AppLocker Basics

I wrote a set of quick documentation on on AppLocker and it’s configuration for my workplace which I thought I’d post here. I’ve taken out anything specific to my workplace and here is the rest.

AppLocker Introduction

  • Define rules based on file path and file hash as well as rules based on file attributes such as the publisher, product name and file version.
  • Target these rules to specific security groups or individual users. You can also Exclude specific groups or users from the rule.
  • Create exceptions to rules such as blocking all applications exept winword.exe.
  • Use audit-only mode for what-if scenarios which are logged in EventViewer to analyse the impact should the rules be enforced

GPOs With AppLocker Rules

AppLocker rules are are configured in standard Group Policy Objects. This is where you would configure the rules in a GPO:

clip_image002

The following rules can be set using AppLocker:

Rule collection Note:
Executable Rules This is for allowing or denying .exe programs
Windows installer rules This is for MSI installers
Script rules This is for .vbs, .ps1, .cmd, .bat, etc
Packaged app rules This is for Universal Windows apps
DLL rules* This is for specific .dll files

*Note that the DLL rules node is not visible by default (as shown in the previous screenshot). To use DLL rules you have to enable it by right-clicking on “AppLocker” > Advanced tab > check “Enable the DLL rule collection”.

*If your script, exe or installer require the use of DLL files then you must also create rules for the DLL files in addition to the script/exe/installer.

Creating a AppLocker Rule

AppLocker rules are only configured in the Computer Configuration of a GPO but you can apply any rule to a specific group of users or set it to apply to the “Everyone” group.

It is recommended to create a set of default rules for each of the collection of rules. This is already done in the two GPOs that currently have AppLocker policies.

To create a rule for a executable right-click on “Executable Rules” under AppLocker and select “Create New Rule…”.

clip_image004

At this point you choose whether your rule is to Allow or Deny an executable from running. In other words, Allow is whitelisting an app and Deny is blacklisting an app.

You can also choose to apply this rule to a specific group of users by choosing an Active Directory security group or leave the default which is applied to the “Everyone” group.

clip_image006

You then have the option to choose a condition to meet to be able to apply this rule to an executable. Another way of looking at this is to work out how to identify the said executable. You have the following three options:

Condition/Option Notes
Publisher This will only work if the executable is signed by a software publisher. Alternatively you can sign the item using a certificate.
Path This tells AppLocker to expect to find the executable in a specific location. You can use wildcards for folder paths and filenames.

If the executable is moved a location which is not covered by a rule then the application will be allowed to run (since the executable was not in the path specified in this rule).

File hash If the application is not signed by a publisher then you can select the executable and AppLocker will generate a hash which uniquely identifies this executable.

If the executable is updated at any time in the future, the hash that was originally generated will not identify the updated executable. In this case the hash will need to be regenerated in AppLocker or else the rule will no longer apply to the application (since it has a different hash now).

For further information on understanding rule conditions consult the following Microsoft guide:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types

Enforce Rule vs Audit Only

By default, the rules you create are set to “Audit only” which means the executables, scripts, etc will be allowed to run on client devices but everything will be logged in the Event Viewer so you can monitor what the behaviour will be like on a client device. The logs will say if the executables, scripts, etc was allowed to run or if it would have been blocked if the rules were enforced.

To enforce the rules you have to right-click AppLocker, select Properties and choose “Enforce rules” from the drop down under each rule collection:

clip_image008

Furthermore, it is necessary to understand how AppLocker rule collections are inherited in Group Policy. The following article can help understand inheritance:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy

AppLocker Logs on Clients

You can examine the logs in the Event Viewer to troubleshoot AppLocker. The location of the logs are shown in the following screenshot:

clip_image010

To monitor the AppLocker logs on a remote computer you can use the following PowerShell code:

$Computer = “MNI-Win10PC”

Get-WinEvent -LogName “Microsoft-Windows-AppLocker/EXE and DLL” -ComputerName $Computer  # | Where-Object {$_.Id -eq 8004}

This will give you an output like the following:

image

Change the log name as appropriate (look this up in the Event View as shown in the above screenshot). This script will need to be run from your PAW device with your workstation admin account.

You can remove the # and filter the events to a specific event id. For example, event id 8004 is when something is blocked by AppLocker. For more information on event ids relating to AppLocker consult the following article:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v%3Dws.11)

Process for whitelisting an application

  • Ensure you understand what the application does and that it does not present any security concerns

  • Ask the customer if this is a one-time use application or meant for only one or two computers. If so then consider moving the application to one of the locations mentioned above

  • Ask if the computer and the app in question is only used by a group of users

  • Install the application on a test computer and try and run it

  • Check the AppLocker event log and see if the app requires additional dll/files which are also blocked

  • Make note of the exact path mentioned in the AppLocker logs

  • Whitelist the app as per the instructions above under the heading “Creating a AppLocker rule”. Make sure you use the “Allow” option to whitelist the application.

  • To only allow the application to a select number of users only then create a group of AD users and filter the AppLocker rule to the group.

  • Decide whether to Allow the application based on its location (path), publisher, or hash. Consider the pros and cons set out in the table above.

Advertisement

Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help to understand the order of precedence for Group Policy.

gp order 2

While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?

Continue reading

Disabling the Windows 10 First Log-in Animation using Group Policy

If you’re not a fan of the first log-in animation on Windows 10 computers then you can disable this very easily using Group Policy. I decided to test this in my lab as I was curious to see what the first log-in experience would be like after having the animation disabled.

Here’s a quick rundown on how to do this:

  • Create/Open your GPO and browse to Computer Configuration > Policies > Administrative Templates > System > Logon
  • Double-click on Show first sign-in animation and select “Disabled”

image

If, like me, you’re curious what the first-login experience is like after disabling the animation then I’ve got a before and an after video below for you to check out. Continue reading

Installing the Windows 10 1511 Group Policy Administrative Templates

The administrative templates for Windows 10 15111 were released by Microsoft a couple of months ago but I only just got round to installing it on my lab domain. Here’s the procedure how to do this, if anybody wants to know.

1) To begin with, download the Windows 10 1511 administrative templates from Microsoft and run the installer on your domain controller

2) Make a note of the folder it’s being installed on. By default this is set to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\

clip_image001

3) Browse to the folder you just installed the administrative templates on. Open the “Policy Definitions” folder.

4) Open a new Explorer window and browse to your domain’s Group Policy Central Store. You can do this from a Run command window – type in the path to your central store in the format of \\Domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions

5) Copy everything from the “Policy Definitions” folder you opened in step 4 and paste it into your Group Policy central store which you opened in step 5. If you have the Windows 10 RTM admin templates in the central store make sure you replace the files in the destination.

The updated admin templates also include the following brand new templates:

  • AppPrivacy.admx
  • CloudContent.admx
  • FeedbackNotifications.admx
  • WindowsStore.admx
  • WinMaps.admx

The FeedbackNotifications.admx template, for example, provides the following setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications

clip_image003

Open a GPO and browse to the above setting to verify the new administrative templates have been installed successfully.