App-V 5.0 Security Considerations
This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for App-V 5.0.
App-V 5.0 is not a security product and does not provide any guarantees for a secure environment.
PackageStoreAccessControl (PSAC) feature has been deprecated
Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature that was introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments.
General security considerations
Understand the security risks. The most serious risk to App-V 5.0 is that its functionality could be hijacked by an unauthorized user who could then reconfigure key data on App-V 5.0 clients. The loss of App-V 5.0 functionality for a short period of time due to a denial-of-service attack would not generally have a catastrophic impact.
Physically secure your computers. Security is incomplete without physical security. Anyone with physical access to an App-V 5.0 server could potentially attack the entire client base. Any potential physical attacks must be considered high risk and mitigated appropriately. App-V 5.0 servers should be stored in a physically secure server room with controlled access. Secure these computers when administrators are not physically present by having the operating system lock the computer, or by using a secured screen saver.
Apply the most recent security updates to all computers. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V 5.0, subscribe to the Security Notification service (http://go.microsoft.com/fwlink/p/?LinkId=28819).
Use strong passwords or pass phrases. Always use strong passwords with 15 or more characters for all App-V 5.0 accounts and App-V 5.0 administrator accounts. Never use blank passwords. For more information about password concepts, see the “Account Passwords and Policies” white paper on TechNet (http://go.microsoft.com/fwlink/p/?LinkId=30009).
Accounts and groups in App-V 5.0
A best practice for user account management is to create domain global groups and add user accounts to them. Then, add the domain global groups to the necessary App-V 5.0 local groups on the App-V 5.0 servers.
App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s Users local group. By default, all computers in the domain are part of the Authorized Users group, which is part of the Users local group.
App-V 5.0 server security
No groups are created automatically during App-V 5.0 Setup. You should create the following Active Directory Domain Services global groups to manage App-V 5.0 server operations.
- App-V Management Admin group: Used to manage the App-V 5.0 management server. This group is created during the App-V 5.0 Management Server installation. Note: There is no method to create the group using the management console after you have completed the installation.
- Database read/write for Management Service account: Provides read/write access to the management database. This account should be created during the App-V 5.0 management database installation.
- App-V Management Service install admin account (only required if the management database is being installed separately from the service): Provides public access to the schema-version table in the management database. This account should be created during the App-V 5.0 management database installation.
- App-V Reporting Service install admin account (only required if the reporting database is being installed separately from the service): Provides public access to the schema-version table in the reporting database. This account should be created during the App-V 5.0 reporting database installation.
Consider the following additional information:
- Access to the package shares - If a share exists on the same computer as the management server, the Network service requires read access to the share. In addition, each App-V client computer must have read access to the package share. Note: In previous versions of App-V, the package share was referred to as the content share.
- Registering publishing servers with the management server - A publishing server must be registered with the management server. For example, it must be added to the database, so that the publishing server machine accounts are able to call into the management service API.
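The package-share access requirement above, as an added PowerShell example that is not part of the original documentation: it reviews share-level permission entries for the required readers and flags any entry that grants more than Read. The share name AppVPackages, the CONTOSO domain and the AppV-Admins group are assumed names, and treating anything above Read as a finding for principals outside the approved writer list is this example's assumption.

```powershell
# Added example, not from the App-V documentation.
# Assumed names: share 'AppVPackages', domain 'CONTOSO', group 'AppV-Admins'.
function Test-PackageShareAccess {
    param(
        # Entries with AccountName, AccessControlType and AccessRight properties
        [Parameter(Mandatory)] [object[]] $Ace,
        # Principals that must be able to read the package share
        [Parameter(Mandatory)] [string[]] $Reader,
        # Principals allowed more than Read (assumption: package publishers)
        [string[]] $Writer = @('BUILTIN\Administrators')
    )
    $allow = @($Ace | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
    $deny  = @($Ace | Where-Object { "$($_.AccessControlType)" -eq 'Deny' })

    # 1. Every required reader needs an Allow entry and no Deny entry.
    foreach ($r in $Reader) {
        if ($deny.AccountName -contains $r) {
            [pscustomobject]@{ Account = $r; Finding = 'Deny entry blocks required read access' }
        } elseif ($allow.AccountName -notcontains $r) {
            [pscustomobject]@{ Account = $r; Finding = 'No explicit Allow entry (check group membership)' }
        }
    }

    # 2. Anything above Read should be limited to the approved writers.
    foreach ($a in $allow) {
        if ("$($a.AccessRight)" -ne 'Read' -and $Writer -notcontains $a.AccountName) {
            [pscustomobject]@{ Account = $a.AccountName; Finding = "Has $($a.AccessRight); only Read is needed" }
        }
    }
}

# Constructed sample entries, shaped like Get-SmbShareAccess output.
$sample = @(
    [pscustomobject]@{ AccountName = 'NT AUTHORITY\NETWORK SERVICE'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ AccountName = 'Everyone';                     AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ AccountName = 'CONTOSO\AppV-Admins';          AccessControlType = 'Allow'; AccessRight = 'Change' }
)
$readers = 'NT AUTHORITY\NETWORK SERVICE', 'CONTOSO\Domain Computers'
Test-PackageShareAccess -Ace $sample -Reader $readers -Writer 'CONTOSO\AppV-Admins'

# On the file server, pass the live share permissions instead:
# Test-PackageShareAccess -Ace (Get-SmbShareAccess -Name 'AppVPackages') `
#     -Reader $readers -Writer 'CONTOSO\AppV-Admins'
```

Share permissions are only half of the effective access; the NTFS ACL on the shared folder (Get-Acl) needs the same review.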
App-V 5.0 package security
The following will help you plan how to ensure that virtualized packages are secure.
- If an application installer applies an access control list (ACL) to a file or directory, then that ACL is not persisted in the package. When the package is deployed, if the file or directory is modified by a user it will either inherit the ACL in the %userprofile% or inherit the ACL of the target computer’s directory. The former case occurs if the file or directory does not exist in a virtual file system location; the latter case occurs if the file or directory exists in a virtual file system location, for example %windir%.
App-V 5.0 log files
During App-V 5.0 Setup, setup log files are created in the %temp% folder of the installing user.