RES ONE Workspace Use Cases Guide

INTRODUCTION
Welcome to RES ONE Workspace by RES. RES ONE Workspace allows IT to centrally manage, secure and automate your workers’
workspaces. RES ONE Workspace works across delivery platforms and operating systems to offer workers a secure and consistent
experience as they roam across devices and physical and virtual and cloud-hosted sessions. Using RES, IT teams can:
• Increase worker productivity
• Lower the cost of IT operations
• Provide greater security and compliance
This document will guide you through the basic steps for setting up RES ONE Workspace in Azure, and walks through several
critical capabilities offered by RES, including:
✓ Application access controls
✓ Management of elevated privileges
✓ Context awareness
✓ Basic whitelisting
SETUP
Two user accounts have been created:
User: ACavendish password: RESONEWorkspace2016
User: BJohnson password: RESONEWorkspace2016
RES ONE Workspace has been installed and connected to a local SQL Express database.
To be able to administer the system and use the RES ONE Workspace console without being in a RES ONE Workspace session as
a user, you’ll have to bypass the RES ONE Workspace composer for the administrator you defined while setting up this system
in Azure. You can do this by starting the RES ONE Workspace console, selecting setup — advanced settings in the menu and adding
“<computer name>\<the administrator you defined while setting up this system in Azure>” to ‘bypass composer for user and
groups’.
In order to avoid confusion about the whereabouts of the user accounts, you’ll have to add “local computer” to User Context —
Directory Services. You can safely remove the “Windows Domain — Workgroup” that you’ll find there.
You might want to disable ‘IE enhanced Security configuration’ for users.
To manage all shortcuts, go to Applications, select tab ‘Settings’ and select ‘Replace all unmanaged shortcuts’.
Next:
To experience RES ONE Workspace as an end user, you’ll have to change the custom user interface of the server:
Start a command prompt as administrator and type gpedit.msc
The local group policy editor will start. Go to ‘User Configuration — Administrative templates — System — Custom User Interface’
and enable this setting on the right side of the pane.
For “Interface File Name” use: C:\Program Files (x86)\RES Software\Workspace Manager\pfwsmgr.exe
The next time you logon as one of the pre-created users the RES ONE Workspace composer will start.
USER-BASED ACCESS TO AN APPLICATION
Logon to the system as the administrator you defined while setting up this system in Azure.
Create an application, e.g. Notepad in RES ONE Workspace console.
Go to Composition — Applications
TAB Start Menu, right click and select “New Application”
Title: Notepad for Amanda
Command Line: C:\windows\system32\notepad.exe
Working directory: C:\windows\system32
Select “Access Control”. Select Type: Users and Groups. Click add, select ‘User/Group’, click the search button and select ‘Amanda
Cavendish’. Click ‘OK’ and go to Security. Select “Only RES ONE Workspace is allowed to run this application”. Click ‘OK’.
Make sure that only the managed shortcut can be used to start the application. To enable this, go to ‘Security’ in the RES ONE
Workspace console, select tab ‘Settings’ and for ‘Manage Application Security’ select ‘enabled’.
Deselect ‘Notify users about security events’.
Click ‘Save Settings’.
To verify this, logon to this server with the User account ACavendish, password RESONEWorkspace2016.
Start the application ‘Notepad for Amanda’
Go to C:\windows\system32\notepad.exe and try to start notepad from this location
Return to the RES ONE Workspace Management console and go to Security, select ‘Managed Applications’ and select the Log Tab.
Take a look at the logs
Now logon to this server with the user account Bob Johnson, password RESONEWorkspace2016. You will see that the application
‘Notepad for Amanda’ is not available for you in the start menu. And when you try to start notepad from C:\windows\system32\
notepad.exe you will find that you cannot start it.
INSTALL APPLICATION AS USER WITH ELEVATED PRIVILEGES
(Note: Installing an application as a user through “User installed Applications” can only be done on a non-RDS machine.)
By design, User Installed Applications cannot be installed on Terminal Servers, even if the user session on the Terminal Server
complies with all the criteria set for User Installed Applications.
In this example we’ll install 7-zip on the end user’s system. You should use ‘User installed Applications’ for this when running on
Windows 7, 8.1 or 10. On a Terminal Server this feature is not available, so this is a workaround to show what you can do with
elevated privileges.
Log on to the system as user ACavendish, browse to C:\RES_Install and double-click the 7-zip executable (7z1603-x64.exe). You will
get a notification that you do not have the right to do so.
To be able to execute the 7-zip installer, log on to the system as the administrator you defined while setting up this system in Azure
and add the path to the executable (C:\RES_install\7z1603-x64.exe) to the Authorized Files list (RES ONE Workspace Console —
Security).
When you log in as user ACavendish and try to install 7-zip by double-clicking 7z1603-x64.exe, you will find that you are
asked for the administrator password. So the user does have the right to execute this file, but does not have the right to install 7-zip.
To solve that issue create the application cmd.exe:
Logon to the system as the administrator you defined while setting up this system in Azure.
Start the RES ONE Workspace Console
TAB Start Menu, right click and select “New Application”
Title: cmd for Amanda
Command Line: C:\windows\system32\cmd.exe
Working directory: C:\windows\system32
Select “Access Control”. Select Type: Users and Groups. Click add, select ‘User/Group’, click the search button and select
‘Amanda Cavendish’. Click ‘OK’ and go to Security. Select “Only RES ONE Workspace is allowed to run this application”. On the
tab Dynamic Privileges, select ‘Add Administrator rights’ as access token.
Click ‘OK’.
You have now created an application that, when started by Amanda Cavendish, will give her administrative privileges.
To verify this, logon to the system as user ACavendish and start the application ‘cmd for Amanda’
Once the command prompt is available, type the command C:\RES_install\7z1603-x64.exe
User ACavendish will be able to install 7-Zip. With the rights user ACavendish has with this elevated command prompt, she can do
much more on the system than install applications.
CONTEXT AWARE ACCESS
Logon to the system as the administrator you defined while setting up this system in Azure.
Create an application, e.g. calculator in RES ONE Workspace console.
Go to Composition — Applications
TAB Start Menu, right click and select “New Application”
Title: Calculator
Command Line: C:\windows\system32\calc.exe
Working directory: C:\windows\system32
Make sure that all users have access (Access control — Identity — type: all users)
Now we are going to make this application available based on the IP address from which you connect to this server. Please note your
local IP address.
Select Locations and Devices. Click ‘Add’, click ‘New Zone’, and name the new zone. Select tab Rules, click ‘Add’, select Network
— IP address — IP address. Make sure the type is ‘TS client’ and add your local ip address as a filter. Click ‘Ok’ until you have
closed all windows.
Now connect to the server as user ACavendish from the same machine you used to connect as the administrator. The
application ‘calculator’ will be available. You can verify the TS client IP address by going to: Diagnostics — User Sessions. Here you
will see the current sessions and their properties, like User name, TS client name, TS client IP address and so on.
Now connect from a different machine (e.g. a Virtual Machine running on your system in VMware Workstation, VirtualBox or
Hyper-V) as user ACavendish. Check if this machine has a different IP address than your local system. Logon to the server. You
will find that the application ‘calculator’ is not available. You can verify the TS client IP address by going to: Diagnostics — User
Sessions. Here you will see the current sessions and their properties, like User name, TS client name, TS client IP address and so on.
WHITELISTING
If you want to allow access to certain websites, and do not want to provide access to all of the www, you can use whitelisting.
Go to Security — Applications — Websites — Settings. Select ‘enabled’ for Website Security and for Security method choose
Whitelisting from the Dropdown list.
Return to the tab Websites, right click and choose “New...”. The “New Website Rule” window opens. Make sure ‘Enabled’ is
selected, choose a protocol (e.g. https) and add a website (e.g. https://www.res.com).
You can change the message that the end user will get in the browser by clicking on the button ‘Message’. (HTML can be used here)
Make sure you save the settings.
Logon with user BJohnson and try to open the website https://www.res.com
Next try to access the website http://www.res.com and https://www.google.com. In both cases you will receive the message
that you set (or the default message if you did not change it) and you are not allowed to access these or any other website than
https://www.res.com
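The outcome of the three test URLs above can be reproduced with a small model of a protocol-plus-website whitelist. This is an
added example, not RES ONE Workspace code: how the product matches URLs internally is not stated in this guide, and the names
RULES, is_allowed and evaluate, the example.net hosts and the assumption that a rule covers every path on its host are all
illustrative. It goes beyond the three URLs in the walkthrough by adding lookalike inputs that an exact-host matcher must reject.

```python
from urllib.parse import urlsplit

# Rule as entered in the walkthrough: one protocol plus one website.
# Assumption (not from the guide): a rule covers every path on that host.
RULES = {("https", "www.res.com")}

def normalize_host(host):
    """Lower-case the host and drop a trailing root dot."""
    return host.lower().rstrip(".")

def is_allowed(url, rules=RULES):
    """Return True only if scheme and exact host match a whitelist rule."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # parsed host only: no userinfo, no port
    except ValueError:
        return False  # unparseable URL: deny by default
    if not parts.scheme or not host:
        return False
    return (parts.scheme.lower(), normalize_host(host)) in rules

# Constructed inputs: the three URLs from the walkthrough, then lookalikes
# that contain the whitelisted name without actually being that host.
SAMPLES = [
    "https://www.res.com",
    "http://www.res.com",
    "https://www.google.com",
    "https://WWW.RES.COM/products",
    "https://www.res.com.example.net/",
    "https://www.res.com@example.net/",
    "https://example.net/?u=https://www.res.com",
]

def evaluate(urls=SAMPLES):
    """Map each URL to the whitelist decision."""
    return {u: is_allowed(u) for u in urls}

if __name__ == "__main__":
    for url, ok in evaluate().items():
        print("ALLOW" if ok else "BLOCK", url)
```

The same lookalike URLs are useful as extra checks in the BJohnson session after the rule is saved: each should produce the block message.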
NEXT STEPS
These are just a few examples of how RES can simplify IT’s management of digital workspaces while improving security and the
user experience. To learn more, visit www.res.com.
ABOUT RES
RES, the leader in digital workspace technology, helps organizations achieve better business results with reduced risks in security and compliance — while
making enterprise technology easier and less disruptive for the worker to access. RES takes a people-centric approach to making technology access secure, even
in complex multi-device/multi-location scenarios. RES boasts numerous patented technologies, fast time to value, and superior customer support for more than
3,000 companies around the world. RES was named a “Cool Vendor 2015” by Gartner, Inc., for the innovative capabilities of its RES ONE Service Store. For more
information, visit www.res.com, contact your preferred RES partner, or follow updates on Twitter @ressoftware.
© Copyright 2016 RES Software. All Rights Reserved.
All other trademarks are the properties of their respective companies.
RES ONE is a trademark of Real Enterprise Solutions Nederland B.V.
v 1.0 10/21/16