on targeted machines. This action can also enforce denying users the ability to run specific file types or write to specific file types.
Deny Execute
Using the Application Control kernel driver to review all processes before execution, the Application Control Solution provides the ability to restrict defined applications and processes from executing in the environment. This restriction occurs before memory is even allocated to the process for loading.
Deny Windows Hooking
The most common "Windows Hooking" problem is the unauthorized use of key loggers on a computer. Windows Hooking is a Windows API function (SetWindowsHookEx) that allows applications to intercept communications and data between other applications running on the same machine. Deny Windows Hooking uses in-process functionality to identify when unauthorized applications attempt to collect data from other applications (for example, key logging) by installing global Windows hooks.
Deny Windows Hooking also protects against shatter attacks. A shatter attack is a programming technique that takes advantage of a design flaw in the Windows message-passing system whereby arbitrary code can be injected into any other running application in the same session that makes use of a message loop. This could result in an attacker gaining control of a system by elevating their privileges.
Note: Deny Windows Hooking only works on application level windows hooking applications. Kernel level driver based windows hooking will not be captured by the Deny Windows Hooking Application Action. This means that not all Key Loggers will be denied execution with this one Application Action.
Encrypt Application Files
This Application Action provides the ability to automatically encrypt all files for a user for a specific file type or MIME type. This functionality allows administrators to establish encryption for every file produced by an application on a machine for a specific file type such as ".xls" or MIME type "Excel Spreadsheet". For greater control the administrator can also define either encryption for just a specific file folder path or for the entire file system.
Note: Encryption uses the built-in EFS encryption available in Windows XP and Windows 2003 Server, and it works only if the domain has been configured to allow for encryption. When sending an encrypted file to a user outside of the domain, the encryption must be removed in order for them to access it.
Note: The following message box appears when saving an EFS encrypted file to an external device such as a USB key.
Note: Additionally, the encryption can be removed from a file by right clicking on the file, selecting properties and clicking on the advanced button to get the screen below. Un-checking the "Encrypt contents to secure data" will remove the EFS encryption.
Note: Also, the encryption mechanism from the File Encryption Application Action is only initiated when creating new files and does not affect existing unencrypted files. Therefore, a file created by using the "New" menu option when right-clicking in Windows Explorer is not encrypted, and it remains unencrypted when it is later opened and saved. To ensure encryption of files, all new documents should be initiated from the application associated with the file type.
Messages
The Messages Action is used to inform the user of the actions applied to their environment. This action includes the following variables that can be displayed to the user:
- {0} Process Name
- {1} Process Path
- {2} The Complete Case Sensitive Process Path
- {3} Process ID
Process Rights
This Application Action will enable the reduction or elevation of process rights for a specific process. There are 39 configurable process rights that can be adjusted to meet security requirements. The Application Control Solution provides a pre-populated set of Administrative rights to be reduced.
This allows for easy configuration of this policy against those applications targeted by malware, adware and other malicious programs.
To adjust the Windows privileges, click on the link provided to open the Find Resource window below:
Quarantine
This Application Action works by identifying executables that should be quarantined and moving those files to a defined path, to protect the system from execution of malware/adware type executables.
SVS Layer
This Application Action utilizes the SVS API functionality to encapsulate any process into an SVS Isolation or Application Layer. This action will put any file created or configuration change made by a process into a layer.
The difference between the isolation layer and the application layer is that an isolation layer can only be seen by the process associated with it. This means that no other process will be aware of the files being created in the isolation layer. An application layer is a standard SVS application layer.
When creating Application Control SVS layers, two options are available: Isolation and Application.
Application Control Policies
Once filters have been defined and Application Actions configured, the last step is to create policies that enforce the actions on the filters. The following screen displays the options for processing Application Control Policies:
Application Filters can be defined under the heading "Applications to control" as either Must include, Include or Exclude, which allows for easy configuration.
Multiple Application Actions can be assigned to a single policy. This means that each policy can affect many actions against the same file filter or process. Messages are also assigned in the Application Actions settings. Additional configuration can be defined for any child process created by the process being modified. By default the child process will be subject to the same policy as the parent.
Policy Enforcement allows for definition of the order in which policies will be applied. Policies with lower numbers are applied first. The "Continue enforcing policies after enforcing this policy" option is required if the remaining lower-priority policies should still be processed after this one.
Note: If many policies have the same priority then there is a random order to which policy will be applied first.
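The policy evaluation described in this section (Must include / Include / Exclude filters under "Applications to control", ascending priority order, the "Continue enforcing policies after enforcing this policy" option, and the {0}..{3} placeholders of the Messages action), as an added example that is not Altiris code. The matching semantics (every Must-include filter must match, at least one Include filter must match, no Exclude filter may match), the glob-pattern filters, the rendering of {1} as the lower-cased path, and the policy data structures are assumptions of this example; the filters, policies and process events are constructed samples.

```python
"""Added example (not Altiris code): evaluating ordered Application Control
policies for one process start. Filter semantics and data structures are
assumptions; see the lead-in."""
from dataclasses import dataclass, field
import fnmatch
import ntpath


@dataclass
class ProcessEvent:
    path: str   # complete, case-sensitive path as reported by the driver
    pid: int

    @property
    def name(self):
        return ntpath.basename(self.path)


@dataclass
class AppFilter:
    """A named filter: case-insensitive glob patterns over the process path."""
    name: str
    patterns: list

    def matches(self, ev):
        p = ev.path.lower()
        return any(fnmatch.fnmatchcase(p, pat.lower()) for pat in self.patterns)


@dataclass
class Policy:
    name: str
    priority: int                  # lower numbers are enforced first
    actions: list                  # Application Action names
    must_include: list = field(default_factory=list)
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    continue_enforcing: bool = False
    message: str = ""              # Messages action template, may use {0}..{3}

    def applies_to(self, ev):
        # Assumed semantics: all Must-include match, any Include matches,
        # no Exclude matches. A policy with no filters applies to everything.
        if any(not f.matches(ev) for f in self.must_include):
            return False
        if self.include and not any(f.matches(ev) for f in self.include):
            return False
        return not any(f.matches(ev) for f in self.exclude)

    def render_message(self, ev):
        # {0} process name, {1} process path (assumed lower-cased here),
        # {2} complete case-sensitive process path, {3} process ID
        return self.message.format(ev.name, ev.path.lower(), ev.path, ev.pid)


def enforce(policies, ev):
    """Return (actions, messages) for one event, honouring priority order."""
    actions, messages = [], []
    # Equal priorities keep definition order here; the product makes no such
    # guarantee, so give every policy a distinct priority in practice.
    for pol in sorted(policies, key=lambda p: p.priority):
        if not pol.applies_to(ev):
            continue
        actions.extend(pol.actions)
        if pol.message:
            messages.append(pol.render_message(ev))
        if not pol.continue_enforcing:
            break  # stop unless "continue enforcing" was set
    return actions, messages


def demo():
    """Constructed filters, policies and events; returns results by name."""
    browsers = AppFilter("Internet Browsers", [r"*\iexplore.exe", r"*\firefox.exe"])
    windows_dir = AppFilter("Windows directory", [r"c:\windows\*"])
    notepad = AppFilter("notepad", [r"*\notepad.exe"])
    policies = [
        Policy("Block notepad", 10, ["Deny Execute"], include=[notepad],
               message="{0} (PID {3}) is not allowed to run."),
        Policy("Restrict browsers", 20, ["Deny Windows Hooking", "Process Rights"],
               include=[browsers], exclude=[windows_dir], continue_enforcing=True,
               message="{2} is running with reduced rights."),
        Policy("Log everything", 100, ["Messages"], message="Started {0} from {1}"),
    ]
    events = [
        ProcessEvent(r"C:\Windows\System32\notepad.exe", 1234),
        ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe", 2048),
        ProcessEvent(r"C:\Windows\explorer.exe", 4),
    ]
    return {ev.name: enforce(policies, ev) for ev in events}


if __name__ == "__main__":
    for name, (acts, msgs) in demo().items():
        print(name, acts, msgs)
```

Note how the two flags interact: the notepad policy stops evaluation, so the lower-priority "Log everything" policy never fires for notepad.exe, while the browser policy sets "continue enforcing" and the logging policy still runs for iexplore.exe. That is the behaviour to verify when a catch-all policy appears to skip some processes.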
Conclusion
Installation for Application Control Solution is a simple process and configuration is flexible, yet powerful. Following the guidelines listed in this document will help establish Application Control Policies that enforce a more secure environment.
For more detail regarding Application Control Solution refer to "Working with Altiris Application Control Solution 6.0 - Part I - Overview".