In my last article I gave an overview of AppLocker. In this post I will give you some tips on how to test AppLocker.
You can try AppLocker in a Windows domain environment using Group Policy, or you can test it with the Local Security Policy snap-in. If you want to work with Group Policy, you should first install the Remote Server Administration Tools (RSAT) for Windows 7 and then add the Group Policy Management Tools through the Windows Features applet. This allows you to define Publisher Rules with the Group Policy Editor under Windows 7. You can also configure Publisher Rules on a Windows Server 2008 R2 domain controller, but to do this you need a reference file of the application, which might not be available on the domain controller.
I don’t recommend using Group Policy if you are trying AppLocker for the first time. It is quite easy to completely block your Windows installation with AppLocker. Then you will not be able to launch any program, not even gpupdate, and you will have to reboot your machine to activate new AppLocker settings. If you are working with the Local Security Policy snap-in you can just add or remove rules if you have blocked your machine. AppLocker doesn’t affect programs that are already running.
To launch the Local Security Policy snap-in just type “Local…” at the Start Search prompt. The AppLocker rules can be found under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies.
The first thing you should do is create the Default Rules. Right-click on “Executable Rules” and navigate to “Create Default Rules”. This creates three rules: two allow the execution of all files in the Windows folder and in the Program Files folder, and the third allows local administrators to execute all programs. You can also launch the wizard that automatically creates rules for all installed applications (Automatically Generate Rules).
AppLocker rules become effective only if the AppID Service is running, which is not the case by default. Considering how easy it is to lock yourself out with AppLocker, this makes sense. I recommend starting the AppID Service manually. Don’t set the start type to automatic until you fully understand how AppLocker works. This way you can always reboot your test computer to disable the AppLocker rules. Note that if the AppID Service is running, AppLocker becomes active as soon as you add the first rule. In other words, if you add an allow rule, AppLocker will automatically block all other programs to which this rule doesn’t apply.
For your first test you can delete the Administrators Rule and the Windows Program Files Rule. You have to wait a few seconds until Windows has processed the new rule settings. Then you can try to launch Notepad. You should get the following message: “The program is blocked by group policy. For more information contact your system administrator”. I don’t recommend contacting the system administrator at this point though. 😉
You might also consider creating a Publisher Rule for notepad.exe, but this isn’t a good idea either. In theory this would work, but Windows 7 Beta1 has a bug: Publisher Rules don’t work with Windows 7 executables. Therefore, if you want to try Publisher Rules, you have to use the executable of an installed program as a reference file. To create a new rule, right-click on Executables and then on “Create new rule”. The wizard is self-explanatory, so I can now leave you with AppLocker.
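The test procedure above (start the AppID service without making it automatic, check what the rules do to Notepad, then look at a candidate reference file for a Publisher Rule) can also be driven from PowerShell. This is an added example, not code from the original post; it assumes Windows 7 RTM or Server 2008 R2 or later, where the AppLocker cmdlets used here shipped, an elevated session, and a constructed placeholder path for a third-party executable.

```powershell
# Added example (not from the original post). Assumes Windows 7 RTM / Server 2008 R2
# or later (AppLocker module present) and an elevated PowerShell session.
Import-Module AppLocker

# 1. Rules are enforced only while the Application Identity service (AppIDSvc)
#    runs. Start it for this session only; leave the start type alone so a
#    reboot still turns enforcement off, as the post recommends.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}
$mode = (Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode
Write-Host "AppIDSvc is $((Get-Service AppIDSvc).Status), start type: $mode"

# 2. Ask the effective policy (local + domain) what it would decide for a few
#    files before you launch them. The third path is a constructed placeholder.
$policy = Get-AppLockerPolicy -Effective
$files  = @("$env:windir\System32\notepad.exe",
            "$env:windir\System32\gpupdate.exe",
            "$env:ProgramFiles\ExampleVendor\app.exe")   # placeholder path
$files | Where-Object { Test-Path $_ } |
    Test-AppLockerPolicy -PolicyObject $policy -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. A Publisher Rule needs a signed reference file. Inspect what AppLocker
#    can read from a candidate before building a rule on it; an empty
#    Publisher field means a hash or path rule is the only option.
Get-AppLockerFileInformation -Path "$env:windir\System32\notepad.exe" |
    Select-Object Path, Publisher, Hash

# 4. Every enforced block is logged. Event ID 8004 in the "EXE and DLL" log is
#    the "was not allowed to run" event behind the dialog the post describes,
#    so this is where to look when a test machine seems locked up.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 2 reports Denied or DeniedByDefault for Notepad once the Windows folder rule has been removed, which is the same outcome as the dialog in the test above, but without having to launch the program.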