VMware Horizon Community
pieterheijms
Enthusiast

Application blocking all files except some files (including DFS)

Hi,

We are going to implement Dynamic Environment Manager.

What we want is the following:

- Block all applications and exe files (also program files and windows)

- Only allow specific files, we choose.

How can we implement our policy?

We also use DFS and map the Homefolder on the DFS to H-drive and all .exe files can be started from the H-drive. How can I block the H-drive? I tried to block \\domain\dfs and H:\ but that didn't work.

Two other questions:

- does it slow down my environment if I have 400 block rules?

- Is there a log file where I can see which blocks did happen? So I can analyse if there are attacks / if people try to start applications?

Greetings,

Pieter

5 Replies
DEMdev
VMware Employee

Hi Pieter,

When you enable application blocking in DEM, all executables apart from the ones in the Program Files and Windows folders are blocked by default, so executables on the H: drive or a UNC path will be blocked.

You can add additional block configuration to limit which executables from Program Files and Windows can be launched by your users.

> does it slow down my environment if I have 400 block rules?

To be honest, we did not really optimize for scenarios with hundreds of rules, but I just did a test with 1000 block rules without any noticeable effect (neither in processing that configuration, nor in launching allowed/blocked executables.) But, as always: please validate this in your own environment.

> Is there a log file where I can see which blocks did happen?

At logoff, the DEM agent logs application blocking statistics to its log file:

2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:

2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0001.exe 1 time

2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0999.exe 2 times

We can also log application blocking events to the Windows event log:

pastedImage_10.png

pieterheijms
Enthusiast

Hi Arnout,

Thank you for your answer!

We enabled blocking, but the H-drive isn't blocked, I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\ and redirected all folders.

Our log level was set to low, so I didn't see the blocks in the log.

Are there plans to integrate all application blocks into a log in DEM? We used Ivanti Workspace Control and there you have a complete overview in a log in the console. Is VMware also planning an overview in DEM where all blocks of all users are logged?

Another question, where can I find best practices for configuring DEM?

Grtz,

Pieter

DEMdev
VMware Employee

Hi Pieter,

> We enabled blocking, but the H-drive isn't blocked, I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\ and redirected all folders.

In your application blocking configuration, do you have any additional allow settings configured?

I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)

My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:

pastedImage_9.png

Event log shows the same:

pastedImage_10.png

as does the log file:

2020-06-11 14:00:55.510 [INFO ]    Blocked \Device\Mup\2012R2\C$\Program Files\Tools\TreeSizeFree.exe 1 time

We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.
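
As an added example (not part of the original posts and not VMware code), the "Blocked" statistics lines quoted in this thread can be parsed and totalled per executable before being forwarded to a log aggregator. The sample log is constructed from the lines quoted above, and the assumption is that every statistics line follows that same layout; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = r"""
2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:
2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0001.exe 1 time
2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0999.exe 2 times
2020-06-11 14:00:55.510 [INFO ] Application blocking statistics:
2020-06-11 14:00:55.510 [INFO ]    Blocked \Device\Mup\2012R2\C$\Program Files\Tools\TreeSizeFree.exe 1 time
2020-06-11 14:00:55.510 [DEBUG] Some unrelated line
"""

# Assumed layout: "<timestamp> [INFO ]    Blocked <path> <n> time(s)".
# The path may contain spaces, so the count is anchored at the end of the line.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[INFO\s*\]\s+"
    r"Blocked (?P<path>.+) (?P<count>\d+) times?\s*$"
)

def parse_blocks(text):
    """Return (timestamp, path, count) for every 'Blocked' statistics line."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            events.append((m["ts"], m["path"], int(m["count"])))
    return events

def is_network_path(path):
    """True for paths reached over the network rather than a local volume."""
    # \Device\Mup\ is the NT device prefix for UNC paths, which is how the
    # mapped H:\ launch shows up in the thread; plain \\server\share counts too.
    p = path.lower()
    return p.startswith("\\device\\mup\\") or p.startswith("\\\\")

def summarize(text):
    """Total block counts per executable and list the network-hosted ones."""
    totals = Counter()
    for _, path, count in parse_blocks(text):
        totals[path] += count
    network = sorted(p for p in totals if is_network_path(p))
    return totals, network

if __name__ == "__main__":
    totals, network = summarize(SAMPLE_LOG)
    for path, count in totals.most_common():
        tag = "network" if path in network else "local"
        print(f"{count:>4}  [{tag}]  {path}")
```
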

pieterheijms
Enthusiast

Hi,

> In your application blocking configuration, do you have any additional allow settings configured?
>
> I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)
>
> My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:

No, I only enabled application blocking (default).

1.PNG

Start from the H-drive works (from all other servers not).

2.PNG

I think this is because we use Folder Redirection and in the AD the Home folder parameter.

3.JPG

4.JPG

> We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.

Thanks!

DEMdev
VMware Employee

Thank you for the additional detail, Pieter, I'll see if I can repro this.