AppLocker Basics

I wrote a set of quick documentation on AppLocker and its configuration for my workplace which I thought I’d post here. I’ve taken out anything specific to my workplace and here is the rest.

AppLocker Introduction

  • Define rules based on file path and file hash as well as rules based on file attributes such as the publisher, product name and file version.
  • Target these rules to specific security groups or individual users. You can also exclude specific groups or users from a rule.
  • Create exceptions to rules, such as blocking all applications except winword.exe.
  • Use audit-only mode for what-if scenarios: the decisions are logged in Event Viewer so you can analyse the impact before the rules are enforced.

GPOs With AppLocker Rules

AppLocker rules are configured in standard Group Policy Objects. This is where you configure the rules in a GPO:

[screenshot omitted]

The following rules can be set using AppLocker:

Rule collection          Note
Executable rules         Allows or denies .exe programs
Windows Installer rules  For MSI installers
Script rules             For .vbs, .ps1, .cmd, .bat, etc.
Packaged app rules       For Universal Windows apps
DLL rules*               For specific .dll files

*Note that the DLL rules node is not visible by default (as shown in the previous screenshot). To use DLL rules you have to enable it by right-clicking on “AppLocker” > Advanced tab > check “Enable the DLL rule collection”.

*If your script, exe or installer requires DLL files, then you must also create rules for those DLL files in addition to the rule for the script/exe/installer.

Creating an AppLocker Rule

AppLocker rules are only configured in the Computer Configuration section of a GPO, but you can apply any rule to a specific group of users or leave it applied to the “Everyone” group.

It is recommended to create a set of default rules for each of the collection of rules. This is already done in the two GPOs that currently have AppLocker policies.

To create a rule for an executable, right-click on “Executable Rules” under AppLocker and select “Create New Rule…”.

[screenshot omitted]

At this point you choose whether your rule is to Allow or Deny an executable from running. In other words, Allow is whitelisting an app and Deny is blacklisting an app.

You can also choose to apply this rule to a specific group of users by choosing an Active Directory security group or leave the default which is applied to the “Everyone” group.

[screenshot omitted]

You then choose the condition an executable must meet for this rule to apply to it. Another way of looking at this is deciding how AppLocker should identify the executable in question. You have the following three options:

Condition/Option   Notes

Publisher          This will only work if the executable is signed by a software publisher. Alternatively, you can sign the item yourself using a certificate.

Path               This tells AppLocker to expect to find the executable in a specific location. You can use wildcards for folder paths and filenames.

                   If the executable is moved to a location that is not covered by the rule, the rule no longer matches it; for a Deny rule this means the application will be allowed to run (since the executable is no longer in the path specified in this rule).

File hash          If the application is not signed by a publisher, you can select the executable and AppLocker will generate a hash which uniquely identifies this executable.

                   If the executable is updated at any time in the future, the hash that was originally generated will not identify the updated executable. In this case the hash will need to be regenerated in AppLocker, or else the rule will no longer apply to the application (since it now has a different hash).

For further information on understanding rule conditions consult the following Microsoft guide:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types

Enforce Rule vs Audit Only

By default, the rules you create are set to “Audit only”, which means the executables, scripts, etc. will still be allowed to run on client devices, but every decision is logged in the Event Viewer so you can monitor what the behaviour would be like on a client device. The logs state whether each executable, script, etc. was allowed to run or whether it would have been blocked if the rules were enforced.

To enforce the rules you have to right-click AppLocker, select Properties and choose “Enforce rules” from the drop down under each rule collection:

[screenshot omitted]

Furthermore, it is necessary to understand how AppLocker rule collections and their enforcement settings are inherited between GPOs. The following article explains the inheritance rules:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy
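The following PowerShell is an added example (it is not from the original post) showing how to confirm, on a client, which enforcement mode each rule collection ended up with after Group Policy inheritance, and how to run the same what-if check that audit-only mode gives you against a folder of files before switching a collection to “Enforce rules”. The folder path and user name are placeholders; it assumes the AppLocker PowerShell module that ships with Windows and an elevated session on a domain-joined client.

```powershell
# Added example, not from the original post.
# 1) Report the enforcement mode of each AppLocker rule collection in the effective
#    policy (local policy merged with everything inherited from GPOs).
# Get-AppLockerPolicy -Effective -Xml returns the merged policy as an XML string.
[xml]$effectiveXml = Get-AppLockerPolicy -Effective -Xml

# Each RuleCollection element carries Type (Exe, Msi, Script, Appx, Dll) and
# EnforcementMode (NotConfigured, AuditOnly or Enabled). NotConfigured on a
# collection that has rules means AppLocker treats it as enforced once the
# Application Identity service is running, so it is worth listing explicitly.
$effectiveXml.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode,
        @{ Name = 'RuleCount'; Expression = { @($_.ChildNodes).Count } } |
    Format-Table -AutoSize

# 2) What-if: which files under a folder would be blocked if this policy were enforced
#    for a given user? Test-AppLockerPolicy evaluates each path against the policy
#    object without touching the real enforcement setting.
$testFolder = 'C:\Users\Public\Downloads'   # placeholder folder to evaluate
$testUser   = 'CONTOSO\jsmith'               # placeholder domain user

$effectivePolicy = Get-AppLockerPolicy -Effective

Get-ChildItem -Path $testFolder -Include *.exe, *.dll -Recurse -File |
    Convert-Path |
    Test-AppLockerPolicy -PolicyObject $effectivePolicy -User $testUser `
        -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

PolicyDecision of DeniedByDefault means no rule matched at all (no Allow rule covers the file), whereas Denied means an explicit Deny rule matched; both are worth reviewing before a collection is moved from audit to enforce.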

AppLocker Logs on Clients

You can examine the logs in the Event Viewer to troubleshoot AppLocker. The location of the logs is shown in the following screenshot:

[screenshot omitted]

To monitor the AppLocker logs on a remote computer you can use the following PowerShell code:

$Computer = "MNI-Win10PC"

# Read the "EXE and DLL" AppLocker log from the remote computer.
# Remove the # before Where-Object to show only events with a particular id (8004 = blocked).
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ComputerName $Computer  # | Where-Object {$_.Id -eq 8004}

This will give you an output like the following:

[screenshot omitted]

Change the log name as appropriate (look this up in the Event Viewer as shown in the above screenshot). This script will need to be run from your PAW device with your workstation admin account.

You can remove the # to filter the events to a specific event id. For example, event id 8004 is logged when something is blocked by AppLocker. For more information on the event ids relating to AppLocker, consult the following article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v%3Dws.11)
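As an added example (not from the original post), the script below extends the one-liner above: it asks the remote computer only for the “blocked” (8004) and “would have been blocked in audit mode” (8003) events from the EXE and DLL log, reads the file path, hash and publisher out of each event’s XML, and groups repeated hits so you get the exact list of paths to note down for rule creation. The computer name is the placeholder from the post, and it assumes the element names used by the Microsoft-Windows-AppLocker event schema (RuleAndFileData/FilePath, FileHash and Fqbn).

```powershell
# Added example, not from the original post.
$Computer = 'MNI-Win10PC'   # placeholder computer name from the post

# FilterHashtable lets the remote event log service do the filtering instead of
# pulling the whole log across the network and filtering with Where-Object.
# EXE and DLL collection: 8003 = audit only, would have been blocked; 8004 = blocked.
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -ErrorAction SilentlyContinue

$records = $events | ForEach-Object {
    # Convert the event to XML so the AppLocker-specific fields can be read by name
    # (assumed element names: UserData/RuleAndFileData/FilePath, FileHash, Fqbn)
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Outcome   = if ($_.Id -eq 8004) { 'Blocked' } else { 'WouldBeBlocked' }
        User      = $_.UserId        # SID of the account that tried to run the file
        FilePath  = $data.FilePath   # path in AppLocker notation, e.g. %PROGRAMFILES%\...
        FileHash  = $data.FileHash   # SHA256 as used by File hash rules
        Publisher = $data.Fqbn       # fully qualified binary name; '-' when unsigned
    }
}

# One line per distinct file: how often it was hit, whether it was actually blocked
# or only audited, and the publisher/hash you would use for a rule.
$records |
    Group-Object FilePath |
    Select-Object Count, Name,
        @{ Name = 'Outcome';   Expression = { ($_.Group.Outcome | Sort-Object -Unique) -join ',' } },
        @{ Name = 'Publisher'; Expression = { $_.Group[0].Publisher } },
        @{ Name = 'Hash';      Expression = { $_.Group[0].FileHash } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run the same query against the “MSI and Script” log with ids 8006 (audit) and 8007 (blocked) to cover installers and scripts; the “Packaged app-Execution” log has its own ids, listed in the article linked above.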

Process for whitelisting an application

  • Ensure you understand what the application does and that it does not present any security concerns

  • Ask the customer if this is a one-time use application or meant for only one or two computers. If so then consider moving the application to one of the locations mentioned above

  • Ask if the computer and the app in question is only used by a group of users

  • Install the application on a test computer and try and run it

  • Check the AppLocker event log and see if the app requires additional dll/files which are also blocked

  • Make note of the exact path mentioned in the AppLocker logs

  • Whitelist the app as per the instructions above under the heading “Creating an AppLocker Rule”. Make sure you use the “Allow” option to whitelist the application.

  • To allow the application only for a select number of users, create a group of AD users and filter the AppLocker rule to that group.

  • Decide whether to Allow the application based on its location (path), publisher, or hash. Consider the pros and cons set out in the table above.
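The whitelisting steps above can also be carried out with the AppLocker PowerShell cmdlets rather than the GPO editor. The script below is an added example (not the original post’s procedure): it takes the paths noted from the AppLocker log, gathers the publisher and hash information for each file, builds Allow rules that prefer the Publisher condition and fall back to File hash for unsigned files (the trade-offs are in the conditions table earlier on the page), scopes them to an AD group, tests the result for a user, and only then merges them into the GPO. The file paths, group name, test user and GPO LDAP path are placeholders.

```powershell
# Added example, not from the original post.
# Paths noted from the AppLocker event log: the exe plus any DLL it was blocked on
$files = @(
    'C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe',   # placeholder
    'C:\Program Files\ExampleVendor\ExampleApp\helper.dll'        # placeholder
)
$group     = 'CONTOSO\ExampleApp-Users'   # placeholder AD group that should run the app
$testUser  = 'CONTOSO\jsmith'             # placeholder member of that group
$policyXml = "$env:TEMP\ExampleApp-AppLocker.xml"

# Get-AppLockerFileInformation returns the publisher (when signed), hash and path
# for each file; inspecting it shows which condition type is available per file.
$info = Get-AppLockerFileInformation -Path $files
$info | Format-Table -AutoSize

# Build Allow rules: a Publisher rule where the file is signed, a Hash rule otherwise.
# -Optimize merges files from the same publisher into a single rule, and -Xml returns
# the policy as XML text so it can be reviewed before it goes anywhere near a GPO.
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User $group -RuleNamePrefix 'ExampleApp' -Optimize -Xml |
    Set-Content -Path $policyXml -Encoding UTF8

Get-Content -Path $policyXml   # review the generated rules

# Test: every listed file should come back Allowed for a member of the group.
# Anything still DeniedByDefault is a file the rules do not cover (e.g. a further DLL).
$files | Test-AppLockerPolicy -XmlPolicy $policyXml -User $testUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Finally merge the rules into the AppLocker GPO. -Merge keeps the GPO's existing
# rules; without it the GPO's AppLocker policy would be replaced outright.
# Placeholder LDAP path: fill in the domain controller, GPO GUID and domain DN.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge `
#     -Ldap 'LDAP://<dc-fqdn>/CN={<gpo-guid>},CN=Policies,CN=System,DC=contoso,DC=com'
```

Remember that the DLL rule only has an effect if the DLL rule collection has been enabled as described above; if it has not, the generated Dll rule is harmless but unused.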
