Citrix App Streaming and Isolation of services in XenApp 6
App Streaming in Citrix XenApp 6.0 supports isolation of NT Services. It’s a big deal, fulfilling one of the last remaining big-ticket items in the isolation capabilities of the streaming system. How do you use it? Simple! Profile an application which installs a service during its installation, publish the application to the user, and when the streaming system brings the app to life, the service will be loaded under isolation and available to the application. But there’s one step omitted so far.
As the admin, you must also mark the streaming source as “approved”, or, if you have crypto infrastructure, you can digitally sign the profile using a certificate chain trusted on the execution machine; the streaming system will then know that the application and its service are “admin approved”. Lacking approval, the streaming client will, on purpose, not load the service and will instead leave you a hint in the event log noting that it politely declined to load a service for the given execution.
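To make the approval gate concrete, here is an added illustration (it is not Citrix code and does not reflect the streaming client’s internals) of the fail-closed decision described above: a service is loaded only if its streaming source carries the admin’s approval mark or the profile is signed by a publisher the execution machine trusts, and a refusal is recorded for the admin to find. The profile layout, the approved-source list, the publisher key table, and the use of HMAC-SHA256 as a stand-in for the real certificate-chain signature are all assumptions made for this example.

```python
"""
Added example (not Citrix code): fail-closed "admin approved" gate for a
streamed application's service, with the two approval paths the post names.
All configuration values below are constructed for illustration.
"""
import hashlib
import hmac
import json
import logging

log = logging.getLogger("streaming-client")

# Constructed trust configuration for one execution machine.
APPROVED_SOURCES = {r"\\fileserver\profiles\payroll"}   # sources the admin marked "approved"
TRUSTED_PUBLISHERS = {                                  # publisher -> verification key
    "Contoso IT": b"constructed-publisher-key",         # stand-in for a trusted cert chain
}

# Stand-in for the event log: every declined load leaves a hint here.
DECLINE_LOG = []


def canonical(profile: dict) -> bytes:
    """Serialise the signed part of the profile deterministically (signature excluded)."""
    body = {k: v for k, v in profile.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_profile(profile: dict, key: bytes) -> dict:
    """Publisher side: attach a signature. HMAC is a stand-in for a certificate signature."""
    signed = dict(profile)
    signed["signature"] = hmac.new(key, canonical(profile), hashlib.sha256).hexdigest()
    return signed


def signature_valid(profile: dict) -> bool:
    """Execution side: accept only a signature that verifies under a trusted publisher's key."""
    key = TRUSTED_PUBLISHERS.get(profile.get("publisher"))
    sig = profile.get("signature")
    if key is None or not sig:
        return False
    expected = hmac.new(key, canonical(profile), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def may_load_service(profile: dict) -> bool:
    """Fail closed: load the service only via an explicit approval or a trusted signature."""
    if profile.get("source") in APPROVED_SOURCES:
        return True
    if signature_valid(profile):
        return True
    hint = {
        "app": profile.get("app"),
        "service": profile.get("service"),
        "reason": "source not approved and profile not signed by a trusted publisher",
    }
    DECLINE_LOG.append(hint)
    log.warning("Declined to load service %(service)r for %(app)r: %(reason)s", hint)
    return False


if __name__ == "__main__":
    # Constructed profiles covering each path through the gate.
    approved = {"app": "Payroll", "service": "PayrollSvc",
                "source": r"\\fileserver\profiles\payroll"}
    unapproved = {"app": "HR", "service": "HRSvc",
                  "source": r"\\someshare\profiles\hr", "publisher": "Contoso IT"}
    signed = sign_profile(unapproved, TRUSTED_PUBLISHERS["Contoso IT"])
    tampered = dict(signed, service="OtherSvc")   # body changed after signing

    for name, prof in [("approved source", approved), ("signed profile", signed),
                       ("tampered profile", tampered), ("unsigned, unapproved", unapproved)]:
        print(f"{name:22s} -> load service: {may_load_service(prof)}")
    print(f"{len(DECLINE_LOG)} decline hint(s) recorded")
```

The design point worth noting is the default: any profile that matches neither path is refused rather than loaded, and the refusal is written somewhere an admin will look, which is exactly the behaviour the post describes for an unapproved streaming source.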
Run my services, but ONLY my services
Inquiries to customers over the last 4 years have produced a common theme: customers ask for isolation of services as a function they need for running their application set in a virtualized application environment. When faced with the concept of services being privileged, the response is, yeah, not a problem, I run privileged services all the time in my production environment – please run only the services that I tell you are okay.
From a programming perspective, running services is easy. Services are “applications”, so you run them in the isolation space and it’s all done. If only it were that easy…
Running the service and having it succeed means that the service needs privilege, which means it must run on a different user token than the application does, and the service must serve as “one service” for “many applications”. Privileged execution then means a separate isolation space for the service compared to the isolated applications, and the list of consequences goes on for a long time. The eventual conclusion is that it is a difficult thing, and this is why it has taken until version 6.0 to get this function into place.