Applications close down unexpectedly even though they are not banned

Question

How does Ranger security stop application from running?

Symptoms

Applications close down unexpectedly even though they are not banned

Cause

Ranger security provides a number of ways to stop users using specific applications or parts of applications. Application checks are the most reliable because they will identify illegal applications however or from wherever they are run even - if the filename is changed.

Some applications however, cannot be uniquely identified, so title checks or path limitation checking provide flexible alternatives.

Title checking also allows individual dialogs to be identified and closed automatically. This allows specific parts of applications to be banned.


If an application closes down unexpectedly there are a number of possible causes.

Firstly, check to ensure the problem occurs as a result of Ranger security. Log on different machines as different users with different and no security. Next, remove Ranger from a machine (by logging on as the "RangerRemove" user) then log on as the same test user.

Note: Although Ranger security will no longer be in place any registry based security will still be present in the user's registry so many environment and policy-based security settings (e.g. Desktop location, Start Menu contents and visible drives) may still be configured as Ranger's settings.


To get a completely new registry remove any cached roaming profiles from the test machine and remove the User.dat and/or NTuser.dat files for the user's server home directory.

 

If you think the problem is being caused by Ranger's security, check LAN Ranger's status log to determine the reason the application was closed down. If the status log reports the program has closed but does not report a security violation thennbsp; Ranger didn't do anything explicitly to close the program. It is likely the program closed for another reason, such as an unexpected program error or a conflict with another program.

Resolution

Application closed by Ranger's application checking

 
Application checking uses Ranger's unique method of identifying applications by their Window's signature. 95 of application class-ids are unique and do not change, although occasionally programs written using similar language components can share class-ids.

If an application is closing unexpectedly then check to see if it shares it's signature with another application that is banned. The easiest way to do this is to:

1. On a workstation log on as a manager user without ranger security.
2. Run the offending program (it shouldn't close down)
3. Run RangerAdmin
4. Select the Security node, then the appropriate Ranger group within which security closes the application down.
5. Select the Application Tab

If the application does not appear in the "Running Applications" list then either Ranger cannot recognise it at all (see below), it is already in the illegal list or it shares it's ID with one of the other applications in the "Illegal Applications" list.

Remove each application from the illegal list in turn until the target application appears in the Running Applications list.

If the application cannot be identified uniquely or shares it's class-id with another program, then title checks will have to be used to identify it accurately.

Note:

Occasionally applications are written in such a way that their class-id changes each time the program is run. Test this by seeing whether an application in the "Illegal" list also appears in the "Running Application's" list when run again. If this is the case then you will have to resort to title checks or path limitations for security.

Many NT based standard Windows applications have different class-ids to their 9x counterparts. Be aware of the target operating system when configuring illegal applications. It may be necessary for example to ban command.com and cmd.exe separately from 9x and NT based machines respectively.

Application closed by Ranger's title checking

Title checks are an extremely flexible way of closing down applications with certain words or characters in their titles. Incorrect usage however may result in applications being closed unexpectedly due to an unintentional title check match.

Beware of using "Text appears anywhere in the title" matches that may inadvertently
match other applications. E.g. Using the word "nuke".

Beware of using generic text to catch titles such as "options", "properties" and "Microsoft"

Check for wildly incorrect entries such as (space) or single characters

To verify if an application is being closed due to title checks, disable title checking for the test group via RangerAdmin's SecuritySettings tab.

Testing

Logon as the affected account and test the application again.