Administrators are used to the idea that running applications under Application Streaming will permit poorly written applications to run in a multi-user terminal services environment. For example, if the application wants to write to the \Windows directory, no problem; the application will believe that it wrote there, and if it later reads the same files it will see what it put there, so generally the application will work. What is less known is that Application Streaming and XenApp publishing can also be used to reduce the rights of the application at execution time, so that it has a reduced chance of hurting the machine.
Privilege vs. Isolation
Isolation and “privilege” are different things. Running the application “isolated” does not mean that the application can’t do powerful things. An ISOLATED application running with administrator privilege CAN still perform privileged operations such as adding new users to the machine, marking them as administrators and adding them to the Remote Desktop Users group, where the evil doer can then log in remotely as a non-isolated administrator and easily do evil things.
Not a problem for XenApp hosted execution
To be clear, none of this is important for XenApp hosted execution. There, the user is already a user, and stripping power from the user to get them down to user power is a “nop” because they were a “user” to start with. This discussion of “privilege” reduction is more of a Windows XP client side, or hosted desktop, statement, where “admin” power users are the norm. On Windows XP, unless you’re very good at locking down the machine, the end user will be running as an “Administrator” and this is not desired. How can you make this happen as little as possible? How can you get MOST of the applications to run with the least privilege possible?
Brain damaged applications
Some applications even CHECK to see if they are admins and refuse to run if they are not. Awesome! If you can’t figure out how to code it, demand admin rights machine wide! You can easily hit a situation where 90% of your desktop applications will run fine without admin rights, yet you have no choice but to make the user a full-blown administrator because some small subset of the applications demand admin rights; or perhaps even really need them.
What about the “normal” applications that don’t need admin rights, or at least don’t need admin rights when run under isolation? It would sure help if we could at least make the “all powerful” user be a “lowly user” for the purposes of the majority of application execution, even if the user is really an administrator. You can, and XenApp makes this easy. First, some history.
Go back in time and take a look at this 2006 TechNet article from Microsoft on Least User Access and a description of the DropMyRights utility by Michael Howard. Excellent stuff, and here is a related set of blogs from Aaron Margosis of Microsoft, who seems to have a passion for running apps as a user! The output of this early work was a command line utility called DropMyRights, which would duplicate the user’s logon token, strip the powerful rights (administrative group memberships and privileges) – and then use the modified token to launch the application. Good stuff. As an example, here is the .BAT file I used to use to launch MS Outlook.
- dropmyrights “%ProgramFiles%\Microsoft Office\OFFICE11\OUTLOOK.EXE”
The idea of running apps with forced user privilege on Windows XP was not unique to App Streaming, but we did wrap a pretty GUI around it and wrapped application publishing around it to make it easy to use – and then we didn’t tell anyone it was there. To be fair, most of the usage was server side, so it wasn’t as important, but hosted desktops are changing this.
The XenApp publishing system makes this dropping of user rights accessible via an easy to use GUI.
Access Management Console
Here’s the AMC screen that controls this setting. Notice that this “stripping of rights” is controlled in the AMC – not in the streaming profiler. Could it be controlled in the profiler? Sure. Both of these tools are nice GUIs which could accomplish the same goal, so yes, it could be controlled in the profiler, but it isn’t. One could even make a really good argument that it is in the wrong place and SHOULD be in the profiler, because that is where the admin who knows more about the application is working. I would agree, but it wouldn’t matter; it’s still in the publishing console whether or not this seems like the right place.
When I wrote the draft for this post, I did it in a place without internet access, so I couldn’t easily check the default. I wrote that SURELY! the default is that we strip the rights before launching the app. Surely, Shirley, whatever you call it, the default is the other way: by default, the launch leaves the user’s token alone and launches the app using whatever power the user has according to logon. If you CHECK the box, then the Access Management Console tells the Citrix IMA to tell the Citrix Web Interface to tell PNAgent to tell the Streaming Client that it should strip power from the user for the purposes of running this stream-to-client application. Where the application will permit it, you should set the checkbox.
XenApp server side, it won’t change anything; XenApp client side, it will ensure that the application is launched using a user token that has “lower power”. Lower power is better…
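Because the default leaves the token alone, it is worth confirming from inside a launched session that the reduced token actually arrived. The following is an added example, not Citrix or Microsoft code: run it from a PowerShell prompt that is published and streamed with the same checkbox setting as the application, and it reports whether the process token looks like the DropMyRights-style token described above (Administrators group still present but marked “deny only”, and only a handful of privileges left). It assumes whoami.exe is on the PATH.

```powershell
# Added example (not Citrix or Microsoft code): report whether this process
# runs on a rights-stripped token. Assumes whoami.exe is available on the PATH.

function Test-ReducedToken {
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)

    # Effective check: IsInRole honours deny-only group entries, so a reduced
    # token derived from an administrator logon answers $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $effectiveAdmin = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Raw token view: on a stripped token the Administrators group is still
    # listed, but its attributes read "Group used for deny only".
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroup = $groups | Where-Object { $_.SID -eq $adminSid }
    $adminDenyOnly = ($null -ne $adminGroup) -and
                     ($adminGroup.Attributes -match 'deny only')

    # Privilege view: a normal-user token keeps only a few privileges
    # (for example SeChangeNotifyPrivilege); a full admin token has many more.
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)

    # Note the "nop" case from the post: a user who was never an administrator
    # shows AdminGroupPresent = $false, and TokenReduced stays $false because
    # there was nothing to strip.
    [pscustomobject]@{
        UserName           = $identity.Name
        EffectiveAdmin     = $effectiveAdmin
        AdminGroupPresent  = ($null -ne $adminGroup)
        AdminGroupDenyOnly = $adminDenyOnly
        PrivilegeCount     = $privs.Count
        PrivilegeNames     = @($privs | ForEach-Object { $_.'Privilege Name' })
        TokenReduced       = (-not $effectiveAdmin) -and $adminDenyOnly
    }
}

Test-ReducedToken | Format-List
```

If EffectiveAdmin is still true for an administrator account, the checkbox has not taken effect for that published application and the launch is running on the unmodified logon token.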
Here are some other writings on Application Streaming related to this:
- Enhancing the Security of Application Streaming for Desktops
Citrix Systems Product Architect – Application Streaming