Improving Security for Business Applications
11/10/2018 Stuart Moore
Enable apps to run on a more secure Operating System
Security best practice recommends an automated patching strategy, so that operating systems and applications are kept up to date with the latest security and hotfixes, and advises against running unsupported operating systems that no longer receive security fixes, for example Windows XP and Server 2003. If a line of business or legacy application is incompatible with supported operating systems, IT is forced to continue running outdated operating systems that are vulnerable to attack. By enabling applications to run on modern, secure and supported operating systems that receive regular security patches, Administrators can improve the security of their organisation. Cloudhouse Containers complement anti-virus, firewalls and other traditional security products deployed to protect corporate applications and data: they allow Administrators to continue to adhere to the latest security best practices by deploying these applications onto Windows 10, Server 2012 R2 or 2016. Cloudhouse Containers also provide other benefits and features that can help improve the security of the application and its runtimes.
Isolating Old Runtimes and Libraries
By default, Cloudhouse Containers isolate the runtimes included during packaging so that they are used only by the line of business application and do not conflict with the versions used by other applications on the server or desktop, or within the gold build. Examples of runtimes that can be isolated include msxml.dll, Java 1.4, and .NET 2.0 and 3.1.
To reduce the application's exposure, Containers can be configured to complement a customer's existing firewall products by adding an additional layer of isolation at the TCP/IP layer. Connections to and from components in the Container can be configured to block all traffic and permit communication only over specific ports or with specific IP addresses. During packaging, identify the ports or IP addresses for which you want to establish network controls. Rules can then be assigned to the Container to offer additional protection for the application; this improves security and simplifies management because you don't need to track which hosts require this protection.
Instructions on How to enable Network Isolation
Least Privilege Execution
Some applications request Administrator privileges unnecessarily, forcing the application to be installed and run under an account with local administrator privileges; for example, the application uses global objects instead of the recommended local objects, or writes data to protected locations. Without changing the application source code, Cloudhouse Containers can be configured to convert processes from a global to a local context or to redirect writes to non-system directories, ensuring that the application runs in the Container with least privilege and so complies with security best practice.
Data Execution Prevention Opt-Out (DEP Opt-Out)
Windows operating systems have provided Data Execution Prevention (DEP) since Windows XP and Server 2003 in order to protect the operating system, applications and users from malicious code embedded in data being executed through buffer overflow style attacks. However, these operating systems permitted applications to opt out. Modern operating systems such as Windows 10, Server 2012 R2 and 2016 with advanced security features like Secure Boot, or those running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), can be configured with policies that enforce DEP even if the application attempts to opt out. If your line of business application uses Microsoft Visual Studio 2008 runtimes, the application will trigger DEP on environments that enforce it. Cloudhouse provides a DEP Opt-Out mode for these old runtimes, so that all other applications on the machine still benefit from buffer overflow protection, without having to configure and manage exclusion policies.
Instructions on How to opt-out of DEP
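Before relying on DEP Opt-Out mode, it helps to know how the target host is actually configured. The following PowerShell audit is an added example, not Cloudhouse code: it reads the host's boot-time DEP policy from `Win32_OperatingSystem` and, where the `ProcessMitigations` module is present (Windows 10 1709 or later), the per-image DEP setting for a placeholder executable name.

```powershell
# Added example (not Cloudhouse code): audit the host DEP policy and a given
# application's configured DEP setting before deploying a Container that
# depends on DEP opt-out. 'LegacyApp.exe' is a placeholder image name.

$AppImage = 'LegacyApp.exe'   # placeholder: replace with the packaged executable

# Win32_OperatingSystem exposes the boot-time DEP support policy:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policyName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = $policyName[[int]$os.DataExecutionPrevention_SupportPolicy]

Write-Output "Host DEP policy : $policy"
Write-Output "DEP available   : $($os.DataExecutionPrevention_Available)"

# AlwaysOn is the enforced mode described above: applications cannot opt out,
# so a runtime that requires opt-out will fail on this host.
switch ($policy) {
    'AlwaysOn'  { Write-Warning "DEP is enforced system-wide; opt-out requests are ignored." }
    'AlwaysOff' { Write-Warning "DEP is disabled; the host loses buffer overflow protection." }
    default     { Write-Output "Applications may opt in or out under policy '$policy'." }
}

# Per-image mitigation policy (ProcessMitigations module, Windows 10 1709+).
# Dep.Enable reports ON, OFF or NOTSET for the named image.
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    $imagePolicy   = Get-ProcessMitigation -Name $AppImage
    $systemDefault = (Get-ProcessMitigation -System).Dep.Enable
    Write-Output "Image DEP policy for ${AppImage}: $($imagePolicy.Dep.Enable)"
    Write-Output "System default DEP (applies when image is NOTSET): $systemDefault"
}
else {
    Write-Output "Get-ProcessMitigation not available; per-image policy not checked."
}
```

Run it on the host that will receive the Container; a result of `AlwaysOn` is the case in which the article's DEP Opt-Out mode applies.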
Create Malware Free Containers
Unlike Microsoft App-V and VMware ThinApp, Cloudhouse recommends installing anti-virus software on the packaging machine so that the resulting Containers are free from malware and viruses. The Auto Packager's install capture process can cope with the presence of anti-virus software and will offer to retry files that are found to be in use. The vendor's application files are not changed during the packaging process, ensuring vendor signatures remain valid.
Deploy & Run Malware Free Containers
Containers are compatible with most anti-virus products on the market and, because Cloudhouse does not change the application's binaries in any way, packaged files are not viewed as malicious. Creating Containers in the presence of anti-virus software minimises the chance of a virus being included in a Container.
How do I know if I need Run1.exe?
Run1.exe and run2.exe are generated during the packaging process for use with Containers that will be converted into UWP applications (.AppX). These files may safely be deleted from Containers if the AppX format is not required, and can be regenerated later if needed.