Improving Security for Business Applications

Enable apps to run on a more secure Operating System

Security best practice recommends an automated patching strategy so that operating systems and applications are kept up to date with the latest security updates and hot fixes, and advises against running unsupported operating systems that no longer receive security fixes, for example Windows XP and Server 2003. If a line of business or legacy application is incompatible with a supported operating system, IT is forced to keep running an outdated operating system that is vulnerable to attack. By enabling applications to run on modern, supported operating systems that receive regular security patches, Administrators can improve security within their organisation. Cloudhouse Containers complement anti-virus, firewalls and the other traditional security products already deployed to protect corporate applications and data, by enabling Administrators to keep following current security best practice and deploy these applications onto Windows 10, Server 2012 R2 or Server 2016. Cloudhouse Containers also provide other features that can improve the security of the application and its runtimes, described below.

Isolating Old Runtimes and Libraries

By default, Cloudhouse Containers isolate the runtimes included during packaging so that they are used only by the line of business application and do not conflict with the versions used by other applications on the server, desktop or gold build. Examples of runtimes that can be isolated include msxml.dll, Java 1.4, and .NET 2.0 and 3.1. Note that isolation limits the scope of an old runtime to the one application; it does not patch that runtime, so any known vulnerabilities in it still apply to the packaged application and should be weighed against the controls described in the following sections.

Network Isolation

To reduce the application's exposed attack surface, Containers can be configured to complement a customer's existing firewall products by adding an additional layer of isolation at the TCP/IP layer. Connections to and from components in the Container can be configured to block all traffic and allow communication only over specific ports or with specific IP addresses. During packaging, identify the ports or IP addresses for which you want to establish network controls. Rules can then be assigned to the Container to provide additional protection for the application; because the rules are carried with the Container rather than the host, this improves security and simplifies management, since you do not need to track which hosts require this protection.

Instructions on How to enable Network Isolation

Least Privilege Execution

Some applications request Administrator privileges unnecessarily, forcing them to be installed and run under an account with local administrator rights; for example, the application creates kernel objects in the Global\ namespace instead of the recommended Local\ namespace, or writes data to protected locations such as its own Program Files directory. Without changing the application source code, Cloudhouse Containers can be configured to convert a process's objects from a global to a local context, or to redirect writes to non-system directories, so that the application runs in the Container with least privilege and complies with security best practice.

Instructions on How to convert a process from global to a local process (LocalMappedObjectShim)
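The two behaviours described above can be checked before packaging. The script below is an added example and is not Cloudhouse tooling or documentation; it probes, from the standard-user session the application will actually run in, whether a Global\ file mapping can be created and whether a machine-wide location is writable. The object name LegacyAppShared and the probe file names are assumed placeholders, and the per-user path is only an illustration of the kind of location a write redirect would target, not Cloudhouse's configured target.

```powershell
# Added example, not Cloudhouse's own tooling: probe the two privilege problems
# a legacy application commonly has, from a non-elevated PowerShell session.
# 'LegacyAppShared' and the probe file names below are assumed placeholders.

function Test-NamedObjectNamespace {
    param([string]$BaseName = 'LegacyAppShared')
    foreach ($prefix in @('Global\', 'Local\')) {
        $name = $prefix + $BaseName
        try {
            # Creating a file mapping under Global\ from an interactive session requires
            # SeCreateGlobalPrivilege, which standard users do not hold; Local\ needs nothing.
            $map = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($name, 4096)
            $map.Dispose()
            [pscustomobject]@{ Object = $name; Created = $true;  Error = $null }
        }
        catch {
            [pscustomobject]@{ Object = $name; Created = $false; Error = $_.Exception.GetType().Name }
        }
    }
}

function Test-WriteLocation {
    param(
        # A protected, machine-wide location an old application typically writes to...
        [string]$ProtectedPath = (Join-Path $env:ProgramFiles 'legacyapp-probe.ini'),
        # ...and a per-user location of the kind a write redirect would point at (assumed).
        [string]$UserPath = (Join-Path $env:LOCALAPPDATA 'legacyapp-probe.ini')
    )
    foreach ($path in @($ProtectedPath, $UserPath)) {
        try {
            [System.IO.File]::WriteAllText($path, 'probe=1')
            Remove-Item -LiteralPath $path -Force
            [pscustomobject]@{ Path = $path; Writable = $true;  Error = $null }
        }
        catch {
            # UnauthorizedAccessException on the protected path is the write a redirect shim fixes.
            [pscustomobject]@{ Path = $path; Writable = $false; Error = $_.Exception.GetType().Name }
        }
    }
}

Test-NamedObjectNamespace | Format-Table -AutoSize
Test-WriteLocation | Format-Table -AutoSize
```

Run this as the non-administrator account the application will use; from an elevated shell every probe succeeds and tells you nothing. One caveat when converting Global\ objects to Local\: Local\ objects are scoped to the caller's session, so if the application genuinely relies on a named object to share state across sessions (for example between a service in session 0 and a desktop process), converting it will silently break that sharing rather than fix it.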

Data Execution Prevention Opt-Out (DEP Opt-Out)

Windows operating systems have provided Data Execution Prevention (DEP) since Windows XP and Server 2003 in order to protect the operating system, applications and users from malicious code embedded in data being executed in buffer overflow style attacks. However, these operating systems permitted applications to opt out. Modern operating systems like Windows 10, Server 2012 R2 and 2016, or systems running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), can be configured with policies that enforce DEP even if the application attempts to opt out. If your line of business application uses the Microsoft Visual Studio 2008 runtime, the application will trigger a DEP violation, and be terminated, on environments that enforce it. Cloudhouse provides a DEP Opt-Out mode for these old runtimes, exempting the packaged application's processes while the rest of the system continues to benefit from DEP's protection against buffer overflow attacks, without having to configure system-wide exclusion policies.

Instructions on How to opt out of DEP
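Before relying on a per-process opt-out, it is worth knowing what DEP policy the host enforces and whether the application's process actually ends up with DEP applied. The script below is an added example and is not Cloudhouse tooling: it reads the system-wide policy from WMI and queries a running process through the Win32 GetProcessDEPPolicy API. The process name LegacyApp is an assumed placeholder.

```powershell
# Added example, not Cloudhouse's own tooling: report the host's DEP policy and the
# effective DEP state of a running process. 'LegacyApp' is an assumed process name.

Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-SystemDepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy (the bcdedit 'nx' setting):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default).
    # Under AlwaysOn no process can opt out, so a per-process opt-out cannot take effect.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Policy        = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDep   = $os.DataExecutionPrevention_Available
        Enforced32Bit = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-ProcessDepState {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($proc in Get-Process -Name $Name -ErrorAction Stop) {
        $flags = [uint32]0
        $permanent = $false
        $err = $null
        try {
            # GetProcessDEPPolicy is only meaningful for 32-bit processes; 64-bit processes
            # always run with DEP, and the call does not report a usable state for them.
            $ok = [Win32.Dep]::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)
            if (-not $ok) { $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        }
        catch {
            # Opening a handle to an elevated process from a non-elevated shell fails here.
            $ok = $false
            $err = $_.Exception.Message
        }
        $depEnabled   = if ($ok) { ($flags -band 1) -ne 0 } else { $null }  # PROCESS_DEP_ENABLE
        $atlDisabled  = if ($ok) { ($flags -band 2) -ne 0 } else { $null }  # PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
        $isPermanent  = if ($ok) { $permanent } else { $null }
        [pscustomobject]@{
            ProcessId                 = $proc.Id
            DepEnabled                = $depEnabled
            AtlThunkEmulationDisabled = $atlDisabled
            Permanent                 = $isPermanent
            Error                     = $err
        }
    }
}

Get-SystemDepPolicy
Get-ProcessDepState -Name 'LegacyApp' | Format-Table -AutoSize
```

If Get-SystemDepPolicy reports AlwaysOn, the operating system ignores every per-process opt-out mechanism, so the application will still be terminated on a DEP violation until the host policy is changed; in OptIn or OptOut mode, DepEnabled being false for the application's process confirms the opt-out has taken effect for that process only.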

Create Malware Free Containers

Unlike Microsoft App-V and VMware ThinApp, whose packaging guidance calls for anti-virus software to be absent or disabled on the packaging machine, Cloudhouse recommends installing anti-virus software on the packaging machine so that the resulting Containers are free from malware and viruses. The Auto Packager's install capture process tolerates the presence of anti-virus software and will offer to retry files that are found to be in use. The vendor's application files are not changed during packaging, so vendor code signatures remain valid.

References: App-V Sequencer Requirements, ThinApp Packaging Requirements

Deploy & Run Malware Free Containers

Containers are compatible with most anti-virus products on the market, and because Cloudhouse does not change the application's binaries in any way, packaged files keep their original hashes and vendor signatures and are not viewed as tampered-with binaries. Creating Containers in the presence of anti-virus software minimises the chance of a virus being included in a Container. If anti-virus software does flag a Container as suspicious, it can be whitelisted once the Security team has validated that the Container is virus free; prefer an exclusion scoped to the specific files, by hash or signed publisher, rather than a blanket exclusion of the Container's directories, so that anything dropped into those directories later is still scanned.
