AppLocker rules can be set up by using group policy in a Windows domain and have been very useful in limiting the execution of arbitrary executable files. AppLocker takes the approach of denying all executables from running unless they have specifically been whitelisted and allowed.
AppLocker is available in Windows Desktop and Servers. Desktop Windows require Enterprise Editions.
The AppLocker requirements can be found here.
Note: before implementing AppLocker rules in a production environment it is important to perform thorough testing. AppLocker will not allow anything to run unless it has been explicitly whitelisted. So keep in mind those non-standard installs to the system root or other drives (C:\ or E:\).
AppLocker Rule Types:
- Executable Rules: These rules apply to executables, such as .exe and .com files.
- Windows Installer Rules: These rules apply to files used for installing programs such as .msi, .mst and .msp files.
- Script Rules: These rules apply to scripts such as .bat, .js, .vbs, .cmd, and .ps1 files.
- Packaged App Rules: These rules apply to the Windows applications that may be downloaded through the Windows store with the .appx extension.
With each of these rules, we can also whitelist based on the publisher, path, or file hash.
- Publisher: This method of whitelisting items is used when creating default rules as we’ll soon see, it works based on checking the publisher of the executable and allowing this. If the publisher, file name or version etc change then the executable will no longer be allowed to run.
- Path: Executables can be whitelisted by providing a folder path, for example, we can say that anything within C:\tools is allowed to be run by a specific active directory user group.
- File Hash: While this may be the most secure option, it is inconvenient to work with and manage. If a file changes at all, for instance, if an executable is updated, it will not be allowed to run as the allowed hash will have changed too.
AppLocker Configuration:
- Open Server Manager, selecting Tools, followed by Group Policy Management.
- From the Group Policy Management window that opens, we’ll select the group policy objects folder within the domain, right click and select new to create a new group policy object (GPO). In this case, we’ll create one called AppLocker Rules.
- From within the Group Policy Management Editor (GPME). Select Computer Configuration > Policies > Windows Settings > Security Settings > Applications Control Policies > AppLocker
- In the main AppLocker interface where we can create executable, windows installer, script, and packaged app rules. We can get started with the default settings by clicking the “Configure rule enforcement” By default each of these four items is unticked and not enabled, we can tick the box next to “Configured” to enable to set the rules to be “Enforced”.
This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more info: https://www.microsoft.com/en-us/learning/exam-70-744.aspx