Quest Software Block-IT


  • Overview
  • Block-IT (AAC)
  • Block-IT (HAC)
  • Licensing
  • Resources

Block-IT is an access control system that allows administrators to increase the overall security, reliability, and integrity of their Terminal Services environments. It consists of two modules: Block-IT (AAC), which controls which program executables a user may run, and Block-IT (HAC), which controls which network hosts those programs may connect to.

Block-IT (AAC)

  • Overview
  • File Groups
  • File Group Assignment & Execution Schedule
  • Disabling Hash & Full Path Checking

Block-IT (AAC) is an application access control module through which administrators restrict users’ access to program executables. Block-IT (AAC) delivers the following advantages:

  • Guards against application spoofing (an executable that has been renamed, replaced, or moved no longer passes the path and hash checks)
  • Helps contain virus infections (a dropped executable is not enrolled in any file group, and an infected one no longer matches its stored hash)
  • Prevents users from executing unauthorized programs
  • Grants access to applications by time and day
  • Locks down the Terminal Server

Block-IT (AAC) performs a two-phase security check whenever a user starts a program. First, the full path of the executable is verified to ensure it is being loaded from its original installation location on disk. Second, the authenticity of the executable is verified by comparing its run-time hash (i.e., fingerprint) with the original hash stored in the management database. If either check fails, the user is denied access to the application and an “access denial” message is displayed on the screen (figure 1). The path check alone does not authenticate the file; a modified or substituted binary sitting at the legitimate path is caught only by the hash check.


Figure 1 - If the user attempts to execute an unauthorized application, an “access denial” message is displayed on the screen.

With Block-IT (AAC), program executables are organized into “file groups”, enabling administrators to grant or deny access to entire software suites rather than individual executables (figure 2). A file group can be associated with all the Terminal Servers in the farm or with a specific silo. Additional settings such as application termination, hash checking, and full path checking are also configured at the file group level (more on this later). Finally, a unique hash is computed for each executable in the file group and stored in the management database (figure 3); the hash acts as the executable’s fingerprint and is used to verify its authenticity at start time.


Figure 2 - Program executables are organized into “file groups”, enabling administrators to grant or deny access to entire software suites, not just individual executables.


Figure 3 - For each individual executable in the file group, a unique hash is computed and stored in the database.

As shown in figure 4, file groups are assigned to clients, where a client can be a user, group, OU, or physical device. A client’s ability to execute the programs in a particular file group can be restricted by time and day, and each client can be given a different execution schedule for the same file group (figure 5).


Figure 4 - File groups are assigned to clients such as users, groups, OUs, or physical devices.


Figure 5 - The client’s ability to execute the applications contained in a file group can be restricted by time and day.

Hash and full path checking can each be disabled for a particular file group. Disabling hash checking is useful in the middle of a farm-wide application update. For example, if an update to Microsoft Office is being installed on one Terminal Server at a time, hash checking can be disabled temporarily until the update has been installed on all servers and the Office version is consistent across the farm. New hashes must then be computed for the updated executables before hash checking is re-enabled; otherwise every launch of the updated program fails the hash check. While hash checking is off, only the path check protects that file group, so anyone who can write to the installation folder could substitute a binary that would run without any fingerprint check. Keep that window short and re-enable hash checking as soon as the rollout is complete.

Full path checking can likewise be disabled. For example, if the same application is installed in different target folders on different Terminal Servers, full path checking will fail or succeed depending on which server the user happens to log on to. A better way to handle this scenario is to keep full path checking on and maintain one file group per target folder for that application: with the path check off, the hash alone still authenticates the file’s contents, but it no longer ties the executable to a location.
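The AAC decision flow described above (full-path check, then hash check, then the client’s execution schedule for the file group, with the per-file-group toggles for disabling either check), as an added example in Python. This is not Quest’s code; the on-disk layout, the SHA-256 fingerprint, the schedule representation and the default deny when no file group or schedule matches are assumptions of this example, not documented Block-IT behaviour.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import Path

@dataclass
class FileGroup:
    """Executables keyed by normalized full path -> enrolled hash; the two flags
    mirror the per-file-group hash and full-path checking toggles on the page."""
    name: str
    executables: dict = field(default_factory=dict)
    hash_check: bool = True
    path_check: bool = True

def normalize(path):
    return os.path.normcase(os.path.abspath(path))

def compute_hash(path):
    """Run-time fingerprint of the file (SHA-256, chosen for this example)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def enroll(group, path):
    """Store the hash of an executable under its installation path."""
    group.executables[normalize(path)] = compute_hash(path)

def lookup(group, path):
    """Phase 1, full-path check. With path checking off, only the file name must match."""
    norm = normalize(path)
    if group.path_check:
        return norm if norm in group.executables else None
    return next((s for s in group.executables
                 if os.path.basename(s) == os.path.basename(norm)), None)

def in_schedule(schedule, when):
    """schedule: weekday (0 = Monday) -> (start_hour, end_hour); no entry means never."""
    window = schedule.get(when.weekday())
    return window is not None and window[0] <= when.hour < window[1]

def check_launch(groups, schedules, client, path, when):
    """schedules: (client, file group name) -> schedule. Returns (allowed, reason)."""
    matched = False
    for group in groups:
        stored = lookup(group, path)
        if stored is None:
            continue
        matched = True
        # Phase 2, hash check: the on-disk file must match its enrolled fingerprint.
        if group.hash_check and compute_hash(path) != group.executables[stored]:
            return False, f"hash mismatch: {path} is not the enrolled {group.name} binary"
        if in_schedule(schedules.get((client, group.name), {}), when):
            return True, f"allowed by file group {group.name}"
    return False, "no active schedule" if matched else "not in any file group"

def demo():
    """Constructed scenario: a stand-in winword.exe in a temporary install folder."""
    root = Path(tempfile.mkdtemp())
    try:
        exe = root / "Program Files" / "Microsoft Office" / "winword.exe"
        exe.parent.mkdir(parents=True)
        exe.write_bytes(b"MZ" + b"\x00" * 100)          # stand-in for a real PE image
        office = FileGroup("Microsoft Office")
        enroll(office, exe)
        # All Employees may run Office Monday to Friday, 08:00-18:00.
        schedules = {("All Employees", "Microsoft Office"): {d: (8, 18) for d in range(5)}}
        wed_noon, sun_noon = datetime(2024, 6, 12, 12), datetime(2024, 6, 16, 12)
        run = lambda p, when=wed_noon: check_launch([office], schedules, "All Employees", p, when)[0]
        r = {"business_hours": run(exe), "weekend": run(exe, sun_noon)}
        # Spoofing: a different binary under the same name outside the install folder.
        rogue = root / "Downloads" / "winword.exe"
        rogue.parent.mkdir()
        rogue.write_bytes(b"MZ" + b"\xff" * 100)
        r["rogue_copy"] = run(rogue)
        # The genuine binary copied elsewhere: blocked by the path check until it is disabled.
        (root / "Portable").mkdir()
        copy = shutil.copy(exe, root / "Portable" / "winword.exe")
        r["moved_copy"] = run(copy)
        office.path_check = False
        r["moved_copy_no_path_check"], r["rogue_copy_no_path_check"] = run(copy), run(rogue)
        office.path_check = True
        # Update window: the binary changes in place, as during a patch rollout.
        exe.write_bytes(exe.read_bytes() + b"patch")
        r["patched"] = run(exe)
        office.hash_check = False
        r["patched_no_hash_check"] = run(exe)
        enroll(office, exe)                              # re-enroll, then turn the check back on
        office.hash_check = True
        r["patched_reenrolled"] = run(exe)
        return r
    finally:
        shutil.rmtree(root)
```

Running `demo()` walks through the cases the text describes: the enrolled binary is allowed inside its schedule and denied outside it; a rogue file with the same name is denied (path check, and hash check once path checking is off); a genuine copy in another folder is denied only while path checking is on; and a patched binary is denied until either hash checking is disabled for the update window or the new hash is enrolled.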

Block-IT (HAC)

  • Overview
  • Host Access Rules
  • Host Name Resolution
  • Optimising Host Access Rules

Block-IT (HAC) is a host access control module through which administrators can restrict users’ access to IP-based network hosts from programs such as Internet Explorer. Block-IT (HAC) is rule-driven: administrators create access control rules and assign them to clients, where a client can be a user, group, OU, or physical device.

Block-IT (HAC) operates at the network layer. It intercepts requests from applications to connect to particular IP addresses on particular TCP ports, and for each connection request the Block-IT (HAC) filter decides whether to allow or deny the connection by consulting its in-memory access control rules table. In essence, Block-IT (HAC) is a per-session firewall.

Figure 6 shows two example host access rules: The World (all IP addresses and all ports) and The Intranet (the local subnet on 80/tcp and 443/tcp). In figure 7, both rules have been assigned to the “All Employees” group, with “The World” marked allowed (green icon) and “The Intranet” marked denied (red icon).

It is important to note that host access rules do not apply to every program executable running on the Terminal Server; they apply only to the executables specified by the administrator (figure 8). All other programs are unaffected by the configured host access rules, so a user who can launch an unlisted program can reach any host from it. For that reason, host access rules are best combined with Block-IT (AAC), so that users cannot run arbitrary programs in the first place.

Figure 6 – An example of two host access rules.


Figure 7 – Host access rules can be assigned to clients such as users, groups, OUs, or physical devices. Once assigned, host access rules can be marked as “allowed” or “denied”.


Figure 8 – Host access rules only apply to program executables specified by the administrator.

Figure 9 shows an example of a host access rule in which a host name is entered in the Host Name field and then resolved to multiple IP addresses, which indicates that the name is served by several physical Internet hosts. Resolving a host name to its physical IP addresses is always recommended, both to reduce the overhead of the Block-IT (HAC) filter and to guarantee proper enforcement of the rule. Bear in mind that a DNS answer is a snapshot: addresses behind load balancers and content delivery networks change over time, so a resolved rule needs to be re-resolved periodically or it will silently stop matching. The Block-IT technical documentation discusses this in more detail.


Figure 9 – Host name resolution is always recommended as a performance optimization measure.

Figure 10 shows a more complex host access rule in which a host name has been resolved to multiple physical IP addresses. Unlike the previous example, it is sometimes possible to optimize the rule further by performing reverse name resolution on the individual IP addresses returned by the DNS lookup. If a common name pattern is identified (figure 11), a more generalized rule can optionally be substituted for the original rule (figure 12). This is useful whenever the actual number of physical hosts serving a particular name exceeds the number returned by a single DNS lookup. The Block-IT technical documentation discusses this in more detail. Two cautions apply: a wildcard such as *.microsoft.com matches every name under that domain, not only the web servers that were resolved, and reverse (PTR) records are controlled by whoever operates the address block, so a generalized allow rule places its trust in that reverse zone.


Figure 10 – It is sometimes possible to optimize a rule further by performing reverse name resolution on the individual physical IP addresses obtained from the DNS lookup.


Figure 11 – If a common name pattern is identified, a more generalized rule can optionally be substituted for the original rule.

Figure 12 – Examples of generalized rules (i.e., *.microsoft.com and www*.microsoft.com). The first generalized rule was suggested by Block-IT; the second was the result of simple common sense, narrowing the match to the observed www* names.
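The host access rule evaluation described above (an in-memory table of address and port rules assigned to clients as allowed or denied, applied only to the listed executables), together with the host-name resolution and rule generalization of figures 9 to 12, as an added example in Python. This is not Quest’s code. The DNS answer and PTR table are constructed inline, the first-match ordering of assignments and the default deny are assumptions of this example, and the sample policy allows the intranet and denies the rest, which need not match the assignment shown in figure 7.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass
class HostRule:
    """Address/port rule; empty networks = any address, empty ports = any port.
    host_pattern, when set, is a generalized name rule matched on reverse DNS."""
    name: str
    networks: list
    ports: tuple
    host_pattern: str = None

@dataclass
class Assignment:
    client: str
    rule: str
    allowed: bool

@dataclass
class Policy:
    rules: dict             # rule name -> HostRule
    assignments: list       # evaluated in order; first matching rule decides (assumption)
    scoped_executables: set # only these programs are filtered
    reverse_dns: dict       # constructed PTR table standing in for live reverse lookups

def resolve_to_networks(hostname, dns):
    """Forward lookup against a constructed answer table; each address becomes a /32."""
    return [ipaddress.ip_network(a) for a in dns.get(hostname, [])]

def suggest_pattern(addresses, reverse_dns):
    """Reverse-resolve each address; if all names share a domain suffix of at least
    two labels, propose the generalized rule '*.<suffix>', otherwise None."""
    names = [reverse_dns.get(a) for a in addresses]
    if not names or any(n is None for n in names):
        return None
    labels = [n.lower().split(".")[::-1] for n in names]
    common = []
    for parts in zip(*labels):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    if len(common) < 2 or len(common) == min(map(len, labels)):
        return None
    return "*." + ".".join(reversed(common))

def matches(rule, ip, port, reverse_dns):
    if rule.ports and port not in rule.ports:
        return False
    if rule.host_pattern is not None:
        name = reverse_dns.get(str(ip))
        return name is not None and fnmatch.fnmatchcase(name.lower(), rule.host_pattern.lower())
    return not rule.networks or any(ip in net for net in rule.networks)

def decide(policy, client, exe, ip, port):
    """Filter decision for one connection attempt. Returns (allowed, reason)."""
    if exe.lower() not in policy.scoped_executables:
        return True, "program is not subject to host access rules"
    ip = ipaddress.ip_address(ip)
    for a in policy.assignments:
        if a.client != client:
            continue
        rule = policy.rules[a.rule]
        if matches(rule, ip, port, policy.reverse_dns):
            return a.allowed, f"{'allowed' if a.allowed else 'denied'} by rule {rule.name}"
    return False, "no matching rule (default deny is an assumption of this example)"

def demo():
    # Constructed DNS data: three addresses answer for www.example.com, but a fourth
    # server in the same farm (203.0.113.50) was not in that answer.
    dns = {"www.example.com": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]}
    ptr = {"203.0.113.10": "www1.example.com", "203.0.113.11": "www2.example.com",
           "203.0.113.12": "www3.example.com", "203.0.113.50": "www4.example.com"}
    rules = {
        "The World": HostRule("The World", [], ()),
        "The Intranet": HostRule("The Intranet", [ipaddress.ip_network("10.1.0.0/16")], (80, 443)),
        "Example web": HostRule("Example web", resolve_to_networks("www.example.com", dns), (443,)),
    }
    pattern = suggest_pattern(dns["www.example.com"], ptr)
    rules["Example web (generalized)"] = HostRule("Example web (generalized)", [], (443,), pattern)
    emp, ie = "All Employees", "iexplore.exe"
    policy = Policy(rules, [Assignment(emp, "The Intranet", True),
                            Assignment(emp, "Example web", True),
                            Assignment(emp, "The World", False)], {ie}, ptr)
    results = {
        "pattern": pattern,
        "intranet_https": decide(policy, emp, ie, "10.1.2.3", 443)[0],
        "intranet_ssh": decide(policy, emp, ie, "10.1.2.3", 22)[0],
        "resolved_host": decide(policy, emp, ie, "203.0.113.11", 443)[0],
        "unlisted_farm_member": decide(policy, emp, ie, "203.0.113.50", 443)[0],
        "unscoped_program": decide(policy, emp, "putty.exe", "203.0.113.50", 22)[0],
    }
    # Swap the resolved rule for the generalized one: the fourth server now matches.
    policy.assignments[1] = Assignment(emp, "Example web (generalized)", True)
    results["generalized_rule"] = decide(policy, emp, ie, "203.0.113.50", 443)[0]
    return results
```

The two points worth noticing in `demo()` are the ones the page makes: a rule built from a single DNS answer misses the farm member that was not in that answer, while the generalized `*.example.com` rule suggested from the reverse names covers it; and `putty.exe`, which the administrator never listed, is not filtered at all, which is why HAC is paired with AAC in practice.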
Licensing

  • Standalone per-server license
  • Per concurrent user - Part of the vWorkspace Power Tools Edition
  • Per concurrent user - Part of the vWorkspace Enterprise Edition
