- Hardening AppLocker - Thu, Jun 25 2020
- AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
- Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020
Until now, we have only been auditing. Audit mode only adds event log entries about apps that would have been prevented if AppLocker was in Enforced mode. When moving to Enforced mode, you need to be ready to react quickly. When you have a client that can't run what is needed, you have a few options:
- Make the app work by moving it to a trusted path.
- Sign the app and trust your own code signing certificate.
- Create an AppLocker rule to allow the app.
Sometimes the problem needs to be solved super-fast, or the person having it is a VIP that we really need to be on our side with the project. There's nothing more important than having management buy in on things like this, so you don't want to kill AppLocker in the beginning by angering VIPs or stopping people from being productive.
What I recommend is that you create a new policy that you use for enforcing AppLocker and keep another policy for auditing. You can export and import AppLocker rules as XML, so it's easy to copy from one policy to another.
Filter the GPOs so that you can instruct the ServiceDesk to just move the user's computer to another group if they are not able to solve a problem quickly. Then you can have the computer just audit while you fix the issue. When you're done, move the computer back to Enforced mode. I call this auditing policy PANIC MODE.
You should now set the policies as seen in the picture.
The Enforced policy should hit about 25% of your final target, and the rest should stay in Audit mode. After this, let it run again for a few weeks to see how everything goes. After that, you are ready to move the rest of the environment to Enforced mode.
Subscribe to 4sysops newsletter!
After this, you still have a few tasks to do in the project: hardening AppLocker and adding the DLLs. We will go through this in the last blog post.