Creating AppLocker rules from the Windows event log

In my last post, I discussed some AppLocker best practices and concluded that you have to start with gathering event log data first. After 3–4 weeks, it's time to start creating the first rules.
By Sami Laiho

On the Event Collector server, you can run the below command to see what you have in the log:

Getting statistics of apps that would have been blocked

It might make sense to start by adding the -statistics parameter to see what has been blocked the most so you know what to focus on.

Getting statistics of apps that would have been blocked the most times

If you already have log files archived, you need to point to the file instead of the log name.

I like using the GridView for quick operations, but in the beginning it might be easier to dump the content to Excel and first work in there before deciding what to whitelist. You can do that by replacing Out-GridView with Export-CSV.

Dumping the audited events to Excel
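The screenshots above are not reproduced here, so the following is an added example (my own, not the author's command lines) of the four queries the text walks through: listing the audited events, aggregating them with -Statistics, reading an archived .evtx file, and exporting to CSV for Excel. It assumes the forwarded events land in the collector's ForwardedEvents channel and uses placeholder paths under C:\Logs; the Counter property is the per-file occurrence count that -Statistics adds to the output.

```powershell
# Added example: querying AppLocker audit events on the Event Collector.
# Assumptions (not from the original post): events are forwarded into the
# 'ForwardedEvents' channel, and an archived log exists at the placeholder
# path C:\Logs\AppLocker-archive.evtx.

$logName = 'ForwardedEvents'                  # assumed collector channel
$archive = 'C:\Logs\AppLocker-archive.evtx'   # placeholder archived log file
$csvOut  = 'C:\Logs\AppLocker-audit.csv'      # placeholder output for Excel

# 1. Everything that would have been blocked. Only Audit-mode warnings
#    (event ID 8003 for EXE/DLL) are returned for -EventType Audited, so a
#    channel that only holds Allowed events (8002) produces nothing here.
Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited |
    Out-GridView -Title 'Audited AppLocker events'

# 2. Same data aggregated: -Statistics collapses repeats of the same file into
#    one row with a Counter, which is what tells you where to start.
Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited -Statistics |
    Sort-Object -Property Counter -Descending |
    Out-GridView -Title 'Most frequently audited files'

# 3. Archived logs: -LogPath accepts the path of a saved .evtx file instead of
#    a channel name, so old archives can be mined the same way.
Get-AppLockerFileInformation -EventLog -LogPath $archive -EventType Audited -Statistics |
    Sort-Object -Property Counter -Descending |
    Out-GridView -Title "Audited events from $archive"

# 4. Excel instead of GridView: swap Out-GridView for Export-Csv. Path,
#    Publisher and Hash are the properties a rule will later be built from.
Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited -Statistics |
    Select-Object -Property Path, Publisher, Hash, Counter |
    Export-Csv -Path $csvOut -NoTypeInformation -Encoding UTF8
```

Sorting on Counter before exporting keeps the Excel sheet in the same "most blocked first" order as the GridView, so the review order does not change between the two tools.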

There are numerous ways to approach choosing the things to whitelist. Some want to dump everything to a local GPO, edit there, export to an XML file, and import to an AD GPO. Some want to choose one by one. I'm not going to go through every option. Instead, I'll point you to the ones I use the most. I prefer the latter option.

To dump everything to a local GPO, use the following:

After this, you can open GPEDIT.msc and find the new rules to edit and export in your application control policies.

What I normally do is take a specific app and make a publisher rule for it, merging it straight to a GPO in Active Directory, like this:

You need to get the LDAP path to the object and the GUID for the GPO. Normally, after this, I will edit the rule to point to the publishing company instead of the specific app. Please read my first blog post to find the reasoning for this.

Changing a rule to be less specific
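As an added example (not the author's own script) of the two approaches just described, the block below builds rules from the audited events with New-AppLockerPolicy and then either merges everything into the local GPO for editing in GPEDIT.msc, or takes a single application, generates a publisher rule, widens it from the specific product and binary to the publishing company, and merges it into an Active Directory GPO. The publisher filter string, the LDAP path and the GPO GUID are placeholders you replace with your own values.

```powershell
# Added example: turning audited events into AppLocker rules.
# Assumptions (not from the original post): events are in 'ForwardedEvents',
# the application of interest is identified by the placeholder publisher
# 'O=CONTOSO LTD*', and $gpoLdap is a placeholder LDAP path plus GPO GUID.

$logName = 'ForwardedEvents'
$gpoLdap = 'LDAP://dc01.contoso.com/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=contoso,DC=com'
$xmlPath = 'C:\Logs\AppLocker-publisher-rule.xml'   # placeholder

# Collect the audited events once and reuse them for both options.
$events = Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited

# Option A: dump everything into the LOCAL GPO. Publisher rules where the file
# is signed, hash rules where it is not; -Optimize collapses rules that share
# conditions, -Merge keeps the rules already in the local policy.
$events |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize |
    Set-AppLockerPolicy -Merge
# Now open GPEDIT.msc, edit the rules and export them as XML for the AD GPO.

# Option B: one application, one publisher rule, straight into the AD GPO.
$app = $events | Where-Object {
    $_.Publisher -and $_.Publisher.PublisherName -like 'O=CONTOSO LTD*'
}
if (-not $app) { throw 'No audited events found for the selected publisher.' }

[xml]$xml = $app | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml

# Make the rule less specific: trust the publisher rather than the exact
# product, binary and version that happened to show up in the log.
foreach ($cond in $xml.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('ProductName', '*')
    $cond.SetAttribute('BinaryName',  '*')
    foreach ($range in $cond.SelectNodes('BinaryVersionRange')) {
        $range.SetAttribute('LowSection',  '*')
        $range.SetAttribute('HighSection', '*')
    }
}
$xml.Save($xmlPath)

# -Merge adds the new rule to the GPO's existing rules instead of replacing them.
# Without it, Set-AppLockerPolicy overwrites the whole policy in the GPO.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap -Merge
```

Widening the publisher condition is exactly the trade-off the first post argues for: fewer rules to maintain, at the cost of trusting every binary that publisher signs, so review the saved XML before the merge rather than after.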

After creating your rules, it's time to audit for a few more weeks and make sure you will find fewer entries in the logs.

As I stated in the previous blog post, my normal run for an AppLocker project is:

  1. Install event log forwarding and the required GPOs.
  2. Create basic rules for auditing.
  3. Log for 3–4 weeks.
  4. Create the first custom rule set based on the logged events.
  5. Log for 3–4 weeks.
  6. Tweak the rules based on the logged events.
  7. Teach ServiceDesk to deal with AppLocker and inform users.
  8. Configure about 25% of the clients to use enforced mode and create a PANIC policy.
  9. Run for 3–4 weeks.
  10. Configure the rest (75%) of the clients to use enforced mode.
  11. Harden AppLocker.
  12. Include DLLs in the project. First audit all and then enforce, like with other executables.

So now we should be at step 6. You'll basically redo everything you did in this post.

Now is a good time to prepare a note for users about the introduction of whitelisting and how to contact you or ServiceDesk if they get into trouble. Also take some time to teach ServiceDesk how to create rules or how to escalate to the correct contact.

In the next blog post, we will move from Audit mode to Enforced mode.

Articles in series: AppLocker field experiences

0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account