Let’s look at how to create AppLocker policies to secure Windows environments. These AppLocker policies can also feed the Windows Information Protection (WIP) configuration you build with Intune.
AppLocker was introduced with Windows 7 and Windows Server 2008 R2. It lets you control which applications and files users are allowed to run.
If you need to prevent an application from running, AppLocker gives you a simple interface to do so. The file types it controls are executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
AppLocker helps reduce administrative overhead and the organization’s cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved apps.
It requires no additional licensing.
AppLocker is included with enterprise-level editions of Windows. For a single computer, you enforce the rules with the Local Security Policy editor (secpol.msc). For a group of computers, you enforce them with the Group Policy Management Console, or deploy them through MDT or SCCM/MECM (Configuration Manager).
- AppLocker does not have any specific hardware requirements.
- Operating system requirements: refer to Microsoft’s documentation.
Note – You can configure AppLocker policies on any edition of Windows 10, but you can only enforce them on devices running Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016 or later.
Why does AppLocker exist?
AppLocker can help you control applications within your organization in the following ways. It addresses these app security scenarios:
• Application inventory
AppLocker can run in an audit-only mode, in which every app access decision is recorded in the event log without anything being blocked. These events can be collected for further analysis, and the Windows PowerShell cmdlets let you analyze the data programmatically.
• Protection against unwanted software
AppLocker blocks apps that you leave out of the list of allowed apps: once rules are enforced in production, any app that is not covered by an allow rule is prevented from running.
AppLocker rules can also keep unlicensed software from running and restrict licensed software to the users who are authorized to use it.
AppLocker policies can be configured so that only supported or approved apps run on the computers in a business group, which makes app deployment more uniform.
AppLocker includes a number of improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
How does it work?
An AppLocker rule is a control placed on a file that governs whether it is allowed to run for a specific user or group. Rules are grouped into collections by file type, and each rule is built on one of several condition types.
Architecture and components
AppLocker relies on the Application Identity service to provide the attributes of a file and to evaluate the AppLocker policy for that file. AppLocker policies are conditional access control entries (ACEs), and they are evaluated with the attribute-based access control functions SeAccessCheckWithSecurityAttributes or AuthzAccessCheck.
AppLocker intercepts execution and validates whether the file is allowed at three points:
- A new process is created
- A script is run
- A DLL is loaded
Process Overview for Deploying AppLocker
The phases are summarized as follows:
1. Envision – Determine the objectives and scope, and identify assumptions and risks.
2. Plan – Perform a detailed analysis of the environment: the computers, the users’ roles, and the applications to be controlled.
3. Develop – Create AppLocker rules on reference computers for the operating system and all applications. Test and refine the rules until they are ready for formal testing, and then export the rule sets to XML.
4. Stabilize – Configure centralized monitoring of AppLocker events by performing detailed
5. Deploy – Change AppLocker to “Enforce rules” mode to complete the deployment of
AppLocker Rule Collections
AppLocker enforces rules per file type, grouping them into five rule collections:
- Executable files: .exe and .com
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- DLLs: .dll and .ocx
- Packaged apps and packaged app installers: .appx
Configure Enforcement Rule
- Open the Local Security Policy editor: type secpol.msc in the Start menu and choose Run as administrator.
- Expand Application Control Policies, click AppLocker, and click Configure rule enforcement in the right-hand pane.
- For each rule collection you can set the enforcement mode to Enforce rules or Audit only:
- Enforce rules: the rules in the collection are enforced, and every decision is written to the AppLocker event log.
- Audit only: the rules are evaluated and every decision is written to the AppLocker log, but nothing is blocked.
- Tick the Configured box under each file type, then click Apply and OK. Note that a collection left as Not configured but containing rules is still enforced, so set Audit only explicitly while you are testing.
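The same enforcement setting from PowerShell, as an added example that is not part of the original post. It reads the local policy as XML, sets the EnforcementMode attribute on every rule collection, writes it back, and then prints the configured and effective modes. The mode table at the top is an assumption for the demo; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): set the enforcement mode of each rule collection,
# the PowerShell equivalent of "Configure rule enforcement" in secpol.msc. Run elevated.
# Modes: NotConfigured, AuditOnly, Enabled (Enabled is "Enforce rules" in the GUI).
# The table below is an assumption for the demo; adjust it to your rollout stage.
$desired = @{
    Exe    = 'AuditOnly'
    Msi    = 'AuditOnly'
    Script = 'AuditOnly'
    Dll    = 'NotConfigured'   # DLL rules add load-time overhead; leave off until the rest is stable
    Appx   = 'AuditOnly'
}

[xml]$policy = Get-AppLockerPolicy -Local -Xml
$root = $policy.DocumentElement
foreach ($type in $desired.Keys) {
    $collection = $root.SelectSingleNode("RuleCollection[@Type='$type']")
    if (-not $collection) {
        # A collection with no rules is absent from the XML; add an empty one so the mode still applies
        $collection = $root.AppendChild($policy.CreateElement('RuleCollection'))
        $collection.SetAttribute('Type', $type)
    }
    $collection.SetAttribute('EnforcementMode', $desired[$type])
}
$xmlPath = Join-Path $env:TEMP 'applocker-enforcement.xml'
$policy.Save($xmlPath)
Set-AppLockerPolicy -XmlPolicy $xmlPath   # no -Merge: replaces the local policy with this edited copy (rules unchanged)

# Show what is configured locally and what is effective (local policy merged with Group Policy)
foreach ($scope in 'Local', 'Effective') {
    $p = if ($scope -eq 'Local') { Get-AppLockerPolicy -Local } else { Get-AppLockerPolicy -Effective }
    $p.RuleCollections | ForEach-Object {
        [pscustomobject]@{ Scope = $scope; Collection = $_.RuleCollectionType; Mode = $_.EnforcementMode }
    }
}
```

If a Group Policy object also sets a mode, the Effective rows show the result of the merge; the GPO value wins over the local one, so checking Effective rather than Local is what tells you whether a device will really block or only audit.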
Every AppLocker rule is built on one of three primary rule conditions: publisher, path, or file hash. The condition determines what the rule matches on, which controls are available, and how it is applied.
Publisher – Publisher conditions can only identify digitally signed applications. They are easier to maintain than file hash rules: the rule does not need updating for every new version, and a single rule can cover an entire product suite.
Path – Path conditions suit well-known locations such as Program Files and Windows. They provide the least security of the three: if the folder a rule covers, or any subfolder under it, is writable by standard users, a user can copy an unapproved binary there and the path rule will allow it.
File hash – File hash rules use a cryptographic hash of the identified file and are the option for files that are not digitally signed. They are more secure than path rules, but the rule must be updated each time the file changes.
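The path-rule weakness above is easy to check for. The script below is an added example, not part of the original post: it expands the Allow path rules in a policy, walks the folders they cover, and reports any directory that Everyone, Authenticated Users, Users or Interactive can create files in. The policy XML embedded in it is constructed for the demo and mirrors the two default Exe path rules; replace it with the live policy to audit a real machine. It is read-only and needs an elevated PowerShell on Windows.

```powershell
# Added example (not from the original post): list user-writable directories under the Allow
# path rules of an AppLocker policy. Read-only; run elevated on Windows.
# The policy below is constructed for the demo and mirrors the two default Exe path rules;
# swap in  [xml]$policy = Get-AppLockerPolicy -Effective -Xml  to audit the live policy.
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Name="(Default Rule) All files located in the Program Files folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Name="(Default Rule) All files located in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# AppLocker path variables -> real folders (%PROGRAMFILES% covers both Program Files folders on x64)
$expansions = @{
    '%WINDIR%'       = @($env:SystemRoot)
    '%SYSTEM32%'     = @("$env:SystemRoot\System32")
    '%OSDRIVE%'      = @($env:SystemDrive)
    '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
}

function Expand-AppLockerPath([string]$RulePath) {
    $var  = [regex]::Match($RulePath, '^%[A-Z0-9]+%').Value
    $tail = $RulePath.Substring($var.Length).TrimEnd('*').TrimEnd('\')
    if ($var -and $expansions.ContainsKey($var)) {
        foreach ($base in $expansions[$var]) { $base + $tail }
    } elseif ($var) {
        Write-Warning "Variable $var in rule path '$RulePath' is not handled by this demo"
    } else {
        $tail   # literal path such as D:\Tools\*
    }
}

# SIDs that mean "any standard user", and the rights that let them add files
$userSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'   # Everyone, Authenticated Users, Users, Interactive
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             0x40000000 -bor 0x10000000                          # GENERIC_WRITE, GENERIC_ALL

function Test-UserWritable([string]$Dir) {
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    # Approximation: an Allow ACE with write bits for a low-privilege SID. Deny ACEs are not
    # modelled, so confirm a hit by actually creating a file there as a standard user.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($userSids -contains $sid -and (([int]$ace.FileSystemRights) -band $writeBits)) { return $true }
    }
    return $false
}

$findings = foreach ($cond in $policy.SelectNodes("//FilePathRule[@Action='Allow']/Conditions/FilePathCondition")) {
    foreach ($root in Expand-AppLockerPath $cond.Path) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # -Depth keeps the demo quick; raise it (or drop it) for a full audit
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 3 -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            if (Test-UserWritable $d.FullName) {
                [pscustomobject]@{ RulePath = $cond.Path; UserWritableDir = $d.FullName }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

On a default Windows install this typically reports folders such as C:\Windows\Tasks and C:\Windows\Temp, which sit inside the default “All files located in the Windows folder” rule. Each such folder should either be added as an exception to the path rule or be covered by a publisher or hash rule instead.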
Create AppLocker Rules
Open the Local Security Policy editor: type secpol.msc in the Start menu and choose Run as administrator.
AppLocker includes default rules for each rule collection. They are intended to ensure that the files Windows itself needs are still allowed to run once AppLocker is enforced.
- Expand Application Control Policies and AppLocker, right-click Executable Rules, and click Create Default Rules.
Important – You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, they are only meant as a starter policy while you first test AppLocker, and they can be modified like any other AppLocker rule.
- The default rules are now created, as shown below.
In this post, I’ll walk you through an example that creates a new executable rule to block Mozilla Firefox for everyone.
- In the left pane under AppLocker, right-click Executable Rules and select Create New Rule.
- Click Next.
- To apply the rule to a specific user or group, click Select.
Note – The default is Everyone, which covers all users and groups.
A rule can be configured to use allow or deny actions:
- Allow: You can specify which files are allowed to run for which particular user or groups of users in your environment.
- Deny: You can specify which files are not allowed to run for which particular user or groups of users in your environment.
- Click Advanced, then Find Now, select the user or group you want to allow or deny, and click OK.
- On the Conditions page, I will select File hash condition and then click Next.
File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules.
Keep hash rules to a minimum – the rule must be updated each time a new version of the file is released.
- Click Browse Folders and select the folder that holds the application’s executables. For this example, use the Firefox install folder (by default C:\Program Files\Mozilla Firefox). Do not select all of C:\Program Files: that hashes every file under it, and with a Deny action it would block every application installed there.
Note – To block a single executable (for example an installer) rather than every file in a folder, use Browse Files… and pick the file.
- The files in the folder are added to the rule; click Next.
- On the Name page, type a name and description for the rule, and then click Create.
- The rule that blocks Mozilla Firefox now appears under Executable Rules, as shown below.
- Once done, close the Local Security Policy editor.
Repeat this for each rule collection you need rules for (Executable, Windows Installer, Script, and DLL). The PowerShell equivalent is to run Get-AppLockerFileInformation once per -FileType value (Exe, WindowsInstaller, Script, and Dll).
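The Firefox deny rule built from PowerShell, as an added example that is not part of the original post. It assumes Firefox is installed in its default folder (adjust $firefoxDir otherwise) and an elevated session. One detail the GUI hides: New-AppLockerPolicy only generates Allow rules, so the script generates hash rules as XML, flips their action to Deny, merges them into the local policy, and then uses Test-AppLockerPolicy to confirm the decision without launching anything.

```powershell
# Added example (not from the original post): a hash-based Deny rule for Firefox, built and
# verified from PowerShell. Assumes the default Firefox install folder; run elevated.
$firefoxDir = 'C:\Program Files\Mozilla Firefox'

# 1. Hash only the executables in the Firefox folder, not everything under Program Files
$files = Get-AppLockerFileInformation -Directory $firefoxDir -FileType Exe -Recurse

# 2. New-AppLockerPolicy creates Allow rules only, so build the rules as XML and change the action
[xml]$policy = $files | New-AppLockerPolicy -RuleType Hash -User Everyone -RuleNamePrefix 'Block Firefox' -Xml
foreach ($rule in $policy.SelectNodes('//FileHashRule')) {
    $rule.SetAttribute('Action', 'Deny')
}

# 3. Merge into the local policy so the default rules and anything else already there survive
$xmlPath = Join-Path $env:TEMP 'block-firefox.xml'
$policy.Save($xmlPath)
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# 4. Ask the effective policy what it would do with firefox.exe for Everyone, without running it.
#    Expect PolicyDecision = Denied with MatchingRule naming the rule created above.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path (Join-Path $firefoxDir 'firefox.exe') -User Everyone
```

Because Firefox is digitally signed, a Publisher rule (New-AppLockerPolicy -RuleType Publisher) would keep matching after Firefox updates itself, whereas these hash rules stop matching the moment the binary changes; the page’s advice to keep hash rules to a minimum applies to deny rules as much as to allow rules.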
Export AppLocker Rules
To export an AppLocker policy to an XML file:
- From the AppLocker console, right-click AppLocker, and then click Export Policy.
- Browse to the location where you want to save the XML file.
- In the File name box, type a file name for the XML file, and then click Save.
Clearing – Deleting AppLocker Rule
Once all of the AppLocker policies have been created and exported to XML, the local security policy of the reference computers should be cleared.
This will ensure that policy can be deployed and managed centrally, and the effective policy on the reference computers won’t contain rules from the local policy.
To clear AppLocker policy
- From the AppLocker console, right-click AppLocker, and then click Clear Policy.
- On the Clear Policy prompt, Click on Yes to confirm.
- The AppLocker dialog box will notify you of how many rules were permanently removed. Click on OK.
- Reboot the machine.
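Export and clear from PowerShell, as an added example that is not part of the original post. There is no cmdlet named Clear-AppLockerPolicy; applying an empty policy with every collection set to NotConfigured has the same effect as the console’s Clear Policy action. The export location is an assumption; run it elevated.

```powershell
# Added example (not from the original post): export the local AppLocker policy to XML, then
# clear the local policy so the reference computer carries no rules of its own. Run elevated.
$exportPath = 'C:\AppLocker\reference-policy.xml'   # assumed location
New-Item -ItemType Directory -Path (Split-Path -Parent $exportPath) -Force | Out-Null
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $exportPath -Encoding UTF8

# Clear: apply an empty policy. Every collection is listed so each one's mode goes back to
# NotConfigured as well as losing its rules.
$emptyPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx"   EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
$clearPath = Join-Path $env:TEMP 'applocker-clear.xml'
Set-Content -Path $clearPath -Value $emptyPolicy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $clearPath    # no -Merge: the local policy is replaced outright

# Verify: the export still holds the rules, the local policy holds none, and anything left in
# the effective policy comes from Group Policy rather than from this machine
function Get-RuleCount([xml]$Policy) {
    $Policy.SelectNodes('//FilePathRule|//FileHashRule|//FilePublisherRule').Count
}
[pscustomobject]@{
    ExportedRules  = Get-RuleCount ([xml](Get-Content -Path $exportPath -Raw))
    LocalRules     = Get-RuleCount ([xml](Get-AppLockerPolicy -Local -Xml))
    EffectiveRules = Get-RuleCount ([xml](Get-AppLockerPolicy -Effective -Xml))
}
```

The exported file is what you import into the GPO (or pass to Set-AppLockerPolicy -Ldap on the domain side); a gpupdate /force after clearing is usually enough to refresh the effective policy without the reboot.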
To delete a rule in an AppLocker policy
- Open the AppLocker console.
- Click the rule collection that contains the rule, right-click the rule in the details pane, click Delete, and then click Yes to confirm.
Points to consider when testing and validating AppLocker:
- Deploy a reference computer that will be used to author the AppLocker rules.
- Set the Application Identity service to Automatic and make sure it is running.
- Put AppLocker into “Audit only” mode so that the rules you create do not actually block execution.
- Auto-generate AppLocker rules for each file category that will be used, and edit them by hand to meet the exact requirements.
- Test all end-user and administrative usage cases, and review the audit entries in the event log.
- Export AppLocker policies into individual XML files for later import.
On target devices, make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.
- The Application Identity service determines and verifies the identity of an application. Stopping it prevents AppLocker policies from being enforced.
- Open a command prompt as administrator.
- Run the command below to set the Application Identity service to Automatic and start it (sc requires the space after start=).
sc config AppIDSvc start= auto && net start AppIDSvc
- To start the Application Identity service manually:
- Type services.msc in the Start menu search box and run it as administrator.
- Find the service with the display name “Application Identity” and click Start.
- Verify that the status of the Application Identity service is Running.
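The same service check from PowerShell, as an added example that is not part of the original post. It tries the normal Set-Service route first and falls back to writing the service’s Start value directly, because on recent Windows 10 and 11 builds the Application Identity service is protected and Set-Service or sc config can fail with “Access is denied” when changing its start type (the other supported route is the Group Policy setting under Computer Configuration > Policies > Windows Settings > Security Settings > System Services). Run it elevated.

```powershell
# Added example (not from the original post): make sure the Application Identity service
# (AppIDSvc) is set to Automatic and running, and report the result. Run elevated.
$svcName = 'AppIDSvc'
$regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

try {
    Set-Service -Name $svcName -StartupType Automatic -ErrorAction Stop
} catch {
    # Protected service on recent builds: the start type can still be set in the registry
    # (Start: 2 = Automatic, 3 = Manual, 4 = Disabled) or through Group Policy
    Write-Warning "Set-Service failed ($($_.Exception.Message)); setting Start=2 in the registry instead"
    Set-ItemProperty -Path $regKey -Name Start -Value 2 -Type DWord
}
Start-Service -Name $svcName -ErrorAction SilentlyContinue

$svc = Get-Service -Name $svcName
[pscustomobject]@{
    Service         = $svc.DisplayName
    Status          = $svc.Status
    StartType       = $svc.StartType
    RegistryStart   = (Get-ItemProperty -Path $regKey -Name Start).Start
    CanEnforce      = ($svc.Status -eq 'Running')   # AppLocker enforces nothing while this is False
}
```

A registry change to the start type takes effect on the next boot; the Start-Service call covers the current session, and the CanEnforce field is the one worth alerting on from a monitoring job.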
Analyze AppLocker Events
Reviewing the events tells you whether the AppLocker policy reached the devices and what it is doing there.
All AppLocker events are logged to Applications and Services event logs under the path Microsoft\Windows\AppLocker
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/Packaged app-Execution
A list of the AppLocker event IDs can be found in Microsoft’s documentation. The ones you will look at most often are:
- Event ID 8001: the AppLocker policy was applied successfully to the computer.
- Event ID 8002: the .exe or .dll file was allowed to run.
- Event ID 8003: the .exe or .dll file was allowed to run, but would have been blocked if the policy were enforced (audit mode).
- Event ID 8004: the .exe or .dll file was not allowed to run.
Once the policy is applied and a user tries to open a blocked executable (Mozilla Firefox), they get the prompt shown:
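Pulling those events out of the log and summarising them, as an added example that is not part of the original post. The parser runs here against one constructed event (the element names follow the AppLocker event schema; the SID, hash and other values are made up for the demo) so the script works without a live log; the commented Get-WinEvent line reads the real channel instead. Run it elevated to read the live log.

```powershell
# Added example (not from the original post): parse AppLocker EXE/DLL events and summarise the
# files that were blocked (8004, enforce) or would have been blocked (8003, audit), per user.
$channel = 'Microsoft-Windows-AppLocker/EXE and DLL'

function Convert-AppLockerEvent([xml]$EventXml) {
    # Look elements up by tag name so the event's XML namespaces do not get in the way
    function Get-Tag([string]$Name) {
        $nodes = $EventXml.GetElementsByTagName($Name)
        if ($nodes.Count) { $nodes[0].InnerText }
    }
    $id   = [int](Get-Tag 'EventID')
    $mode = switch ($id) { 8002 { 'allowed' } 8003 { 'audit-blocked' } 8004 { 'blocked' } default { 'other' } }
    $sid  = Get-Tag 'TargetUser'
    $user = $sid
    # Resolve the SID where possible; an unknown SID (other domain, constructed sample) stays raw
    try { $user = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
    [pscustomobject]@{
        Time      = [datetime]$EventXml.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
        EventId   = $id
        Mode      = $mode
        File      = Get-Tag 'FilePath'
        User      = $user
        Publisher = Get-Tag 'Fqbn'
        Rule      = Get-Tag 'RuleName'
    }
}

# Constructed sample event: the shape follows the AppLocker schema, the values are made up
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>Block Firefox: firefox.exe</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <TargetProcessId>4321</TargetProcessId>
      <FilePath>%PROGRAMFILES%\MOZILLA FIREFOX\FIREFOX.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>O=MOZILLA CORPORATION, L=SAN FRANCISCO, S=CALIFORNIA, C=US\FIREFOX\FIREFOX.EXE\0.0.0.0</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@
$events = @([xml]$sampleEvent)
# Live data instead of the sample (run elevated):
# $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 8003, 8004 } -MaxEvents 5000 |
#           ForEach-Object { [xml]$_.ToXml() }

$parsed = $events | ForEach-Object { Convert-AppLockerEvent $_ }
$parsed | Group-Object File, User | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Hits     = $_.Count
        File     = $_.Group[0].File
        User     = $_.Group[0].User
        Mode     = ($_.Group.Mode | Sort-Object -Unique) -join ','
        Rule     = $_.Group[0].Rule
        LastSeen = $_.Group.Time | Sort-Object -Descending | Select-Object -First 1
    }
} | Format-Table -AutoSize
```

Run against the MSI and Script channel the same parser applies, with 8005/8006/8007 playing the roles of 8002/8003/8004. During an audit-only pilot, a file that shows up repeatedly with Mode audit-blocked and many distinct users is the signal that an allow rule is missing before you switch to Enforce rules.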
“This app has been blocked by your system administrator”
I will try to cover later how can we apply the applocker policies based on path or publisher rules, using SCCM or MECM. For that time Stay Tuned!!
- AppLocker design guide
- How AppLocker works
- AppLocker deployment guide