Improving Security for Business Applications
Enable apps to run on a more secure Operating System
Security best practice recommends an automated patching strategy, so that operating systems and applications are kept up to date with the latest security fixes and hotfixes, and advises against running unsupported operating systems that no longer receive security fixes, for example Windows XP and Server 2003. If a line of business or legacy application is incompatible with a supported operating system, IT is forced to keep running an outdated operating system that is vulnerable to attack. By enabling such applications to run on modern, supported operating systems that receive regular security patches, Administrators can improve security within their organisation. Cloudhouse Containers complement anti-virus, firewalls and other traditional security products already deployed to protect corporate applications and data, by allowing Administrators to keep to current security best practice while deploying these applications onto Windows 10, Server 2012 R2 or 2016. Cloudhouse Containers also provide other benefits and features that can help improve the security of the application and its runtimes.
Isolating Old Runtimes and Libraries
By default, Cloudhouse Containers isolate the runtimes included during packaging, so that they are used only by the line of business application and do not conflict with the versions used by other applications on the server or desktop, or within the gold build. Examples of runtimes that can be isolated include msxml.dll, Java 1.4, and .Net 2.0, 3.1.
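A quick way to confirm that the isolation actually holds at runtime is to look at where a packaged process loaded the runtime from, and compare that with the host's copy. The following is an added example written for this page, not Cloudhouse tooling; the process name, module name and the use of System32 as the "host copy" are assumptions you adjust for your application.

```powershell
# Added example (not Cloudhouse's own tooling): report which copy of a runtime DLL a running
# packaged application loaded, and whether it is the host's copy in System32.
# Assumptions: process and module names are placeholders; run from a PowerShell of the same
# bitness as the target process, with rights to read its module list.
function Get-LoadedRuntimeInfo {
    param(
        [Parameter(Mandatory)][string]$ProcessName,   # e.g. 'LegacyApp'
        [Parameter(Mandatory)][string]$ModuleName,    # e.g. 'msxml.dll'
        [string]$HostCopy = (Join-Path $env:SystemRoot "System32\$ModuleName")
    )
    $proc   = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    $loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
    if (-not $loaded) { throw "$ModuleName is not loaded in $ProcessName (PID $($proc.Id))" }

    $hostVer = if (Test-Path $HostCopy) { (Get-Item $HostCopy).VersionInfo.FileVersion } else { '<absent>' }

    [pscustomobject]@{
        Process       = "$ProcessName (PID $($proc.Id))"
        LoadedFrom    = $loaded.FileName
        LoadedVersion = $loaded.FileVersionInfo.FileVersion
        HostCopy      = $HostCopy
        HostVersion   = $hostVer
        # Isolation holds only if the loaded image is not the host's copy.
        Isolated      = -not ($loaded.FileName -ieq $HostCopy)
    }
}

Get-LoadedRuntimeInfo -ProcessName 'LegacyApp' -ModuleName 'msxml.dll' | Format-List
```

If `Isolated` comes back `$false`, the Container is serving the gold build's DLL rather than the packaged one, which is exactly the conflict the isolation is meant to prevent.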
To reduce the application's exposed attack surface, Containers can be configured to complement a customer's existing firewall products by adding a further layer of isolation at the TCP/IP layer. Connections to and from components in the Container can be configured to block all traffic and allow communication only over specific ports or with specific IP addresses. During packaging, identify the ports or IP addresses for which you want to establish network controls. Rules can then be assigned to the Container to give the application additional protection; this improves security and simplifies management, because the rules are attached to the Container rather than to the host, so you do not need to track which hosts require this protection.
Instructions on How to enable Network Isolation
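The step "identify the ports or IP addresses" is easiest to do empirically: exercise the application on the packaging machine and record the TCP endpoints its processes actually use. The script below is an added example for this page, not part of the Cloudhouse packager; the process names are placeholders, and it produces a plain list of observed inbound ports and outbound peers that you then translate into Container network rules.

```powershell
# Added example (not Cloudhouse tooling): sample the TCP endpoints used by an application's
# processes while it is being exercised, to derive the allow-list for Container network rules.
# Assumptions: 'LegacyApp' and 'LegacyAppHelper' are placeholder process names;
# Get-NetTCPConnection is available (Windows 8 / Server 2012 and later).
function Get-AppNetworkProfile {
    param(
        [Parameter(Mandatory)][string[]]$ProcessName,  # e.g. 'LegacyApp','LegacyAppHelper'
        [int]$SampleSeconds   = 60,                     # how long to keep sampling
        [int]$IntervalSeconds = 2
    )
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($SampleSeconds)

    while ((Get-Date) -lt $deadline) {
        $ids = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Id
        if ($ids) {
            # Listening sockets give the inbound ports to allow; established ones give outbound peers.
            Get-NetTCPConnection -OwningProcess $ids -ErrorAction SilentlyContinue | ForEach-Object {
                $key = if ($_.State -eq 'Listen') {
                    "IN  tcp/$($_.LocalPort) from *"
                } else {
                    "OUT tcp/$($_.RemotePort) to $($_.RemoteAddress)"
                }
                $seen[$key] = $true
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }

    # Loopback traffic never leaves the host and needs no rule, so drop it from the list.
    $seen.Keys | Where-Object { $_ -notmatch '127\.0\.0\.1|::1' } | Sort-Object
}

# Run this while a tester walks through every function of the application.
$netProfile = Get-AppNetworkProfile -ProcessName 'LegacyApp','LegacyAppHelper' -SampleSeconds 300
$netProfile
```

Sample for long enough to cover infrequent paths (month-end reports, licence checks, update pings); anything that only appears after packaging shows up as a blocked connection, which is the signal you want rather than a silently open port.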
Least Privilege Execution
Some applications request Administrator privileges unnecessarily, forcing them to be installed and run under an account with local administrator rights; for example, the application creates global objects where local objects are recommended, or writes data to protected locations such as its own install directory under Program Files. Without changing the application source code, Cloudhouse Containers can be configured to convert the application's global objects to a local context, or to redirect writes to non-system directories, so that the application runs in the Container with least privilege and complies with security best practice.
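Before deciding which of those two fixes to configure, it helps to see why the application wants elevation in the first place. The script below is an added example for this page, not Cloudhouse tooling; it reads the `requestedExecutionLevel` from the executable's embedded manifest and lists any write permissions that have been granted to broad groups on the install directory (the usual workaround that redirection makes unnecessary). Paths are placeholders.

```powershell
# Added example (not Cloudhouse tooling): triage why a legacy application wants admin rights.
#  1. requestedExecutionLevel in the executable's embedded manifest
#  2. write access granted to standard-user groups on the install directory, a common
#     "fix" that write redirection into the Container removes the need for.
# Assumption: the executable path below is a placeholder.
function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)][string]$ExePath)
    # The embedded manifest is UTF-8 XML, so a scan of the raw bytes as ASCII finds it.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($ExePath))
    if ($text -match 'requestedExecutionLevel[^>]*level="([^"]+)"') { return $Matches[1] }
    return 'none (no embedded manifest)'
}

function Get-LooseWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

$exe = 'C:\Program Files (x86)\LegacyApp\LegacyApp.exe'
"Manifest requests: $(Get-ManifestExecutionLevel -ExePath $exe)"
"Broad write access on $(Split-Path $exe):"
Get-LooseWriteAces -Path (Split-Path $exe) | Format-Table -AutoSize
```

A manifest that says `requireAdministrator` together with loosened ACLs on the install folder usually means the application only needs somewhere to write; redirecting those writes lets the manifest level be dropped. `Global\` object names are the other case, and those show up in Process Monitor or Sysinternals Handle rather than in the file system.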
Data Execution Prevention Opt-Out (DEP Opt-Out)
Windows operating systems have provided Data Execution Prevention (DEP) since Windows XP SP2 and Server 2003 SP1, in order to protect the operating system, applications and users from attacks that place code in data pages and execute it, such as buffer overflow exploits. However, those operating systems permitted applications to opt out. Modern operating systems like Windows 10, Server 2012 R2 and 2016, or hosts running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), can be configured with policies that enforce DEP even if an application attempts to opt out. If your line of business application uses the Microsoft Visual Studio 2008 runtime, DEP will terminate the application on environments that enforce it. Cloudhouse provide a DEP Opt-Out mode for these old runtimes, so that the application can run without the Administrator having to configure OS-level exclusion policies, while the rest of the host continues to benefit from DEP's buffer overflow protection.
Instructions on How to opt-out of DEP
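Two checks tell you whether Opt-Out mode is going to be needed on a given host: what the host's DEP policy is (under AlwaysOn a per-process opt-out is ignored), and whether the application's image declares itself DEP-compatible. The script below is an added example for this page, not Cloudhouse's DEP Opt-Out mechanism; the executable path is a placeholder, and the PE parsing reads the `DllCharacteristics` field directly rather than relying on any tool.

```powershell
# Added example (not Cloudhouse's DEP Opt-Out mechanism): read the host's DEP policy and
# test whether an executable carries the NX_COMPAT flag.
# Assumption: the executable path is a placeholder.
function Get-HostDepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Policy         = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareNx     = $os.DataExecutionPrevention_Available
        # Under AlwaysOn the per-process opt-out is ignored; only a boot policy change relaxes it.
        OptOutHonoured = ($os.DataExecutionPrevention_SupportPolicy -ne 1)
    }
}

function Test-NxCompat {
    param([Parameter(Mandatory)][string]$ExePath)
    $b        = [System.IO.File]::ReadAllBytes($ExePath)
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)                    # e_lfanew
    if ([BitConverter]::ToUInt32($b, $peOffset) -ne 0x00004550) {    # "PE\0\0"
        throw "$ExePath is not a PE image"
    }
    $opt      = $peOffset + 24                                        # 4-byte signature + 20-byte COFF header
    $magic    = [BitConverter]::ToUInt16($b, $opt)                    # 0x10B = PE32, 0x20B = PE32+
    $dllChars = [BitConverter]::ToUInt16($b, $opt + 70)               # DllCharacteristics: same offset in PE32 and PE32+
    [pscustomobject]@{
        File     = $ExePath
        Format   = if ($magic -eq 0x20B) { 'PE32+' } elseif ($magic -eq 0x10B) { 'PE32' } else { 'unknown (0x{0:X})' -f $magic }
        NxCompat = (($dllChars -band 0x0100) -ne 0)                   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    }
}

Get-HostDepPolicy
Test-NxCompat -ExePath 'C:\Apps\LegacyApp\LegacyApp.exe'

# On Windows 10 1709 and later, the per-image policy that replaced EMET can be read directly.
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    (Get-ProcessMitigation -Name 'LegacyApp.exe').Dep
}
```

The flag only matters for 32-bit images: 64-bit processes always run with DEP. A 32-bit image without `NxCompat` runs unprotected under OptIn but is protected (and will fault if it is not DEP-safe) under OptOut or AlwaysOn, and the Container's Opt-Out mode can only help on hosts where `OptOutHonoured` is true.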
Create Malware Free Containers
Unlike Microsoft App-V and VMware ThinApp, Cloudhouse recommend installing anti-virus software on the packaging machine, so that the resulting Containers are free from malware and viruses. The Auto Packager's install capture process can cope with the presence of anti-virus software, and will offer to retry files that are found to be in use. The vendor's application files are not changed during packaging, so vendor signatures remain valid.
Deploy & Run Malware Free Containers
Containers are compatible with most anti-virus products on the market, and because Cloudhouse does not change the application's binaries in any way, packaged files are not viewed as malicious. Creating Containers in the presence of anti-virus software minimises the chance of a virus being included in a Container. If anti-virus software does flag a Container as suspicious, it can be safely whitelisted once the Security team has validated that the Container is virus free; whitelist by file hash rather than by folder path, so that the exclusion does not also cover anything later dropped into the same location.
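The "validated" step above can be made mechanical: compare every packaged file against the clean vendor install by hash, and check that the Authenticode signature still verifies on the packaged copy, which is what the unchanged-binaries claim should produce. The script below is an added example for this page, not Cloudhouse tooling; both root paths are placeholders.

```powershell
# Added example (not Cloudhouse tooling): verify that a Container's files are byte-for-byte the
# vendor's files and that their Authenticode signatures still validate, and produce the hash
# list for an AV exclusion. Assumption: both root paths are placeholders.
function Compare-PackagedFiles {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,     # clean vendor install on the packaging machine
        [Parameter(Mandatory)][string]$ContainerRoot   # where the Container placed the same files
    )
    $src = $SourceRoot.TrimEnd('\')
    Get-ChildItem -Path $src -Recurse -File | ForEach-Object {
        $rel      = $_.FullName.Substring($src.Length + 1)
        $packaged = Join-Path $ContainerRoot $rel
        $exists   = Test-Path -LiteralPath $packaged
        $srcHash  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $pkgHash  = if ($exists) { (Get-FileHash -LiteralPath $packaged -Algorithm SHA256).Hash } else { $null }
        $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $packaged } else { $null }
        [pscustomobject]@{
            File      = $rel
            Identical = ($srcHash -eq $pkgHash)
            # Valid, NotSigned, HashMismatch, UnknownError ... ; 'Missing' if the file was not packaged
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256    = $pkgHash
        }
    }
}

$report = Compare-PackagedFiles -SourceRoot    'C:\Program Files (x86)\LegacyApp' `
                                -ContainerRoot 'C:\Containers\LegacyApp\Program Files (x86)\LegacyApp'

# Anything that differs, or whose signature no longer verifies, needs explaining before whitelisting.
$report | Where-Object { -not $_.Identical -or $_.SigStatus -in @('HashMismatch', 'Missing') } |
    Format-Table -AutoSize

# Hash list to hand to the AV console for a hash-based (not path-based) exclusion.
$report | Where-Object Identical | Select-Object File, Sha256
```

`NotSigned` on its own is not a finding if the vendor never signed that file; `HashMismatch` on a file that was signed in the source install is, because it means the bytes changed between install and Container.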