I’ve been playing around with VMware’s new ThinApp via their acquisition of Thinstall back on Jan 15th. It is quite an interesting tool for application virtualization and very powerful (once you get under the covers with it a bit). On the surface it is very easy to create quick and small virtual applications but can stumble a bit on large complex applications like DB dependent apps, etc.
There are some interesting ramifications and questions out there around application virtualization. From an IT Operations perspective it would seem there is a pretty powerful argument to virtualize and distribute applications like this rather than have to install and maintain them on every users PC or laptop. For example you can create a virtual app (say Microsoft Outlook or a CRM client), put it on a network share and simply send out a link for the application executable to all your users (it is usually just a single file). The application can be centrally maintained and updated, execution rights can be constrained via Active Directory rights, etc. and there is no host installation or client required at all.. meaning you can maintain locked down desktops much easier since ThinApp virtualized apps run in user mode only, no admin rights to the local system are required.
From an IT security perspective there are few angles to consider though.. some good, some bad.
From the good perspective there is the fact that the virtualized apps run in user mode only and cannot exceed the security rights of the user running it nor can it damage the system it is running on since the virtual application is completely self contained. From the UG:
Because ThinApp runs in user mode, it has the same rights and permissions as any other application a specific user has. ThinApp cannot exceed the security rights of the user account it is running in because it has no device drivers or components running in kernel mode.
From the bad perspective since there is no installation or client required and everything the app may do is sandboxed, how will a system administrator know and react to the running of unauthorized or dangerous applications on their users systems? What if a user gets ahold of someone’s virtualized FTP client app, runs it on their normally locked down system and copies some sensitive files to an external location? Under normal circumstances they may not have had the rights to install an FTP client to their local machine but since ThinApp virtualized apps do not require any administrator rights to execute it suddenly becomes very simple to do something like this.. and believe me, building and distributing small apps like an FTP client is remarkably easy to do with ThinApp, many would be small enough to email for that matter.
I would be curious if there are any similiar or differing opinions out there on this? Don’t get me wrong.. I really like the idea of application virtualization and think it has some real tangible benefits once you get your hands around it.. I just wonder if there might be some potential security holes around it?