When we started writing Application Streaming, I figured isolating Microsoft Internet Explorer would be the “killer app”.  It hasn’t happened and I don’t fully understand why.  Don’t get me wrong, people are isolating the execution of Internet Explorer, it just hasn’t been a driving force like I expected it would be.  They are using it to run with specific addons for specific websites and to allow execution of conflicting addons.  These are nice silo leveling ideas, but they are nowhere near as interesting as some of the other uses.

Some customers I have spoken with note that they

  1. Didn’t know it was possible or
  2. Are running server side and users are really users, so it isn’t as important.

Back up a step – why would I want to stream and isolate a locally installed application like Internet Explorer?

Quick answer: To keep web evil-doers from writing executable or other content to the true machine.   Notice that this means that in “2” above, some of the benefit is lost if users are really users rather than users being adminstrators.  I mean, if they are really users, then they are comparitively safe anyway; there’s no need to protect writes to \windows\system32 if the user lacks rights to write there anyway.  A side note: I do all my web browsing on user privilege accounts…

Disclaimer: I have been well schooled by security experts.  Application Streaming should not be confused with a security product, like anti-virus. Okay – fair enough.  But if evil software writes to \windows\system32\importantfile.dll, wouldn’t it be nice if it didn’t really write to the “real” location?  I mean, just because I visisted a couple of illicit websites, by accident mind you!, why should my system get corrupted?  Wouldn’t an extra line of defense help?  I say extra defenses are good.

To be fair, the virus problems of a few years ago are much improved today and this provides less incentive to move to an isolated execution of a web browser, but it’s so easy.  It’s so easy, its local execution and it protects you from bad things.

Another use case: Stealth browsing

Combine isolated execution of Internet Explorer with automated scripts to blow away the “per-user” storage when you’re done and you’ve gone a good ways toward hiding the stuff you browsed to.  It turns out that due to some bugs in script processing, writing this blast-it-all script is harder than it should be.  Still, stick with me on the concept.

How do I “stream” Internet Explorer?

Good question: Answer, you don’t.  Well, you do a little bit.  Internet Explorer is run locally, so think AIE.  Any plug-ins or similar added to the profile are streamed in as needed, but the foundation of IE is run from the local machine (iexplore.exe), under isolation.    The trick is how to define a profile to provide Internet Explorer as a publishable application.  Some folks don’t know you can do this and its easy.  In the Streaming Profiler, at the wizard page where you can pick “quick install” or “advanced install”, go “advanced”, then click the box to run internet explorer as the “installer”.  This gives you the chance to run internet explorer under the profiler and when you’re done, you get a profile stored on a network server (application hub) that defines local machine Internet Explorer as a “publishable application”.

Here’s what it looks like:

On the next screen, tell the profiler to define local machine Internet Explorer as a “streamed” application.

Finally, you can control what happens to downloaded executable content.  That is, if the user downloads an “addon”, you can control whether that addon will be usable from inside the isolated sandbox.  This panel shown early in the profiling process controls this function.

When “enhanced security” is selected, the streaming client treats executable content inside the per-user isolation space as evil.  Consider that the user session (application) wrote a DLL to the isolated \windows\system32 space, or any other isolated space.  For all inquires from application land, the content will exist.

If you do a directory, it is there.  If you type it, it is there. If the Windows loader tries to run it, “file not found”.

This can be a real kick to mess with using an isolated command prompt, but the end result is that application attempts to update themselves, or application attempts to install evil addons can be administratively made to fail.  The operating system loader gets “file not found”, everyone else gets the real content.

Security disclaimer again

Just because downloaded and isolated executable content can be made to disappear for purposes of execution, does not mean that it will necessarily be un-runnable.  Should the the user download evil.exe and place it on their Desktop, it will really go to the desktop.  Then, user double clicks on the icon on the desktop, it will really run, it will run outside of isolation and it will pressumably, really do evil things!  Other “non-isolated” places include %TMP% and there is always an assuption that evil code will spy the isolated execution and then do evil things to get past it.  So, it’s not a security product…

It is also worth noting that with the default isolation rules, “everything” that the user can see is open to “read”. It would be useful to define rules for the execution target to mask access to data areas of the machine to prevent leakage and this can be done using the Streaming Profiler.   Security thoughts again, good evil software would get past this.  Worse for the good fun of this technology discussion, IE7 and Vista implementation of integrity levels have made most of this no longer relevant.   This last sentence intended as a high compliment to the Microsoft IE team.  A struggle they must have with this users are admins thing.

Back to this post: Streaming of IE does provide an interesting set of tools. I’d be curious to see IE implemented to discard all content after execution or other nice uses.  Keep in mind that adding the Desktop to the isolated space (set rules in Streaming Profiler) would be a good idea and it could even be a good idea to isolate the temp space.  You’re going to delete it anyway, so it doesn’t hurt to put it down a few levels.

If you get it going, do shoot me a line.

Joe Nord
Product Architect – Application Streaming and User Profile Manager
Citrix Systems, Fort Lauderdale, FL.