- Hardening AppLocker - Thu, Jun 25 2020
- AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
- Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020
My normal flow of running an AppLocker project is as follows:
- Install event log forwarding and required GPOs.
- Create basic rules for auditing.
- Log for 3–4 weeks.
- Create the first custom rule set based on the logged
- Log for 3–4 weeks.
- Tweak the rules based on the logged events.
- Teach ServiceDesk to deal with AppLocker and inform users.
- Configure about 25% of the clients to use enforced mode and create a PANIC policy.
- Run for 3–4 weeks.
- Configure the rest (75%) of the clients to use enforced mode.
- Harden AppLocker.
- Include DLLs in the project. First audit all and then enforce, like with other executables.
The most important feature in a successful AppLocker project is logging. If you have a system already forwarding logs from clients (such as Splunk), you could use that; I mostly install Windows' own Event Log Forwarding, which has been available since Vista. Below is my simple guide for enabling Event Log Forwarding. You need a file server for this that is at least Server 2008.
Configuration steps on the server:
- Run the following on an elevated command prompt:
  - Winrm quickconfig
  - Wecutil qc
- Make sure you have an incoming firewall rule to allow port 5985 (TCP).
- In the Event Viewer:
  - Increase the size of the Forwarded Events log to ten times the default and change it to Archive when full.
  - Create a subscription with the following settings:
- To make the events readable, run the following on an elevated command prompt:
  - Wecutil es
  - Wecutil ss "Name of subscription" /cf:Events
Configuration steps in Group Policy:
- Create a GPO that is filtered to apply to the computers to be audited for AppLocker.
- Configure the following settings on the GPO (replacing the server name with your server):
Note: for Windows 10, you don't necessarily need to set the AppIDsvc to Automatic anymore.
You can also forward the entries to a SQL database, as shown in this article.
For troubleshooting purposes, you will need to look at a client's local event log at some point. The problem with this is that the default size of the log, only 1MB, will not hold entries older than maybe a day. You should raise it. Although in theory the logs should be forwarded to the Event Collector, this will not always be the case; trust me, I know. To change the log size, you can use a Group Policy preference to set the MaxSize value.
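As an added example (not code from the original post), the following PowerShell does on a single test client what the Group Policy preference above does centrally: it raises the maximum size of the four local AppLocker channels and then reads the settings back so you can confirm the change took effect. The 50 MB figure is an assumed value chosen for illustration; pick whatever your disk budget allows.

```powershell
# Added example (not from the original post): raise the local AppLocker channel sizes
# on one client for troubleshooting. Run from an elevated PowerShell prompt.
# The 50 MB figure is an assumption, not a value from the article.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Deployment',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)
$newSize = 50MB

foreach ($name in $channels) {
    # EventLogConfiguration object; changes are written when SaveChanges() is called
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    Write-Host ("{0}: {1:N0} bytes -> {2:N0} bytes" -f $name, $log.MaximumSizeInBytes, $newSize)
    $log.MaximumSizeInBytes = $newSize
    $log.SaveChanges()
}

# Verify: this is the same value a GP preference writes to
# HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>\MaxSize
Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' |
    Select-Object LogName, MaximumSizeInBytes, LogMode, IsEnabled |
    Format-Table -AutoSize
```

If a channel is later managed by the Group Policy preference, the policy value wins on the next refresh, so use this only to test the effect on one machine before rolling the preference out.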
Next, you need to create a GPO for the computers' AppLocker settings. I normally make this apply to all workstations, as it doesn't block anything in audit mode and the more log data we get, the better. But what I would recommend is to start without DLL rules. When you run notepad.exe, you get one entry in the log. If you have DLLs monitored, you will get around a hundred entries. So, it's just easier to start without them so that you can first learn how AppLocker works and how to live with it. When you are done, it's easy to add DLLs.
- Set the AppLocker policies as follows by creating the default rules for every category and setting the enforcement options to Audit:
Now make sure that you are getting events to the Event Log Collector server's ForwardedEvents log. If you are running it on a Server 2016 or newer, you might need to configure a few more settings based on this article.
Now you should let the auditing gather data for the next 3–4 weeks. After that, we are ready to create the first custom rules for your environment based on the logs. We will go through this in the next blog post.
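To check that the collector is actually receiving AppLocker audit events, and which clients are (and are not) reporting, here is an added PowerShell example to run on the Event Collector server. It is not code from the original post. It assumes the default ForwardedEvents log and a seven-day window, and it reads the file path from the event's UserData XML rather than from the message text, so it works regardless of the display language. Event ID 8003 is the audit-mode "would have been blocked" event and 8004 the enforced-mode block.

```powershell
# Added example (not from the original post): run on the Event Collector server to confirm
# that AppLocker audit events are arriving in ForwardedEvents. The 7-day window is assumed.
# 8003 = EXE/script allowed but would have been blocked if enforced; 8004 = blocked (enforced).
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'ForwardedEvents'
    ProviderName = 'Microsoft-Windows-AppLocker'
    Id           = 8003, 8004
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No AppLocker audit events since $since. Check the subscription with: wecutil gr `"<subscription name>`""
    return
}

# AppLocker stores rule and file details under UserData/RuleAndFileData in the event XML
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        Computer = $e.MachineName
        Time     = $e.TimeCreated
        Id       = $e.Id
        Policy   = $x.Event.UserData.RuleAndFileData.PolicyName   # EXE, SCRIPT, MSI, ...
        FilePath = $x.Event.UserData.RuleAndFileData.FilePath     # uses %OSDRIVE%, %PROGRAMFILES% variables
        User     = $x.Event.UserData.RuleAndFileData.TargetUser
    }
}

'--- Events per client (a client missing here is not forwarding) ---'
$rows | Group-Object Computer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

'--- Most frequent paths audit mode would have blocked (candidates for custom rules) ---'
$rows | Where-Object Id -eq 8003 | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize
```

The first table is the health check for the forwarding setup; the second is the raw material for the custom rule set covered in the next post, since each path that shows up repeatedly is either something to allow by publisher or hash, or something that genuinely should not be running.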