SESSION CODE: WCL303

AppLocker: Your Solution for True Application Smackdown

Jeremy Moskowitz, Group Policy MVP
Chief Propeller-Head:
Founder: PolicyPak Software

WHAT’S THE POINT? Why do you need “Application Whitelisting” technology?
  • Common arguments “against” the need:
    • “We’re already locked down…”
    • “We’re already running with ‘standard user’ rights.”
  • Good uses for:
    • Prevent users from running “portable” (non-installed) applications
    • Prevent users from installing MSIs.
      • Seriously: try Firefox or Google Chrome as a local, non-elevated user
    • Restricting parts of the operating system (sol.exe)
    • Restricting Junior admins or “prying eyes” from “big things” (gpmc.msc)
    • Ensuring that only the “correct” versions of specific applications are used
IN THE BEGINNING… There was Software Restriction Policy (SRP)

And it was good…

  • Built into Windows XP
  • Has whitelisting and blacklisting ability
  • Four rule types:
    • Hash
    • Path
    • Windows Installer / Network Zone Rule
    • Certificate rules
IN THE BEGINNING… There was Software Restriction Policy (SRP) (cont.)
  • Of course, still available on XP and…
  • Also available in ALL versions of Windows 7
  • No “direct” migration path to AppLocker; rules will need to be re-created during a transition period
  • Huge gotcha!
    • Once AppLocker is turned on and the first rules are applied, SRP is no longer enforced!
APPLOCKER 101
  • Good news:
    • Under the hood, referred to as “SRPv2”
    • Active Directory Group Policy or Local Policy
    • Way better for whitelisting
  • Targets can be:
    • Windows 7
    • Windows Server 2008 / R2
  • Only available in the following Windows 7 editions:
    • Enterprise
    • Ultimate
IMMUTABLE APPLOCKER LAWS
  • AppLocker’s “brain” works through the rules like this:
    • Law #1: Explicit deny: A specific rule which denies an action.
    • Law #2: Explicit allow: A specific rule which allows an action.
    • Law #3: Implicit deny: All files that are not specifically named by an Allow rule are automatically blocked.
  • Not related to Asimov’s “Three Laws of Robotics”
APPLOCKER RULES
  • Action:
    • Allow
    • Deny
  • Based upon condition:
    • Path
    • File Hash
    • Publisher
  • Rule types:
    • Executable
    • DLL
    • Windows Installer
    • Script
  • Can make “Exceptions”
  • Mix and Match, like this:
    • ALLOW Executable, based upon who PUBLISHED the application (publisher condition) EXCEPT a specific application (or version), which is DENIED
    • Windows Installer Rule, based upon a specific build (file hash)
    • DENY Scripts, based upon where they execute from (PATH condition), EXCEPT for a certain (known good) directory
APPLOCKER: Four Steps to Success
  • Setting up the default rules (highly recommended, not required)
  • Adding more rules (also, highly recommended, not required)
  • Leveraging AUDIT vs. ENFORCE mode
  • Turning on the client’s Application Identity (AppID) service
STEP 1: SETTING UP THE DEFAULT RULES (or… how NOT to blow your foot off)
  • Default rules are NOT set by default.
  • Different default rules for each rule type
EXECUTABLE RULE DEFAULTS (Good ideas to get started with)
  • Allow anything to run that’s already installed in Program Files
  • Allow anything to run if it’s in the Windows folder
  • Allow local administrators to run any file
STEP 2: ADDING YOUR OWN RULES
  • On rule type, right-click, select “Create New Rule…”
  • Add your rule, with conditions (will see in demonstration)
STEP 3: AUDIT ONLY vs. ENFORCE
  • AppLocker Modes:
    • Enforce rules
    • Audit Only
      • Logs go to Applications and Services Logs | Microsoft | Windows | AppLocker
STEP 4: TURN ON APPID SERVICE ON CLIENT
  • Final step to fully engage AppLocker
  • Can be done manually (good for one-off testing)
  • Can be scripted
  • Can be done via Group Policy Preferences (my preferred way!)
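Steps 3 and 4 as a script, added here as an example rather than taken from the deck or from PolicyPak: it pulls the Audit Only events that would have been blocked under Enforce, then turns on the Application Identity service. The log names, the event IDs 8003/8006 and the UserData layout of the events are assumptions about the AppLocker event channels.

```powershell
function Get-AppLockerWouldBlock {
    # Audit Only results: event 8003 in "EXE and DLL" and 8006 in "MSI and Script" record
    # files that ran but would have been blocked under Enforce rules (assumed event IDs).
    $queries = @(
        @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003 },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
    )
    foreach ($q in $queries) {
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # AppLocker events carry their details in the UserData section of the event XML
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Collection = $d.PolicyName     # EXE, DLL, MSI or SCRIPT
                FilePath   = $d.FilePath       # uses AppLocker path variables, e.g. %OSDRIVE%
                User       = $d.TargetUser     # SID of the account that ran the file
            }
        }
    }
}

# Step 3 review: what would Enforce rules have stopped? Group repeats so the noisiest gaps surface first.
Get-AppLockerWouldBlock | Group-Object Collection, FilePath |
    Sort-Object Count -Descending | Select-Object Count, Name

# Step 4: turn on the AppID service. Check the display name first; the Tips slide's gotcha is
# enabling "Application Experience" instead of "Application Identity".
$svc = Get-Service -Name AppIDSvc
if ($svc.DisplayName -ne 'Application Identity') { throw "Unexpected service: $($svc.DisplayName)" }
# sc.exe rather than Set-Service: on newer Windows versions Set-Service cannot change this protected service's start type
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
(Get-Service -Name AppIDSvc).Status   # expect Running
```

Run the review part on the representative machine while collections are still in Audit Only; only the service step needs to be repeated per client (or pushed out via Group Policy Preferences as the deck prefers).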
APPLOCKER RESULTS
  • Default user pop-up as seen here:
APPLOCKER: Safety Precedence (How safe can you get?)
  • Hash rule:
    • Safest, most specific
    • Issue: Unmanageable at scale
  • Publisher Condition
    • Next safest
  • Path Condition
    • Next safest
    • Issue: Might expose “too much” file system within whitelist
APPLOCKER: SECURITY AWARENESS (How the bad guys can still get you)
  • Path Condition: They could figure out where an application isn’t allowed to run and move it to a place where it is allowed to run. (i.e. move the application to somewhere in Program Files and run it from there; the default rule allows that.)
  • Publisher Condition: A publisher certificate gets compromised. A “bad guy” signs malicious code with the (allowed) certificate.
  • Code Injection: Without .DLL rules, an allowed .EXE can be fooled into loading a .DLL it’s not supposed to.
    • Safe when .DLL rules are enabled
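An added example (not from the deck or from PolicyPak) serving both the Rules slide and the Security Awareness slide: a constructed policy in the XML shape that Get-AppLockerPolicy -Xml returns, carrying the “mix and match” patterns (publisher ALLOW with a version EXCEPTION; path DENY for scripts with a known-good EXCEPTION), followed by a review function that flags the two gaps called out above: DLL rules left off, and Allow path rules that expose too much of the file system to non-administrators. The Contoso publisher, rule GUIDs and paths are placeholders.

```powershell
# Constructed sample (not a real policy): the XML shape that Get-AppLockerPolicy -Xml returns.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Contoso-signed EXEs, except old tool"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO, L=SEATTLE, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=CONTOSO, L=SEATTLE, S=WASHINGTON, C=US" ProductName="CONTOSO TOOLS" BinaryName="OLDTOOL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="1.9.9.9" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Allow whole OS drive (too broad)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Deny scripts from user profiles, except login scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%OSDRIVE%\Users\Public\LoginScripts\*" /></Exceptions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Find-AppLockerWeakSpot {
    # Flags the two weaknesses the deck calls out: DLL rules left off, and Allow path rules
    # for non-administrators that open up user-writable or whole-drive locations.
    param([xml]$Policy)
    $admins = 'S-1-5-32-544'   # BUILTIN\Administrators
    foreach ($rc in $Policy.AppLockerPolicy.RuleCollection) {
        if ($rc.Type -eq 'Dll' -and $rc.EnforcementMode -ne 'Enabled') {
            "DLL collection is $($rc.EnforcementMode): code injection via unsigned DLLs is not covered"
        }
        foreach ($r in $rc.FilePathRule) {
            $p = $r.Conditions.FilePathCondition.Path
            $broad = ($p -eq '*') -or ($p -match '^%OSDRIVE%\\(\*|Users\\)|^%(REMOVABLE|HOT)%')
            if ($r.Action -eq 'Allow' -and $r.UserOrGroupSid -ne $admins -and $broad) {
                "$($rc.Type) rule '$($r.Name)': Allow path '$p' exposes too much file system to non-admins"
            }
        }
    }
}
Find-AppLockerWeakSpot -Policy ([xml]$policyXml)
```

To review a live policy instead of the sample, feed it `Get-AppLockerPolicy -Effective -Xml` (or the `-Domain -Ldap` form from the PowerShell examples slides).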
APPLOCKER: SECURITY AWARENESS (Part II) (How the bad guys can still get you)
  • EXE Rules: .EXE, .COM – and that’s it.
  • DLL Rules: .DLL, .OCX – and that’s it.
  • Script Rules: .PS1, .BAT, .CMD, .VBS, .JS – and that’s it.
    • AppLocker is extensible by 3rd party script hosts
  • Windows Installer Rules: .MSI and .MSP – and that’s it.
APPLOCKER: MORE INFO FOR USERS (Default vs. “more info” dialog)
  • Optional result
  • Computer | Policies | Administrative Templates | Windows Components | Windows Explorer | Set a Support Web Page Link
AUTOMATICALLY GENERATING RULES
  • Get “representative machine”
  • Automatically Generate Rules
  • Export Rules / Import Rules
AppLocker + App-V: GOTCHA
  • AppV has a “virtual drive” it uses
  • Usually Q: drive
  • Must Allow the Q: drive, or AppLocker continues to lock
APPLOCKER POWERSHELL AUTOMATION
  • Get them via PowerShell on Windows 7 using:
    • Import-Module AppLocker
  • PowerShell Cmdlets
    • Get-AppLockerFileInformation
    • Get-AppLockerPolicy
    • Set-AppLockerPolicy
      • Apply specific “fully formed” AppLocker XML policy
    • New-AppLockerPolicy
    • Test-AppLockerPolicy
  • Check out:
APPLOCKER POWERSHELL EXAMPLES

Get AppLocker File Info (for .EXEs):

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe

Create AppLocker Policy XML rule set:

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe | New-AppLockerPolicy -RuleType publisher, hash -User everyone -Xml

Create a new AppLocker Local GPO with that rule set:

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe | New-AppLockerPolicy -RuleType publisher, hash -User everyone | Set-AppLockerPolicy -Merge

APPLOCKER POWERSHELL EXAMPLES (PART 2)

Create a new GPO AppLocker Policy:

Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType exe | New-AppLockerPolicy -RuleType publisher, hash -User everyone | Set-AppLockerPolicy -Ldap "LDAP://{4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com"

Dump a domain-based GPO’s AppLocker rules:

Get-AppLockerPolicy -Domain -Ldap "LDAP://{4391FF66-197D-4BBE-B83E-4B536A09B543},CN=Policies,CN=System,DC=Fabrikam,DC=com" -Xml > output.xml

The applications for which a user is blocked:

Step 1: Get-AppLockerPolicy -Effective -Xml > output2.xml

Step 2: Get-ChildItem -Path "C:\Program Files" -Recurse -Filter *.exe | Convert-Path | Test-AppLockerPolicy -XmlPolicy .\output2.xml -Filter Denied, DeniedByDefault

Some Tips and Best Practices (PART 1 of 2): Things to think about before / during / after your rollout
  • ALLOW rules with DENY exceptions are likely your best bet
  • DLL rules: turn them on if you have the horsepower and can monitor them
    • Subtip: not all DLLs from a package are necessarily digitally signed!
  • Try to get your “internal Devs” on board with digitally signed apps (.EXEs and .DLLs)
Some Tips and Best Practices (PART 2 of 2): Things to think about before / during / after your rollout
  • When ready, use Group Policy Preferences to turn on the AppID service en masse
  • Don’t turn on the WRONG service, like “Application Experience” (oops!)
  • Start with Executable Rules, and move onward toward Install, Script, and possibly DLL rules
  • Emergency Troubleshooting:
    • Use Group Policy Preferences to DISABLE AppID service
MORE INFORMATION
  • Microsoft AppLocker Documentation
  • Microsoft AppLocker PowerShell Reference
  • Understanding why users can install MSI apps as regular users (Darwin Sanoy)
  • Hands-on examples (live training, and in book form)
RELATED CONTENT
  • SIA12-HOL – Windows 7 AppLocker Hands-On Lab
What is the Springboard Series?

The Springboard Series IT pro experience offers dynamic content

and structured guidance across the adoption lifecycle

  • Inside of Microsoft we are
  • A turnkey IT pro engagement platform for depth and breadth
  • The program to mobilize MS marketing and field to focus on desktop OS IT pros
  • To the IT pro, our goal is
  • Be the definitive resource for Desktop IT pros
    • Open, honest; show don’t tell
    • Information at right time, right level across Adoption Lifecycle
Adoption lifecycle (diagram): Is the organization ready? Is our environment ready? Is it worth the pain? How does it change my work? How do I maintain and optimize?

Springboard offerings (diagram): weekly, monthly and quarterly rhythm of topical content; Springboard Technical Experts Panel; event support and resources; straight-talk monthly feature articles and overview guides; one Windows TechCenter in 10 languages; video blogs; virtual roundtable events.

Visit the Springboard Series on TechNet at

  • Sessions On-Demand & Community
  • Microsoft Certification & Training Resources

  • Resources for IT Professionals
  • Resources for Developers

Complete an evaluation on CommNet and enter to win!


Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year!

Do MORE with Group Policy

Extend Group Policy for AWESOME control

  • Group Policy Tips
  • Live Training
  • Online Training

Free Software:

Group Policy “To Go”


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.