Applocker 2 7 0 3
Forget AppLocker and all its weaknesses and start using Microsoft Defender Application Control for superior application whitelisting in Windows 10 1903 and later.
Download App Locker for Windows 10 for Windows to this application is for all the people who wants to make their apps password protected. Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule. After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. To modify AppLocker rules, see the following: Edit AppLocker Rules. AppLocker requirements AppLocker enforcement is available in all editions of Windows Server 2008 R2, Windows Server 2012, Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Ultimate, and Windows 8 Enterprise. To use AppLocker, you need: You must be logged in as an administrator to be able to do this tutorial.
This is a guide to get you started within an hour or two with what I call “AppLocker Deluxe” and that is Microsoft Defender Application Control,formerly known as Device Guard and up until recently Windows Defender Application Control (WDAC).
Most customers that did not use AppLocker before Wannacry and other types of ransomware attacks are now using AppLocker to prevent malicious software to run on their Windows devices. As many security specialists have shown, there are numerous ways to bypass AppLocker and still get code to execute. One of them being using regsvr32 to download and execute script directly from the internet for instance.
What is superior to AppLocker is Microsoft Defender Application Guard (MDAC). This takes application whitelisting to a new level and with Windows 10 version 1903 it becomes the first time since Windows 10 launched that it is actually usuable in many common day scenarios as the administration can now be on a level which is really to manage. The reason for this it being rather easy to manage now is primarily:
- Multiple policies. You can have multiple policies complementing each other so that you do not have to sign everything nor have to create an entirely new baseline each time you want to allow new things to run.
- Path rules. You can use path rules as of Windows 10 version 1903. As always, this is a balance between security and useability and administration so bear in mind and use this with caution. What is good is that MDAC comes with a use writable protection.
Pre-reqs for getting started
So to get started in something that looks like a real world scebario you need this:
- 2 physical machines, different hardware models, that run Windows 10 version 1903 or preferably 1909 or later as that gives you some better insights.
- A couple of hours of your time to get going!
High level steps
- Create a baseline on each hardware model.
- Merge the baselines into one general baseline.
- Create a supplemental policy.
- Deploy the two policies.
- Start the testing.
- Switch from Audit to Enforced mode!
1. Create a baseline on each hardware model
Let’s start with creating a baseline policy from two different machines, which will later be merged to one baseline policy. We will start with auditing, and eventually in the end of this guide switch to enforced mode.
Now we set the necessary options for the code integrity policy, which is to use Microsofts Intelligent Security Graph for whitelisting (option 14), to allow supplemental policies to be used (option 17) and then we set Hardware Virtualized Code Integrity (HVCI) to Enabled.
Repeat the above process for at least two models, but preferably for each model you have in your environment (or at least the top five mot used models).
Note: Enabling the Intelligent Security Graph option will white list the installer for 7-Zip for instance. It will then also white list all executables that the 7-Zip installer puts on your system.
2. Merge the baselines into one general baseline
We will now merge the baselines from the two models (or more) and create one single baseline policy.
Last but not least you must change the name of the Merged.cip file to match the Policy ID of the file which can be found at the bottom in the Merged.xml file, see the <PolicyID> section. The end result should look like {76300157-42A0-4A2D-A383-AF140D64AAE0}.cip.
3. Create a supplemental policy
Now we will create the first supplemental policy to supplement the baseline policy created in step 1 and 2. This is using path rules which is something that was added with Windows 10 version 1903.
You must change the name of the Supplemental.cip file to match the Policy ID of the supplemental file which can be found at the bottom in the Supplemental.xml file, see the <PolicyID> section. The end result should look like {56B75B7A-06D3-49EF-BCF8-8FC47C6ADA20}.cip.
4. Deploy the two policies
Now, lets deploy the two policies by copying them to C:WindowsSystem32CodeIntegrityCIPoliciesActive.
For the sake of it, restart the machine. You could also use the below PowerShell command to refresh the policy without reboot:
5. Start the testing
Now you can start the testing and see what is blocked by fetching the log files which are located in Event Viewer under Applications and Services Logs > Microsoft > Windows > Code Integrity > Operational.
