VMTN
Blogs
Twitter
Facebook
YoutubeHow to Package a NON-Executable File Such as a Document or Spreadsheet
Recently on the ThinApp Communities portal, VMware Community member "CookieMe" asked a question which sparked my interest. ThinApp has the ability to package an app and assign Active Directory Security Groups to the package in order to limit who can use them. Essentially, CookieMe was asking, "Can I prevent Users A from attaching a file from the 'Bookkeeping' share to an email and sending it to someone?" To put this in other words, can ThinApp be used to restrict a document, spreadsheet, presentation, or other non-executable file from also 'walking off' a company's network? Absolutely!
Some Things to Note:
- First and foremost ThinApp is an Application Virtualization solution ONLY and NOT a security product, even though it can be used to enhance other security solutions within a network environment.
- This will NOT prevent someone from copying the ThinApp package off the network or zipping and emailing it off the network. It will only lock the ThinApp package to the security group(s) defined, and when a ThinApp package cannot authenticate to it's respective group, the package cannot be opened.
The above dully noted, in this procedure, we show how to make a ThinApp Package which contains a non-executable file.
Creating an Non-Executable Package:
- Create an Empty ThinApp Project.
- In ThinApp, do a prescan.
NOTE: In Advanced Scan Settings, uncheck all but one option such as HKCU or HKLM. - Immediately do a postscan without changing or installing anything.
- Go ahead and select CMD.EXE as your Entry Point.
- Use WRITECOPY as the Default File System Isolation setting.
- Save the project (don't build).
- Edit the project and create a folder called %DRIVE_C% in the project as well as any sub-folders (i.e. I will be using a "Docs" folder).
- Create an ##ATTRIBUTES.INI file in the %DRIVE_C% folder and set the folder isolation level to FULL.
NOTE: I typically copy an existing one from the %SystemRoot% folder and modify as necessary. - You may wish to modify the ##ATTRIBUTES.INI files in the %DESKTOP% and %PERSONAL% folders as well in order to prevent users from saving the document out to their Desktop or My Documents folders - thus circumventing your work here.
- You may also wish to make the same modification to the SPOOL folder as well. However, it should be noted doing so will break the app's ability to print this document/spreadsheet/presentation/etc.!!
NOTE: If you wish to disable printing, using a Build Option of DisablePrinting=1 will do the trick!
On a side note, for additional lockdowns, use DisableCutPaste=1 to disable copy/paste functionality outside the virtual bubble. This comes with a DisableCutPastMsg=(message) as well so you can replace whatever is copied with your message! - Place non-executable files such as documents, spreadsheets, and presentations in the "Docs" folder (or whatever you have named the folder).
- Edit the PACKAGE.INI file
- Ensure DirectoryIsolationMode is set to WriteCopy.
[Isolation]
DirectoryIsolationMode=WriteCopy - Modify the CMD.EXE Entry point to look similar to the following.
NOTE: This will be different for your document which is the data container vs. any other additional documents which are just regular entry points. - Save the PACKAGE.INI modifications.
- Build the ThinApp Project by running BUILD.BAT and TEST to ensure it works as it should.
- Once you've tested the app successfully on multiple systems, edit the PACKAGE.INI file again and enable the PermittedGroups value and add the Security Groups to the PermittedGroups={security groups) value.
NOTE: You can add Local Security Groups and/or Domain Security Groups. You can either type in the names of the groups separated by a semicolon or add the group's SID values separated by a semicolon. See the ThinApp Online Documentation for additional assistance on the PermittedGroups Build Option.
For Data Container
[My Document Test.exe]
Source=%Drive_C%\Docs\My Document.doc
ReadOnlyData=bin\Package.ro.tvr
WorkingDirectory=%Drive_C%\Docs
For Regular Entry Points
[My Document Test.exe]
Source=%Drive_C%\Docs\My Document.doc
Shortcut=(Primary Data Container Name Here.DAT)
WorkingDirectory=%Drive_C%\Docs
NOTE: WorkingDirectory may not be needed for these depending upon your apps.
Recommendation: You can also use Bob Carter's ThinApp File System Isolation Viewer 1.8. Below is a screenshot of the above project through the ThinApp File System Isolation Viewer.
Green folders are set to FULL Isolation, Yellow folders are set to WRITECOPY Isolation, and Red folders are set to MERGED Isolation.
You should now have a BIN folder with a ThinApp package containing your document which only opens the non-executable file for users of the permitted security groups!
One last thing to note here...the above procedure will only work through native Windows shell associations so in my example above, I will need an application natively registered which can open a DOC file (I say "registered" as, in my example, it could either be a natively installed DOC reader or a ThinApp'ed DOC reader registered to the user or system via THINREG.EXE or a ThinApp MSI). Technically you could also use AppLink to link this parent app to a child app containing a DOC reader as well. Either way, the DOC reader application will be launched through the above ThinApp package and open the packaged document.
Updated article to modify end note.
Posted by: Dean Flaming | February 04, 2010 at 12:30 PM
Hi, looks nice, but saving the doc file again goes to the sandbox which is readable by the user in %appdata%. Just Browse and copy over the file from the VFS to the Desktop. So an encrypted sandbox is needed here - or ?
Posted by: DrG | December 29, 2010 at 02:47 PM
@DrG - This is true, and here I remind everyone ThinApp is an Application Virtualization product, not a security product.
Additionally, other ThinApp features can come into play here such as wiping the sandbox on exit or only allowing the ThinApp package to run from authorized systems as they may help in achieving the desired results.
While this article was more to show some possibilities around ThinApp, don't forget there may be other ways outside of ThinApp which may better accomplish the desired results. In this scenario, such as locking the file to read-only for all users and not allowing email attachments or using other tools such as Adobe Pro to create a secure PDF (password, print, copy/paste protected document) may be a more suitable solution.
The point here is, using ThinApp in conjunction with other solutions may help in obtaining the desired results in very unique situations and this is very much an example of the many ways in which it might be used.
Posted by: Dean Flaming | December 30, 2010 at 09:18 AM