AppLocker best practices

In my last post, I explained why I prefer AppLocker whitelisting over blacklisting. In this article, I will describe the best practices I've learned from deploying AppLocker in a few-man company to an organization with 500,000+ seats, both military-grade and not.
By Sami Laiho

My normal flow of running an AppLocker project is as follows:

  1. Install event log forwarding and required GPOs.
  2. Create basic rules for auditing.
  3. Log for 3–4 weeks.
  4. Create the first custom rule set based on the logged events.
  5. Log for 3–4 weeks.
  6. Tweak the rules based on the logged events.
  7. Teach ServiceDesk to deal with AppLocker and inform users.
  8. Configure about 25% of the clients to use enforced mode and create a PANIC policy.
  9. Run for 3–4 weeks.
  10. Configure the rest (75%) of the clients to use enforced mode.
  11. Harden AppLocker.
  12. Include DLLs in the project. First audit all and then enforce, like with other executables.

The most important part of a successful AppLocker project is logging. If you already have a system forwarding logs from clients (such as Splunk), you can use that; I mostly install Windows' own Event Log Forwarding, which has been available since Vista. Below is my simple guide to enabling Event Log Forwarding. You need a server for this running at least Server 2008.

Configuration steps on the server:

  1. Run on an elevated command prompt:
    1. Winrm quickconfig
    2. Wecutil qc
  2. Make sure you have an incoming firewall rule to allow port 5985 (TCP).
  3. In the Event Viewer:
    1. Increase the maximum size of the Forwarded Events log tenfold (the default is 20 MB) and set it to archive the log when full.
    2. Create a subscription with the following settings:
The server that collects the logs needs to have an event subscription configured

The event subscription should be targeted to all domain computers

Gathering all AppLocker related logs with Event Log Forwarding

  4. To make the events readable, run the following on an elevated command prompt:
    1. Wecutil es
    2. Wecutil ss "Name of subscription" /cf:Events
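The collector-side steps above as one script, added here as an example; it is my own, not part of the original post. Run it in an elevated PowerShell on the collector. It assumes the subscription is called AppLocker and that the sources are the Domain Computers and Domain Controllers groups (the DC and DD SIDs in the SDDL string); change both to suit your domain.

```powershell
# Added example, not from the original post. Elevated PowerShell on the collector.
# Assumed names: subscription "AppLocker"; sources = Domain Computers (DC) and
# Domain Controllers (DD).

# 1. WinRM listener and the Windows Event Collector service (the two commands above).
winrm quickconfig -q
wecutil qc /q:true

# 2. Inbound rule for WinRM over HTTP. quickconfig adds one for the domain profile;
#    netsh is used here because it also exists on Server 2008 R2.
netsh advfirewall firewall add rule name="WinRM HTTP 5985 (event forwarding)" dir=in action=allow protocol=TCP localport=5985

# 3. ForwardedEvents: ten times the 20 MB default, and "Archive the log when full"
#    (retention on + auto-backup on) instead of overwriting old events.
wevtutil sl ForwardedEvents /ms:209715200 /rt:true /ab:true

# 4. Source-initiated subscription that takes everything from all four AppLocker
#    channels. AllowedSourceDomainComputers is SDDL: GA (all access) for DC and DD.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/05/events/Subscription/">
  <SubscriptionId>AppLocker</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>All AppLocker events from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>60000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">*</Select>
        <Select Path="Microsoft-Windows-AppLocker/MSI and Script">*</Select>
        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">*</Select>
        <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'applocker-subscription.xml'
$subscription | Set-Content -Path $xmlPath -Encoding UTF8
wecutil cs $xmlPath

# 5. The two commands from the step above: list subscriptions, then force the
#    Events content format (the XML already asks for it; the ss call is what fixes a
#    subscription that was created in the GUI with the RenderedText default).
wecutil es
wecutil ss AppLocker /cf:Events

# 6. Check: once clients have picked up the GPO, each one is listed here with its
#    last heartbeat; an empty list means the client side is not configured yet.
wecutil gr AppLocker
```

The MaxLatencyTime and Heartbeat values are milliseconds, so clients push at most once a minute; for a pure audit project that is plenty, and it keeps the collector's WinRM load low on large fleets.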

Configuration steps in Group Policy:

  1. Create a GPO that is filtered to apply to the computers to be audited for AppLocker.
  2. Configure the following settings on the GPO (replacing the server name with your server):
A Group Policy setting will target the clients to the correct Event Collector

Note: on Windows 10, you don't necessarily need to set the Application Identity service (AppIDSvc) to Automatic anymore.

You can also forward the entries to a SQL database, as shown in this article.

For troubleshooting, you will at some point need to look at the local event log on a client. The problem is that the default size of the AppLocker log is only 1 MB, so it will not hold entries older than perhaps a day. Set it larger. In theory, the logs are forwarded to the Event Collector, but this will not always be the case; trust me, I know. To change the log size, you can use a Group Policy preference to set the MaxSize registry value.

An event log's maximum size can be changed from the registry
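The client side of the two sections above (the Subscription Manager GPO setting and the larger local AppLocker logs), as an added example for one test client; this is mine, not code from the post. It writes the same registry values the GPO and the Group Policy preference write, so you can check forwarding on a single machine before the policy reaches the fleet. The collector name wec01.contoso.com and the 50 MB log size are assumptions.

```powershell
# Added example, not from the original post. Elevated PowerShell on a test client.
# Assumed: collector is wec01.contoso.com.

# "Configure target Subscription Manager" (Computer Configuration > Administrative
# Templates > Windows Components > Event Forwarding) lands in this policy key.
# Refresh=60: the client re-reads the collector's subscription list every 60 seconds.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name '1' -Type String `
    -Value 'Server=http://wec01.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# WinRM does the forwarding; AppIDSvc is what makes AppLocker evaluate (and log) at
# all. sc.exe is used for AppIDSvc because on Windows 10 it is a protected service
# and Set-Service / services.msc refuse to change its startup type.
Set-Service -Name WinRM -StartupType Automatic
Restart-Service -Name WinRM          # picks up the new Subscription Manager entry
sc.exe config AppIDSvc start= auto
Start-Service -Name AppIDSvc

# Local AppLocker logs: 50 MB instead of the 1 MB default, so the client still holds
# history when forwarding is broken. wevtutil writes the MaxSize value under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<channel>,
# the same value the Group Policy preference in the article sets.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL'
    'Microsoft-Windows-AppLocker/MSI and Script'
    'Microsoft-Windows-AppLocker/Packaged app-Deployment'
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)
foreach ($channel in $channels) {
    wevtutil sl $channel /ms:52428800
}

# Check 1: the new sizes are in effect.
foreach ($channel in $channels) {
    $maxSize = (wevtutil gl $channel | Select-String '^\s*maxSize:').Line.Trim()
    "$channel  $maxSize"
}

# Check 2: the forwarding plugin on the client reports what happened with the
# subscription. A healthy client shows an informational event naming the
# subscription; errors here (DNS, Kerberos, no listener) explain an empty
# ForwardedEvents log on the collector.
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```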

Next, you need a GPO for the AppLocker policy itself. I normally apply it to all workstations, since in audit mode it doesn't block anything and the more log data we get, the better. But I recommend starting without DLL rules. When you run notepad.exe, you get one entry in the log; with DLLs monitored, you get around a hundred. It's simply easier to start without them, so that you can first learn how AppLocker works and how to live with it. When you are done, adding DLLs is easy.

  1. Set the AppLocker policies as follows: create the default rules for every category and set the enforcement option of each category to Audit only:
Setting all AppLocker categories to Audit only

Creating default rules for every AppLocker category
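What the two screenshots above produce, as an added example in policy-XML form that you can import with Set-AppLockerPolicy instead of clicking through the GPO editor. This is my script, not the author's: it builds the default rules for the EXE, MSI, Script and packaged-app categories with every category in AuditOnly and no DLL collection, and applies it locally on a test machine. The rule IDs are generated on the fly and are not the GUIDs the GUI assigns to its default rules; the LDAP path in the comment is a placeholder for your GPO's distinguished name.

```powershell
# Added example, not from the original post. Elevated PowerShell.
# Assumed: rule GUIDs are generated (not the GUI's); the LDAP path is a placeholder.

$Everyone = 'S-1-1-0'        # Everyone
$Admins   = 'S-1-5-32-544'   # BUILTIN\Administrators

# Path rule such as "%PROGRAMFILES%\*" for one SID.
function New-PathRule([string]$Name, [string]$Path, [string]$Sid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Publisher rule matching any signed file (the default MSI and packaged-app rules).
function New-AnySignerRule([string]$Name, [string]$Sid) {
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'All files located in the Program Files folder' '%PROGRAMFILES%\*' $Everyone)
$(New-PathRule 'All files located in the Windows folder' '%WINDIR%\*' $Everyone)
$(New-PathRule 'All files (administrators)' '*' $Admins)
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
$(New-AnySignerRule 'All digitally signed Windows Installer files' $Everyone)
$(New-PathRule 'All Windows Installer files in the Installer cache' '%WINDIR%\Installer\*' $Everyone)
$(New-PathRule 'All Windows Installer files (administrators)' '*.*' $Admins)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRule 'All scripts located in the Program Files folder' '%PROGRAMFILES%\*' $Everyone)
$(New-PathRule 'All scripts located in the Windows folder' '%WINDIR%\*' $Everyone)
$(New-PathRule 'All scripts (administrators)' '*' $Admins)
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
$(New-AnySignerRule 'All signed packaged apps' $Everyone)
  </RuleCollection>
  <!-- No Dll collection yet: it is added (audit first) at the end of the project. -->
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'applocker-audit.xml'
$policy | Set-Content -Path $xmlPath -Encoding UTF8

# Into the GPO (replace the DN with your GPO's path) ...
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap 'LDAP://DC=contoso,DC=com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
# ... or locally on one test client:
Set-AppLockerPolicy -XmlPolicy $xmlPath

# Check 1: every collection in the effective policy is AuditOnly, none Enabled.
$effective = Get-AppLockerPolicy -Effective -Xml
"AuditOnly collections: $(([regex]::Matches($effective, 'EnforcementMode=""AuditOnly""')).Count); Enabled: $(([regex]::Matches($effective, 'EnforcementMode=""Enabled""')).Count)"

# Check 2: what the rules would say about files in a user-writable folder. Files
# outside Program Files and Windows show as not allowed, which in audit mode means
# an 8003 event rather than a block.
Get-AppLockerFileInformation -Directory "$env:USERPROFILE\Downloads" -FileType Exe |
    Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

One caveat worth knowing before you rely on the default rules: the "%WINDIR%\*" path rule also covers subfolders that standard users can write to, such as %WINDIR%\Temp and %WINDIR%\Tasks. That is fine for the audit phase, and it is exactly what the "Harden AppLocker" step of the project is for.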

Now make sure that you are getting events into the ForwardedEvents log on the Event Collector server. If the collector runs Server 2016 or newer, you might need to configure a few more settings, described in this article.

Now you should let the auditing gather data for the next 3–4 weeks. After that, we are ready to create the first custom rules for your environment based on the logs. We will go through this in the next blog post.
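A check that events are actually arriving on the collector, and a first look at what the audit data will feed into the custom rules, added here as an example; it is mine, not the author's. It runs on the collector against ForwardedEvents and reads the audit-mode events: 8003 (EXE or DLL that would have been blocked), 8006 (MSI or script that would have been blocked) and 8021 (packaged app that would have been blocked). The details are not in the message text but in the event's UserData, which is why the XML is parsed. The 7-day window and the top-25 cut-off are my choices.

```powershell
# Added example, not from the original post. Run on the Event Collector.
# Audit-mode IDs: 8003 EXE/DLL, 8006 MSI/script, 8021 packaged app
# ("would have been blocked"); 8004/8007/8022 are the enforced-mode blocks.

function Get-AppLockerAuditEvents {
    param([int]$Days = 1, [string]$LogName = 'ForwardedEvents')
    $filter = @{
        LogName      = $LogName
        ProviderName = 'Microsoft-Windows-AppLocker'
        Id           = 8003, 8006, 8021
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # AppLocker puts the rule/file details in UserData/RuleAndFileData.
        $x = [xml]$_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Policy   = $d.PolicyName     # EXE, DLL, MSI, SCRIPT or APPX
            User     = $d.TargetUser     # SID of the user who ran the file
            FilePath = $d.FilePath       # with %OSDRIVE%, %PROGRAMFILES% etc.
            Fqbn     = $d.Fqbn           # publisher\product\binary\version, '-' if unsigned
            FileHash = $d.FileHash
        }
    }
}

# 1. Are events arriving at all, and from how many machines? Zero events after the
#    GPO has applied means the forwarding chain is broken, not that nothing ran.
$events = @(Get-AppLockerAuditEvents -Days 7)
'{0} audit events from {1} computers in the last 7 days' -f $events.Count,
    @($events.Computer | Sort-Object -Unique).Count

# 2. Which files would have been blocked, and for how many users? This is the raw
#    material for the first custom rule set: signed files (Fqbn not '-') are
#    candidates for publisher rules, unsigned ones for hash rules.
$events |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object -First 25 Count,
        @{ n = 'Users';    e = { @($_.Group.User | Sort-Object -Unique).Count } },
        @{ n = 'Signed';   e = { $_.Group[0].Fqbn -ne '-' } },
        @{ n = 'FilePath'; e = { $_.Name } } |
    Format-Table -AutoSize
```

Grouping by FilePath is deliberate: a file that a hundred users would have been blocked from running is a rule you write on day one, while a single-user oddity in a Temp folder is usually something to ask about rather than to whitelist.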

2 Comments
  1. Alex 4 weeks ago

    Wecutil qc is just hanging. Isn't the /c used to point it to a config file?


  2. Author

    qc is QuickConfig.


© 4sysops 2006 - 2020