locked
License Control RRS feed

  • Question

  • Hey Guys,

     

    Not sure about where to post this as it's a pretty broad query. I have a requirement to lock down APP-V applications which are deployed via the MSI generated during sequencing. Now, the way I need to lock it down is by restricting the shortcuts to only be available to a certain AD Group. In the non APP-V world this would be done through setting the permissions on the shortcut folder to the AD Group.

     

    I've looked at AppLocker which seems to be overly restrictive and I'm not sure it's what I need since the path for the shortcuts isn't there. Does anybody have any advise on a good way to go with this?

     

    Thanks,

    Rory


    • Moved by Aaron.ParkerModerator Tuesday, June 7, 2011 3:19 PM Related to management (From:App-V General Sequencing)
    Tuesday, June 7, 2011 2:15 PM

Answers

  • Hello,

    See a video of Applocker and App-V possibilites;

    http://technet.microsoft.com/en-us/windows/ee532032

    See howto build dynamic start-menus based on ACLs;

    http://blog.stealthpuppy.com/terminal-server/building-dynamic-start-menus-with-access-based-enumeration/

    If you wish to limit users what shortcuts they see - its probably the latter that would interest you the most.  


    /Znack
    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Tuesday, June 7, 2011 2:19 PM
  • If you are deploying via the MSI then the packages will be available globally (i.e. to anyone logging onto the machine), exactly the same applies if an application was installed instead.

    If a package is available globally, a user could work out the right SFTTRAY command to launch the application and bypass a shortcut, or could use an FTA to launch an application instead.

    You will need to restrict access to the executables which is what AppLocker will do. The link to my post on dynamic Start Menus, is really just for what you present to the user. To restrict access to an application you must work with a tool that will whitelist apps.

    AppLocker may be a bit complex, but based on your requirements, it will do what you are looking to achieve.



    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Tuesday, June 7, 2011 3:24 PM
    Moderator
  • Hi Guys,

     

    Thanks for the replies. I think what we'll have to look at is either using Enforce Security Descriptors with the permissions set on the Installdir or possibly using AppLocker to lock the .exe. Either way it's locking down the application from being launched but the shortcut will remain. I think that's how it will have to be though, last chance saloon is that something can be worked out during deployment time.

     

    Thanks for the help

    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Wednesday, June 8, 2011 5:21 PM

All replies

  • Hello,

    See a video of Applocker and App-V possibilites;

    http://technet.microsoft.com/en-us/windows/ee532032

    See howto build dynamic start-menus based on ACLs;

    http://blog.stealthpuppy.com/terminal-server/building-dynamic-start-menus-with-access-based-enumeration/

    If you wish to limit users what shortcuts they see - its probably the latter that would interest you the most.  


    /Znack
    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Tuesday, June 7, 2011 2:19 PM
  • If you are deploying via the MSI then the packages will be available globally (i.e. to anyone logging onto the machine), exactly the same applies if an application was installed instead.

    If a package is available globally, a user could work out the right SFTTRAY command to launch the application and bypass a shortcut, or could use an FTA to launch an application instead.

    You will need to restrict access to the executables which is what AppLocker will do. The link to my post on dynamic Start Menus, is really just for what you present to the user. To restrict access to an application you must work with a tool that will whitelist apps.

    AppLocker may be a bit complex, but based on your requirements, it will do what you are looking to achieve.



    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Tuesday, June 7, 2011 3:24 PM
    Moderator
  • Hi Guys,

     

    Thanks for the replies. I think what we'll have to look at is either using Enforce Security Descriptors with the permissions set on the Installdir or possibly using AppLocker to lock the .exe. Either way it's locking down the application from being launched but the shortcut will remain. I think that's how it will have to be though, last chance saloon is that something can be worked out during deployment time.

     

    Thanks for the help

    • Marked as answer by RorymonMVP Wednesday, June 8, 2011 5:22 PM
    Wednesday, June 8, 2011 5:21 PM