It is theoretically possible to prevent applications from running by using group policies to control which applications are allowed to run. In practice, it's very difficult to establish and properly maintain.
Warning: Some people believe that providing access only to a single application (through published applications with Presentation Server, or by specifying a single application to run with RDP) provides some measure of security. Sadly, it does not. Even if you've set up the terminal server not to display a desktop but only display a single application, shutting down the connection when that application is closed, you must still secure the server. Any reasonably astute user will quickly learn that Ctrl-Alt-Esc will launch Windows Security in their session, and, ironically enough, Windows Security is a huge back door to the system because it leads directly to the Task Manager and thus to Run.
First, the group policies controlling application execution for Windows 2000 Server are many and scattered all over the place. You can't just enable User Configuration/Administrative Templates/System/Run Only Allowed Windows Applications (or, in the same location, Don't Run Specified Windows Applications). That setting leaves the machine wide open to any application not launched from Explorer. To lock down a terminal server using group policies, you must enable and configure 32 user and computer settings. It is possible to do. It is also time-consuming and easy to skip a step while doing it. And, of course, using these policies requires that you use Active Directory if you want to easily apply these settings across the domain.
Second, these group policies do not prevent a user from launching an application through other means, such as emailing an application to themselves or using the Web toolbar in Word to connect to network shares, even those on restricted drives. For example, Microsoft recommends restricting user drive access to drives A-D. When enabled, this policy will indeed keep users out of these drives. However, if there are any shared folders on these restricted drives, the user will be able to see, connect to, and open files on them. And I circumvented my inability to install applications by emailing myself the executable and running it. You could disallow all but a few applications, but that requires knowing ahead of time exactly which applications users can and can't use, and making sure that they don't change the name of a disallowed application to a permitted one.
Third, these policies are available mainly for user configuration, not server configuration. In other words, it's not possible to configure software security based on the computer used to launch the terminal session. That is, if you'd like one application set available within a private office and another application set for terminals located in a hallway open to the public, group policies offer no way of making that happen.
What about the Software Restriction Policies available in Win2K3 Server and Windows XP? At first, SRPs appear to be identical to Simplify Lockdown: they prevent applications from running if those applications are on a restricted list (or, alternatively, not on the allowed list). By creating rules for users and computers you can prevent unwanted applications from executing – even viruses. So long as an application's location does not change (for path rules) or its hash signature does not change (for hash rules) it will be prevented from launching from any part of Windows or a Windows application.
You can identify applications by their path, hash (which identifies the application by a combination of relevant information, such as creation date and application name), associated certificate or the Internet Zone from which they'd be launched. Like Simplify Lockdown, SRPs check an application against an internal database of acceptable applications. Because they work independently of any launching tools, SRPs are more effective at restricting applications than the group policies described above. If a user tries to launch a prohibited application, then they'll see a dialog box like the one below.
However, although SRPs are an improvement over previous versions of group policies, they still have their failings. Like other group policies, they apply only to either the terminal servers themselves or the people logging into them; you can't restrict applications within a terminal session based on what terminal someone's using to connect to the server. SRPs also do not remove disallowed icons from a user's desktop; they just display an error message like the one shown below if a user tries to run a disallowed application. This means that disallowed applications are a Help Desk call waiting to happen. For that matter, it's pretty easy to completely lock yourself out of a terminal server using SRPs, if you disallow all applications and force the SRPs to apply to administrators. (If you do and aren't in a Win2K3 domain that would allow you to override the settings from the domain level, boot into Safe Mode, remove the too-restrictive setting, reboot twice, and you're back.)
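The rules an SRP stores, and the lockout situation the paragraph above warns about, can be audited from the registry before the policy is enforced. The following PowerShell script is an added example, not code from this article or from triCerat. The layout of the Safer registry keys it reads (CodeIdentifiers with numeric level subkeys, Paths and Hashes rule subkeys carrying ItemData, FriendlyName and Description, and the DefaultLevel and PolicyScope values) is my assumption about how Windows stores SRP rules and should be checked against your own server.

```powershell
# Added example, not code from the article or from triCerat: audit the Software
# Restriction Policies on the local machine and warn about the configuration
# that locks administrators out (Disallowed default level applied to everyone
# with nothing left Unrestricted). The Safer registry layout used here is an
# assumption about how Windows stores SRP; verify it on your own build.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels appear as numeric subkey names under CodeIdentifiers (assumed).
$LevelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpRules {
    # Returns one object per path or hash rule, tagged with its security level.
    foreach ($level in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        $levelName = $LevelNames[$level.PSChildName]
        if (-not $levelName) { continue }
        $levelPath = "$SaferRoot\$($level.PSChildName)"

        # Path rules: ItemData holds the path or registry-path expression.
        foreach ($rule in Get-ChildItem -Path "$levelPath\Paths" -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{ Level = $levelName; Kind = 'Path'; Item = $p.ItemData; Description = $p.Description }
        }
        # Hash rules: ItemData holds the stored hash bytes; FriendlyName is the file the rule was made from.
        foreach ($rule in Get-ChildItem -Path "$levelPath\Hashes" -ErrorAction SilentlyContinue) {
            $h = Get-ItemProperty -Path $rule.PSPath
            $hex = ($h.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{ Level = $levelName; Kind = 'Hash'; Item = "$($h.FriendlyName) [$hex]"; Description = $h.Description }
        }
    }
}

function Get-SrpLockoutWarnings {
    # Turns the article's caveat into a check: Disallowed by default, applied to
    # administrators as well, and no Unrestricted path rule covering the Windows
    # directory is the combination that leaves you repairing in Safe Mode.
    if (-not (Test-Path $SaferRoot)) { return @('No Software Restriction Policy is defined on this machine.') }
    $root = Get-ItemProperty -Path $SaferRoot
    $rules = @(Get-SrpRules)
    $warnings = @()

    $appliesToAdmins = ($root.PolicyScope -ne 1)   # assumed: 1 = all users except local administrators
    if ($root.DefaultLevel -eq 0) {
        $systemRootAllowed = $rules | Where-Object {
            $_.Level -eq 'Unrestricted' -and $_.Kind -eq 'Path' -and $_.Item -match 'SystemRoot|\\Windows'
        }
        if (-not $systemRootAllowed) {
            $warnings += 'Default level is Disallowed and no Unrestricted path rule covers the Windows directory.'
        }
        if ($appliesToAdmins) {
            $warnings += 'Policy applies to local administrators; a mistake here cannot be fixed from a normal logon.'
        }
    }
    # A path rule controls a location, not a file: a copy placed elsewhere escapes
    # it. Flag Disallowed path rules that name a single executable so the admin
    # can decide whether a hash rule is the better fit.
    foreach ($r in $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Kind -eq 'Path' -and $_.Item -match '\.exe$' }) {
        $warnings += "Path rule '$($r.Item)' blocks one file by location only; consider a hash rule for it."
    }
    return $warnings
}

# Usage: list the rules, then print any warnings.
Get-SrpRules | Format-Table -AutoSize
Get-SrpLockoutWarnings | ForEach-Object { Write-Warning $_ }
```

Run it in an elevated session on the terminal server after building the policy but before logging off; if it warns about the administrator scope or the missing Windows-directory rule, fix the policy now rather than from Safe Mode.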
If you have ever talked about managing servers to John Byrne, CEO of triCerat, you have undoubtedly heard him talk about "tools talking to tools". This idea flows from the concept that no one developer can ever know what you (or your customer) really needs. So, by building tools that are open and extensible, you allow others to build upon them with new tools.
Simplify Resources, a key component of the Simplify Suite (providing system monitoring, resource management, and lockdown protection), provides an open interface that can be accessed through WMI (Windows Management Instrumentation). VARs and enterprises can use this interface to extend the functionality of the suite. One example of using this WMI information is visible within the suite itself: the system monitor obtains all of its information via WMI. One really neat way you could use this information is to create a web-based version of the monitor, allowing the appropriate individuals to remotely view detailed system status information using only a browser. Another use is to feed information from Resources into another monitoring or recording tool.
What is available from the Simplify Resources WMI interface, you ask? The interface provides 4 classes of "read-only" information: System, Session, Application, and Managed Application.
The System class provides server-level information important to understanding how the server is running. Some of it is identical to what you could obtain from the Microsoft WMI interface, but it is included so that you only need to pull from one place. The real value of the class, however, is in the Resources-specific elements. For example, you not only get a CPU usage counter, you can also see CPU use broken down by how well behaved the applications consuming that CPU are.
The Session class provides resource usage information on a per session basis. While the Microsoft or Citrix WMI interface provides a list of users and some performance counters, they do not provide information on all key system performance counters on a per session basis. This class brings all resource performance counters available on that level.
The Applications and Managed Applications classes provide full resource usage counters on a per-application basis. The Managed Applications class is nothing more than a filtered subset of the Applications list, showing only the applications that are interesting because they are the ones that are not "well behaved".
As WMI works remotely, pulling this information from multiple servers from the farm allows you to view server usage at the farm, server, session, and application level.
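The farm-wide view the paragraph above describes is a fan-out over remote WMI: query the four classes on each server, then aggregate. The PowerShell script below is an added example, not code from this article or from triCerat. The article does not give the WMI namespace or class names, so they are placeholder parameters that you substitute from the Simplify Resources documentation; the server names are a constructed sample farm.

```powershell
# Added example, not code from the article or from triCerat: pull the four
# read-only Simplify Resources WMI classes from every server in a farm and roll
# them up to farm level. The namespace and class names below are placeholders
# (the article does not give them); substitute the ones documented for your build.
param(
    [string[]]  $Servers   = @('TS01', 'TS02'),            # constructed sample farm
    [string]    $Namespace = 'root\PLACEHOLDER_NAMESPACE',  # placeholder
    [hashtable] $Classes   = @{                             # placeholder class names
        System             = 'PLACEHOLDER_System'
        Session            = 'PLACEHOLDER_Session'
        Application        = 'PLACEHOLDER_Application'
        ManagedApplication = 'PLACEHOLDER_ManagedApplication'
    }
)

function Get-FarmResourceSnapshot {
    # One row per server: counts at the session and application level, plus the
    # raw System instance so callers can pick whichever counters they need.
    foreach ($server in $Servers) {
        try {
            $system   = Get-WmiObject -ComputerName $server -Namespace $Namespace -Class $Classes.System -ErrorAction Stop
            $sessions = @(Get-WmiObject -ComputerName $server -Namespace $Namespace -Class $Classes.Session -ErrorAction Stop)
            $apps     = @(Get-WmiObject -ComputerName $server -Namespace $Namespace -Class $Classes.Application -ErrorAction Stop)
            $managed  = @(Get-WmiObject -ComputerName $server -Namespace $Namespace -Class $Classes.ManagedApplication -ErrorAction Stop)
            [pscustomobject]@{
                Server              = $server
                Sessions            = $sessions.Count
                Applications        = $apps.Count
                ManagedApplications = $managed.Count   # the "not well behaved" subset
                System              = $system
                Error               = $null
            }
        } catch {
            # A server that is down or refusing remote WMI still gets a row, so the
            # farm view shows the gap instead of silently shrinking.
            [pscustomobject]@{
                Server = $server; Sessions = $null; Applications = $null
                ManagedApplications = $null; System = $null; Error = $_.Exception.Message
            }
        }
    }
}

$snapshot = Get-FarmResourceSnapshot

# Server level: one line per server, errors shown inline.
$snapshot | Format-Table Server, Sessions, Applications, ManagedApplications, Error -AutoSize

# Farm level: totals across the servers that answered.
$snapshot | Where-Object { -not $_.Error } |
    Measure-Object -Property Sessions, Applications, ManagedApplications -Sum |
    Select-Object Property, Sum
```

Remote WMI over DCOM needs the account running the script to be an administrator on each server and the WMI ports open on the server firewall; a server that fails either check shows up in the Error column rather than disappearing from the totals.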
At briForum 2005, I showed examples of how easily you can use a scripting language or Visual Basic to access this WMI information. I coded examples showing performance both in a stand-alone GUI and via a web interface. Code snippets from that session are available if you would like to see some examples of how to implement a tool that interfaces to the Resources WMI interface.
Many businesses are using, or evaluating, virtual Operating Systems in their server centers. Whether used for server consolidation, redundancy, or flexibility, the benefits are too great to ignore. And yet little is known about the performance aspects of these virtual environments; even less is known about proper tuning for user experience.
The majority of consolidation projects today are focusing on replacing a number of existing underutilized systems with a more modern server using virtualization. The "conventional wisdom" in the field is to keep the number of virtual machines per server low and incorporate only servers that have low resource utilization.
This paper looks at the two leading "virtual machine" architectures, from Microsoft and VMware. In the paper, tests are described and results published that provide insight into how these systems perform under scale.
Experience in the related field of Terminal Servers provides guidance on steps that will allow an enterprise to use more resource-intensive virtual machines in their deployments. Test results included in this paper make use of triCerat Simplify Resources, which should be considered in virtual environments to provide virtual server performance that can nearly rival that of 'real' server hardware.
Simplify Suite continues to evolve. The next major release, scheduled for the first half of 2006, will include many new features and functionality. triCerat will also be offering a 64 bit version of the Suite for those customers using Windows Server x64 Edition.
Some of the new features include filtering and searching of Owners and Objects, import and export of objects, the ability to group objects together, and previewing triShell™ desktops without having to log in. The Simplify Monitor window will get an updated look and feel. The Simplify Console will include the ability to delegate permissions, so that not all users of the Simplify Console will be able to access all functions. In addition, the Simplify Database framework will be updated to include failover options.
One of the major functions of the new Simplify Suite will be the ability to manage Citrix ICA Published Applications. There will be a new technology called Dynamic Session Routing, which will allow you to route user sessions to different servers in your farm based on a current load value for the server (generated and monitored through our Simplify Resources technology). Last, but not least, version 4.5 of the Simplify Suite will include the latest ScrewDrivers® v4 technology from triCerat.
Customers who have purchased the Simplify Suite with triCare will enjoy a free upgrade to the new release. triCare is one of the ways that we show our commitment to you, the customer, so please don't hesitate to provide us with feedback that will help us continue our software evolution. We make your job easier.
New documentation covering Simplify Suite v4, ScrewDrivers v3 and Simplify Resources is available on the Support page. Here you'll find online help for technical questions, available in multiple formats. These are updated on a regular basis, so be sure to keep this link as a reference.
The Definitive Guide To Windows Server 2003 Terminal Services Updated Edition Chapter 3: Load Balancing and Session Directory
This chapter will cover the basics of terminal server hardware configuration and the native Microsoft Network Load Balancing (NLB) service. It will introduce you to a new feature of WS2K3: Session Directory. In addition, it will explore terminal server sizing and a new concept in terminal server design: using virtual machines to host terminal services.
Login using your eBook credentials and select The Definitive Guide to Windows Server 2003 Terminal Services – Updated Edition to access chapter 3 today!
Upcoming Chapter! Chapter 4 will cover the techniques and tools used to administer and manage Terminal Servers and the user sessions on them. From common tasks of configuring user profiles to advanced techniques for managing servers within a load-balanced cluster, this chapter is sure to provide a number of useful tips for Terminal Services administration.
Use Simplify Suite to Save and Restore Microsoft Outlook settings
This procedure is especially helpful when making use of Mandatory profiles, but will also work with Local profiles as well.
All steps are done under the Registry tab on the right side of the Simplify Console®. The "Object Names" are only suggestions and can be changed if desired.
Section A is needed so that general Outlook settings such as window arrangement, menu options, and toolbar customization can be saved/restored. Section B is needed so that more specific information like a user's identification, initials, and mail server settings can be saved/restored. Section C is needed for items that are not stored in the registry such as signature files. Section C will require the use or creation of a central share.
A) Create a new registry object named "MS Office S/R".
1. Set the operation to Save/Restore (this is the default setting).
2. Set the Registry Hive to HKEY_CURRENT_USER.
3. Set the Registry Key to Software\Microsoft\Office
4. Make sure the Scope is Entire key and all subkeys.
5. Apply the changes.
B) Create a new registry object named "Outlook Settings S/R".
1. Set the operation to Save/Restore (this is the default setting).
2. Set the Registry Hive to HKEY_CURRENT_USER.
3. Set the Registry Key to Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
4. Make sure the Scope is Entire key and all subkeys.
5. Apply the changes.
C) Create a new registry object named "Outlook Redirects".
1. Set the operation to Set Value.
2. Set the Registry Hive to HKEY_CURRENT_USER.
3. Set the Registry Key to Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
4. Set the Scope to 'Only the following values'. Add these three values by right-clicking in the white area and selecting New -> Expandable String Value (Expandable provides the ability to use Environment Variables):
   a. Name: AppData - Data: \\Server\Share\%Username%\AppData
   b. Name: Local AppData - Data: \\Server\Share\%Username%\Local AppData
   c. Name: Local Settings - Data: \\Server\Share\%Username%\Local Settings
5. Apply the changes.
After the three objects have been added, assign all three to each user, group, or other level of the Active Directory where you want them to apply.
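To see exactly what the three objects write, here is the same procedure done with native Windows tools: sections A and B export and re-import the two HKCU keys, and section C sets the three expandable string values under User Shell Folders. This PowerShell script is an added example, not code from this article or from triCerat; \\Server\Share is the article's own placeholder for the central share, and the .reg file names are my choice (the object names contain a slash, which is not valid in a file name).

```powershell
# Added example, not code from the article or from triCerat: the three
# operations the Simplify Console objects perform, done with reg.exe and
# New-ItemProperty so the registry writes are visible. \\Server\Share is the
# article's placeholder for the central share; replace it with yours.
param(
    [string] $Share = '\\Server\Share'
)
# Per-user folder on the share that holds the exported keys (my choice of layout).
$SaveDir = Join-Path $Share "$env:USERNAME\Registry"

# Sections A and B: the two keys whose contents are saved at logoff and restored at logon.
$SavedKeys = @{
    'MS Office S-R'        = 'HKCU\Software\Microsoft\Office'
    'Outlook Settings S-R' = 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
}

function Save-OutlookRegistry {
    # Export each key to a .reg file named after the object; /y overwrites without prompting.
    New-Item -ItemType Directory -Path $SaveDir -Force | Out-Null
    foreach ($name in $SavedKeys.Keys) {
        reg.exe export $SavedKeys[$name] (Join-Path $SaveDir "$name.reg") /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $($SavedKeys[$name]) failed" }
    }
}

function Restore-OutlookRegistry {
    # Re-import whatever was saved earlier; a missing file (first logon) is not an error.
    foreach ($name in $SavedKeys.Keys) {
        $file = Join-Path $SaveDir "$name.reg"
        if (Test-Path $file) {
            reg.exe import $file | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "Import of $file failed" }
        }
    }
}

function Set-OutlookRedirects {
    # Section C: point AppData, Local AppData and Local Settings at the share so
    # items outside the registry (signature files, for example) follow the user.
    # ExpandString stores %Username% unexpanded, matching the article's
    # "Expandable String Value".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $values = @{
        'AppData'        = "$Share\%Username%\AppData"
        'Local AppData'  = "$Share\%Username%\Local AppData"
        'Local Settings' = "$Share\%Username%\Local Settings"
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType ExpandString -Force | Out-Null
    }
}

# Typical placement: Restore-OutlookRegistry and Set-OutlookRedirects in a logon
# script, Save-OutlookRegistry in a logoff script.
Restore-OutlookRegistry
Set-OutlookRedirects
```

Because the Profiles key holds mail server settings for the user, restrict the per-user folder on the share to that user (and the administrators who need it) rather than leaving the exported .reg files readable by everyone on the share.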
Simplify Suite v4.0.13 This release includes fixes and enhancements that solve problems reported by customers since the release of version 4.0.12.41.
------------------------------------------------------------
Simplify Suite v4.0.13.42 Change History
------------------------------------------------------------
Added - clicking on active item in triShell taskbar minimizes the window by default
Fixed - taskbar buttons in triShell don't change when the window title changes
Fixed - flashing taskbar icons
Changed - Application object instance count limit has new radio button for default of "No Limit"
Fixed - issue with escape characters in Owner Names
Fixed - DLL Monitoring does not catch DLLs that always rebase to the same address
Changed - Application object Trust List configuration was reworded for clarity
Fixed - winlogon.exe crash due to handle leak in RegSetNotify.dll
Fixed - miscellaneous GUI bugs
Complete listing of the Simplify Suite v4 Change History
The Customer: Brainerd Public School District of Minnesota is one of the largest school districts in the area. Nearly 7300 students and 1000 faculty and staff members comprise their thirteen schools. As with most public educational facilities, budget cuts constantly create setbacks with technology, affecting Quality of Service (QoS) delivered to the teachers and students.
The Challenge: Brainerd initially operated 2 different networks of Macs and PCs. With only 4 technicians for the whole district, Brainerd constantly faced difficulties supporting a large network and at the same time keeping Total Cost of Operation (TCO) down. There simply wasn't enough time to physically touch and update every single machine and help all users. Additionally, the district covers nearly thirty miles and driving across town to fix a printer is costly and time consuming.
In response to the school's growing technological needs, Brainerd rolled out a Terminal Server 2000 lab. Students have access to a standardized curriculum dispersed through TS. MS Office 2003 is the main productivity suite while other curriculum is predominantly web-based apps. They standardized on having 1 mandatory profile and have everyone login the same way.
Citrix was also initially deployed for 80 secretaries that used a financial and student management application. "With 80 clients at $40 a client per year, we were looking at nearly $3200 a year alone on Citrix. And that was only for the administrative staff!" said Pam Dyson, Director of Media Technology of Brainerd Public School District.
Although this was a step in the right direction, the team realized they needed another management system if they were to move forward with TS. "Terminal Services alone is very frustrating. Load balancing 16 servers, re-initializing printers every time people login, and losing users' favorites are among many daily issues," remarked Dyson. "We also didn't want to use roaming profiles because of all the issues associated with it."
"Once I saw the differences and changes that had been made between Terminal Server 2000 and 2003, I knew that an application like triCerat would be the icing on the cake for us. Adding triCerat was going to help us do exactly what we needed."
Achieving Technology as well as Educational Goals: Brainerd Public School District initially deployed Simplify Suite on 900 of their 3700 units. Within a few months of roll-out, they've seen problems of the past eliminated. The ability to enable personalized user settings without roaming profiles, deploy secure desktops and print from any printer with any printer setting has decreased downtime within the district's network, considerably increasing performance and productivity.
"The frustration level went from everyone being upset and stressed with the technology for the first month of school before triCerat was deployed, to now looking at the wonderful transformation it's made on a daily basis for both the teachers and students."
Now, they're looking to roll out triCerat to any new TS clients that are distributed throughout the district. "I know this is one of the best investments we've made because I've seen how the teachers and students struggled without triCerat compared to a regular TS environment. Now we can shadow a session and help a teacher work through a problem and instantly have a solution, without making the kids wait and waste valuable time. Our goal, with the help of triCerat, is to have the ability to provide them a QoS that we've never been able to imagine before. It is truly a small price to pay."
It is a known fact that schools everywhere are in need of financial aid and constantly fighting against budget cuts. Public or private, every school yearns for better curriculum and smaller class sizes. Unfortunately, the maintenance and cost of technology hinders fulfillment of these goals. "With Simplify Suite running on our server farm, we are keeping the cost of technology down and making it possible to have those things for our students."
Brainerd Public School District is a shining example of the benefits of Day Zero Protection®, triCerat's proactive mechanism for reducing support and hardware costs, while improving performance and reliability of Terminal Services-based environments and ensuring QoS. Their investment in triCerat's Simplify Suite® has given them a stable platform for continued growth, helping them to achieve their educational goals as well as meeting the technology needs of the district.
This year's event, held in Mandalay Bay Resort and Casino, Las Vegas proved to be Citrix's most successful iForum. We thank all those who took the time to speak with us and learn more about our company. Joining as a Gold sponsor, triCerat had many things in store for the attendees. As a result, we've received a record number of attendees who visited our booth, scheduled meetings and watched our demo in the triCerat Briefing Room.
In addition, triCerat hosted a breakout session entitled "Extend and Enhance your Growing Citrix investment with triCerat's Simplify Suite" presented by John Byrne, CEO and Eric Musgrave, CTO. "The session was very interesting. I was really only familiar with ScrewDrivers, but after viewing the demo for Simplify Suite, I know those products will be a great solution for my environment and I am looking forward to testing." Sherry, Systems Engineer.
The show also provided the perfect venue to announce the new Simplify Suite® 4.5 and ScrewDrivers® v4. Simplify Suite v4.5 includes new features such as ICA published application management, dynamic session routing and server farm monitoring while ScrewDrivers v4 features faster printing, universal client support, batch printing subsystem and zero client footprint.
triCerat's "Complexity Sucks" t-shirts were also a big hit! Several hundred were given away and you could see attendees wearing them everywhere. "This slogan will definitely stick for triCerat – it's perfect. I love it!" Cody, IT Consultant. Lastly, we congratulate the lucky winner of an Apple iPod as well as those who won poker chips. It was a truly exciting event! We thank you again and look forward to iForum 2006!
When: Thursday, December 1, 2005
Where: Tribeca Rooftop: www.tribec.com
Agenda: triCerat is a Silver Sponsor! Join 200-300 executive level technology decision makers and experience the latest and greatest in emerging technologies.