AppLocker is a simple tool with a lot of potential for application control policies. You can configure it with relaxed policies, or lock down the environment with complex restrictions that will give the administrator a headache. For this demo we will be enabling AppLocker in a relaxed "trusted publisher" configuration: anything signed by a publisher that is already installed on the reference machine is allowed, everything else is blocked. You will need a server/workstation to use as the reference machine, and access to Group Policy. For the reference machine used below I used Advanced Group Policy Management (AGPM) from the MDOP suite.
First we need to set the "Application Identity" service (AppIDSvc) to start automatically via Group Policy on the server(s) / workstation(s) that will have AppLocker enabled. AppLocker enforces nothing while this service is stopped, so this step is not optional.
Edit the Group Policy object being applied to the server(s) / workstation(s):
Computer Configuration / Policies / Windows Settings / Security Settings / System Services / Application Identity, and set the startup mode to Automatic.
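The same thing done locally on the reference machine, as an added example that is not part of the original post: it sets AppIDSvc to Automatic, starts it, and shows the state you should expect to see once the GPO above applies. It assumes an elevated prompt. The registry fallback is for newer Windows 10 / Server builds, where AppIDSvc is a protected service and Set-Service or sc.exe are refused with "Access is denied".

```powershell
# Added example (not from the original post): make sure the Application
# Identity service is set to Automatic and running on this box.
# Run from an elevated PowerShell prompt.

try {
    # Works on Windows 7 / Server 2008 R2 and most later builds.
    Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction Stop
}
catch {
    # On newer Windows 10 / Server builds AppIDSvc is a protected service and
    # changing its configuration with Set-Service / sc.exe is denied. The GPO
    # setting above is the supported route; the registry value it writes is
    # Start = 2 (Automatic) and takes effect after a reboot.
    Write-Warning "Set-Service refused ($($_.Exception.Message)); writing Start=2 in the registry instead."
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc' -Name Start -Value 2
}

if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# AppLocker silently allows everything while this service is stopped, so make
# this check part of every test run: 'Running' is the only acceptable answer.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

On Windows 7 / PowerShell 2.0 the StartType property is not exposed by Get-Service; use `(Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode` there instead.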
Expand Application Control Policies:
Computer Configuration / Policies / Windows Settings / Security Settings / Application Control Policies / AppLocker
Select Configure rule enforcement. For this demo we will be enforcing "Executable rules". As you can see you can also lock down "Windows Installer", "Scripts", and "Packaged apps" (the Metro-style apps), how cool 🙂 Each rule collection has its own mode: "Enforce rules" blocks anything not allowed, "Audit only" logs what would have been blocked without stopping it. If you are not sure your rules cover everything the users need, start in Audit only and switch to Enforce once the AppLocker event log is quiet.
Notice we have 0 rules enforced in the Overview Pane.
Now remote to the reference machine that we will be creating the policy from. It has to be Windows 7 / Server 2008 R2 or above (on Windows 7 only the Enterprise and Ultimate editions enforce AppLocker rules), with access to Group Policy; we will be using AGPM.
Security Settings / Application Control Policies / AppLocker / Executable Rules / Automatically Generate Rules…
Select who you want this restriction policy to apply to; for this demo, Everyone. Note that the default rules added at the end of the wizard include an allow-everything rule for the local Administrators group, so administrators on the box will be exempt from the policy regardless of who you pick here. Select the folder containing the programs you wish to whitelist. Repeat this process for C:\Program Files (x86), D:\Program Files, D:\Program Files (x86), and so on.
For the most relaxed and simplest policy select "Create publisher rules for files that are digitally signed". A publisher rule matches on the signer's certificate (and, as narrowly as you choose, product name, file name and version), so any version of a program signed by that publisher is trusted without re-capturing anything. Note that this is a check on the file's signature chaining to a trusted root on the machine; it is not Microsoft certifying the publisher. If you instead select "Create file hash for all files" you will run into a versioning nightmare: version 2.0 of PuTTY's hash is captured during this process, but if a user wants to use 1.0 or 3.0 (or a patch changes a single byte of the binary) you will have to perform this capture process again for each version. Files in the folder that are not signed fall back to the rule type you pick underneath this option, file hash or path.
You can now select / deselect which files you want included in the policy.
Finally you will receive a prompt asking whether to create the default rules. Select Yes, or you will have a broken OS unless you want to spend hours creating rules for the allowed system files. For executables the default rules allow everyone to run everything under %WINDIR% and %PROGRAMFILES%, and allow the local Administrators group to run anything at all.
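The whole "Automatically Generate Rules" walk-through above (inventory the Program Files folders, publisher rules for signed files, hash rules for the rest, then the default rules), as an added example done with the AppLocker PowerShell module instead of the wizard, so it can be re-run on the reference machine without clicking through each folder. This is not code from the original post. It assumes the folders listed exist on the reference machine, `policy.xml` is just an output file name, and the rule GUIDs are freshly generated placeholders; the default rules are built by hand because New-AppLockerPolicy does not add them for you.

```powershell
# Added example (not from the original post): generate the relaxed
# "trusted publisher" executable policy from the reference machine.
# Run elevated on the Windows 7 / Server 2008 R2 (or later) reference box.
Import-Module AppLocker

# Assumed folder list; adjust to the drives on your reference machine.
$folders = 'C:\Program Files', 'C:\Program Files (x86)',
           'D:\Program Files', 'D:\Program Files (x86)' |
           Where-Object { Test-Path $_ }

# Inventory the executables. Signed files carry publisher information,
# unsigned files only a hash, which is what the wizard's "publisher, fall
# back to hash" option keys off.
$files = foreach ($f in $folders) {
    Get-AppLockerFileInformation -Directory $f -Recurse -FileType Exe
}

# Publisher rules first, hash rules only where no signature exists. -Optimize
# collapses many files from one publisher into a single rule, which is the
# "trust the publisher, any version" behaviour described above.
$generatedXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize `
    -RuleNamePrefix 'Reference' -IgnoreMissingFileInformation -Xml
$policy = [xml]$generatedXml

# The default rules the wizard prompts for, written out explicitly:
# %PROGRAMFILES% and %WINDIR% for Everyone (S-1-1-0), everything for
# BUILTIN\Administrators (S-1-5-32-544). The Ids are placeholder GUIDs.
$defaults = [xml]@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Administrators run everything"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Append the default rules to the generated Exe collection and start in
# Audit only; flip to "Enabled" once the event log shows nothing unexpected.
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exe.SetAttribute('EnforcementMode', 'AuditOnly')
foreach ($rule in $defaults.AppLockerPolicy.RuleCollection.FilePathRule) {
    [void]$exe.AppendChild($policy.ImportNode($rule, $true))
}

$out = Join-Path (Get-Location) 'policy.xml'
$policy.Save($out)

# Dry-run the finished policy before it goes anywhere near a GPO: one file
# that should be allowed, one that should not (assumed paths).
Test-AppLockerPolicy -XmlPolicy $out -User Everyone -Path `
    'C:\Program Files\PuTTY\putty.exe', 'C:\Users\Public\unsigned-tool.exe'
```

To get `policy.xml` into the GPO, check the GPO out in AGPM, right-click the AppLocker node, choose Import Policy... and point it at the file (import replaces whatever AppLocker policy the GPO already holds). Set-AppLockerPolicy can do the same with `-XmlPolicy .\policy.xml -Ldap '<LDAP path of the GPO>'`, but that writes straight into the live GPO and bypasses AGPM's check-in workflow.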
Now we can see what is being applied in the rule.
Now let's see how we did. Do a gpupdate /force on the computers receiving the AppLocker policies.
Map to an .exe from a publisher that was not included when you created the policy (or any unsigned .exe outside Program Files and Windows), run it, and BAM, you should be denied. Every decision is also written to Event Viewer under Applications and Services Logs / Microsoft / Windows / AppLocker / EXE and DLL: event ID 8004 is a block, 8003 is "would have been blocked" in Audit only mode, 8002 is an allow.
Make sure you are not testing with a Domain Admin account as I was. Domain Admins are members of the local Administrators group, and the default rules allow Administrators to run anything, so the policy does not block DAs! Test with a standard user account.
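The verification steps above on a client, as an added example that is not part of the original post: refresh policy, confirm the effective Executable collection is actually enforced, ask AppLocker what it would decide for the test file, run it, and then read back the 8002/8003/8004 events. It assumes `\\fileserver\tools\untrusted.exe` is a constructed path to an executable whose publisher and hash are not in the policy, and that it is run as a standard (non-administrator) user.

```powershell
# Added example (not from the original post): check enforcement on a client.
# Run as a normal user, NOT a member of Administrators / Domain Admins.
Import-Module AppLocker

# Constructed path to a test binary whose publisher is not in the policy.
$testExe = '\\fileserver\tools\untrusted.exe'

gpupdate /target:computer /force | Out-Null

# 1. What did the merged GPOs actually deliver? The Exe collection must show
#    EnforcementMode "Enabled" (or "AuditOnly" during the pilot), and the
#    Application Identity service must be running, or nothing is enforced.
$effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$effective.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{ n = 'Rules'; e = { $_.ChildNodes.Count } }
Get-Service -Name AppIDSvc | Select-Object Name, Status

# 2. Ask the engine for its decision on the test file for this user before
#    running anything. PolicyDecision should read "Denied" for $testExe.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $testExe -User $me

# 3. Try to run it. With the policy enforced, Start-Process fails with
#    "This program is blocked by group policy".
try {
    Start-Process -FilePath $testExe -Wait -ErrorAction Stop
    Write-Warning "$testExe ran. Either enforcement is off or this account is exempt."
}
catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

# 4. Read the AppLocker decisions from the last ten minutes. 8004 = blocked,
#    8003 = audit only (would have been blocked), 8002 = allowed.
$meaning = @{ 8002 = 'allowed'; 8003 = 'audit: would be blocked'; 8004 = 'blocked' }
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8002, 8003, 8004
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Decision'; e = { $meaning[[int]$_.Id] } }, Message |
    Format-Table -AutoSize -Wrap
```

If step 3 runs the file while step 2 says Denied, the usual reasons are an elevated prompt (the Administrators default rule applies to the elevated token), a stopped AppIDSvc, or a second GPO whose Exe collection is still "Not configured" winning the merge.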
Simple, versatile, included in Windows, and secure. AppLocker is a sweet little tool!
If you are using Microsoft App-V make sure you whitelist the App-V path: %OSDRIVE%\ProgramData\App-V\*-*\*
-END OF LINE-