App-V Security

Installing the Client
Log on to your second XP machine as Administrator and install the SoftGrid Client for Windows Desktops from the command line to enable support for MSI deployment of virtualized applications:

1. Double-click the self-extracting executable for the SoftGrid client and unzip the contents to C:\softgrid.
2. Open a command prompt from the Start menu’s Run box and issue the following command:




msiexec /i c:\softgrid\softgrid-wd-setup.msi msideployment=true



3. Follow through a standard installation, clicking Next to bypass the Desktop Configuration Server screen. Restart the machine after the installation completes.

Installing a Virtual Application as an Administrator
Copy the Acrobat Reader folder from the desktop of the sequencer machine to the C drive of the client machine. Double-click the acrobatreader.msi package and follow the installation instructions. A shortcut will appear on the desktop for Acrobat Reader, as if the program were installed locally. Double-click the shortcut to open the application and you’ll notice the SoftGrid client icon appear in the system tray. If you open My Computer, you’ll notice that the SoftGrid client added a Q drive, and there’s no trace of Acrobat Reader in Program Files on the C drive.

Installing a Virtual Application as a Standard User
Installing a virtual application under SoftGrid as a standard user without a back-end server to stream the application is a bit more cumbersome, because you can’t just run the MSI package that the MSI Utility generates. However, you can use an MSI database editor such as Microsoft’s Orca utility to remove the installation restrictions for non-administrative users. Then, you can use the SoftGrid Client Management Console to install a virtual application as a standard user. To illustrate this process, let’s remove the Acrobat Reader virtual application and reinstall it while logged on as a standard user.

1. While you’re still logged on as Administrator, start the Microsoft Management Console (MMC) SoftGrid Client Management snap-in from the Control Panel Administrative Tools applet.
2. Select Applications in the left-hand pane under SoftGrid on local host. Right-click Acrobat Reader in the right-hand pane, select Delete from the menu, and click Yes to confirm.
3. Right-click SoftGrid on local host in the left-hand pane and select Properties from the menu.
4. Click the Permissions tab and select the Add applications, Delete applications, and Publish shortcuts check boxes, as Figure 5 shows. Click OK to continue.
5. Close the MMC and log on as a standard user (i.e., a user without administrative rights).
6. Open the MMC SoftGrid Client Management snap-in from Control Panel, right-click Applications in the left-hand pane, and select New Application from the menu. In the New Application dialog box, click Change Icon, then click Browse. Open acrobatreader Icons in the Acrobat Reader folder, select Adobe Reader 8 8.1.0.137 (or the appropriate version number), and click Open. The Acrobat Reader icon should appear in the Change Icon dialog box as the only available icon, as Figure 6 shows. Click OK to continue.
7. Browse to the Acrobat Reader .osd file in the Acrobat Reader folder and click Open. Click Finish in the New Application dialog box.
8. Select Applications again in the left-hand pane, right-click Adobe Reader in the right-hand pane, and select Import from the menu. In the Browse for Folder dialog box, browse to the Acrobat Reader folder and click OK.
9. When the package is done importing, the Package Status setting in the right-hand pane should say Idle (100%). You might need to right-click in the pane and select Refresh to see the updated status.
10. Right-click Acrobat Reader in the right-hand pane and select New Shortcut from the menu. Click Next in Step 1; select The Desktop and Programs in the Start Menu in Step 2. Click Next to continue. Leave Command Line Parameters blank in Step 3, and click Finish.
11. Right-click Acrobat Reader again in the right-hand pane and select New Association from the menu. In Step 1, type pdf in the Extension box and click Next. Click Change Icon in the Step 2 dialog box. Browse for Adobe Acrobat Document in the acrobatreader Icons folder, and click OK. Click Finish to complete the wizard.

You should now be able to run the application by clicking the desktop shortcut or double-clicking a PDF file.

Application Virtualization Is the Future
Although application virtualization still isn’t a mainstream technology, the imminent release of App-V 4.5 promises changes that will further simplify deployment of the virtualization components, such as support for Microsoft Update and integration of the MSI Utility into the Sequencer application. The flexibility to install applications without compromising the security and configuration of the underlying OS is a benefit that both security specialists and system administrators will like.

Additional benefits, such as application streaming, lifecycle management, application conflict management, and virtualization of the user profile registry hive, will all lead to a more solid but flexible computing experience. Microsoft will likely include App-V’s SystemGuard technology as an integrated virtualization layer in a future version of Windows (read: Windows 7), which would be a big selling point. In the meantime, App-V is available to Software Assurance customers as part of MDOP.