The 8th of September marked the anniversary of Citrix purchasing Norskale – now Workspace Environment Management (WEM) – and to celebrate I wanted to share a preview of our new Application Security feature.
For now, many of you will know WEM as a toolset to improve the performance of your XenApp servers and the configuration of the User Environment. This is about to change, as we’ve been busy behind the scenes, and I’m pleased to announce the launch of the public preview of WEM Application Security. Before we get into some of the details I want to share a story from my early IT career with you.
In May 2000 I found myself working at my first multinational company based out of London, in a time before 3G Data networks and the closest thing to a smartphone was the rather large Nokia Communicator or a Palm Pilot. The only source of news came from the TV, Radio or the daily papers. No surprise then that we hadn’t heard about the problems heading our way from the Philippines.
One of the Desktop Publishing (DTP) team had received an email from a trusted contact and opened the attachment, which looked just like a normal word document with a suitably tempting title to pique his interest. Being a member of the DTP team, our victim had direct read/write access to the network share, containing all of the firms accumulated JPEG files. The ILOVEYOU worm proceeded to destroy many thousands of these accumulated images.
Calls to the helpdesk started before I even arrived at the office, and the team were still working to find the root cause for the corrupted files. As a junior employee I was dispatched to fetch the DLT tape backups from our offsite location to begin to restore the files. Before I could leave a second batch of support calls started arriving. We were now email spamming all of our external contacts and the mail servers had begun to fail under the cascading effect of the worm.
As you can imagine, this was the start of a series of long nights, picking up the pieces and shoring up our security.
Back to the Present
Things have moved on since the days of the ILOVEYOU and ANNA KOURNIKOVA worms: attacks are increasingly financially motivated and the tools available to attackers are increasing in sophistication. They do share something with the latest generation of ransomware, like WANNACRY: they exploit vulnerabilities and the level of trust granted to a user.
Application whitelisting isn’t a new concept but it is one often overlooked due to its perceived complexity. At the basic level, it’s a fairly simple concept: deny the ability for any application to launch and run on the OS unless an administrator has explicitly allowed it.
As I said: simple, right? Well maybe not – here are just a few things you need to consider:
- Who is going to maintain that list of trusted applications?
- What do you do when you patch or update those applications and the version, file hashing or certificates change?
- Will there be a resource overhead if you implement these checks?
- How much will a good application whitelist solution cost you?
NIST (National Institute of Standards and Technology U.S Department of Commerce) believe application whitelisting should be a part of any enterprises technology stack, and they have provided a helpful guide for things you should consider when implementing your own solution. NIST encourages you to consider what your needs are and whether a solution built into the Operating System will fulfil them.
Microsoft introduced AppLocker in Windows 7 and it has been a part of every OS release, both desktop and server, ever since. It’s powerful (and best of all, free); however it does have some issues that make it difficult for people to adopt in an enterprise setting. Here are a few:
- You have to create each rule one at a time
- You have to assign the rules to a user or group when you create them
- You cannot easily search the rules once they have been created to change or modify them
- They are deployed using GPOs making targeting an additional consideration
What can Citrix offer today?
For years XenApp has provided an alternative approach to application whitelisting. Delivering applications and desktops from locked down hosting servers, reducing the number of endpoints you as an administrator need to secure and maintain. Add to this model one of the Citrix provisioning solutions (MCS, PVS or App Layers) and you now only need to secure your gold image.
This of course works fantastically, as long as you secure the hosting server, preventing it from being compromised. Bringing us back to application whitelisting and introducing WEM Application Security as way to easily create, deploy and maintain your AppLocker rules.
WEM Application Security, powered by Microsoft AppLocker, will let you harness the capabilities of Windows to protect itself, providing an active layer to prevent the threat from both getting in and spreading. By allowing administrators to be prescriptive about the applications, scripts, installers, packaged applications and even DLLs that can be run, based upon the File, Folder, Publisher or File Hashing, you will be able to design a multi layered defence from attack.
WEM already enabled you to lock down a user’s ability to interact with the desktop, restricting access to browsing the file system and removing access to tools like the CMD prompt or Regedit. However, these were blanket level controls only, applying to all users equally. WEM Application Security allows you to create granular Allow or Deny rules for individuals or groups of users.
To wrap up Citrix recommends as part of our Common Criteria that application whitelisting is implemented on all of your XenApp servers, limiting execution to only the entitled user and the published application. With WEM Application Security we hope to make this task easier for you.
Let me give you a quick tour: