With the release of Windows 8, Microsoft introduced the Windows 8 App Store, a portal for installing homogenous applications on the RT desktop. As well as providing a seamless experience for Microsoft to push their desktop products direct to consumers, the Windows Store includes many applications from 3rd party vendors.
Getting an application published in the store involves a testing and accreditation process, and only applications which satisfy Microsoft guidelines are shown. This provides an element of security around the applications users are installing, but given that the store is accessible to corporate users as well as consumers, the functionality of those applications may not be desirable for a corporate desktop. An application that meets certain standards in coding and implementation may still violate IT policies on application usage.
So there is a clear requirement for extending application usage policies to Windows Store Apps.
There are two main use cases for applying policy to restrict the use of Store Apps:
Windows 8 comes pre-installed with various RT applications which may not adhere to company policy. Microsoft SkyDrive allows any Windows 8 user to sign into or create a SkyDrive account which grants access to a private cloud. Unless you have a corporate need for cloud storage, you probably don’t want users having an unrestricted way of moving documents out through the company firewall.
There are also applications which showcase Windows 8 as a social media hub, integrating Facebook, Twitter and Windows Live Messenger. This makes social networking a lot easier, but may be an unwanted distraction.
There is a significant drive by Microsoft to get developers building Store Apps, and new applications are appearing daily. Amongst these are instant messaging apps, cloud storage apps, and a wide selection of games. Each poses different challenges for the Enterprise and IT, from avoiding unnecessary distractions to maintaining a secure perimeter. There is also the risk that bad applications may soon find their way into the store. You have to recognise that it is a high value target for hacktivists and cybercriminals.
So ensuring that only corporate-approved, trustworthy and authentic apps can be run by desktop users is of paramount importance when planning a migration to Windows 8.
Microsoft bolstered the security features of Windows 8, which has been touted as the most secure OS they have ever released. One of the additions was extending AppLocker with support for ‘Packaged Apps’. However, the implementation remains the same, and with it the challenges of supporting AppLocker in an enterprise environment.
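The AppLocker ‘Packaged Apps’ support mentioned above can be exercised from PowerShell on Windows 8 or Windows Server 2012. The script below is an added example, not taken from the original article or from any vendor product: it inventories installed packaged apps, lists the ones outside an approved set, and builds an audit-only publisher policy for the approved ones. The approved package names and the output path are constructed placeholders.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
# ASSUMPTION: the package names below are constructed placeholders; replace
# them with the names your organisation has approved.
$ApprovedNames = @(
    'Example.ApprovedApp1',
    'Example.ApprovedApp2'
)
$OutFile = Join-Path $env:TEMP 'appx-audit-policy.xml'   # hypothetical path

# 1. Inventory every packaged app installed for any user on this machine.
$installed = @(Get-AppxPackage -AllUsers)

# 2. Split the inventory by package Name against the approved list.
$approved   = @($installed | Where-Object { $ApprovedNames -contains $_.Name })
$unapproved = @($installed | Where-Object { $ApprovedNames -notcontains $_.Name })

Write-Host "Installed packaged apps NOT on the approved list:"
$unapproved | Sort-Object Name -Unique |
    Format-Table Name, Publisher, Version -AutoSize

if ($approved.Count -eq 0) {
    throw 'No approved packages are installed; there is nothing to build allow rules from.'
}

# 3. Generate publisher-based allow rules for the approved packages only.
#    Once an Appx rule collection is enforced, any packaged app without a
#    matching allow rule is denied by default (whitelist behaviour).
[xml]$policy = Get-AppLockerFileInformation -Packages $approved |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml

# 4. Switch the Appx collection to audit-only so that would-be blocks are
#    logged rather than enforced while the rule set is being validated.
$appx = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' }
$appx.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($OutFile)

# 5. Dry run: evaluate every installed package against the saved policy.
Test-AppLockerPolicy -XmlPolicy $OutFile -Packages $installed -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Write-Host "Audit-only policy written to $OutFile"
```

The script only writes and tests the policy file. After review, it can be applied locally with `Set-AppLockerPolicy -XmlPolicy $OutFile` or imported into a Group Policy Object.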
Taking into account the easy access to Store Apps that Windows 8 gives, and the risks this poses to IT, it makes sense to add policy control over the installation and running of Windows Store Apps. Leveraging flexible firewall-style rules, IT can apply combinations of whitelist, blacklist and monitoring rules that govern which applications can and cannot be installed or executed by users. Blocking rules will prevent the installation of any blacklisted Packaged Apps, and for pre-installed Apps, will prevent them from being used.
By implementing this type of granular, flexible management of Windows 8 Store Apps across Windows 8 and Windows Server 2012 rollouts, organisations can ensure that only authorised applications can be installed and executed by users in Enterprise environments.