Improve OS security and application compatibility
Executive Summary:
Use Microsoft Application Virtualization’s (App-V's) SystemGuard, MSI utility, and Sequencer to deploy virtual applications seamlessly in secured environments, protecting the integrity of desktops and terminal servers.
Virtualization products such as VMware Workstation and Microsoft’s Hyper-V help IT professionals create virtual instances of desktop or server OSs. IT pros and enthusiasts use such technology to create sandboxed environments in which to test software, or for provisioning multiple servers on a single hardware device, thus isolating changes and protecting the core OS configuration. Although virtualization changed the way IT pros test software and deploy servers, these technologies aren’t easily implemented by the average end user.
If you want to test a new application in a virtual environment, you must first deploy a virtual machine (VM) and install an OS before you can load the application. In the case of Windows OSs, you might also need to purchase an additional license.
Application virtualization isn’t a new technology, but it really started gaining ground with Microsoft’s 2006 purchase of SoftGrid from Softricity. SoftGrid has since been renamed Microsoft Application Virtualization (App-V) and is available as part of Microsoft Desktop Optimization Pack (MDOP).
Application virtualization lets software run in a virtualization layer, without the overhead associated with a VM. Microsoft’s App-V client, which comes in varieties for desktops and terminal servers, uses a technology called SystemGuard to sandbox changes that an application would usually make to the registry, file system, and other OS components, and intercepts requests between the application and the virtualized resources. In addition, SystemGuard also isolates virtualized applications from each other.
App-V includes an optional server component that allows the App-V client to stream virtual applications on demand from a server, and run the applications offline (i.e., when disconnected from the server) if necessary. IT departments can sequence programs once and stream them to desktops and terminal servers without having to test for application conflicts. When a program is updated on the App-V server, changes can be streamed automatically to clients. All these factors lead to reduced support, deployment, and patching costs. (For more information about streaming and sequencing in App-V, see the sidebar "App-V Streaming and Sequencing.")
Application Virtualization and Security
Secure desktops are often less flexible because users must depend on the IT department to provision and configure software. You need to consider this trade-off when weighing the pros and cons of securing your desktops, especially in environments in which users have had autonomy over their own PCs.
Application virtualization reduces the flexibility trade-off for least-privilege security implementations by letting users install applications on demand without any special system rights, while simultaneously isolating applications from one another and the OS. You can quickly sequence applications and provision them to users through Microsoft Installer (MSI) or the SoftGrid Client Management Console, which supports streamed applications from an App-V server or local installation packages.
Sequencing an Application and Creating an MSI Package
To illustrate how to sequence an application and create an MSI package, let’s sequence Adobe Acrobat Reader 8.0 for virtualization on Windows XP so that it can run without a streaming server. We’ll need two machines: one to sequence Acrobat Reader and create an MSI package, and one to install the SoftGrid client. You can’t run the client and sequencer on the same machine. For illustration purposes, let’s assume both machines are running XP.
You can download Acrobat Reader 8.0 from www.adobe.com/products/acrobat/readstep2.html?type=distrib. You can download the necessary App-V (SoftGrid) components from support.microsoft.com/kb/941408. These components include the following:
- SoftGrid Sequencer 18.104.22.168 (softgrid_sequencer_setup_22.214.171.124)
- SoftGrid Client for Windows Desktops 126.96.36.199 (softgrid_wd_setup_188.8.131.52)
- SoftGrid MSI Utility 184.108.40.206 (MSI_Utility_220.127.116.11)
To sequence an application for App-V, you need a freshly installed version of XP on which to sequence Acrobat Reader. App-V Sequencer works by monitoring the installation process and taking before and after snapshots of the reference machine. Once XP is installed, complete the following steps before loading the Sequencer:
- Turn off any anti-malware or antivirus applications, including Windows Defender.
- Disable automatic defragmentation and Automatic Updates.
- Create a partition with the drive letter Q, with enough space to install the Acrobat Reader 8.0 binaries.
Next, log on as Administrator and follow the instructions to install SoftGrid Sequencer from the self-extracting package. After the Sequencer is installed, you’re ready to sequence Acrobat Reader as follows:
- To run SoftGrid Sequencer, select All Programs, Softricity from XP’s Start menu.
- Select File, New Package in the SoftGrid Sequencer application.
- In the New Package dialog box, select Yes to use the wizard to guide you through the sequencing process.
- Click Next on the Package Configuration wizard’s welcome screen.
- Under Suite Name, enter Acrobat Reader 8 and click Next. The Server URL information isn’t important in this case, because you aren’t streaming the application to the client.
- XP is already added to the list of Selected Operating Systems because it’s the only supported OS in our example. Click Finish to continue.
- Click Next on the Installation wizard’s welcome screen.
- Click Next on the Sequencing Parameters screen to accept the default settings. The Monitor installation dialog box that Figure 1 shows will appear.
- Make sure the Acrobat Reader installer package is ready to go and click Begin Monitoring. The Monitor installation dialog box will minimize automatically. Launch the Acrobat Reader installer and follow through a standard installation, but change the destination folder to the Q drive and simplify the path to make it an 8.3 directory name as Figure 2 shows.
- Once Acrobat Reader is done installing, launch Acrobat from the new desktop shortcut and accept the license agreement. On the Beyond Adobe Reader screen, click Do not show at startup and close the window.
- Because SoftGrid or another software distribution system will be used to manage application updates, you can disable Acrobat’s automatic updater. In the Acrobat Reader application window, select Check for Updates from the Help menu. After Reader is done checking for updates, click Preferences in the Adobe Updater dialog box. Clear the Automatically check for Adobe updates check box and click OK. Click Cancel in the Adobe Updater dialog box and close Acrobat Reader.
- Maximize the SoftGrid Sequencer window and click Stop Monitoring.
- Create a folder (e.g., called Acrobat Reader) on the desktop in which to save the new package. Select the folder in the Browse for Folder dialog box and click OK.
- After a few seconds, the wizard will tell you that monitoring is finished; click Next.
- You can now add files to the virtual file system (VFS). Leave the default files selected, as Figure 3 shows, and click Finish.
- Click Next to bypass the Application wizard’s welcome screen.
- Because the monitoring process has successfully detected the appropriate file extensions and shortcuts for Acrobat Reader, you can click Next in the Configure Applications dialog box.
- Select Acrobat Reader 8 in the Launch Applications dialog box, and click Launch to optimize the application for streaming. Close Adobe Reader and click Next in the Launch Applications dialog box. Adobe Reader will then be sequenced by App-V. Click Finish when sequencing has completed, close the SoftGrid Sequencer window, and save the project as acrobatreader.sprj to the Acrobat Reader folder on the desktop.
- Install the MSI Utility; on the final screen, make sure Launch MSI Utility is selected, and click Finish.
- Click Browse in the MSI Utility window and select the acrobatreader.sprj SoftGrid project file from the Acrobat Reader folder on the desktop, as Figure 4 shows. Click Package to continue.
- You should see a pop-up window indicating that the MSI package was successfully generated. Click OK and close the MSI Utility.
Installing the Client
Log on to your second XP machine as Administrator and install the SoftGrid Client for Windows Desktops from the command line to enable support for MSI deployment of virtualized applications:
- Double-click the self-extracting executable for the SoftGrid client and unzip the contents to C:\softgrid.
- Open a command prompt from the Start menu’s Run box and issue the following command:
msiexec /i c:\softgrid\softgrid-wd-setup.msi msideployment=true
- Follow through a standard installation, clicking Next to bypass the Desktop Configuration Server screen. Restart the machine after the installation completes.
Installing a Virtual Application as an Administrator
Copy the Acrobat Reader folder from the desktop of the sequencer machine to the C drive of the client machine. Double-click the acrobatreader.msi package and follow the installation instructions. A shortcut will appear on the desktop for Acrobat Reader, as if the program were installed locally. Double-click the shortcut to open the application and you’ll notice the SoftGrid client icon appear in the system tray. If you open My Computer, you’ll notice that the SoftGrid client added a Q drive, and there’s no trace of Acrobat Reader in Program Files on the C drive.
Installing a Virtual Application as a Standard User
Installing a virtual application under SoftGrid as a standard user without a back-end server to stream the application is a bit more cumbersome, because you can’t just run the MSI package that the MSI Utility generates. However, you can use an MSI database editor such as Microsoft’s Orca utility to remove the installation restrictions for non-administrative users. Then, you can use the SoftGrid Client Management Console to install a virtual application as a standard user. To illustrate this process, let’s remove the Acrobat Reader virtual application and reinstall it while logged on as a standard user.
- While you’re still logged on as Administrator, start the Microsoft Management Console (MMC) SoftGrid Client Management snap-in from the Control Panel Administrative Tools applet.
- Select Applications in the left-hand pane under SoftGrid on local host. Right-click Acrobat Reader in the right-hand pane, select Delete from the menu, and click Yes to confirm.
- Right-click SoftGrid on local host in the left-hand pane and select Properties from the menu.
- Click the Permissions tab and select the Add applications, Delete applications, and Publish shortcuts check boxes, as Figure 5 shows. Click OK to continue.
- Close the MMC and log on as a standard user (i.e., a user without administrative rights).
- Open the MMC SoftGrid Client Management snap-in from Control Panel, right-click Applications in the left-hand pane, and select New Application from the menu. In the New Application dialog box, click Change Icon, then click Browse. Open acrobatreader Icons in the Acrobat Reader folder, select Adobe Reader 8 18.104.22.168 (or the appropriate version number), and click Open. The Acrobat Reader icon should appear in the Change Icon dialog box as the only available icon, as Figure 6 shows. Click OK to continue.
- Browse to the Acrobat Reader .osd file in the Acrobat Reader folder and click Open. Click Finish in the New Application dialog box.
- Select Applications again in the left-hand pane, right-click Adobe Reader in the right-hand pane, and select Import from the menu. In the Browse for Folder dialog box, browse to the Acrobat Reader folder and click OK.
- When the package is done importing, the Package Status setting in the right-hand pane should say Idle (100%). You might need to right-click in the pane and select Refresh to see the updated status.
- Right-click Acrobat Reader in the right-hand pane and select New Shortcut from the menu. Click Next in Step 1; select The Desktop and Programs in the Start Menu in Step 2. Click Next to continue. Leave Command Line Parameters blank in Step 3, and click Finish.
- Right-click Acrobat Reader again in the right-hand pane and select New Association from the menu. In Step 1, type pdf in the Extension box and click Next. Click Change Icon in the Step 2 dialog box. Browse for Adobe Acrobat Document in the acrobatreader Icons folder, and click OK. Click Finish to complete the wizard.
You should now be able to run the application by clicking the desktop shortcut or double-clicking a PDF file.
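Before you open the generated MSI in Orca to remove the administrative installation restrictions described above, it helps to see exactly which launch conditions and properties the MSI Utility wrote into the package. The following script is an added example, not code from the article or from Microsoft; it assumes PowerShell and the Windows Installer COM automation object are available on the machine, and the package path is an assumption.

```powershell
# Added example (not from the original article): read the LaunchCondition and
# Property tables of the MSI that the SoftGrid MSI Utility generated, so the
# checks that block a non-administrative install are visible before editing.
# Assumption: the package is at C:\Acrobat Reader\acrobatreader.msi.
param([string]$MsiPath = 'C:\Acrobat Reader\acrobatreader.msi')

$installer = New-Object -ComObject WindowsInstaller.Installer

# The WindowsInstaller type library is late-bound from PowerShell, so every
# call goes through InvokeMember instead of a direct method call.
function Invoke-Com($object, [string]$member, [string]$kind, $callArgs) {
    return $object.GetType().InvokeMember($member, $kind, $null, $object, $callArgs)
}

# Mode 0 = msiOpenDatabaseModeReadOnly: inspect only, never modify here
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)

# Run a two-column SELECT against the MSI database and return "col1|col2" rows
function Get-MsiRows($database, [string]$sql) {
    $view = Invoke-Com $database 'OpenView' 'InvokeMethod' @($sql)
    [void](Invoke-Com $view 'Execute' 'InvokeMethod' $null)
    $rows = @()
    while (($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) -ne $null) {
        $first  = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
        $second = Invoke-Com $rec 'StringData' 'GetProperty' @(2)
        $rows += ("{0}|{1}" -f $first, $second)
    }
    [void](Invoke-Com $view 'Close' 'InvokeMethod' $null)
    return $rows
}

"== LaunchCondition table (each condition must be true or the install aborts) =="
try {
    Get-MsiRows $db 'SELECT `Condition`, `Description` FROM `LaunchCondition`' |
        ForEach-Object { $c, $d = $_ -split '\|', 2; "  {0}`n      {1}" -f $c, $d }
} catch {
    "  (no LaunchCondition table in this package)"
}

"== Property table entries that decide per-machine vs. per-user behaviour =="
Get-MsiRows $db 'SELECT `Property`, `Value` FROM `Property`' |
    ForEach-Object { $p, $v = $_ -split '\|', 2
        if (@('ALLUSERS', 'MSIINSTALLPERUSER') -contains $p) { "  {0} = {1}" -f $p, $v } }
```

A condition that references the Privileged property, or an ALLUSERS value that forces a per-machine install, is the kind of entry you would then remove or adjust in Orca; re-run the script after editing to confirm the change took effect.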
Application Virtualization Is the Future
Although application virtualization still isn’t a mainstream technology, the imminent release of App-V 4.5 promises changes that will further simplify deployment of the virtualization components, such as support for Microsoft Update and integration of the MSI Utility into the Sequencer application. The flexibility to install applications without compromising the security and configuration of the underlying OS is a benefit that both security specialists and system administrators will like.
Additional benefits, such as application streaming, lifecycle management, application conflict management, and virtualization of the user profile registry hive, will all lead to a more solid but flexible computing experience. Microsoft will likely include App-V’s SystemGuard technology as an integrated virtualization layer in a future version of Windows (read: Windows 7), which would be a big selling point. In the meantime, App-V is available to Software Assurance customers as part of MDOP.