Application Security Tool (AppSec.exe)

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT has the RestrictRun registry key where you can list the programs that NT Explorer will allow to be run. I have never used it because it is easily circumvented by running the restricted commands from the command shell. It has some value in a kiosk environment or where the users are naive. It also has the drawback that it is a registry hack (with all that is implied in registry hacks).

The same registry solution would work in Windows 2000, but the Windows 2000 Server Resource Kit includes an Application Security utility, AppSec.exe, which restricts users to a predefined set of applications. It is much easier to use and more comprehensive. AppSec increases security by preventing the user from running an executable file even through the command line or from within another application. The Application Security tool provides a simple GUI for adding permitted applications to the list and removing them from it. You enter fully qualified names: AppSec uses the full path name, and only the named executable in the designated location can be run. This prevents users from running other versions of the same executable file from alternate locations, which makes it harder to get around AppSec.

AppSec has a nifty capability which makes it interesting even if you aren't interested in restricting applications. It has a tracking feature, which allows administrators to track the executable files required for a permitted set of actions merely by performing those actions as a user would. This feature enables the administrator to discover applications which are being invoked from other applications (for example, Word invoked by Microsoft Outlook for editing of mail).

Less than wonderful features:

  • AppSec settings apply to the computer; there is no per user configuration.
  • AppSec Tool can only be used to restrict 32-bit applications.
    When AppSec is enabled, users are restricted from running any 16-bit applications. To allow users to run all 16-bit applications, the administrator can add ntvdm.exe to the authorized list of applications.
  • AppSec restriction is name based.
    It is unsophisticated. It does not compare CRCs. This leaves the possibility of malicious users introducing Trojans by replacing legitimate programs. Set NTFS permissions on the permitted executables carefully to prevent this.
  • AppSec restricts only executable files, not DLLs.
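
Because the restriction is name based, the NTFS permissions on each permitted path carry the real protection. The following audit is an added example, not part of the original article or the Resource Kit: it assumes PowerShell 4.0 or later and a constructed allow-list (`$AllowedApps`), reports write access held by anyone other than SYSTEM, Administrators or TrustedInstaller on each listed executable and its folder, and records a SHA-256 baseline for later comparison.

```powershell
# Constructed sample allow-list: use the full paths entered in AppSec.
$AllowedApps = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\cmd.exe"
)
# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# Rights that allow replacing a file or adding/removing entries in its folder,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$Risky = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]$Risky -bor 0x40000000 -bor 0x10000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the check does not depend on localized account names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child objects, not to this object.
        if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedSids -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{ Path = $Path; Sid = $rule.IdentityReference.Value
                               Rights = $rule.FileSystemRights }
        }
    }
}

$present = @($AllowedApps | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
$AllowedApps | Where-Object { $present -notcontains $_ } |
    ForEach-Object { Write-Warning "Listed executable not found: $_" }

# Write access to the file or to its folder both allow replacement.
$findings = foreach ($app in $present) {
    Get-WeakAce -Path $app
    Get-WeakAce -Path (Split-Path -Path $app -Parent)
}
# AppSec checks only the path, so keep a SHA-256 baseline to compare against later.
$baseline = $present | ForEach-Object { Get-FileHash -LiteralPath $_ -Algorithm SHA256 }

$findings | Sort-Object Path, Sid -Unique | Format-Table -AutoSize
$baseline | Select-Object Path, Hash | Format-Table -AutoSize
```

An empty findings table means only the trusted SIDs can modify the listed files and folders. Store the baseline where ordinary users cannot write to it.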

The Application Security Utility has obvious value in kiosk environments on workstations. Microsoft documentation focuses on applying restrictions in a Terminal Services Application Server deployment. See the Windows 2000 Server Resource Kit for more documentation. To install the Application Security utility:

  • Install the Resource Kit.
  • Open a command window and run Instappsec.exe.
