diff --git a/windows/application-management/app-v/revision-heidi/appv-security-considerations.md b/windows/application-management/app-v/revision-heidi/appv-security-considerations.md new file mode 100644 index 0000000000..a8fb09e7b9 --- /dev/null +++ b/windows/application-management/app-v/revision-heidi/appv-security-considerations.md 
@@ -0,0 +1,140 @@ +--- +title: App-V Security Considerations (Windows 10) +description: App-V Security Considerations +author: MaggiePucciEvans +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +ms.date: 04/19/2017 +--- +# App-V security considerations + +>Applies to Windows 10, version 1607. + +This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). + +>[!IMPORTANT] +>App-V is not a security product and does not provide any guarantees for a secure environment. + +## PackageStoreAccessControl (PSAC) feature has been deprecated + +Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature that was introduced in Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2) has been deprecated in both single-user and multi-user environments. + +## General security considerations + +**Understand the security risks.** The most serious risk to App-V is that its functionality could be hijacked by an unauthorized user who could then reconfigure key data on App-V clients. The loss of App-V functionality for a short period of time due to a denial-of-service attack would not generally have a catastrophic impact. + +**Physically secure your computers**. Security is incomplete without physical security. Anyone with physical access to an App-V server could potentially attack the entire client base. Any potential physical attacks must be considered high risk and mitigated appropriately. App-V servers should be stored in a physically secure server room with controlled access. Secure these computers when administrators are not physically present by having the operating system lock the computer, or by using a secured screen saver. + +**Apply the most recent security updates to all computers**. 
To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, see the [Microsoft Security TechCenter](https://technet.microsoft.com/en-us/security/bb291012). + +**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](https://technet.microsoft.com/library/hh994572.aspx). + +## Accounts and groups in App-V + +A best practice for user account management is to create domain global groups and add user accounts to them. Then, add the domain global accounts to the necessary App-V local groups on the App-V servers. + +>[!NOTE] +>App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s **Users** local group. By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group. + + + +### App-V server security + +No groups are created automatically during App-V Setup. You should create the following Active Directory Domain Services global groups to manage App-V server operations. + +
Group name | +Details | +
---|---|
App-V Management Admin group |
+Used to manage the App-V management server. This group is created during the App-V Management Server installation. +
+Important
+
+There is no method to create the group using the management console after you have completed the installation. +
+
+ |
+
Database read/write for Management Service account |
+Provides read/write access to the management database. This account should be created during the App-V management database installation. |
+
App-V Management Service install admin account +
+Note
+
+This is only required if management database is being installed separately from the service. +
+
+ |
+Provides public access to schema-version table in management database. This account should be created during the App-V management database installation. |
+
App-V Reporting Service install admin account +
+Note
+
+This is only required if reporting database is being installed separately from the service. +
+
+ |
+Public access to schema-version table in reporting database. This account should be created during the App-V reporting database installation. |
+
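Review bot: The "App-V server security" section contradicts itself. Its intro says "No groups are created automatically during App-V Setup", but the first table row says the App-V Management Admin group "is created during the App-V Management Server installation". State plainly whether the administrator must create this group in Active Directory before setup and supply it to the installer, or whether setup creates it. The Important note, which says the group cannot be created from the management console afterwards, makes this a one-time decision for the reader. Two smaller wording points are in the "Accounts and groups in App-V" section. "Then, add the domain global accounts to the necessary App-V local groups" should read "domain global groups" to match the preceding sentence. In the note, "Authorized Users" looks like it should be the built-in "Authenticated Users" identity, and since that membership is what lets every domain computer reach the publishing server, the name should be exact.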