6. Switch from audit mode to enforced mode!
Out of everything that would have been blocked by fetching the logs as mentioned in step 5, create additional supplemental policies and deploy until everything you need to run is white listed. Then, switch from audit mode to enforced!
Applocker 2 7 0 3300 0
Deploying via Intune
Even though there are existing configuration settings for enabling Microsoft Defender Application Control in an Intune endpoint restrictions policy, enabling it via those settings will mean very limited control and you cannot use supplemental policies. So, therefore you need to deploy these control policies in another way.
1. Create a source folder in C: named MDAC, in which you create a folder named Source, where you copy the .CIP files.
2. Create a textfile named SchTask.ps1 and add the following content.
3. Create a textfile named MDAC.ps1 and add the following content.
Applocker 2 7 0 32
4. As we will deploy this using a Win32 app, download the Intune content prep tool and run the following command from the extracted IntuneWinAppUtil.exe.
IntuneWinAppUtil.exe -c C:MDACSource -s SchTask.ps1 -o C:MDAC
5. Create a new Win32 app in Intune and use the following parameters when adding it:
Program install and uninstall command:
powershell.exe -ExecutionPolicy Bypass .SchTask.ps1
Running as System.
Detection rules:
Type: File
Path: C:WindowsSystem32CodeIntegrityCiPoliciesActive
File or folder: {GUID}.cip
Detection method: file or folder exists
6. Assign the app and wait for the MDAC policy to apply. This can be verified by running msinfo32.exe and watching the status for Windows Defender Application Control.
Next steps: Looking at the CSP for Application Control for even smoother deploying via Intune.
-->Applies to
- Windows 10
- Windows Server
This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
Note
AppLocker is unable to control processes running under the system account on any operating system.
AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
- Simplify creating and managing AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios:
Application inventory
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
Protection against unwanted software
AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running.
Licensing conformance
AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
Software standardization
AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This permits a more uniform app deployment.
Manageability improvement
AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run.Software publishers are beginning to create more apps that can be installed by non-administrative users. This could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. By creating an allowed list of approved files and apps, AppLocker helps prevent such per-user apps from running. Because AppLocker can control DLLs, it is also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked or it is expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools are not allowed within the organization, or only specific users should have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
Note
AppLocker is a defense-in-depth security feature and not a security boundary. Windows Defender Application Control should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
Applocker 2 7 0 38
Note
The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
Using AppLocker on Server Core
AppLocker on Server Core installations is not supported.
Virtualization considerations
You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails.
Security considerations
Application control policies specify which apps are allowed to run on the local computer.
The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it is important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For additional information about specific security issues, see Security considerations for AppLocker.
When you use AppLocker to create application control policies, you should be aware of the following security considerations:
- Who has the rights to set AppLocker policies?
- How do you validate that the policies are enforced?
- What events should you audit?
For reference in your security planning, the following table identifies the baseline settings for a PC with AppLocker installed:
| Setting | Default value |
|---|---|
| Accounts created | None |
| Authentication method | Not applicable |
| Management interfaces | AppLocker can be managed by using a Microsoft Management Console snap-in, Group Policy Management, and Windows PowerShell |
| Ports opened | None |
| Minimum privileges required | Administrator on the local computer; Domain Admin, or any set of rights that allow you to create, edit and distribute Group Policy Objects. |
| Protocols used | Not applicable |
| Scheduled Tasks | Appidpolicyconverter.exe is put in a scheduled task to be run on demand. |
| Security Policies | None required. AppLocker creates security policies. |
| System Services required | Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. |
| Storage of credentials | None |
In this section
Applocker 2 7 0 35
| Topic | Description |
|---|---|
| Administer AppLocker | This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. |
| AppLocker design guide | This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. |
| AppLocker deployment guide | This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. |
| AppLocker technical reference | This overview topic for IT professionals provides links to the topics in the technical reference. |