Improving Security for Business Applications

Enable apps to run on a more secure Operating System

Security best practice recommends an automated patching strategy, so that operating systems and applications are kept up to date with the latest security and hot fixes, and advises against running unsupported operating systems that no longer receive security fixes, for example Windows XP and Server 2003. If a line of business or legacy application is incompatible with supported operating systems, IT is forced to continue running outdated operating systems that are vulnerable to attack. By enabling applications to run on modern, secure and supported operating systems that receive regular security patches, Administrators can improve the security within their organisation. Cloudhouse Containers complement anti-virus, firewalls and other traditional security products deployed to protect corporate applications and data by enabling Administrators to continue to adhere to the latest security best practices, deploying these applications onto Windows 10, Server 2012 R2 or 2016. Cloudhouse Containers also provide other features that help improve the security of the application and its runtimes.

Isolating Old Runtimes and Libraries

By default, Cloudhouse Containers isolate the runtimes included during packaging so that they are used only by the line of business application and do not conflict with versions used by other applications on the server, desktop or within the gold build. Examples of runtimes that can be isolated include msxml.dll, Java 1.4, .Net 2.0 and 3.1.
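One way to confirm that a running application is actually using the isolated copy of a runtime rather than the shared copy in the gold build is to look at where the process loaded the DLL from. The following PowerShell is an added example, not Cloudhouse code: it assumes the Container's files are deployed under a folder you pass as $ContainerRoot (placeholder path) and that 'LegacyApp' is a hypothetical process name.

```powershell
# Added example, not Cloudhouse code: report where a running process loads its
# runtime DLLs from, so the isolated copy can be confirmed to be the one in use.
# Assumptions: $ContainerRoot is a placeholder for the folder the Container's files
# are deployed to, and 'LegacyApp' is a hypothetical process name.
function Get-RuntimeOrigin {
    param(
        [Parameter(Mandatory)] [string]   $ProcessName,
        [string[]] $ModulePattern = @('msxml*.dll', 'mscor*.dll', 'jvm.dll'),
        [Parameter(Mandatory)] [string]   $ContainerRoot
    )
    foreach ($p in (Get-Process -Name $ProcessName -ErrorAction Stop)) {
        # Module enumeration can fail across 32/64-bit boundaries or for another user's process
        try { $modules = $p.Modules }
        catch { Write-Warning "PID $($p.Id): cannot enumerate modules ($($_.Exception.Message))"; continue }
        foreach ($m in $modules) {
            if (-not ($ModulePattern | Where-Object { $m.ModuleName -like $_ })) { continue }
            [pscustomobject]@{
                Pid      = $p.Id
                Module   = $m.ModuleName
                Version  = $m.FileVersionInfo.FileVersion
                Path     = $m.FileName
                # Isolated: loaded from the Container's folder rather than a shared OS copy
                Isolated = $m.FileName.StartsWith($ContainerRoot, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

# Usage: list any matching runtime DLL that did NOT come from the Container
Get-RuntimeOrigin -ProcessName 'LegacyApp' -ContainerRoot 'C:\Containers\LegacyApp' |
    Where-Object { -not $_.Isolated } | Format-Table -AutoSize
```

Run it from an elevated session if the application runs under a different account, and widen $ModulePattern to whatever runtime the application depends on; an empty result from the usage line means every matched runtime came from the Container.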

Network Isolation

To reduce the application's exposed attack surface, Containers can be configured to complement a customer's existing firewall products by adding an additional layer of isolation at the TCP/IP layer. Connections to and from components in the Container can be configured to block all traffic and allow communication only via specific ports or IP addresses. During packaging, identify the ports or IP addresses for which you want to establish network controls. Rules can then be assigned to the Container to offer additional protection for the application; this improves security and simplifies management because you do not need to track which hosts require this protection.
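Identifying the ports and addresses an application really needs is the step that decides how tight the rules can be. The PowerShell below is an added example, not Cloudhouse code: it samples the application's TCP connections and listening sockets for a period while you exercise its features and returns the distinct endpoints seen, as raw input for the allow list. 'LegacyApp' is a hypothetical process name.

```powershell
# Added example, not Cloudhouse code: sample a running application's TCP connections,
# listening ports and UDP sockets for a period and return the distinct endpoints seen.
# 'LegacyApp' is a hypothetical process name.
function Get-ObservedEndpoints {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        [int] $DurationSeconds = 300,
        [int] $IntervalSeconds = 2
    )
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($DurationSeconds)
    while ((Get-Date) -lt $deadline) {
        $pids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object Id)
        if ($pids.Count -gt 0) {
            foreach ($c in (Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue)) {
                if ($c.State -eq 'Listen') {
                    # Inbound side: a port the application accepts connections on
                    $key   = "in:$($c.LocalPort)"
                    $entry = [pscustomobject]@{ Direction='Inbound'; Address=$c.LocalAddress; Port=$c.LocalPort; FirstSeen=(Get-Date) }
                } elseif ($c.RemoteAddress -in @('0.0.0.0', '::')) {
                    continue   # bound but not connected; nothing to record yet
                } else {
                    # Outbound side: a remote host and port the application connects to
                    $key   = "out:$($c.RemoteAddress):$($c.RemotePort)"
                    $entry = [pscustomobject]@{ Direction='Outbound'; Address=$c.RemoteAddress; Port=$c.RemotePort; FirstSeen=(Get-Date) }
                }
                if (-not $seen.ContainsKey($key)) { $seen[$key] = $entry }
            }
            # UDP sockets carry no connection state; record the local ports the app has open
            foreach ($u in (Get-NetUDPEndpoint -OwningProcess $pids -ErrorAction SilentlyContinue)) {
                $key = "udp:$($u.LocalPort)"
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{ Direction='UDP'; Address=$u.LocalAddress; Port=$u.LocalPort; FirstSeen=(Get-Date) }
                }
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    $seen.Values | Sort-Object Direction, Address, Port
}

# Usage: exercise the application's features while this runs, then review the list
Get-ObservedEndpoints -ProcessName 'LegacyApp' -DurationSeconds 600 | Format-Table -AutoSize
```

Connections shorter than the sampling interval can be missed, so treat the output as a starting point to compare against the vendor's documented ports rather than a complete picture, and re-run it with a longer window if a feature is known to use the network but produced no entry.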

Instructions on How to enable Network Isolation

Least Privilege Execution

Some applications request Administrator privileges unnecessarily, forcing the application to be installed and run under an account with local administrator privileges; for example, the application uses global objects instead of the recommended local objects, or writes data to protected locations. Without changing the application source code, Cloudhouse Containers can be configured to convert processes from a global to a local context or to redirect writes to non-system directories, ensuring that the application runs in the Container with least privilege and so complies with security best practices.
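Before choosing which writes to redirect, it helps to know exactly which protected locations a standard user cannot write to. The PowerShell below is an added example, not Cloudhouse code: run as a standard (non-elevated) user, it probes a list of file-system and registry locations by creating and removing a throwaway item and reports which are denied. The paths in the usage call are placeholders for a hypothetical "LegacyApp".

```powershell
# Added example, not Cloudhouse code: run in a STANDARD user session (not elevated) to
# probe the locations an application writes to and report which of them are denied.
# A denied location is a write that would otherwise push the app into needing admin
# rights, and is a candidate for redirection. Paths in the usage call are placeholders.
function Test-WriteAccess {
    param([Parameter(Mandatory)] [string[]] $Path)
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($elevated) { Write-Warning 'Running elevated: results will not reflect a standard user.' }

    foreach ($p in $Path) {
        $probe  = Join-Path $p ('wa-probe-' + [guid]::NewGuid().ToString('N'))
        $status = 'Writable'; $detail = $null
        try {
            if ($p -like 'HK??:*') {
                # Registry hive path (HKLM:\..., HKCU:\...): create and remove a subkey
                New-Item -Path $probe -ErrorAction Stop | Out-Null
                Remove-Item -Path $probe -ErrorAction Stop
            } else {
                # File-system path (absolute): create and remove a file
                [IO.File]::WriteAllText($probe, 'probe')
                Remove-Item -LiteralPath $probe -ErrorAction Stop
            }
        } catch {
            # .NET method failures arrive wrapped; unwrap to the original exception
            $ex = $_.Exception
            while ($ex.InnerException) { $ex = $ex.InnerException }
            $denied = ($ex -is [UnauthorizedAccessException]) -or
                      ($ex -is [Security.SecurityException]) -or
                      ($_.CategoryInfo.Category -eq 'PermissionDenied')
            if ($denied) { $status = 'Denied' }
            else         { $status = 'Error'; $detail = $ex.Message }   # e.g. parent path missing
        }
        [pscustomobject]@{ User = $identity.Name; Path = $p; Status = $status; Detail = $detail }
    }
}

# Usage: the application's install folder, a per-machine data folder and its HKLM key
Test-WriteAccess -Path @(
    'C:\Program Files (x86)\LegacyApp',
    'C:\ProgramData\LegacyApp',
    'HKLM:\SOFTWARE\LegacyApp'
) | Format-Table -AutoSize
```

Every 'Denied' row is a location the application would need redirected (or its permissions reviewed) to run without local administrator rights; 'Error' rows usually mean the path does not exist yet on the test machine.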

Instructions on How to convert a process from global to a local process (LocalMappedObjectShim)

Data Execution Prevention Opt-Out (DEP Opt-Out)

Windows operating systems have provided Data Execution Prevention (DEP) since Windows XP and Server 2003 to protect the operating system, applications and users from malicious code embedded in data being executed in buffer overflow style attacks. However, these operating systems permitted applications to opt out. Modern operating systems like Windows 10, Server 2012 R2 and 2016 with advanced security features like Secure Boot, or those running Microsoft's Enhanced Mitigation Experience Toolkit (EMET), can be configured with policies that enforce DEP even if the application attempts to opt out. If your line of business application uses Microsoft Visual Studio 2008 runtimes, the application will trigger DEP on environments that enforce it. Cloudhouse provide a DEP Opt-Out mode for these old runtimes, so the machine still benefits from buffer overflow protection for all other applications without having to configure and manage exclusion policies.
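Whether an opt-out request is honoured depends on the machine-wide DEP policy and on any per-application mitigation policy, so it is worth checking both before deploying. The PowerShell below is an added example, not Cloudhouse code: it reads the system DEP policy from WMI and, where the ProcessMitigations module is available (Windows 10 1709 or later, the successor to EMET's per-application settings), whether DEP is forced on for a named executable. 'LegacyApp.exe' is a hypothetical file name.

```powershell
# Added example, not Cloudhouse code: report the machine-wide DEP policy and, where the
# ProcessMitigations module is present (Windows 10 1709 or later), whether DEP is forced
# on for a given executable by Exploit Protection policy. 'LegacyApp.exe' is hypothetical.
function Get-DepStatus {
    param([string] $ExecutableName)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    $policyNames = @{
        0 = 'AlwaysOff: DEP disabled for all processes'
        1 = 'AlwaysOn: DEP enforced for all processes, opt-out requests are ignored'
        2 = 'OptIn: DEP only for Windows components and applications that opt in'
        3 = 'OptOut: DEP for all applications except those that opt out'
    }
    $report = [ordered]@{
        SystemPolicy    = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        HardwareDep     = $os.DataExecutionPrevention_Available
        DepFor32BitApps = $os.DataExecutionPrevention_32BitApplications
    }
    if ($ExecutableName -and (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        $m = Get-ProcessMitigation -Name $ExecutableName
        # ON forces DEP for this executable regardless of what it requests;
        # NOTSET means it inherits the system policy above
        $report.PerAppDep         = $m.Dep.Enable
        # EmulateAtlThunks is the DEP compatibility setting for old ATL-based code
        $report.AtlThunkEmulation = $m.Dep.EmulateAtlThunks
    }
    [pscustomobject]$report
}

# Usage
Get-DepStatus -ExecutableName 'LegacyApp.exe' | Format-List
```

A SystemPolicy of AlwaysOn, or a PerAppDep of ON, is an environment where the application's own opt-out will not take effect, which is the situation the page describes for the Visual Studio 2008 runtimes.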

Instructions on How to opt-out of DEP

Create Malware Free Containers

Unlike Microsoft App-V and VMware ThinApp, Cloudhouse recommend installing anti-virus software on the packaging machine so that the resulting Containers are free from malware and viruses. The Auto Packager's install capture process can handle the presence of anti-virus software and will offer to retry files that are found to be in use. The vendor's application files are not changed during the packaging process, ensuring vendor signatures remain valid.

References: App-V Sequencer Requirements, ThinApp Packaging Requirements

Deploy & Run Malware Free Containers

Containers are compatible with most anti-virus products on the market, and because Cloudhouse does not change the application's binaries in any way, packaged files are not viewed as malicious. Creating Containers in the presence of anti-virus software minimises the chance of a virus being included in a Container.


Some anti-virus software may flag run1.exe, run2.exe etc. in the Container as suspicious because the files are unsigned (they are generated at packaging time) and are designed to run other programs. Customers can choose to remove the files from the Container if they are not required, or have the files whitelisted once their Security team has confirmed they are safe.

How do I know if I need Run1.exe?

Run1.exe and run2.exe are generated during the packaging process for use with Containers that will be converted into UWP applications (.AppX). These files may safely be deleted from Containers if the AppX format is not required, and can be regenerated later if needed.
