About Cyndi.Meinke

So far Cyndi.Meinke has created 2 blog entries.

Application Virtualization – The UAC Panacea?

January 18th, 2012 | Uncategorized

…with contributions from Aaron Gierak, Voltaire Toledo, and Jeremy Pavlov.

The User Account Control (UAC) Challenge

It is commonly known that in XP you have to give end users Administrator privileges in order to do even the simplest routine tasks, such as changing the system clock, plugging in a USB drive, running a defrag, updating software, or even running security products.  Of course you can use the RunAs command, but that still requires having an Administrator password – which defeats the security purpose of a limited user account.  And just when we thought moving to Windows 7 would eliminate this security privilege nightmare, enter UAC…

User Account Control (UAC) is a technology that aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.  In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system.  In other words, a user account may have Administrator privileges assigned to it, but the applications that the user runs do not inherit those privileges unless they are approved beforehand, or the user explicitly authorizes it.

It is possible to turn off UAC while installing software, and re-enable it at a later time.  However, this is not recommended, since File & Registry Virtualization is only active when UAC is turned on – and if UAC is switched off, user settings and configuration files may be installed to an unintended location (i.e. a system directory rather than a user-specific directory).  Also, Internet Explorer 7’s “Protected Mode” – whereby the browser runs in a sandbox with lower privileges than the standard user – relies on UAC, and will not function if UAC is disabled.

The Application Virtualization Question

So is application virtualization the solution?  If a virtualized package runs at the kernel level, does it eliminate having to give an XP user Administrator rights?  When you repackage an application that you have been running in XP – in order to port to Win7 – does the app skate by UAC in a way that allows you to keep UAC turned on?

By default, UAC virtualizes requests for protected resources to provide compatibility with applications not developed for UAC.  This is important because many applications written for Windows XP and earlier operating systems assume that the user has administrative privileges and attempt to write to protected resources such as the Program Files or System folders.  The first time an application makes a change to a virtualized resource, Windows copies the folder or registry key to a location within the user’s profile.  Then, the change is made to the user’s copy of that resource.  UAC virtualization is designed to allow already-installed applications to run successfully with standard user privileges, even if they store temporary files or logs in a protected folder.

Installs, Upgrades, and Updates

Many of the problems with UAC come from application installs or upgrades/updates where a new driver or an action that requires UAC acceptance is needed.  With application virtualization – especially a tool like Symantec’s Workspace Streaming where you package from the kernel level – you can bundle the drivers *inside* the virtual app.  As a result, nothing would ever be required of the end-user since nothing is ever “installed”. 

Secondary Executions

However, another issue that bumps against UAC is what we commonly call the “Secondary Execution Event”, where a loaded executable decides to make a call on its own (outside of the one that the app designer intended).  For instance, a permitted/intended executable launches and then calls out to the manufacturer for an updated version, or the latest driver, that is not pre-bundled in the package.  Examples of this are the Juniper VPN agent or the MS Security Center executable.

Panacea or Pariah?

The good news is that application virtualization absolutely does address UAC and elevation features: it isolates the areas that non-elevated users normally cannot write to by creating a virtual HKLM registry hive and virtual Windows and Program Files folders.  Virtualizing applications also mitigates potential conflicts in a shared session environment like Remote Desktop Servers or XenApp.

However, is application virtualization the silver bullet to fix all elevation and UAC issues?  The answer is “it depends”.  If the application explicitly requires elevated privileges within its manifest, then it will always present a UAC prompt.  In addition, if the application attempts to make a system change like a driver installation or some kind of self-updating feature, it will force Windows 7 to prompt you for elevation.  These challenges can be further addressed with tools such as AppSense Application Manager, or Viewfinity Privilege Management (which elevate a user’s privilege on a per-executable basis), or SystemGuard (which can elevate privileges to write to the registry).
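
The manifest rule above, together with the UAC virtualization behaviour described earlier, can be checked per application before it is repackaged. The following Python is an added example, not code from the original post or from any vendor named here: it reads a manifest's requestedExecutionLevel to predict whether a launch prompts and whether UAC virtualization applies, and maps a legacy app's protected-folder write to its per-user VirtualStore copy. The sample manifest, the function names, the `C:` system drive and default UAC policy are assumptions; installer detection and the limits of virtualization (32-bit interactive processes, non-executable files) are not modelled.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample manifest for a hypothetical app that demands elevation.
NEEDS_ADMIN = (
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    '<requestedPrivileges><requestedExecutionLevel '
    'level="requireAdministrator" uiAccess="false"/></requestedPrivileges>'
    '</security></trustInfo></assembly>'
)
# Folders whose writes UAC file virtualization redirects for legacy apps.
PROTECTED = ("\\program files", "\\program files (x86)", "\\programdata", "\\windows")


def requested_level(manifest_xml):
    """Return the manifest's requestedExecutionLevel, or None if it has none."""
    if not manifest_xml:
        return None  # XP-era binary with no embedded manifest
    for el in ET.fromstring(manifest_xml).iter():
        # trustInfo is seen under both asm.v2 and asm.v3, so match the local name.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None


def uac_outcome(manifest_xml, user_is_admin):
    """Return (prompts, virtualized) for a launch with UAC on, default policy."""
    level = requested_level(manifest_xml)
    if level is None:
        return (False, True)   # legacy app: no prompt, writes are redirected
    if level == "requireAdministrator":
        return (True, False)   # always prompts (consent or credentials)
    if level == "highestAvailable":
        return (user_is_admin, False)  # prompts only for Administrators members
    if level == "asInvoker":
        return (False, False)  # runs as launched; protected writes are denied
    raise ValueError("unknown requestedExecutionLevel: %r" % level)


def virtual_store_path(path, local_appdata, system_drive="C:"):
    """Map a legacy app's protected-folder write to its per-user copy."""
    drive, rest = ntpath.splitdrive(ntpath.normpath(path))
    low = rest.lower()
    hit = any(low == p or low.startswith(p + "\\") for p in PROTECTED)
    if drive.upper() == system_drive.upper() and hit:
        return ntpath.join(local_appdata, "VirtualStore") + rest
    return path  # not redirected
```

Files found under a user's VirtualStore folder are a quick inventory of legacy applications that still write to protected locations and depend on UAC staying enabled.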

The bottom line is that application virtualization brings many advantages.  In addition to extending the life of legacy applications, reducing deployment costs, and reducing user downtime caused by install/uninstall issues and application conflicts, many UAC issues can be mitigated with application virtualization, especially when coupled with effective use of user virtualization tools.

Next installment – Application Streaming…

Application Strategy in the New Enterprise…

December 14th, 2011 | Uncategorized

Why is the right application strategy important?

Whether it is physical or virtual, the endpoint device won’t matter if you can’t get to your data; and it’s through applications that you get to your critical data.  But management of applications can be an administrative burden.  How can you take applications administration to the next level?

The right application virtualization tool will:

  • Decrease your time to market by 20-40%
  • Decrease your software license spend by 30-50%
  • Reduce or eliminate your need to rewrite legacy applications
  • Allow central management of all your apps
  • Improve software license management and compliance

For example, in the common case of having to reset a hung application, the average cost of a help desk ticket to reset an app is $345 without an application virtualization tool.  With the proper tool, an app reset can be done in 18 seconds, virtually eliminating that cost.  This has a two-fold benefit – decreased end user downtime, and decreased IT support costs.  But just having a tool to handle these situations does not — by itself — solve all your problems; you must have a strategy.

The right application strategy requires a 3-pronged approach

To arrive at an optimized virtual user-centric experience requires a three-part strategic focus that encompasses the following:

  1. Desktop Strategy
  2. Application Strategy
  3. User Strategy 

Each of these pieces is equally important.  While in some cases you can have an application strategy without a desktop strategy, you should never have a desktop strategy without an application strategy.  From this perspective, it becomes clear that an application strategy can actually be more important than a desktop strategy.  

How it can go wrong

My thoughts based on what I see from a sales and trending perspective:

  • Over time, server virtualization created such a positive ROI for both capex and opex that it was assumed that desktop virtualization would be another no-brainer to implement.  Companies that have embarked on VDI pilots and initiatives have quickly become disillusioned, realizing that the same efficiencies that were gained at the server level do not necessarily apply at the desktop. Eventually, they are forced to rethink their strategy.
  • Companies that embark on Win7 migrations – and do not take the time to make a strategic decision about how they will manage their applications – may become disillusioned as well, as they are feeling the pain of long cycles to virtualize their applications for a new OS and new endpoint device.  And in addition to the long cycles to prepare the applications, there are the inevitable challenges with legacy apps and conflicting apps.
  • Aging infrastructures and desktop devices create projects driven by choosing an “endpoint strategy” (translated as endpoint device only) where the only thing taken into consideration is the device.  Their whole strategy is around making decisions about thin client, zero client, fat client, etc., all without thinking about the delivery method or the user profile.

Overall, as companies make strategic decisions about their Virtual Desktop Strategy, there can be tunnel vision about the desktop piece as the only strategic piece, with applications and users being an afterthought.

How to make it right

Herein lies my mission:  To educate those embarking on a VDI initiative about the importance of choosing the right application strategy.