5 Replies Latest reply on Jun 11, 2020 11:21 AM by DEMdev

    Application blocking all files except some files (including DFS)

    pieterheijms Novice

      Hi,

       

      We are going to implement Dynamic Environment Manager.

       

      What we want is the following:

      - Block all applications and exe files (also program files and windows)

      - Only allow specific files, we choose.

       

      How can we implement our policy?

       

      We also use DFS and map the Homefolder on the DFS to H-drive and all .exe files can be started from the H-drive. How can I block the H-drive? I tried to block \\domain\dfs and H:\ but that didn't work.

       

      Two other questions:

      - does it slow down my environment if I have 400 block rules?

      - Is there a log file where I can see which blocks did happen? So I can analyse if there are attacks / if people try to start applications?

       

      Greetings,

      Pieter

        • 1. Re: Application blocking all files except some files (including DFS)
          DEMdev Master
          VMware Employees

          Hi Pieter,

           

          When you enable application blocking in DEM, all executables apart from the ones in the Program Files and Windows folders are blocked by default, so executables on the H: drive or a UNC path will be blocked.

          You can add additional block configuration to limit which executables from Program Files and Windows can be launched by your users.

          does it slow down my environment if I have 400 block rules?

          To be honest, we did not really optimize for scenarios with hundreds of rules, but I just did a test with 1000 block rules without any noticeable effect (neither in processing that configuration, nor in launching allowed/blocked executables.) But, as always: please validate this in your own environment.

          Is there a log file where I can see which blocks did happen?

          At logoff, the DEM agent logs application blocking statistics to its log file:

          2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:
          2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0001.exe 1 time
          2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0999.exe 2 times
          

           

          We can also log application blocking events to the Windows event log:

          1 person found this helpful
          • 2. Re: Application blocking all files except some files (including DFS)
            pieterheijms Novice

            Hi Arnout,

             

            Thank you for your answer!

             

            We enabled blocking, but the H-drive isn't blocked, I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\ and redirected all folders.

             

            Our log level was set to low, so I didn't see the blocks in the log.

             

            Are there plans to integrate all application blocks into a log in DEM? We used Ivanti Workspace Control and there you have a complete overview in a log in the console. Is VMware also planning an overview in DEM where all blocks of all users are logged?

             

            Another question, where can I find best practices for configuring DEM?

             

            Grtz,

            Pieter

            • 3. Re: Application blocking all files except some files (including DFS)
              DEMdev Master
              VMware Employees

              Hi Pieter,

              We enabled blocking, but the H-drive isn't blocked, I can start all .exe files from the H-drive. The user in the AD has a home folder H: with path \\domain\dfs\<username> configured. In DEM we configured Folder Redirection, remote path H:\ and redirected all folders.

              In your application blocking configuration, do you have any additional allow settings configured?

               

              I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)

              My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:

              Event log shows the same:

              as does the log file:

              2020-06-11 14:00:55.510 [INFO ]    Blocked \Device\Mup\2012R2\C$\Program Files\Tools\TreeSizeFree.exe 1 time
              

               

               

              We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.

              1 person found this helpful
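One way to act on the log-aggregation suggestion above, as an added example that is not part of the thread and not VMware code: a parser that totals the per-executable "Blocked" lines across logoffs and flags launches from network locations by rewriting `\Device\Mup\` paths as UNC paths. It assumes the log line format exactly as quoted in the replies; the function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Per-executable lines the DEM agent writes at logoff, in the format
# quoted in the thread (assumed to be stable across agent versions).
BLOCK_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} \[INFO \]\s+"
    r"Blocked (?P<path>.+) (?P<count>\d+) times?$"
)
# Kernel name of the Multiple UNC Provider: what follows it is server\share\...
MUP_PREFIX = "\\Device\\Mup\\"

def normalize(path):
    # Rewrite a Mup device path as the UNC path it corresponds to.
    if path.lower().startswith(MUP_PREFIX.lower()):
        return "\\\\" + path[len(MUP_PREFIX):]
    return path

def summarize(lines):
    # Returns (total blocks per path, paths that live on a network location).
    totals = Counter()
    for line in lines:
        m = BLOCK_LINE.match(line.strip())
        if not m:
            continue  # statistics header, unrelated log entries, blank lines
        totals[normalize(m["path"])] += int(m["count"])
    network = {p for p in totals if p.startswith("\\\\")}
    return totals, network

# Sample input: the lines quoted in the thread plus one constructed line
# (the last) standing in for a second logoff.
SAMPLE = r"""
2020-06-10 10:00:16.854 [INFO ] Application blocking statistics:
2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0001.exe 1 time
2020-06-10 10:00:16.854 [INFO ]    Blocked C:\Program Files\Block Me\0999.exe 2 times
2020-06-11 14:00:55.510 [INFO ]    Blocked \Device\Mup\2012R2\C$\Program Files\Tools\TreeSizeFree.exe 1 time
2020-06-11 17:30:02.101 [INFO ]    Blocked C:\Program Files\Block Me\0999.exe 3 times
""".splitlines()

if __name__ == "__main__":
    totals, network = summarize(SAMPLE)
    for path, n in totals.most_common():
        tag = "network" if path in network else "local"
        print(f"{n:4d}  {tag:7s}  {path}")
```

Because the statistics are only written at logoff, totals from this log lag behind the Windows event log entries mentioned in the same reply.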
              • 4. Re: Application blocking all files except some files (including DFS)
                pieterheijms Novice

                Hi,

                 

                In your application blocking configuration, do you have any additional allow settings configured?

                 

                I just did a quick test on a standalone RDSH VM, with a DEM drive mapping setting that maps H:\ to a sub folder of Program Files, and enabling application blocking (just the global setting, without any additional config.)

                My test user can launch executables from Program Files just fine, but when trying to do the same via H:\, it's blocked:

                 

                No, I only enabled application blocking (default).


                 

                Start from the H-drive works (from all other servers not).


                 

                I think this is because we use Folder Redirection and in the AD the Home folder parameter.


                We don't have any plans for "central overview" features, as that does not really fit DEM's architectural approach. Your best bet here would be to use some log aggregator that can consume Windows event logs.

                 

                Thanks!

                • 5. Re: Application blocking all files except some files (including DFS)
                  DEMdev Master
                  VMware Employees

                  Thank you for the additional detail, Pieter, I'll see if I can repro this.