Using Microsoft AppLocker to manage application experience on Amazon AppStream 2.0
Customers are using Amazon AppStream 2.0 with application control software and policies to manage the streaming of desktop applications to their end users. Customers use the application control software and policies together with the clipboard, file transfer, local print permissions, and VPC security groups to provide the right level of integration, control resource access, and manage the application experience. By default, AppStream 2.0 allows users or applications to start any executable on the instance, beyond what is specified in the image application catalog. This is useful when your application relies on another application as part of the workflow, but you don’t want the user to be able to start that dependent application directly. For example, your application starts the browser to provide help instructions from the application vendor’s website, but you don’t want the user to start the browser directly. In some situations, you may want to control which applications can be launched on the streaming instances. Microsoft AppLocker is application control software that uses control policies to explicitly allow or deny the applications a user can run. In this blog, I walk you through how to implement AppLocker within your image.
Prerequisites
- An AppStream 2.0 image builder in the running state
- An AppStream 2.0 stack associated with a fleet in the stopped state
You can read more about setting up AppStream 2.0 in the getting started guide.
Configure your AppLocker application control policies
In this step, we connect to the running image builder, launch the Local Security Policy utility, and configure the AppLocker application control policies. The policies will allow the AppStream 2.0 agents to run, and we use Mozilla Firefox as the demo application.
Note: If you use Active Directory for your image builder and fleet, you can configure the AppLocker application control policies via Group Policy. To do so, create a new GPO, or modify an existing one, then follow from step 3.
1. Connect to your running image builder as the administrator user.
2. Once connected, open the Start Menu and enter secpol.msc.
3. Expand Application Control Policies > AppLocker.
4. Choose Configure rule enforcement.
5. In the AppLocker Properties dialog box, select the check box next to Configured in the Executable rules section, then choose OK.
Note: The rules will not be enforced until the AppLocker Windows service is started in a later step.
6. Choose Executable Rules.
7. In the right panel, right-click in the white space and choose Create Default Rules to create the Microsoft recommended default rules.
Note: The Microsoft recommended default rules automatically allow everything in the Windows and Program Files directories. You must scope these down based on your users’ needs.
8. Select the rule named (Default Rule) All files located in the Program Files folder, then select Action from the toolbar and choose Delete. This rule is overly broad and will be replaced in later steps with the folders of the software the user can run.
9. Select Action, Create New Rule….
10. If the Before You Begin dialog box appears, choose Next; otherwise, skip this step.
11. The default values for the Permissions dialog box are sufficient. Choose Next to continue.
12. On the Conditions dialog box, select Path, then choose Next.
13. On the Path dialog box, choose Browse Folders, then navigate to the Mozilla Firefox directory located in C:\Program Files (x86)\Mozilla Firefox. Once selected, choose OK. Then choose Create.
14. AppStream 2.0 requires specific allow rules to enable successful operation. Repeat steps 8 through 13 to build the rules as documented in the Application Access section of the Data Protection topic in the Amazon AppStream 2.0 Administration Guide.
Note: To prevent users from launching the Windows Command Prompt or Windows PowerShell, modify the (Default Rule) All files located in the Windows folder rule to exclude the Command Prompt executable and the PowerShell directories. Using a deny rule instead may prevent image builders and fleet streaming instances from being provisioned.
Configure AppLocker to start automatically
In this step, we enable AppLocker on the image builder, and configure it to start automatically. By default, the Windows service that manages AppLocker, Application Identity, isn’t running and is configured to only start manually. When the Application Identity service isn’t running, the rules aren’t in effect. You can use Group Policy to start the service on Active Directory domain joined instances, or configure the service to start automatically using an elevated command prompt. You can learn more by reading Configure the Application Identity service on the Microsoft AppLocker overview.
1. Open the Windows Start Menu, right-click Command Prompt, then choose Run as Administrator.
2. In the elevated command prompt, run the following command to start the Application Identity Windows service:
net start appidsvc
3. In the elevated command prompt, run the following command to configure the service to start automatically:
sc.exe config appidsvc start= auto
The Application Identity Windows service should now be running, and configured to automatically start on the image builder and fleet streaming instances. If you switch to a non-administrator user, you should see that the rules are taking effect, only allowing the applications that were specified by the AppLocker rules to run.
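The same allow list built in the Local Security Policy steps above, expressed as AppLocker policy XML and applied from PowerShell, followed by the service enablement from this section; this is an added example, not code from the original post or from AWS. It assumes Firefox lives under Program Files (x86)\Mozilla Firefox (covered by AppLocker's %PROGRAMFILES% variable), that the cmd.exe and PowerShell paths listed in $windowsExceptions are what the Windows-folder exclusions should cover, and it uses Set-Service in place of the sc.exe command shown above; the AppStream 2.0 agent rules from the Administration Guide are left as a placeholder because the post does not list them.

```powershell
# Added example: build, dry-run, apply and enforce the AppLocker allow list from an
# elevated PowerShell session on the image builder. Not part of the original post.
$policyPath = Join-Path $env:TEMP 'appstream-applocker.xml'

# Assumption: these are the Command Prompt and PowerShell paths the Windows-folder
# default rule should exclude (exceptions, not deny rules, as the post recommends).
$windowsExceptions = @(
    '%WINDIR%\System32\cmd.exe',
    '%WINDIR%\SysWOW64\cmd.exe',
    '%WINDIR%\System32\WindowsPowerShell\v1.0\*',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*'
)
$exceptionXml = ($windowsExceptions | ForEach-Object { "        <FilePathCondition Path=`"$_`" />" }) -join "`n"

# S-1-1-0 is Everyone; S-1-5-32-544 is BUILTIN\Administrators (the default admin rule).
# PLACEHOLDER: add the AppStream 2.0 agent allow rules from the Administration Guide's
# Application Access section as further FilePathRule elements before applying.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Mozilla Firefox" Description="Demo application" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder minus cmd.exe and PowerShell" Description="Default Windows rule with exceptions" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
$exceptionXml
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators run everything" Description="Default admin rule" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing: firefox.exe should be Allowed for a standard user and
# cmd.exe should be DeniedByDefault, because the exception removes it from every allow rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
    "$env:windir\System32\cmd.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule

# Replace the local AppLocker policy, then make the rules take effect by starting
# Application Identity and setting it to start automatically (as in the steps above).
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc
Set-Service -Name AppIDSvc -StartupType Automatic
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
```

Because the exceptions cover the PowerShell directories, only members of Administrators can run this script once the policy is in force; confirm the dry-run decisions before the final Set-AppLockerPolicy call, since an incomplete agent rule set can break provisioning.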
Create the AppStream 2.0 image
In this step, we create the AppStream 2.0 image that allows the user to run Firefox, apply it to a fleet, then test using a streaming URL.
1. From the image builder desktop as an administrator user, launch Image Assistant.
2. Select Add App, then specify the application the user should be able to launch from the application catalog. For our image, use Mozilla Firefox.
Note: The only applications that must be specified are the ones the user needs to launch directly. If the application starts another application, the additional application does not need to be specified in Image Assistant, but it must be included in an AppLocker allow rule.
3. Repeat step 2 for each additional application the user should be able to launch from the AppStream 2.0 application catalog.
4. For testing, repeat step 2 with an application that is not allowed by the AppLocker rules. For example, you can specify Internet Explorer.
5. Continue to create the AppStream 2.0 image as you normally would.
Update a stopped fleet with the newly created AppStream 2.0 image and test with a streaming URL
In this step, we update the stopped fleet with the newly created AppStream 2.0 image, start the fleet, and then stream using a streaming URL.
1. In the AppStream 2.0 Management Console navigation pane, select Fleets.
2. Select the stopped fleet that should receive the newly created image, then choose Actions, Edit.
3. Select the newly created image from the Name dropdown, then choose Update Fleet.
4. Select Actions, then choose Start.
5. Once the fleet reaches the running state, switch to the Stacks tab.
6. Select the stack associated with the fleet you updated, then choose Actions, Create streaming URL.
7. Enter a username, then choose Get URL.
8. Choose Copy Link to copy the streaming URL to your clipboard.
9. In a new tab, or using a private browsing window, navigate to the URL.
10. Try launching the application that is not allowed by the AppLocker policy. You should receive an error message that the application is blocked by the administrator.
Clean up
In this blog, we deployed resources in an AWS account that may incur charges. To clean up these resources, complete the following steps:
- Stop and delete the image builder used to create the image
- Stop and delete the fleet used to test the created image
- Delete the created image
Conclusion
In this blog, we used AppLocker to create an allow list of applications that the user can run on the AppStream 2.0 instance. Using AppLocker alongside the clipboard, file transfer, local print permissions, and VPC security groups enables you to closely manage the application experience your users have, providing them exactly the access and resources they need.