VMware Horizon Community
nielsgeursen
Enthusiast

Application blocking

Hi All,

I have a challenge with application blocking within VMware UEM. The customer wants to block user access to PowerShell and I would like to do this with Application Blocking. When adding powershell.exe to the block list, PowerShell is blocked for the specific condition. However, some of the logon scripts (GPO) are PowerShell based (because I didn't create the scripts I don't want to replace them yet). These files are of course blocked. So application blocking is working.

For a test I added the scripts to Logon Tasks in UEM (maybe UEM is not blocking itself). Too bad PowerShell scripts are blocked as well even if they are added to the Logon Tasks.

So this is what we want to achieve:

- Block all kinds of command line (CMD, PowerShell)
- Allow the execution of logon scripts from GPO or UEM

Can this be done with UEM or does anyone have a different solution which is maybe better?

Please let me know.

With kind regards,

Niels

3 Replies
DEMdev
VMware Employee

Hi nielsgeursen,

The only workaround I can think of isn't particularly secure, so I'm reluctant to describe it...

Does your customer want to block these executables to prevent their users from accidentally running stuff they should not, or is it meant to guard against intentional "abuse"?

nielsgeursen
Enthusiast

The customer wants to guard against intentional abuse. If you disable CMD via GPO you cannot start CMD; however, from PowerShell you can still start some CMD commands (under the user context, of course).

What would be nice to have in UEM is that scripts (in this case a PowerShell script) are not blocked in the Logon Tasks or Logoff Tasks even if PowerShell is blocked in Application Blocking.

Setting permissions on PowerShell could cause more harm than good.

Another strange thing: if you block PowerShell via the GPO setting "Don't run specified Windows applications", the PowerShell logon scripts will still work. I am not sure if the logon scripts run under a different user context or if it has to do with timing within GPO.

DEMdev
VMware Employee

Thank you for the clarification. I'm afraid we don't have anything to offer that allows PowerShell to run during logon but securely prevents it from running during the user's session.

I think your finding that disallowing PowerShell through the GPO setting still allows its use in logon scripts does indeed have to do with timing. My possible workaround using UEM's application blocking would also be timing-based, but I'm afraid that can be circumvented by a sufficiently smart user...
