
Virtual Application Container Security

Created: 07 Jan 2013 | 1 comment

I've been searching the forums for this answer and haven't found anything yet.

When creating a virtual application with Altiris, can I control what access the application has to the local host resources?

I've read articles on here about the two layers created when deploying an SVS to a client: the Read and Read/Write directories, which are used to store things like settings and configs. But what I'd like to know is, if I virtualize an incompatible application like IE6 for use on a Windows 7 host, can I lock it down so that the virtual IE6 application has no access to resources outside of the two created directories? I want to prevent something from the virtual IE6 application accessing host resources.

I'm assuming if I virtualized something like MS Word that it would have the ability to open files beyond the Read and Read/Write directories so I could edit and create documents throughout my local machine and network, but can I lock it down so the only places it can read and write are the two directory sublayers the SVS creates?

Thanks for the help.


svallmen

No, SWV is about visibility of files and registry entries, but not about access rights, which are controlled through ACLs in Windows, for virtualized apps just the same as for any others.

In principle, it was possible to delete resources (files and registry keys) residing in the base in your application layer (a delete entry is created there) and thus hide resources from the layered application, but doing this for any and all resources, leaving out those the layered app requires to function, and keeping this current, will be quite unmanageable. So, this method might work for you if you can pinpoint resources to exclude to some few locations and your app does not need those entire locations (e.g. it is usually problematic to remove "My Documents" or "Application Data" like this, as these are standard locations most applications in Windows depend on, not to mention WINDOWS or SYSTEM32).

What you really need for the scenario given is a virtual machine, not a virtual app.

In SWV, any changes made by a virtualized app are written to its writable layer. For apps like MS Word to modify documents and write the documents into the base, the layer needs exclude entries, either for the file extensions used by the app or for folders used to keep documents.

Therefore, if your concern is not access, but protection from modification, SWV will do just fine, if configured correctly.
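
The behaviour described in the reply above, as an added example that is not part of the original thread and is not SWV code: a simplified Python model of a layer with delete entries, a writable sublayer and exclude entries. The class, function names, lookup order and sample paths are assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Layer:
    """Simplified model of one application layer (not SWV's real data structures)."""
    read_only: dict = field(default_factory=dict)     # files shipped with the layer
    writable: dict = field(default_factory=dict)      # changes captured at run time
    delete_entries: set = field(default_factory=set)  # base paths hidden from the app
    excludes: list = field(default_factory=list)      # glob patterns written through to base

def is_excluded(layer, path):
    # Case-insensitive match, as Windows paths are case-insensitive.
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in layer.excludes)

def read(base, layer, path):
    """What the layered app sees (assumed order: writable, read-only, then base)."""
    if is_excluded(layer, path):
        return base.get(path)
    for store in (layer.writable, layer.read_only):
        if path in store:
            return store[path]
    if path in layer.delete_entries:
        return None        # hidden by a delete entry, yet still present in the base
    return base.get(path)  # every other base resource stays visible: no access boundary

def write(base, layer, path, data):
    """Writes land in the writable layer unless an exclude entry matches."""
    target = base if is_excluded(layer, path) else layer.writable
    target[path] = data
    return "base" if target is base else "layer"

def demo():
    # Constructed sample data; the paths are illustrative only.
    base = {r"C:\Users\u\Documents\report.doc": "v1",
            r"C:\Users\u\secret.txt": "host data",
            r"C:\Windows\win.ini": "orig"}
    layer = Layer(delete_entries={r"C:\Users\u\secret.txt"}, excludes=["*.doc"])
    return base, layer

if __name__ == "__main__":
    base, layer = demo()
    print(read(base, layer, r"C:\Users\u\secret.txt"))       # hidden from the app
    print(write(base, layer, r"C:\Windows\win.ini", "new"))  # captured in the layer
    print(base[r"C:\Windows\win.ini"])                       # base copy unchanged
```
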