Implementing AppLocker Control on RDS

A Remote Desktop Server, by nature, is an all-inclusive approach to providing users with a Standard Operating Environment. Applications, printers and other resources are available to all users on the server. However, this causes some concerns, particularly in the application space. AppLocker provides a method to restrict access to applications for certain users or groups.

In this example, the application being targeted is Adobe Creative Cloud on a Windows 2012 R2 Remote Desktop Server. Creative Cloud is a subscription-based service and, as such, not all users on the target RDS have the required subscription to use the product. However, there are a number of processes that run for every single user logged in to the RDS:

[Screenshot: Creative Cloud processes running for every logged-in user]

Obviously, on a multi-user server this will quickly lead to CPU and memory bloat for no reason at all, considering that the majority of users do not use the application anyway.

The solution in this case is to implement AppLocker via Group Policy to block the Creative Cloud application for any user that does not need it. But first, there are a few caveats that need to be addressed.

  • AppLocker is a computer policy and it is best applied to a computer. Consider changing the security filtering of your policy so that it applies to the target machine (more on this below).
  • DENY policies always overrule ALLOW policies. For example, denying Domain Users and attempting to allow AdobeCC-AllowedUsers will result in all users being denied anyway. As such, populate your security groups with the users you intend to deny access to, rather than those you intend to allow.
  • Do your research into the application(s) you intend to block. Is blocking a single executable enough, or do you need to block whole folders? Do other processes spawn from this executable, and how will that impact users?

These points will be illustrated below. Now on to the configuration.

The AppLocker GPO itself is quite simple and with the above caveats in mind the implementation is straightforward.

  • Create yourself a GPO. As mentioned above, give some consideration to the intended target computer. In this example, the Security Filtering has been changed from Authenticated Users to AUS-RD02, the name of the Remote Desktop Server.

[Screenshot: GPO Security Filtering set to AUS-RD02]

  • Turn on the Application Identity service via the GPO. Application Identity may not be needed, depending on how you target applications, but it won't hurt to have it on. This service is used to discover attributes of a program such as its publisher, version, etc. If it is not running on the target computer, those details of the application can't be retrieved. This is particularly important if you choose to target Publishers (e.g. blocking all Adobe products) or Versions (preventing groups from using particular versions of an application). This can be done via Computer Configuration/Policies/Windows Settings/Security Settings/System Services.

[Screenshot: Application Identity service set to Automatic in the GPO]

  • The next step is to configure your rule enforcement. There are two options for each of the rule categories: enforce rules or audit only. Enforcement strictly applies your rules, restricting user access to the applications, while Audit only monitors and reports (used for testing). Configure these options under Computer Configuration/Policies/Windows Settings/Security Settings/Application Control Policies/AppLocker: right-click the AppLocker icon and select Properties.

[Screenshot: AppLocker Properties, rule enforcement configured]

  • Next, configure some executable rules. You'll note there are some defaults already applied. These ensure that all users can access locations such as Program Files and that Administrators have access to all files. Leave these in place unless you have a specific reason not to. This example will focus on configuring a DENY rule, applied to a specific AD Security Group called APP-AdobeCCDeny and covering the entire Adobe Creative Cloud Program Files folder. You'll note that there are a few options for how to apply a rule (Publisher, Path and File Hash); this example will only cover Path.

Select the Executable Rules node, right-click and choose Create New Rule.

Select your action. We want DENY, and then choose the security group to apply this to:

[Screenshot: Create Executable Rules, Action set to Deny for APP-AdobeCCDeny]

Select Path as the primary condition and press Next. At this prompt you'll need to fill in the path. Keep in mind that the appropriate variables should be used, as the program you want to block can't be selected by choosing Browse: it is most likely not installed on the domain controller or the computer you are using to generate the policy.

[Screenshot: Create Executable Rules, Path condition]

NOTE: %PROGRAMFILES% covers both Program Files and Program Files (x86). In this example, we are choosing to apply the rule to Program Files (x86)\Adobe\Adobe Creative Cloud\*, which will include all files and subfolders.

Press Next through the exceptions unless they are required. NOTE that exceptions are for excluding files or folders from the rule, not users or groups. Next, specify a name for the rule and click Create.

[Screenshot: Create Executable Rules, rule name and Create]

The final step is to link the GPO to the target Organisational Unit, such as the OU containing the Remote Desktop Server.

The settings will only take effect once users log off and back on again, and the result should be that anyone in the DENY security group receives the following error when they try to access the program:

[Screenshot: "This program is blocked by group policy" message]

All other users should still be able to use the program. You'll note that for blocked users, any background processes that run from that folder, or that depend on executables in that folder, will also fail to run. In this example, the result is a much cleaner and leaner user session.

[Screenshot: process list after the deny rule, Creative Cloud processes absent]
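The same policy can be authored and checked from PowerShell, which is useful for reviewing exactly what the GPO will contain before anyone is blocked. The script below is an added example and is not code from the original article or from Cogenesis: it builds an AppLocker policy containing the three default executable rules plus a Path DENY rule for APP-AdobeCCDeny, starts it in Audit mode (the Audit enforcement option above), dry-runs it against the executables under the Creative Cloud folder, and then lists the 8003 (would have been blocked) and 8004 (was blocked) events AppLocker writes. Assumptions not stated on the page: it runs elevated on the RDS host itself (AUS-RD02) so that the Creative Cloud folder exists for the dry run, the AppLocker PowerShell module is present (it ships with Windows Server 2012 R2), the group name resolves from that host, and the `-Ldap` string for applying to the GPO is a placeholder you replace with your own policy object's distinguished name. The rule path uses `%PROGRAMFILES%`, which, as noted above, covers both Program Files folders.

```powershell
# Added example (not the article's own code): build, dry-run, apply and audit an
# AppLocker deny-folder policy equivalent to the GPO configured above.
Import-Module AppLocker

$DenyGroup = 'APP-AdobeCCDeny'                               # group from the article
$DenyPath  = '%PROGRAMFILES%\Adobe\Adobe Creative Cloud\*'   # covers Program Files and Program Files (x86)
$PolicyXml = Join-Path $env:TEMP 'AppLocker-AdobeCC-Deny.xml'

# AppLocker rules store SIDs, not names; resolve the group once so a later
# rename of the group cannot silently stop the rule matching.
function Get-GroupSid([string]$Name) {
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Emit the Exe rule collection: the three default allow rules the GPO editor
# creates (Everyone: Program Files and Windows; Administrators: everything)
# plus the deny rule. Because DENY always wins over ALLOW, members of the
# group lose the folder even though Everyone is allowed Program Files.
function New-DenyFolderPolicyXml([string]$GroupName, [string]$GroupSid, [string]$Path, [string]$Mode = 'AuditOnly') {
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Adobe Creative Cloud folder" Description="Members of $GroupName may not run anything under $Path" UserOrGroupSid="$GroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="$Path"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$sid = Get-GroupSid $DenyGroup
New-DenyFolderPolicyXml -GroupName $DenyGroup -GroupSid $sid -Path $DenyPath |
    Set-Content -Path $PolicyXml -Encoding UTF8

# Dry run before applying: evaluate every .exe under the real folder against the
# XML for a member of the deny group. Expect PolicyDecision = Denied with the new
# rule as MatchingRule; DeniedByDefault would mean the default allow rules were lost.
$folder = Join-Path ${env:ProgramFiles(x86)} 'Adobe\Adobe Creative Cloud'
Get-ChildItem -Path $folder -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -User $sid |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply to the local policy of this host (replaces the current local policy).
# To write it into the GPO instead, supply the policy object's LDAP path;
# the value below is a placeholder, not a real path.
Set-AppLockerPolicy -XmlPolicy $PolicyXml
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap 'LDAP://<dc>/CN={<gpo-guid>},CN=Policies,CN=System,DC=<domain>,DC=<tld>'

# Review what Audit mode recorded (8003: allowed but would have been blocked)
# or, after switching Mode to Enabled, what was actually blocked (8004).
function Get-AppLockerDecisionEvents([int]$Hours = 24) {
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'User';    e = { $_.UserId } },
            @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}
Get-AppLockerDecisionEvents -Hours 24 | Format-Table -AutoSize
```

Run the dry run and review the 8003 events for a day or two before changing `$Mode` to `Enabled`: the event list is where dependent background processes spawned from the denied folder (the third caveat above) show up, which lets you confirm that only the intended users and executables are affected.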

Installing HP tools for ESXi Hosts (the easy way) – updated 2016/17

Since the split of HP into a server business (HPE) and a desktop/printer business (HP), some of the syntax for installing and managing HP tools on ESXi has changed.

What you now need to do is below.

First put your host in maintenance mode, then SSH to your ESXi host.

cd /tmp

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-HPUtil-esxi5.5-bundle-2.6-12.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-esxi5.5uX-bundle-2.6.0-22.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/ams-esxi5.5-bundle-10.5.0-13.zip

wget http://vibsdepot.hpe.com/hpe/oct2016/esxi-550-bundles/hpe-nmi-esxi5.5-bundle-2.4.16.zip


Deploying Office 365 on Remote Desktop Server

Gone are the days when simply inserting a Microsoft Office DVD and running the setup executable was sufficient for installing Microsoft Office on a Remote Desktop Server. With many organisations switching to the flexible Office 365 model, Microsoft released the Office Deployment Tool to facilitate installing multi-user, per-user licensed editions of Office.

[Screenshot: Office Deployment Tool]

Windows Server 2012 R2 Asynchronous Credits

We recently came across an issue with several new Windows 2012 R2 boxes in a particular organisation having mysterious file save errors and mapped drive disconnects.

[Screenshot: file save error]

[Screenshot: mapped drive disconnect error]

Server has a weak, ephemeral Diffie-Hellman public key

If you are using Google Chrome or Firefox you may have noticed an error informing you of a "weak ephemeral Diffie-Hellman public key". This will occur if you are using any version of Chrome later than 45 or Firefox from version 39. This was put in place to protect against the Logjam vulnerability, though in most instances it breaks access to many internal devices and servers over HTTPS. In this example I am using Dell OpenManage.

Adobe Acrobat Reader DC, Unable to “save as” for PDF file

We have recently encountered an issue with multiple people not being able to save a PDF file while in a Remote Desktop environment; this may also apply to individual machines.

If you have noticed the following symptom:

– When using Save As, you get a white box with no content inside

Before reinstalling Adobe Acrobat Reader DC, please try the solutions below.

Is a NUC for you?

Quite recently a new device has hit the market and has taken the portability of the PC to new levels.

The NUC, or Next Unit of Computing, is a small form factor PC originally designed by Intel. Other vendors such as Gigabyte have released their own spin on the NUC, the Gigabyte BRIX, with alternate designs, features and specifications aimed at a different target audience looking for higher specifications.

The best-known configuration for a NUC is a barebones kit. This kit consists of a case, made either of a combination of aluminium and plastic or entirely of plastic, with a motherboard measuring 10.16 cm x 10.6 cm, a power supply, and a VESA mounting plate which can be used to mount the NUC to monitors, TVs, etc.

SSD vs HDD Is it time to upgrade?

Ever since solid state drives became available to consumers, people have been wary of what they had to offer, as there were concerns raised over pricing and reliability.

It is now 2016 and the solid state drive is steadily becoming the default choice for all laptops and desktops from medium to high-end builds, due to the versatility of having no moving parts and the performance benefits listed below.

Exchange In-place (On-Premises) v Online (Cloud) Archiving

This article will look at the benefits of Microsoft archiving solutions for Exchange, both in-place and online. The volume of data created, stored and transferred via email is growing, and thankfully we have come a long way from using PST files, which were prone to corruption and very limited in capacity and functionality.

While mailboxes nowadays can hold much more, even 50 GB within Office 365, organisations still seek archiving functionality for multiple reasons:

– Storage space shortage

– Mailbox performance

– Reducing storage costs (using slower disks for historical email)

– Operational expense reduction

– Improving user experience

– Improving search performance of mailbox

– Reduction of local storage (laptop or RDS storage used for caching)

The business case for Hosted Exchange

A large number of organisations have been moving to hosted email solutions. Hosted Exchange can be considered a relatively tried and tested way to push services to the cloud, and this, together with the complexity and cost of managing email systems internally, has contributed to the popularity of this cloud service. There are many paths one can take to move to a hosted Exchange platform: Microsoft Office 365, Google, your service provider, ISP solutions and cloud service providers all offer varying hosted email services.

Hosted Exchange is a remotely managed, third-party vendor-provided solution to a business's email needs, charged as a monthly per-mailbox or per-user fee. It removes the need to have your own Exchange server and the maintenance that goes with it. Different offerings will have different feature sets, such as mailbox size, archiving options, additional storage, and discovery and management tools. It is important to note that we are not looking at POP-style email solutions, which are limited in the way of collaboration and security and generally store mail on your local workstation; this is not adequate for any business that relies on email as a key part of its communication.

Because of licensing costs, and the fact that managing an Exchange server for a small organisation can take as much time as (or even more than) for a larger organisation, smaller organisations will see the most cost benefit over their existing solutions. However, large enterprises, which often have to manage multiple Exchange servers with the added overhead of clustering and redundancy, resulting in additional hardware and expert staff, have also been migrating to hosted Exchange platforms, reducing complexity while maintaining redundancy and increasing uptime and potentially security.
