AppLocker Audit vs. Enforced mode

If you haven't done so already, you should first read my previous AppLocker article, where we created our AppLocker rules from event log data. We can now move from AppLocker Audit mode to AppLocker Enforced mode.
By Sami Laiho

Until now, we have only been auditing. Audit mode only writes event log entries for apps that would have been blocked if AppLocker were in Enforced mode; nothing is actually stopped. When moving to Enforced mode, you need to be ready to react quickly. When a client can't run something it needs, you have a few options:

  1. Make the app work by moving it to a trusted path.
  2. Sign the app and trust your own code signing certificate.
  3. Create an AppLocker rule to allow the app.

Sometimes the problem needs to be solved super-fast, or the person having it is a VIP whom we really need on our side with the project. There's nothing more important than having management buy in on things like this, so you don't want to kill AppLocker at the start by angering VIPs or stopping people from being productive.

What I recommend is that you create a new policy that you use for enforcing AppLocker and keep another policy for auditing. You can export and import AppLocker rules as XML, so it's easy to copy from one policy to another.

Filter the GPOs so that you can instruct the ServiceDesk to just move the user's computer to another group if they are not able to solve a problem quickly. Then you can have the computer just audit while you fix the issue. When you're done, move the computer back to Enforced mode. I call this auditing policy PANIC MODE.
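As an added example (not from the original article), the following PowerShell script builds the PANIC MODE policy from the Enforced one: it exports the Enforced GPO's rules as XML, flips every rule collection to AuditOnly, checks that nothing is still enforced, and imports the copy into the Audit GPO. The GPO LDAP paths and file names are placeholders you must replace; the AppLocker cmdlets and the EnforcementMode values (Enabled, AuditOnly, NotConfigured) are the real ones.

```powershell
# Added example: clone an Enforced AppLocker policy into an Audit-only ("PANIC MODE") policy.
# The LDAP paths below are placeholders for your own GPOs (assumption, not real values).
$EnforcedGpoLdap = 'LDAP://CN={GUID-OF-ENFORCED-GPO},CN=Policies,CN=System,DC=example,DC=local'
$PanicGpoLdap    = 'LDAP://CN={GUID-OF-PANIC-GPO},CN=Policies,CN=System,DC=example,DC=local'
$ExportPath      = Join-Path $env:TEMP 'AppLocker-Enforced.xml'
$PanicPath       = Join-Path $env:TEMP 'AppLocker-Panic.xml'

# 1. Export the rules from the Enforced GPO as XML (same data the GUI export produces).
Get-AppLockerPolicy -Domain -Ldap $EnforcedGpoLdap -Xml |
    Out-File -FilePath $ExportPath -Encoding utf8

# 2. Load the XML and switch every enforced rule collection (Exe, Msi, Script, ...) to AuditOnly.
#    The rules themselves are kept unchanged, so the audit events still tell you which rule matched.
[xml]$policy = Get-Content -Path $ExportPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.EnforcementMode -eq 'Enabled') {
        $collection.EnforcementMode = 'AuditOnly'
    }
}
$policy.Save($PanicPath)

# 3. Sanity check before writing to the domain: no collection may still block anything.
$stillEnforced = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.EnforcementMode -eq 'Enabled' }
if ($stillEnforced) {
    throw "Panic policy still enforces: $($stillEnforced.Type -join ', ')"
}

# 4. Import the audit-only copy into the PANIC MODE GPO.
#    Without -Merge this replaces the rules already in that GPO, which is what we want here.
Set-AppLockerPolicy -XmlPolicy $PanicPath -Ldap $PanicGpoLdap

# 5. Show what was written: one line per rule collection with its mode and rule count.
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode, @{ Name = 'Rules'; Expression = { @($_.ChildNodes).Count } }
```

Run it again whenever you add rules to the Enforced policy, so the PANIC MODE GPO never drifts from the one it is meant to back up.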

Exporting and importing AppLocker rules can be done via an XML file

You should now set the policies as seen in the picture.

Moving AppLocker to Enforced mode will actually block apps that are not trusted

Keeping another policy in Audit mode to quickly allow computers to run apps if needed

The Enforced policy should hit about 25% of your final target, and the rest should stay in Audit mode. Then let it run for a few more weeks to see how everything goes. After that, you are ready to move the rest of the environment to Enforced mode.

After this, you still have a few tasks to do in the project: hardening AppLocker and adding the DLLs. We will go through this in the last blog post.
