Hi,
We are going to implement Dynamic Environment Manager.
What we want is the following:
- Block all applications and exe files (also Program Files and Windows)
- Only allow specific files, we choose.
How can we implement our policy?
We also use DFS and map the home folder on the DFS to the H: drive, and all .exe files can be started from the H: drive. How can I block the H: drive? I tried to block \\domain\dfs and H:\ but that didn't work.
Two other questions:
- does it slow down my environment if I have 400 block rules?
- Is there a log file where I can see which blocks did happen? So I can analyse whether there are attacks / whether people try to start applications?
Greetings,
Pieter
Hi Pieter,
When you enable application blocking in DEM, all executables apart from the ones in the Program Files and Windows folders are blocked by default, so executables on the H: drive or a UNC path will be blocked.
You can add additional block configuration to limit which executables from Program Files and Windows can be launched by your users.
does it slow down my environment if I have 400 block rules?
To be honest, we did not really optimize for scenarios with hundreds of rules, but I just did a test with 1000 block rules without any noticeable effect (neither in processing that configuration, nor in launching allowed/blocked executables.) But, as always: please validate this in your own environment.
Is there a log file where I can see which blocks did happen?
At logoff, the DEM agent logs application blocking statistics to its log file:
2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:
2020-06-10 10:00:16.854 [INFO ] Blocked C:\Program Files\Block Me\0001.exe 1 time
2020-06-10 10:00:16.854 [INFO ] Blocked C:\Program Files\Block Me\0999.exe 2 times
We can also log application blocking events to the Windows event log:
Hi Arnout,
Thank you for your answer!
We enabled blocking, but the H-drive isn't blocked; I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\, and redirected all folders.
Our log level was set to low, so I didn't see the blocks in the log.
Are there plans to integrate all application blocks into a log in DEM? We used Ivanti Workspace Control and there you have a complete overview in a log in the console. Is VMware also planning an overview in DEM where all blocks of all users are logged?
Another question: where can I find best practices for configuring DEM?
Grtz,
Pieter
Hi Pieter,
We enabled blocking, but the H-drive isn't blocked; I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\, and redirected all folders.
In your application blocking configuration, do you have any additional allow settings configured?
I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)
My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:
Event log shows the same:
as does the log file:
2020-06-11 14:00:55.510 [INFO ] Blocked \Device\Mup\2012R2\C$\Program Files\Tools\TreeSizeFree.exe 1 time
We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.
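Since DEM keeps no central overview, one practical approach is to collect the agent log files and parse the "Application blocking statistics" lines before handing the totals to a log aggregator. The parser below is an added example, not DEM's own tooling; the sample log lines are constructed in the format quoted in this thread, and the network-location check assumes the \Device\Mup\ prefix shown above is how the agent logs executables launched via a mapped drive.

```python
import re
from collections import Counter

# Matches the "Blocked <path> N time(s)" lines the DEM agent writes at logoff.
# The path is matched lazily so paths containing spaces are handled; the count
# is anchored at the end of the line.
BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[INFO \] Blocked (?P<path>.+?) (?P<count>\d+) times?$"
)

# Constructed sample in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:
2020-06-10 10:00:16.854 [INFO ] Blocked C:\\Program Files\\Block Me\\0001.exe 1 time
2020-06-10 10:00:16.854 [INFO ] Blocked C:\\Program Files\\Block Me\\0999.exe 2 times
2020-06-11 14:00:55.510 [INFO ] Blocked \\Device\\Mup\\2012R2\\C$\\Program Files\\Tools\\TreeSizeFree.exe 1 time
2020-06-11 16:30:01.002 [INFO ] Blocked C:\\Program Files\\Block Me\\0001.exe 3 times
"""

def parse_blocked(text):
    """Return (timestamp, path, count) for every 'Blocked' statistics line."""
    records = []
    for line in text.splitlines():
        m = BLOCKED_RE.match(line)
        if m:
            records.append((m.group("ts"), m.group("path"), int(m.group("count"))))
    return records

def totals_by_path(records):
    """Sum block counts per executable path across all parsed logoff sessions."""
    totals = Counter()
    for _ts, path, count in records:
        totals[path] += count
    return dict(totals)

def is_unc_or_mup(path):
    """True when the executable came from a UNC path or the MUP device path
    (assumed to be how the agent logs launches via a mapped network drive)."""
    p = path.lower()
    return p.startswith("\\\\") or p.startswith("\\device\\mup\\")

if __name__ == "__main__":
    recs = parse_blocked(SAMPLE_LOG)
    for path, n in sorted(totals_by_path(recs).items(), key=lambda kv: -kv[1]):
        tag = "network" if is_unc_or_mup(path) else "local"
        print(f"{n:4d}  {tag:8s}  {path}")
```

Point it at the agent log files gathered from each RDSH host or user profile to get the per-executable totals the console-style overview would otherwise give you.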
Hi,
In your application blocking configuration, do you have any additional allow settings configured?
I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)
My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:
No, I only enabled application blocking (default).
Starting from the H-drive works (from all other servers it does not).
I think this is because we use Folder Redirection and the Home folder parameter in the AD.
We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.
Thanks!
Thank you for the additional detail, Pieter, I'll see if I can repro this.