Active Directory 2008: AppLocker Facts…

AppLocker policies (also known as application control policies) are similar to Software Restriction Policies, but have the following advantages:

  • Rules can be scoped to a specific user or security group, and a publisher rule can cover all existing, future, or previous versions of an application.
  • Policy management starts from a set of predefined rules, called default rules, that AppLocker creates for you. The default rules:
    • Are populated in a rule type (rule collection) when you select the Create Default Rules option for that type.
    • Are managed and maintained by an administrator to meet specific needs; they can be edited or deleted like any other rule.
    • Keep Windows itself running once enforcement begins. AppLocker is deny-by-default: as soon as a rule type contains any rule, every file of that type without a matching allow rule is blocked, so the default allow rules for the operating system folders are what stop enforcement from breaking the system.

The AppLocker rule types (rule collections) are described below:

Executable: An executable rule applies to files with .exe and .com extensions.

  • The default executable rules allow:
    • Everyone to run all applications in the C:\Windows and C:\Program Files directories (the rules use the %WINDIR% and %PROGRAMFILES% path variables, so they follow the actual install locations).
    • Administrators to run all applications regardless of location.
  • If you create executable rules without the default rules (or equivalent allow rules), Windows cannot run its own system files in C:\Windows and C:\Program Files once enforcement is on.
  • When you create a rule, its scope is set to Everyone. You can edit the rule to scope it to a specific security group or user account instead.
Windows Installer: The Windows Installer rule applies to .msi and .msp file extensions. The default installer rules allow:

  • Everyone to run all digitally signed Windows Installer files and all Windows Installer files in the %systemdrive%\Windows\Installer directory.
  • Administrators to run any MSI or MSP file.
  • The installation of software and software updates through Group Policy.
Script: The script rule applies to .ps1, .bat, .cmd, .vbs, and .js file extensions. The default script rules allow:

  • Everyone to run all scripts in the C:\Windows and C:\Program Files directories.
  • Administrators to run all scripts regardless of location.
DLL: The DLL rule applies to .dll (Dynamic-Link Library) and .ocx file extensions.

  • The DLL rule collection is not enabled by default. Enable DLL rules from the Advanced tab of AppLocker Properties within Group Policy.
  • When using DLL rules, every DLL that any application on the Windows 7 client loads needs an allow rule. The default DLL rules cover the C:\Windows and C:\Program Files directories; any DLL outside those locations needs a rule of its own, which usually means auditing each installed application for the libraries it loads.

Note: DLL rules affect system performance (every DLL load is checked against the policy) and require considerable administrative effort.

When you create a new rule, regardless of the rule type, you must specify a condition for the rule. Conditions are properties of files that AppLocker uses to enforce rules. AppLocker rules have the following conditions:

Publisher: The publisher condition uses the digital signature of the application's publisher. AppLocker reads the publisher name, product name, file name, and file version from the signature; each of these can be kept exact or generalised with a wildcard.

  • There is no need to obtain the certificate from the publisher, because the details of the digital signature are extracted from the application file itself.
  • If the file does not have a digital signature, it cannot be used with the publisher condition.
  • You can specify exactly which application version(s) can execute: an exact version, a specific version and above, a specific version and below, or any current or future version.
Path: The path condition specifies a folder, a file, or a wildcard pattern of files to allow or restrict.

  • If you specify a folder, the rule applies to all programs within that folder and its subfolders.
  • Path conditions are the least secure of the AppLocker conditions, because they trust a location rather than the file itself.
  • Use NTFS permissions to ensure users cannot write executable files into any location covered by an allow path rule. If a user can copy a file into an allowed folder (some subfolders of C:\Windows are writable by standard users by default), the path rule allows it to run.
Hash: The hash condition uses the digital fingerprint (also known as a file hash) of the application.

  • The hash value is computed from the content of the file, not from its name, so a renamed or moved copy still matches the rule.
  • You must recreate file hashes each time the software is updated or changes versions, because any change to the file's contents changes the hash.
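To make the three conditions concrete, here is an added example (not code from the original page) that builds one executable rule of each condition type from the same signed binary and then tests how each rule treats a copy of that binary saved under a different name in a different folder. It assumes the AppLocker PowerShell module is available, that notepad.exe on the machine is signed (so a publisher rule can be derived from it), and that Test-AppLockerPolicy evaluates only the supplied policy object, not the policy currently in effect.

```powershell
# Added example: compare Publisher, Path and Hash conditions on one file.
# Assumption: run in an elevated PowerShell on a Windows 7 or later host.
Import-Module AppLocker

$source = Join-Path $env:WINDIR 'System32\notepad.exe'
$copy   = Join-Path $env:TEMP   'renamed-editor.exe'   # same bytes, new name and path
Copy-Item $source $copy -Force

# One FileInformation object: path, hash and (if signed) publisher details.
$info = Get-AppLockerFileInformation -Path $source
if (-not $info.Publisher) {
    # Edge case from the text: an unsigned file has no publisher data, so no
    # publisher condition can be built from it. Hash and path rules still work.
    Write-Warning "$source is not signed; the publisher rule will be skipped"
}

$policies = @{}
foreach ($type in 'Publisher', 'Path', 'Hash') {
    if ($type -eq 'Publisher' -and -not $info.Publisher) { continue }

    # Policy object used for testing, plus the XML form so the condition is visible.
    $policies[$type] = New-AppLockerPolicy -FileInformation $info -RuleType $type `
                                            -User Everyone -RuleNamePrefix "Demo$type"
    [xml]$asXml = New-AppLockerPolicy -FileInformation $info -RuleType $type `
                                      -User Everyone -RuleNamePrefix "Demo$type" -Xml
    "--- $type condition ---"
    $asXml.SelectNodes('//Conditions') | ForEach-Object { $_.InnerXml }
}

# Decision table: condition type x file location.
"`n{0,-10} {1,-50} {2}" -f 'Rule', 'File', 'Decision'
foreach ($type in $policies.Keys) {
    foreach ($file in $source, $copy) {
        $d = Test-AppLockerPolicy -PolicyObject $policies[$type] -Path $file -User Everyone
        '{0,-10} {1,-50} {2}' -f $type, $file, $d.PolicyDecision
    }
}
```

Expected result: the Publisher and Hash rules return Allowed for both the original and the renamed copy (the signature and the content travel with the bytes), while the Path rule returns Allowed for the original under %WINDIR% and Denied for the copy in %TEMP%. This is the reason path rules are the weakest condition and why the NTFS caveat above matters: a path rule only ever answers "where is the file", never "what is the file".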

Be aware of the following:

  • AppLocker rules take precedence over software restriction policies on Windows Server 2008 R2 and Windows 7 clients.
  • If both software restriction policies and AppLocker policies are configured in the same policy object, only the AppLocker settings apply. Microsoft recommends that you use AppLocker for Windows Server 2008 R2 and Windows 7.
  • If no rules have been defined for a rule type, all applications of that type are allowed to run. Once you define one rule for that type, only software allowed by that rule (or by the default rules) is allowed.
  • Exceptions exempt specific applications from a rule. An exception of any condition type can be added to any rule. For example, you can create a rule with a path condition that allows all applications in C:\Windows to run, and add a hash-condition exception for the calculator application so that this rule no longer allows it.
  • AppLocker has a soft-enforcement (also known as audit-only) mode. Soft-enforcement mode:
    • Evaluates the rules but only logs the result. Software that would be blocked is still allowed to run.
    • Lets you audit AppLocker behaviour before full enforcement in the environment.
    • Shows which applications and users are affected without actually blocking anything.

Note: The enforcement mode (either Enforce rules or Audit only) applies to all rules of a specific type. You cannot selectively enforce or audit different rules within a rule type. For example, you cannot audit one executable rule and enforce another executable rule, but you can audit all executable rules and enforce all script rules.
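The exception bullet above is easier to reason about as a concrete policy. The following is an added example, not the page's own content: an executable rule that allows everything under %WINDIR% but carves out three exceptions, written as AppLocker policy XML, put into audit-only mode, and checked with Test-AppLockerPolicy before deployment. Two of the exceptions (%WINDIR%\Temp and %WINDIR%\Tasks) are an assumption drawn from common hardening practice, since those subfolders are writable by standard users; the calculator exception follows the page's own example. The rule GUID is generated at run time.

```powershell
# Added example: a path allow rule with path and hash exceptions, in audit mode.
# Assumption: run elevated; calc.exe and notepad.exe exist under %WINDIR%\System32.
Import-Module AppLocker

# Let the AppLocker module compute the calculator hash rather than typing a
# digest: generate a throwaway hash rule and lift its <FileHashCondition>.
$calcInfo = Get-AppLockerFileInformation -Path "$env:WINDIR\System32\calc.exe"
[xml]$calcRule = New-AppLockerPolicy -FileInformation $calcInfo -RuleType Hash -User Everyone -Xml
$calcHashCondition = $calcRule.SelectSingleNode('//FileHashCondition').OuterXml

# S-1-1-0 is the Everyone SID. EnforcementMode applies to the whole Exe collection.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder (with exceptions)"
                  Description="Allow %WINDIR% except user-writable subfolders and calc.exe"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
        $calcHashCondition
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'exe-with-exceptions.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Simulate the bypass the exceptions are meant to close: a binary dropped into
# a user-writable folder that sits inside the allowed %WINDIR% tree.
$dropped = Join-Path $env:WINDIR 'Temp\dropped.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

foreach ($file in "$env:WINDIR\System32\notepad.exe",
                  "$env:WINDIR\System32\calc.exe",
                  $dropped) {
    $d = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $file -User Everyone
    '{0,-45} {1,-10} {2}' -f $file, $d.PolicyDecision, $d.MatchingRule
}
```

Expected decisions: notepad.exe in System32 is Allowed by the path rule; calc.exe is Denied because the hash exception removes it from the rule's scope; dropped.exe is Denied because %WINDIR%\Temp is excepted even though it lies under %WINDIR%. Because the collection is in AuditOnly mode, deploying this policy would log those two denials (event 8003) without stopping the programs, which is exactly the point of testing the exceptions before switching the collection to Enforce rules.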

  • Events generated by AppLocker, in both audit-only and enforce mode, are written to the AppLocker event logs (Microsoft-Windows-AppLocker/EXE and DLL, and Microsoft-Windows-AppLocker/MSI and Script). Each event records the following information:
    • Rule name
    • SID of the user or group the rule applies to, and the account that ran the file
    • Path of the restricted or permitted file, with its hash and, if signed, its publisher details
    • Rule type or condition used
  • Use the following Windows PowerShell cmdlets (from the AppLocker module) to manage AppLocker policies:
    • Test-AppLockerPolicy tests whether an AppLocker policy would allow or block a given file for a given user.
    • Get-AppLockerPolicy returns the local, effective, or domain AppLocker policy as an AppLockerPolicy object or as an XML-formatted string.
    • New-AppLockerPolicy creates a new AppLocker policy from file information gathered with Get-AppLockerFileInformation (from files on disk or from the AppLocker event log).
    • Set-AppLockerPolicy applies an AppLocker policy to the specified GPO or to the local computer.
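The audit-before-enforce cycle described above, with the cmdlets just listed, as an added example (not code from the original page). The application folder C:\Apps, the GPO LDAP path, and the domain name are hypothetical placeholders; the script assumes an elevated PowerShell on a domain-joined host with the AppLocker module, and that the GPO already carries the default rules so that merging does not remove them.

```powershell
# Added example: inventory an application, build publisher rules with hash
# fallback, deploy them in audit mode, then review what enforcement would block.
# Assumptions: $appRoot and $gpoLdap are placeholders; run elevated.
Import-Module AppLocker

$appRoot    = 'C:\Apps'
$gpoLdap    = 'LDAP://DC01.corp.example/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=corp,DC=example'
$policyPath = Join-Path $env:TEMP 'lob-audit.xml'

# 1. Inventory: one FileInformation object per executable, script and DLL.
$files = Get-AppLockerFileInformation -Directory $appRoot -Recurse -FileType Exe, Script, Dll

# 2. Prefer publisher rules. With 'Publisher, Hash', New-AppLockerPolicy falls
#    back to a hash rule for any unsigned file, so the unsigned edge case is
#    covered; -Optimize merges files of the same publisher into one rule.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                              -User Everyone -RuleNamePrefix 'LOB' -Optimize -Xml

# 3. Enforcement mode is per rule collection, so set AuditOnly on each one.
[xml]$doc = $policy
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. Dry run before anything is deployed: list executables the new policy
#    would deny (expected: none, since the rules were derived from them).
Get-ChildItem $appRoot -Recurse -Include *.exe |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Filter Denied

# 5. Merge into the GPO. -Merge keeps the rules already in the GPO (such as
#    the default rules) instead of replacing the whole policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdap -Merge

# 6. Later, on a client that has applied the GPO: summarise what enforcement
#    WOULD have blocked. Event 8003 in the EXE and DLL log is "allowed, but
#    would have been prevented if the policy were enforced".
function Get-AppLockerAuditSummary {
    param([string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL')

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8003 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker events carry their details in UserData/RuleAndFileData.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                File = $data.FilePath
                User = $data.TargetUser     # SID of the account that ran the file
                Rule = $data.RuleName       # empty when no rule matched at all
            }
        } |
        Group-Object File, User |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-AppLockerAuditSummary
```

When the summary stays empty for a representative period of normal use, the collections can be switched from AuditOnly to Enabled (the same EnforcementMode attribute, or the Enforce rules option in the GPO editor) and the policy re-applied with Set-AppLockerPolicy. Get-AppLockerFileInformation also accepts -EventLog with -LogPath and -EventType Audited, which returns the same audited files as FileInformation objects that can be fed straight back into New-AppLockerPolicy to generate the missing allow rules.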
