In this guide I will share the lessons I have learned during an AppLocker implementation. The tutorial covers the following topics: planning, best practices, testing and deployment.
Like any good systems administrator, I always try to do my research before implementing a new technology. While researching AppLocker, I came across quite a bit of documentation from Microsoft, questions various people posted to message boards, but nothing that really gave me an idea of what I could actually expect during my implementation. Here are the things I’ve learned after a couple of AppLocker deployments that I hope will help you.
AppLocker – Group Policy Management Editor
What is AppLocker?
AppLocker is an application whitelisting and blacklisting feature that is built into Windows 7 and Windows Server 2008 R2. It lets you write rules in Group Policy that specify which applications, scripts, and Windows installers are allowed to run (and which ones aren’t); the rules are enforced on the client PC by the Application Identity service (AppIDSvc). Michael’s done a great job of giving an overview of AppLocker.
To implement AppLocker, you’re going to need a management station that is running Windows 7 or Windows Server 2008 R2 with the latest GPMC. AppLocker policies cannot be edited on earlier versions of Windows. You’ll also need to be running Windows 7 or Windows Server 2008 R2 on any client systems where you want to use AppLocker. If you’re using older versions of Windows, you’ll have to work with Software Restriction Policies since the older OS will ignore the AppLocker settings in a GPO.
First, you’re going to have to decide what you would like to accomplish by implementing AppLocker. This is important because it will determine how you’re going to write your AppLocker rules. In my situation, I wanted to block malware from running in user profiles and to prevent unauthorized software from being installed or run from USB media. There are two ways you can deploy your rules: Blacklisting and Whitelisting.
Blacklisting in AppLocker lets you allow everything, but block specific applications, scripts, and Windows installers that you do not want to allow on your computers. (Microsoft recently published a whitepaper on how Microsoft IT did this internally.) This method will most likely cause the fewest headaches if you know exactly what you want to block. The downside is that you’ll have to generate a list of what you want to block and keep the list up to date. This method is also easier to circumvent if you’re using file paths to identify the application, or file hashes that don’t cover every version of an application.
Whitelisting in AppLocker lets you deny everything except for specific applications, scripts, and Windows installers you want to allow. Anything that is not included in your list will be blocked. This method will require a lot more upfront work to make sure that you don’t accidentally block something, but in the long run will stop more unauthorized applications from running.
Now that you’ve decided how you want to implement AppLocker, you need to identify the executables that you’ll need to allow or deny. (I’m probably going to use the term executable most often since my goal was to control applications. In most of what I’ll discuss, script or Windows Installer can be interchanged with the term executable.) Create a new GPO in the Group Policy Management Console and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker (see screenshot above).
Here, you can right-click on Executable Rules and choose Create Default Rules. This will create rules that will allow Everyone to run files that are in Program Files and in the Windows folder. It will also create a rule that allows users with local Admin rights to run anything. The default action is Deny. This means that you’ll need to explicitly create a rule to allow everything if you’re planning on Blacklisting only.
Next, you’ll need a computer that is running a typical software load for your organization that has the Remote Server Administration Tools installed. Run the GPMC and go back to the AppLocker settings in your new GPO. Right-click on Executable Rules and choose Automatically Generate Rules. By default, you’ll be prompted to scan Program Files. You may want to consider changing the path to C:\ to catch things that end up outside Program Files. Just be aware that if you do change it, you may end up with things in your initial set of rules that you actually want blocked.
The wizard will ask whether you want Hash or Path rules for executables that don’t have digital signatures. The answer really depends on your environment and how often those files will be updated. Just be aware that if you choose file hash, you’ll need to keep your rules updated after each application update.
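The same baseline the wizard produces can be scripted with the AppLocker PowerShell module, which also makes it easy to see how many Hash rules you ended up with and to dry-run the policy before it goes into a GPO. This is an added example, not code from the original article; it assumes the AppLocker module that ships with Windows 7 / Server 2008 R2 (with RSAT), a reference PC carrying your typical software load, and an output file name of my choosing.

```powershell
# Added example (not from the original article): script the wizard's
# "Automatically Generate Rules" step and test the result before it goes
# into a GPO. Assumes the AppLocker module (Windows 7 / Server 2008 R2 with
# RSAT) on a reference PC that carries a typical software load.
Import-Module AppLocker

# Same default path the wizard scans. 'C:\' catches software installed
# outside Program Files, but may also whitelist things you want blocked.
$scanPath = 'C:\Program Files'
$outFile  = "$env:TEMP\AppLocker-Baseline.xml"   # assumed output location

# Collect publisher, hash and path information for every executable,
# script and Windows Installer package under the scan path.
$files = Get-AppLockerFileInformation -Directory $scanPath -Recurse `
             -FileType Exe, Script, WindowsInstaller

# Signed files get Publisher rules; unsigned files fall back to Hash rules
# (the wizard's Hash-or-Path question). -Optimize merges rules where it can.
[xml]$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash `
                            -User Everyone -Optimize -Xml

# Start every rule collection in audit mode: nothing is blocked yet, but
# anything that would have been blocked is written to the AppLocker event log.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($outFile)

# Hash rules are the ones that break on every application update, so count
# how many of each rule type the scan produced before paring them down.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $byType = $collection.ChildNodes | Group-Object -Property LocalName
    $summary = ($byType | ForEach-Object { "$($_.Count) $($_.Name)" }) -join ', '
    "{0}: {1}" -f $collection.Type, $summary
}

# Dry run against this PC: list executables the generated policy would NOT
# allow. 'DeniedByDefault' means no rule matched at all, which is the
# default-deny behaviour of a whitelist.
Get-ChildItem -Path 'C:\' -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $outFile -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Once the dry run looks right, the saved XML can be imported into the GPO with Set-AppLockerPolicy -XmlPolicy and the GPO's LDAP path, or merged into the rules the GPMC wizard created.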
Between the default rules and the rules created automatically by the GPMC, you should have a good starting point for your AppLocker rules. In my next article, I’ll discuss the rules that were created by the GPMC and strategies for paring them down into something more manageable.