Sami Laiho

In this last part of my AppLocker series, I explain how you can harden AppLocker. Although AppLocker can dramatically reduce the amount of work required to secure your network, it doesn’t mean that AppLocker doesn’t need maintenance. Your job is not just adding rules but also keeping AppLocker safe against found weaknesses; that is, you have to harden AppLocker.

If you haven’t done so already, you should first read my previous AppLocker article, where we created our AppLocker rules from event log data. We can now move from AppLocker Audit mode to AppLocker Enforced mode.

In my last post, I discussed some AppLocker best practices and concluded that you have to start with gathering event log data first. After 3–4 weeks, it’s time to start creating the first rules.

In my last post, I explained why I prefer AppLocker whitelisting over blacklisting. In this article, I will describe the best practices I’ve learned from deploying AppLocker in a few-man company to an organization with 500,000+ seats, both military-grade and not.

I have deployed AppLocker for hundreds of thousands of computers and customers ranging from a nuclear plant and military-level establishments to cloud-only startups. I wrote this series of five posts to share my most important tips and realities learned from the field. Today, I am writing about my take on the AppLocker whitelisting and blacklisting discussion.

When an error is escalated, one of the most common requests is to get a full memory dump of the computer. This can be achieved easily by blue-screening the computer; however, that is not always possible. Sometimes you also don’t have a big enough pagefile or a dedicated dump file configured. Let me show you how to do this without booting the computer and without tweaking the pagefile.

Many people think the built-in Administrator account is the most powerful account in Windows, which is not true. If you wanted to find something in Windows like root is for Linux, it would be the SYSTEM user account. This account can see and do things an admin can’t. This makes it essential for all troubleshooting, like when you want to access the SAM and SECURITY hives in the Registry.

Before troubleshooting anything, we need to know what the problem is. However, we often don’t really speak the same language as our end users. We need end users to send us good, descriptive messages about the problems they have.

To start any troubleshooting case, I always ask for two things. I ask for a Process Monitor trace, which you can get remotely by following this blog post, and a network trace. In this article, I will show you how to get a network trace from a remote computer without installing Wireshark or something similar on it.

When I need to troubleshoot a problem in Windows, the first things I ask my customer to provide are a Process Monitor trace and a network trace. Process Monitor is the second most downloaded tool from the Sysinternals toolkit. You can download it as part of the Sysinternals Suite. Sometimes you don’t have access to the computer to run the tool interactively, or you don’t want the end user seeing Procmon running on the computer. In the next post, I will show how you can acquire a Process Monitor trace from a remote computer.