Administrators are increasingly using XenApp-hosted web browsers as a security tool to protect endpoints from the evils that lurk when browsing the Internet. In this “inverted” security model, the endpoint is where the important data is located and the XenApp space is network isolated from the endpoint, disposable and auto-resetting to known good configurations.
By publishing web browsers specific to the web application, we can minimize the number of plugins required both on the user endpoint and on the hosted browser, each serving to reduce the attack surface, protecting the user’s trusted environment and data.
Web browsers are the #1 most-published application group on XenApp, beating out even Notepad. This is for a combination of reasons, including security, but ultimately this tool is needed simply to solve the challenge of delivering the diverse set of web applications with their numerous plugin requirements, without exposing the user data environment to unnecessary risk.
Join me and Eric Beiers for a webinar where we will discuss this execution scenario and propose tools that can help you help your users browse the web in peace. The webinar will be held twice on August 31, both sessions with live questions and answers. I look forward to seeing you on the call.
Register NOW for the August 31, 2016 webinar
Session 1: 9am EDT/3pm CEST Register now
Session 2: 11am PDT/2pm EDT Register now
The webinar will reference a paper that Eric, Kurt Roemer and I wrote on this topic. You can download the paper by clicking the image above or by navigating here.
To seed the webinar discussion, I have a few thoughts.
Payment Card Industry Data Security Standard (PCI DSS) is an active space for running XenApp and XenDesktop-hosted web browsers. Often, the endpoint computers are part of an already validated PCI DSS configuration and the customer requirement is to add web browsing. This creates a challenge because the auditor may not permit the validated endpoint computers to access the Internet and use of web browsers on the endpoint is verboten.
XenApp with hosted web browsers is often used to solve this, adding remote access to the hosted browser via NetScaler Gateway and ICA Proxy for network separation. Users are able to browse the web, but the endpoint computers still have no network access to the Internet. Only the screen/keyboard data travels between the XenApp systems hosting the web browser and the very trusted fat endpoints.
Another place where hosted web browsers can assist is in running specific web apps that require plugins the administrator would really prefer not to run on endpoint computers. They would also probably prefer not to run many of these hosted, but business needs make it necessary.
In the webinar, we will discuss how to publish with the minimal plugins possible, with address bars disabled when browsing, using disposable machines that reset to a known good state when restarted. It is a powerful tool for solving web app delivery needs; let’s put it to use.