FOR: Circumvents the limitations of standard firewall and NT policies, and provides proactive virus protection against all executable viruses, including Nimda and LoveBug variants.

AGAINST: None.

VERDICT: With easier-to-use management consoles, completely redeveloped deployment systems and even more control, it has become an essential product for anybody serious about the stability and security of their enterprise. If you are already an AppSense user you will appreciate the improvements that come with version 4.0.

If you have lost all hope of having any semblance of control over that concoction of applications spread throughout the corporate network, then AppSense will make sense to you. Comprising three independent subsystems to provide a flexible and scalable solution, AppSense at its most basic is an application access control tool, but with extremely impressive deployment and auditing facilities. The ease and flexibility of operation keeps the network administrators happy, while the control over user applications will keep management happy. It is best to depict the subsystems in a table to show where they reside in the overall architecture.
As you can see, the AppSense and Auditing Agents function without a server, as once deployed they receive their configuration information from the local registry. This cuts down on delays, as the Agents do not have to contact network servers every time they need to retrieve configuration information. The Deployment Agent, though, does need to rely on a server to provide initial installation and configuration of the AppSense and Auditing Agents, as well as ongoing maintenance by detecting and downloading software and configuration updates.

Trigger-happy users, though, may not be overly impressed, especially when one considers some of the new application control features in version 4.0, and I will mention four that we can all immediately relate to. The validation of individual Windows Script Host (WSH) scripts, such as VBS, ensures that unauthorized scripts will not run. This eliminates the threat posed by WSH viruses without compromising the use of scripts for legitimate purposes. Then, the ability to disable the DOS command prompt without affecting the operation of batch files considerably enhances security. One feature I really like is the ability to detect self-extracting ZIP files and extract them safely with AppSense's own built-in ZIP extractor. This includes the ability to extract password-protected ZIP files and supports all levels of ZIP file compression. The fourth control feature I will mention involves time-restricting applications, whereby applications can be restricted to certain hours of the day, on hourly boundaries and on particular days of the week. Furthermore, applications can be terminated when a timed exception expires.

Flexibility and scalability are apparent when you realize that AppSense supports any number of administrative consoles and can be configured to have several Deployment Servers, which is especially useful for minimizing distribution traffic in a WAN-based environment.
Seamless integration and flexible deployment are vital components for today's complex network topologies, and AppSense's extensible architecture facilitates the integration of possible future AppSense components and any new products. Centralized storage of AppSense and other product configurations, and Agent software for deployment to client machines, comes with the Deployment Datastore. The Deployment Manager, an administrative console, enables computers to be grouped together for software and configuration distribution purposes. A really useful component residing on the client machines is the Deployment Agent, which facilitates the 'pulling' of software installation and configuration updates from a Deployment Server.

The most important thing for an administrator to grasp is that AppSense software doesn't need to be installed directly onto every computer. The AppSense Configuration Manager and Deployment Manager can be used respectively to configure and deploy the AppSense Agent software to computers throughout the enterprise from a single centralized location.

While AppSense can be used in scenarios ranging from the simplest to the more complex, its main raison d'être is to prevent users from introducing unauthorized applications and content, like hacking tools and unlicensed software, into a system. Acting as an effective interception mechanism, AppSense resides partly in the Windows NT kernel, and in doing so it can reliably intercept every request to execute an application, regardless of the source of the initiating request. It will intercept attempts to launch applications from Windows Explorer, DOS consoles and VB macros. This is possible because it is not a user-level solution that has to rely on rigid desktop policies or on extreme measures such as replacing the Windows shell and disabling useful tools. Instead it opts for transparency, plying its trade without having to rely on firewall or NT policies to function effectively.
It therefore complements existing NT security policies, such as domain level security and NTFS, resulting in an overall strengthening of NT security. To elaborate, firewalls can be configured to block certain file types from entering the network, but if a particular blocked file has its file extension changed or is embedded within another file, it can then be emailed inside the organization, completely bypassing the firewall security.

Again, while Windows NT profiles and policies can be used to restrict each user's desktop and remove unwanted features from the Explorer desktop shell, this merely provides an initial layer of security. It cannot really be relied upon as the sole method of restricting access to applications, as most users will circumvent the restrictions with relative ease. As the AppSense literature itself points out, there are many ways to invoke an application without using the Explorer shell, especially through Microsoft Office applications, which are not beholden to NT policies. For example, a single line of VBA code in a Word document can be used to launch another application, such as a command prompt. Hyperlinks can also be used to quickly create links to applications, which will launch the linked application when selected. Observant users will discover these loopholes that provide them with simple mechanisms to launch another application. Again, as AppSense itself highlights, once a user manages to launch a command prompt, or any other program with a simple mechanism for launching applications, such as the file manager, launching other applications without policy restrictions becomes even easier.
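The weakness of extension-based blocking described above, and the idea of recognizing self-extracting ZIP files, can be shown with a check that judges a file by its content. This is an added example, not AppSense's code or method; the function names, the extension list and the size cap are assumptions, and the sample inputs are constructed.

```python
import io, os, struct, zipfile

EXEC_EXTS = {".exe", ".com", ".dll", ".scr"}   # assumed list of "honest" executable extensions
MAX_MEMBER = 16 * 1024 * 1024                   # assumed cap on declared size per archive member

def is_pe(data):
    """True if data has an MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def open_zip(data):
    """Return a ZipFile if an archive is present (also behind an executable stub), else None."""
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None

def inspect(name, data, depth=0):
    """Return findings for one file, judged by its content rather than its name."""
    ext = os.path.splitext(name.rsplit("!", 1)[-1])[1].lower()
    exe, zf, found = is_pe(data), (open_zip(data) if depth < 3 else None), []
    if exe and zf:
        found.append(f"{name}: self-extracting ZIP")
    elif exe and ext not in EXEC_EXTS:
        found.append(f"{name}: executable content behind '{ext}' extension")
    elif exe:
        found.append(f"{name}: executable")
    for m in (zf.infolist() if zf else []):
        inner = f"{name}!{m.filename}"
        if m.flag_bits & 0x1:
            found.append(f"{inner}: encrypted member, content not inspected")
        elif not m.is_dir() and m.file_size <= MAX_MEMBER:
            found += inspect(inner, zf.read(m), depth + 1)
    return found

def sample_pe():
    """Constructed sample: MZ/PE header fields only, not a runnable program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + bytes(20)

def sample_zip(members):
    """Constructed sample: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

Calling `inspect("report.doc", sample_pe())` reports the renamed executable, and a ZIP member is reported with its container name joined by `!`.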

SC On-Line
Copyright © West Coast Publishing. All rights reserved.