Security Advisor

Virtualization Done Differently

Microsoft's SoftGrid Application Virtualization makes managing applications more secure.

• By Joern Wettern
• 02/01/2008

Microsoft SoftGrid Application Virtualization (SAV), which the company purchased from Softricity, takes a different approach. It creates virtual instances of specific applications that make them more manageable and more secure.

Playing in a Sandbox
SAV's goal is to let you run apps without having to install them first, and without any permanent impact on the client computer. Apps run in a virtual sandbox where they're isolated from the rest of the computer. The apps still appear and function just like regular, locally installed programs, and users can create and store all documents locally or on a file share.

There are numerous advantages to this strategy. You know how difficult it can be to maintain multiple apps and application suites across a large number of computers. Some programs require users to have admin privileges because they insist on writing to a system folder or registry key. Incompatibilities among programs present another problem, as does the license tracking. SAV nicely resolves all of these issues by giving each program its own independent sandbox where it's isolated from other programs and the OS.

SAV does this by making the apps available from a server so they don't need to be installed and patched on each computer. Because they each remain in their separate environment, no one needs local admin privileges to use them. Programs also run independently of each other, thus eliminating nasty interactions or incompatibilities. You can even centrally assign applications to specific users to track usage for licensing- monitoring purposes.

Microsoft touts such management enhancements as the main advantage of SAV, but there are important security benefits, too. Because your users can't make any permanent modifications to the program files, they're immune to virus infections. App patching is a single procedure you can perform centrally instead of on each client computer. This greatly reduces the time it takes you to eliminate vulnerabilities. As a result, you can spend more time keeping the client OSes up to date. Best of all, your users no longer need local administrative privileges just to run one or two programs.

Making the Magic Work
SAV's promise may sound like magic, but there's solid technology behind it that makes it work. There are three components involved: the SAV Sequencer, the SAV Server and the SAV Client. Creating an app package for your users begins with the Sequencer. This component runs on a reference computer, which mirrors a typical client computer.

The Sequencer monitors an application's installation process and tracks all files the installation creates, any changes it makes to OS files and registry entries and any other system modifications. It also detects any changes or access to system files while you're using the program.

Once you've finished the installation and are ready to use the application, the Sequencer combines all these settings, including copies of the created files, into an app package (see Figure 1). It copies this package onto the SAV Server. From there, you use a management console to moderate permissions for using the application, as well as customizing applications as needed.

[Click on image for larger view.]

Figure 1. The SoftGrid Application Virtualization management console lets you customize and assign packages.

The real workhorse of this entire process is the SAV Client. This component runs on client computers and creates the shortcuts and menu items you've previously defined on the server. When a user clicks on one of them to start a program, the SAV Client starts downloading the app from the server. To conserve bandwidth, it only downloads the files needed at any given time. If an application needs a previously unused file like a DLL, the client will fetch it as needed.

Once the application is running, the SAV Client makes it believe it's actually installed on the computer. The client monitors all access to files and other resources and transparently redirects the application to its virtual environment so the local OS remains unaffected.

Whenever you have to patch an application, you can use the Sequencer to monitor this process on the reference computer and patch the application package. The next time a user starts the application, the SAV Client will automatically download and use the patched version.

Getting Virtual
Microsoft doesn't list SAV in its regular product catalog. It's available now only to customers with a Software Assurance (SA) subscription. If you've purchased SA, you can get an add-on license that lets you use SAV.

You may still have to look hard for it, though. SAV is hidden deep inside the Microsoft Desktop Optimization Pack (MDOP), which SA customers can download. (The MDOP also contains other useful tools for software inventory, Group Policy management, system recovery and error monitoring.)

Make sure you look for Microsoft Application Virtualization (MAV), as Microsoft is dropping the SoftGrid name. MAV version 4.5 will not only have a slightly different name, it will look more like other Microsoft apps, scale better and sport a number of additional features and improvements to make it more usable. It's scheduled for release in the third quarter of this year and the public 4.5 beta version is available for download at http://connect.microsoft.com (registration is required).

If you don't have an SA agreement, keep an eye on Microsoft Application Virtualization to see when Microsoft will make it more widely available.