Appsec.exe: Application Security

Server-only: This tool is included in the Windows 2000 Server Resource Kit only.

See the Windows 2000 Resource Kit Release Notes (Readme.htm) for important information on this tool.

The Application Security tool is a GUI-based application that allows an administrator in a multi-user environment to restrict the access of ordinary users to a predefined set of applications on the network. Enabling application security using this tool will cause the system to reject any attempts by ordinary users to execute a program that they are not authorized to use.

Microsoft® Windows® 2000 Group Policy contains a feature that restricts user access to applications by hiding the Start Menu and Desktop icons. AppSec increases security by restricting file execution, preventing the user from running an executable file even through the command line, or from within another application. The AppSec tool should be used in conjunction with the Group Policy restrictions, to both disable and hide restricted programs.

AppSec restricts the file based on the full path name. Only the named executable in the designated location can be run. This prevents users from running other versions of the same executable file from alternate locations.

The Application Security tool provides a simple GUI interface for adding and removing permitted applications to the list. It also offers a "Tracking" feature, which allows the administrator to track the executable files required for a permitted set of actions merely by performing those actions as a user would. This feature enables the administrator to discover applications which are being invoked from other applications (for example, Microsoft® Word invoked by Microsoft® Outlook® for editing of mail).

Scenario

AppSec is typically used to restrict access to users on a Terminal Services Application Server deployment. This allows important tools to be available on the computer, or accessible on the network, for administrators, while managing the actual applications a user can run.

One of the common usage scenarios of this tool for Windows 2000 is deploying a Terminal Server-enabled computer for use by Internet users. When Internet Connector licensing is enabled, all Terminal Server client logons are to the same user, TsInternetUser. The administrator will probably want to use this tool to custom configure this server so that the users coming over the Internet are not given the standard Windows 2000 interface, but are restricted to running a limited set of applications.

Notes

The tool supports two security levels: Admin and non-admin. The Admin may always run any executable file even when AppSec security is enabled. All others will be restricted to only the allowed exe list.
The AppSec settings apply to the computer; there is no per user configuration.
When the Application Security tool is first enabled, users who are already logged to the Terminal Server before the AppSec.dll was loaded will not be affected, and will continue to be able to run applications not in the authorized list. In order to be restricted to the applications allowed by the tool, such users must first log off and log back on. This can be enforced by the administrator by stopping the session.
The tool only restricts applications invoked with the CreateProcess method. If a program is started using the NTCreateProcess method (which is rare), it can't be restricted using the Application Security Tool.
The Application Security tool can only be used to restrict 32-bit applications. By default when AppSec is enabled users are restricted from running any 16-bit applications. To allow users to run all 16-bit applications, the administrator can add ntvdm.exe to the authorized list of applications.
AppSec does no specific checking of the executable file; it restricts it only by name. If precautions are not taken, a malicious user could replace a valid executable file (for example: WinWord.exe) with a different file, renamed to WinWord. Windows 2000 Security must be used to prevent a user from replacing or renaming application files.
AppSec restricts only executable files, not DLLs.

Installing the Application Security Tool

The files required for the Application Security Tool are copied into the user-definable installation directory during Resource Kit setup. Before you use the tool, however, you must finish the installation with the following procedure.

To complete AppSec installation

Install the Resource Kit.
Open a command window, or click Start and then click Run.
Type Instappsec.exe, and then press Enter.

Files Required

Appsec.exe
Appsec.hlp
Appsec.dll
Appsec.cnt
Instappsec.exe