WEM Application Security - Executable Rules not working


Franco König

Question

Hi all,

Is there something in WEM Application Security that I must know about? When I try to deny PowerShell.exe, it does not work. I have enabled Process Application Security Rules and have defined a Publisher Rule for PowerShell.exe, but I can open the application without problems; it is not blocked. Did I forget something here, or is something special needed on the workers for that?

 

regards

frank


9 answers to this question


WEM will make sure that the Application Identity service is running at startup as part of its enablement of AppLocker.


When you say "publisher rule", can you elaborate? How have you built the rule?

 

There is also a quirk with WEM on server OS where you need to set the rules to merge rather than replace (odd but true...).

https://support.citrix.com/article/CTX233578

 

Finally, one thing I typically do when troubleshooting AppLocker with WEM is to create the equivalent rule in a GPO; if it works, import it into WEM using the import feature.

 

If it still doesn't work, leave it in GPO and log a ticket with Citrix: the more info they have, the more they can improve it.

 

J

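To make the GPO-first workflow above concrete, here is an added PowerShell example (not code from this thread or from Citrix) that builds the publisher rule for powershell.exe locally, flips it to Deny, tests it against the file without applying it, and writes the XML that the WEM import feature takes. The output path, the `$ApplyLocally` switch and the use of `Everyone` as the rule principal are assumptions for illustration.

```powershell
# Added example, not from the thread or from Citrix. Run elevated on a test
# worker. Assumptions: $OutXml and the Everyone principal are arbitrary;
# set $ApplyLocally = $true only on a throwaway machine.
$Target       = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$OutXml       = 'C:\Temp\Deny-PowerShell-Publisher.xml'
$ApplyLocally = $false

# 1. Signer data AppLocker keys a publisher rule on
#    (publisher, product name, binary name, binary version).
$fi = Get-AppLockerFileInformation -Path $Target
$fi.Publisher | Format-List

# 2. New-AppLockerPolicy only emits Allow rules, so flip the action in the
#    generated XML and turn enforcement on for the Exe collection.
$policy = New-AppLockerPolicy -FileInformation $fi -RuleType Publisher -User Everyone -Xml
$policy = $policy -replace 'Action="Allow"', 'Action="Deny"' `
                  -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="Enabled"'
New-Item -ItemType Directory -Path (Split-Path $OutXml) -Force | Out-Null
$policy | Set-Content -Path $OutXml -Encoding UTF8

# 3. Evaluate the file against the policy file without applying anything.
#    Expect PolicyDecision = Denied with the new publisher rule as MatchingRule.
Test-AppLockerPolicy -XmlPolicy $OutXml -Path $Target -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Optional live test on the local machine. -Merge keeps the existing rules;
#    a deny-only policy applied WITHOUT -Merge would leave nothing allowed.
if ($ApplyLocally) {
    Set-AppLockerPolicy -XmlPolicy $OutXml -Merge
}
```

Two things worth checking before importing the XML into WEM: the rule is keyed on the binary name POWERSHELL.EXE and the Microsoft signer, so it also catches the SysWOW64 copy, but it does not cover powershell_ise.exe or pwsh.exe, which have different binary names and need their own rules if the goal is "no PowerShell at all". And because AppLocker evaluates explicit Deny rules before Allow rules, the deny wins over the default "all files in the Windows folder" allow rule, so the default rules can stay in place.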

Hi Alex,

 

Personally I believe that you should never bake any policy settings into a golden image. You can bake in app settings/changes, as long as it's documented. The reason you shouldn't include AppLocker policies in a golden image is that they can prevent proper application install/modification; also, they can be dynamic, meaning that depending on the rule, policies have to be changed anyway once the non-persistent machine boots on the golden image. The only thing around AppLocker I would bake into the golden image is the automatic startup of the Application Identity service.

 

Technically there is of course nothing preventing you from including AppLocker rules in your golden image.

If you have AppLocker rules baked into your golden image today, I would recommend you remove them and see if that resolves the issue you have. Also keep an eye on the Application Identity service; it should always be running.

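The sealing advice above as an added PowerShell example for the master image (not code from this thread or from Citrix): keep the Application Identity service on automatic start, and take out any locally configured AppLocker rules after backing them up. The backup path is an assumption; the script only clears the local AppLocker policy and does not touch rules delivered by domain GPO or by the WEM agent after boot.

```powershell
# Added example, not from the thread or from Citrix. Run elevated on the
# master VM before sealing. Assumptions: $Backup is arbitrary; only the
# local AppLocker policy is cleared (GPO/WEM rules arrive after boot).
$Backup = "C:\Temp\AppLocker-local-backup-$(Get-Date -Format yyyyMMdd).xml"
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

# 1. KEEP: Application Identity service on automatic start.
#    sc.exe rather than Set-Service because on current Windows builds
#    AppIDSvc is a protected service and Set-Service can fail with Access Denied.
sc.exe config AppIDSvc start= auto

# 2. REMOVE: locally configured AppLocker rules. Back them up first so the
#    image can be diffed later if something was depending on them.
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $Backup -Encoding UTF8

# An "empty" policy: every collection NotConfigured and no rules. Applying it
# without -Merge replaces the local policy in full.
$EmptyPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx"   EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
$EmptyPath = Join-Path $env:TEMP 'AppLocker-empty.xml'
$EmptyPolicy | Set-Content -Path $EmptyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $EmptyPath

# 3. VERIFY before sealing: every local collection should read NotConfigured.
(Get-AppLockerPolicy -Local).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode
```

If the image never had local rules, the backup file is just the empty skeleton and the apply step is a no-op; it is still worth keeping in the sealing script so the result is the same regardless of what an administrator tested on the master in between.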

Hi,

 

No, you should never "bake" AppLocker/Application Security rules into a golden image.

 

If the Application Identity Service is running, check the AppLocker event log in the Event Viewer here:

 

Application and Services Logs\Microsoft\Windows\AppLocker

 

In here you should at least see an event 8001 which indicates that the AppLocker/Application Security Rules have applied.

 

Also check that Application Security is enabled in WEM and that Executable Rule Enforcement is set to On; see the attached screenshots.

(Two screenshots of the WEM console, captured 2018-10-18, were attached here.)

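The checks in the answer above (service running, an 8001 event in the AppLocker log, enforcement actually On) scripted as an added PowerShell example to run on a worker where the rule is not biting; this is not code from the thread or from Citrix. It assumes the rules in question are executable rules, so it reads the "EXE and DLL" channel, and it uses powershell.exe from the original question as the file to test.

```powershell
# Added example, not from the thread or from Citrix. Run elevated on the
# worker where the rule is not enforced. Assumption: EXE rules are in play,
# so the "EXE and DLL" channel is the one to read.
$Log    = 'Microsoft-Windows-AppLocker/EXE and DLL'
$Target = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 1. No Application Identity service, no AppLocker enforcement at all.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Is a policy in effect, and is the Exe collection Enabled rather than
#    NotConfigured or AuditOnly? WEM's "Executable Rule Enforcement: On"
#    should show up here as Exe = Enabled.
(Get-AppLockerPolicy -Effective).RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode

# 3. Event IDs in this channel: 8000 policy not applied, 8001 policy applied,
#    8002 allowed, 8003 audit-only (would have been blocked), 8004 blocked.
#    No 8001 since boot means the rules never reached this machine.
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 8000, 8001, 8003, 8004 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Ask the effective policy what it would decide for powershell.exe as the
#    current user. If MatchingRule is one of the default allow rules rather
#    than the deny rule, the deny never arrived on this worker.
$Effective = Join-Path $env:TEMP 'AppLocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $Effective -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $Effective -Path $Target |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Step 4 is the quickest way to separate "the rule is wrong" from "the rule was never delivered": a Denied decision with the expected MatchingRule while the process still launches points at the service or enforcement mode, whereas an Allowed decision with a default rule as the match points at the policy never making it to the worker.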

Hi Kasper,

 

Can you elaborate on why you should not have AppLocker rules left on a gold image? Does this apply to native AppLocker rules as well as WEM-managed AppLocker rules?

 

We are experiencing a slightly different issue. We are using native AppLocker rules in non-persistent VDI, and we are seeing the application of AppLocker rules fail in the middle of sessions, leaving the desktop and most applications unusable. My understanding was that AppLocker rules regenerate after every group policy update, but from what you're saying there may be more going on with regards to how AppLocker rules work, when it comes to cloned published desktops.

 

And would the solution be to just clear out the rules in C:\Windows\System32\AppLocker when sealing a gold image? We are going to experiment with that to see if that suffices, but this was the first I had heard of that potentially being a problem. Unfortunately deep issues with AppLocker such as this one seem to be poorly documented.

 

Thanks!

 

On 10/18/2018 at 1:44 AM, Kasper Johansen1709159522 said: (quoted answer reproduced above)
