Application security redux: It’s All about the Apps (Part 6)

by [Published on 6 July 2016 / Last Updated on 6 July 2016]

In this article we’ll wrap up the discussion on restricting what users can do with allowed applications as we touch on a new feature that has been added in Windows 10: the ability to control apps in Windows 10 mobile devices via the CSP.

If you would like to read the other parts in this article series please go to:

Introduction

In this article series, we got started in Part 1 with a broad overview of application security, the different types of application security issues and coding defects, and the types of app vulnerabilities. In Part 2, we looked at how to protect applications from tampering or unauthorized access and took a closer look at the special case of mobile applications. In Part 3, we discussed how you can block undesirable applications and restrict what users are able to do with the apps that you do allow them to use.

In Part 4, we started to explore Microsoft’s AppLocker, and in Part 5, we delved into the use of PowerShell to configure and manage AppLocker.

This time, in Part 6, we’re going to wrap up our next-to-last topic, restricting what users can and can’t do with allowed applications, with an overview of the new ability to control apps on Windows 10 Mobile devices, in particular via the AppLocker Configuration Service Provider (CSP) that was added in Windows 10 and can be driven from an MDM service such as Microsoft Intune. Then next time, we’ll move to the last bullet point in our list and address encryption and protection of the data that is created, gathered or stored by applications.

Controlling mobile apps

In today’s mobile world, it’s not only – or even mostly – desktop and laptop applications that IT pros have to be concerned about. Mobile apps running on a variety of platforms, including Windows, Apple iOS, Android and more, are being used by employees in a Bring-Your-Own-Device environment to access their company networks. This can present a real security risk when those mobile apps aren’t under your control.

That’s why Mobile Device Management (MDM) solutions are such an important element of enterprise security now. With MDM, you can control configuration settings and enforce company policies on smart phones and tablets. Many MDM solutions can support devices running on all the major mobile operating systems. Mobile Application Management (MAM) is a subcategory of MDM and allows you to whitelist or blacklist specific applications.

Microsoft MDM and MAM solutions

Microsoft has positioned Intune as its cloud-based mobile device management service. While Intune offers a number of features including email and document protection, what we’re interested in here is the ability to manage and control Office mobile apps. The company has obviously recognized the importance of application-layer protection in a multi-platform mobile business environment and is working to address that need.

Intune advantages

Sometimes you don’t want to completely block the use of an app or completely prevent a user from accessing the data created with it; you just want to control exactly what users can do with those files, and in particular you want to prevent them from sharing the data with unauthorized persons. With Intune, you can use Microsoft’s rights management technology to restrict the use of data that’s accessed with those apps, so that users can be prevented from copying, pasting, forwarding, or modifying email messages and Office documents. Many enterprise users are familiar with Rights Management Services (RMS) on their desktop and laptop applications. The nice thing about Intune is that it extends this control capability to some other line-of-business applications.

Then there are those times when you do want to completely block a particular app, either because it presents a security threat or because it’s a time-waster that reduces productivity (or both). Intune has you covered there, too. You can also configure it to deny specified applications that you don’t want your users to use, and you can prevent their use of specific web-based apps by blocking the applicable URL addresses from being accessed on a mobile device. On the other hand, if you have specific applications that you do want users to use, you can push those apps to their devices rather than relying on them to initiate the installation process.

And you can go a step further. Intune not only lets you prevent specific apps from being installed; it also lets you selectively wipe managed apps and their related data when a device is lost or stolen, when the user leaves the organization, or for any other reason you want to remove the app from users’ devices.

The bad news is that not all apps can be managed with Intune. The good news is that Intune app management is not limited to just Microsoft mobile apps. The Intune App Wrapping Tool is available for both iOS and Android apps. This is the means by which your in-house devs can wrap your custom line-of-business applications so that you can manage them with MAM policies, which greatly simplifies management of those apps.

There are some prerequisites for using the tool and creating managed applications; for iOS apps you’ll need an Apple Developer account and a distribution certificate, and the device will need to be running the 7.01 or later version of iOS. Wrapped apps for Android require version 4.0 or later and the app has to be an Android application package (.apk file extension) that’s not encrypted. Note that the wrapping tool only works on your custom apps that your in-house devs created or that were created for your organization – in other words, you can’t use it to wrap and manage Play Store apps.

Intune is part of Microsoft’s Enterprise Mobility Suite, its cloud-based collection of mobile management services, which also includes Azure Rights Management and Azure Active Directory Premium for enterprise-level security and control of mobile assets.

AppLocker CSP for Windows 10 Mobile

Whereas Intune has broader applicability to manage Apple and Android devices as well as those based on Microsoft operating systems, if your devices are running Windows 10 Mobile, you have a new option for blocking those pesky unwanted apps. AppLocker and the AppLocker Configuration Service Provider (CSP) specify which applications are allowed or blocked.

For example, there are many apps in the Windows Store that you might not want your users to install on the devices they’ll be using on your network and to access your resources. You can block access to the Store on Windows 10 Mobile devices with AppLocker.

You do this by creating a rule that will block the packaged apps that you want to block, by name. In case you’re not familiar with the term, packaged apps are the same thing as Windows Universal apps, which are built on the UWP (Universal Windows Platform) that can run on both the Windows 10 desktop/laptop client operating system and on Windows 10 Mobile, the version that runs on Windows smart phones and “phablets” (tablet-sized phones). This is part of the “One Windows” initiative carried forth by Satya Nadella soon after he assumed the position of CEO.

The advantage, for our purposes, is that you can block the whole app with just one AppLocker rule. With non-packaged (traditional) applications, each file in the app can have a unique identity so you would need to have multiple rules to deal with them.

You use publisher rules to block packaged apps, for which you need to provide the publisher name, package name and package version. You might be wondering about unsigned apps and how AppLocker would identify them. It’s actually not an issue, because Windows doesn’t support unsigned packaged apps; every packaged app you run will in fact be signed by its publisher.

Note that the rule will be applied to installation of the packaged app as well as executing it, because the package installer file shares the same publisher information as the executable program file for the app. You can create exceptions as with other AppLocker rules, and you can apply the rules to specified users and/or groups.

Creating an AppLocker rule for a packaged app is done using the Group Policy Management Console (GPMC) or the local security policy snap-in if you want to apply AppLocker rules only on the local machine. As with other AppLocker rules (as we discussed in the previous installment in this series), when you create the new rule, you specify whether to allow or deny the app and which user(s) and/or group(s) it will apply to.

The AppLocker rule creation wizard provides you with the options to create rules that refer to either an already installed packaged app or you can reference a packaged app installer as the basis for your rule. In the former case, you control which users or groups can run the app, and in the latter case you control which users or groups can install the app. You can also exclude particular files from the rule’s effects by using the Exceptions option in the wizard. For the step-by-step instructions on how to create an AppLocker rule for packaged apps, see this TechNet article.
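The following PowerShell script is an added example, not code from the article or from Microsoft. It does in script form what the wizard does for a packaged app: it reads the publisher name, package name and version from an installed package, builds an Appx rule collection that denies that package for Everyone, and writes the XML that an MDM service pushes to the AppLocker CSP node `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/StoreApps/Policy` (the `<Grouping>` segment is any name you choose). The package name `Microsoft.WindowsStore` is only a sample default; the `$PackageName` parameter and the output paths are this example's own. The one caveat the wizard warns about and the script encodes: once an enforced Appx collection contains any rule, only packaged apps matched by an Allow rule will run, so the deny rule is paired with the standard "allow all signed packaged apps" rule.

```powershell
# Added example: build an AppLocker Appx rule collection that denies one packaged app
# (matched on publisher name, package name and version) and allows every other signed
# packaged app. Run in an elevated PowerShell session on a Windows 10 machine that has
# the package installed. The "Microsoft.WindowsStore" default is a sample value.
param(
    [string]$PackageName = 'Microsoft.WindowsStore',          # package to block (sample)
    [string]$Grouping    = 'CorpStorePolicy',                 # CSP grouping name (assumed)
    [string]$OutDir      = $PWD.Path
)

# Read the publisher triple from the installed package so the rule matches exactly
# what the wizard would show. Get-AppLockerFileInformation -Package returns the
# publisher name, product (package) name and version AppLocker uses for Appx rules.
$pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
if (-not $pkg) { throw "Package '$PackageName' is not installed on this machine." }

$info      = Get-AppLockerFileInformation -Package $pkg
$publisher = [System.Security.SecurityElement]::Escape($info.Publisher.PublisherName)
$product   = [System.Security.SecurityElement]::Escape($info.Publisher.ProductName)
$version   = $info.Publisher.BinaryVersion

# Deny rule. LowSection/HighSection "*" covers every version, so the rule blocks both
# running the app and installing any build of it (the installer carries the same
# publisher identity). Narrow the range to block only specific versions.
$denyRule = @"
  <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $product (installed $version)"
      Description="Blocks the packaged app and its installer" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
"@

# Allow-all rule for signed packaged apps (the same shape as AppLocker's default Appx rule).
# Without it, an enforced collection that contains only the deny rule blocks every packaged app.
$allowRule = @"
  <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow all signed packaged apps"
      Description="Default allow rule for the Appx collection" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
"@

# The rule collection alone is the value for the CSP StoreApps/Policy node.
$collection = "<RuleCollection Type=`"Appx`" EnforcementMode=`"Enabled`">`n$allowRule`n$denyRule`n</RuleCollection>"

# Sanity check: the XML must parse and contain exactly one Deny and one Allow rule.
[xml]$doc  = $collection
$rules     = @($doc.RuleCollection.FilePublisherRule)
$denies    = @($rules | Where-Object Action -eq 'Deny').Count
$allows    = @($rules | Where-Object Action -eq 'Allow').Count
if ($denies -ne 1 -or $allows -ne 1) { throw "Unexpected rule count: $allows allow, $denies deny." }

# Output 1: the CSP payload plus the OMA-URI it belongs to, for an MDM custom policy.
$cspPath = Join-Path $OutDir 'StoreApps-Policy.csp.xml'
$collection | Set-Content -Path $cspPath -Encoding UTF8
Write-Host "OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/StoreApps/Policy"
Write-Host "Value  : contents of $cspPath"

# Output 2: the same collection wrapped as a full AppLocker policy for desktop use,
# which Set-AppLockerPolicy -XmlPolicy <file> -Merge can apply to the local machine.
$policyPath = Join-Path $OutDir 'StoreApps-Policy.desktop.xml'
"<AppLockerPolicy Version=`"1`">`n$collection`n</AppLockerPolicy>" | Set-Content -Path $policyPath -Encoding UTF8
Write-Host "Desktop policy written to $policyPath"
```

Run it once with the default parameters to see the publisher string and the two files it produces, then review the generated XML before deploying it. On the desktop, `Set-AppLockerPolicy -XmlPolicy .\StoreApps-Policy.desktop.xml -Merge` adds the rules to the existing local policy rather than replacing it; on Windows 10 Mobile the `StoreApps-Policy.csp.xml` contents go into the OMA-URI printed above through your MDM service. Keep the rule collection in `AuditOnly` mode first if you want event-log evidence of what would be blocked before switching to `Enabled`.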

Summary

In this sixth installment of our series on application security for a new business model, we covered the ability to use Microsoft’s Intune service to manage and block mobile apps and how you can control or block the usage of packaged Windows Universal apps in Windows 10 and Windows 10 Mobile with AppLocker. This wraps up the topic of controlling what users can do with apps. Next time, in Part 7, we’ll move on to the subject of encryption and protection of the data that’s generated by applications on the desktop and via mobile devices.

The Author — Deb Shinder


Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.