Amazon WorkSpaces Application Manager
Administration Guide

Setting File Security

The standard security settings for the files in your application may need to be bypassed by specific application processes. For example, an application patch (such as Windows Updates) may be required to modify a file with a read-only attribute. In this case, a security override can be used to allow this to happen while still protecting the application. Another example would be to not allow anti-virus or indexing software from fetching all the application pages. This undesirable side effect can also be prevented by denying those specific processes from accessing the virtual application.


Using a different security setting only affect the file security settings but do not change the visibility of the disposition layer. If the file disposition is set to Virtual-isolated (layer 4), then setting a system process to override all the security settings still does not allow that process to see this file.

To change the security of a file

  1. In Amazon Studio, choose Update to get the files in your package.

  2. Under 3. Optional settings, choose Settings.

  3. In the navigation pane, choose Security and Add.

  4. In the Security Override Process dialog box, do the following:

    • For Process name, type the exact name of the process for the security override controls. Do not use wildcards.

    • For Recognition method, choose one of the following methods to use to determine which file version to override the process. You many have several versions of the same file in the system. For any option that requires a file path, enter the path and file name in the Process file field.

      Process name

      Use only the process name. This is the weakest verification method.

      Process path

      Use the path and filename of the process.

      MD5 Hash

      Use an MD5 algorithm to compute and store a fingerprint of the executable file to verify that the process file is authentic. This method is the most secure verification method.

      CRC Checksum

      Use a CRC algorithm to compute and store a checksum value to verify that the process file is authentic.

    • For Choose how virtual assets should be accessed (disposition override), choose one of the following:

      Allow or deny access based on the dispositions specified for the virtual assets

      Use the individual disposition setting for files, folders, registry keys, and values.

      Always allow access

      Treat all files, folders, registry keys, and values as having Virtual-integrated (layer 3) disposition, even if they have Virtual-isolated (layer 4) disposition.

      Always deny access

      Treat all files, folders, registry keys, and values as having Virtual-isolated (layer 4) disposition, even if they have Virtual-integrated (layer 3) disposition.

    • For Security settings override, choose Allow or Deny for the following options and choose Apply.


      Deny takes precedence over Allow. Choosing both settings is the same as choosing Deny.

      Read or copy content of files

      Read or copy the application files.

      Write or modify content of files

      Write or modify the contents of the application files.

      Make files visible through folder listings

      Show the files in the folder listing.