20
AppStream Implementation
Introduction
- AppStream is an application virtualisation and streaming service from AWS. It is currently being used as the BCP solution for remote access to on-premise desktops. It can be accessed from the Internet or from the corporate network, so other application virtualisation uses are possible. For example, it can provide access to internal applications where we don’t want to install software on end users’ computers, either because the software is complex to deploy or because of security concerns about the network connectivity that would have to be opened for the application to work.
Limits
AppStream service limits are quite low by default. Current (requested) limits for an account in ap-southeast-1 are:
Service: AppStream 2.0
Region: Asia Pacific (Singapore)
- Streaming Instances (stream.standard.medium): new limit value 750
- Streaming Instances (stream.standard.large): new limit value 250
Launching an Image Builder instance
- To package an application in AppStream you need to create and launch an Image Builder instance, test the application and then create an image which can be used in an AppStream fleet.
Steps:
- Navigate to AppStream service
- Click on Images and then the ImageBuilder tab.
- Click on “Launch Image Builder”
- If you are creating a new image from scratch then select the most recent “AppStream-WinServer2019-MM-DD-YYYY” image.
- If you are modifying an existing image then change “All Images” to “Private” and select the appropriate image to update.
- Use the following settings:
Name: Portfolio_Application_Builder
Tags: add the Portfolio tag
Instance type: select the appropriate instance; stream.standard.medium is ideal for BCP_AppStream
VPC: YourVpc
Subnet: either is fine
Security group: appstream-security-group
Wait for the image builder status to become “Running” (takes roughly 20 minutes).
Click on Actions, Create streaming URL and copy the URL to a new tab/window to connect to the Image Builder instance.
Note: stop the instance when it is not in use to reduce costs.
Upgrading a Fleet
Need to look at this, how do we test and then upgrade fleet image version without causing interruption?
Assumption: create a new fleet using the new image, then cut the stack over to the new fleet. (What happens to the currently running fleet instances, and what about the spare capacity?)
How to roll back a bad image update? Do we have to do this out of hours?
AppLocker
- AppStream does not itself prevent a streamed application from launching other applications. This is a potential security issue, because there are several well-known ways to launch arbitrary processes from most applications. To prevent this we allow-list the permitted processes using Microsoft AppLocker. See:
Steps:
a. Launch an image builder instance:
- Navigate to AppStream service
- Click on Images and then the ImageBuilder tab
- Select: bcp-appstream-builder
- Select Actions and then Start.
- Once it is started, click on Actions — Create streaming URL and copy the URL into a new browser window / tab
b. Steps inside the image builder to configure AppLocker:
- Click on Administrator
- Click on Start, type “seclpol” and hit enter
- Navigate to “Application Control Policies — AppLocker — Executable Rules”
- NOTE: if prompted to create default rules, select No.
- Create AWS required rules, documented here:
- Note: the rule allowing persistent storage is not required
- Add rule allowing anyone to launch Remote Desktop Connection, using the path %windir%\system32\mstsc.exe
- Right click on AppLocker in the left hand navigation pane and select Properties
- For “Executable Rules” click on Configured and select Enforce rules.
NOTE:
You can select Audit only instead if you need to test the rules before enforcing them. Open Event Viewer and navigate to “Applications and Services Logs — Microsoft — Windows — AppLocker — EXE and DLL”. Make sure there aren’t any unexpected events with ID 8003 (each one indicates an application that was allowed to run in audit mode but will be blocked once Enforce rules is enabled).
- Launch the Image Assistant application (icon on desktop)
- Click on Start, type “cmd”, right click on “Command Prompt” and select “Run as administrator”
- Enter the command (note the space after “start=”, which sc.exe requires; without it the command fails with an invalid-option error). This sets the Application Identity service, which AppLocker depends on, to start automatically:
sc config appidsvc start= auto
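An added pre-image check, not part of this runbook, to run from an elevated PowerShell inside the image builder before launching Image Assistant. It confirms the state the AppLocker steps above are meant to produce: executable rules enforced, mstsc.exe allowed, no 8003 audit events, and AppIDSvc set to start automatically. The mstsc.exe path, event ID 8003 and the service name come from the steps above; the cmdlet usage is my own.

```powershell
# Added verification script (not from the original runbook). Run as Administrator
# inside the image builder after completing the AppLocker steps.
$exeLog = 'Microsoft-Windows-AppLocker/EXE and DLL'   # standard AppLocker EXE log name

# 1. The Executable Rules collection must be in Enforce mode, not Audit only.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exeCollection -or $exeCollection.EnforcementMode -ne 'Enabled') {
    Write-Warning "Executable rules are not enforced (mode: $($exeCollection.EnforcementMode))"
}

# 2. Remote Desktop Connection must be allowed for Everyone by the effective policy,
#    otherwise the BCP use case (RDP to on-premise desktops) breaks once enforced.
$rdp = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:windir\System32\mstsc.exe" -User Everyone
if ($rdp.PolicyDecision -ne 'Allowed') {
    Write-Warning "mstsc.exe would be $($rdp.PolicyDecision) (matching rule: $($rdp.MatchingRule))"
}

# 3. No 8003 events: each one is a process that ran in audit mode but will be
#    blocked under enforcement, so it needs either an explicit rule or a reason.
$auditHits = Get-WinEvent -FilterHashtable @{ LogName = $exeLog; Id = 8003 } -ErrorAction SilentlyContinue
foreach ($e in $auditHits) {
    Write-Warning ("8003 at {0}: {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 4. The Application Identity service must start automatically, or AppLocker
#    rules are never evaluated on the fleet instances built from this image.
$svc = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -ne 'Auto') {
    Write-Warning "AppIDSvc start mode is '$($svc.StartMode)'; run: sc config appidsvc start= auto"
}
```

A clean run prints nothing; any warning means the image is not ready to be created.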